Data Security Policy

Industry Best Practices

Preserving the privacy and security of any personal or business data within SISS solutions is at the forefront of everything we do.  For over a decade, SISS has provided services to obtain and supply data from Australian Financial Institutions.  Our information security and risk programs must meet the expectations of not only the Financial Institutions but those of the Third Parties (Data Recipients) we provide the data to.

We use and follow industry best practices, including:

  • risk management and security controls based on the ISO 27001 Information Security Management Standard;
  • a security team responsible for the management and monitoring of all our services;
  • encryption of data while moving into, through or out of our systems, as well as encrypting any data whenever it is stored at rest;
  • independent external reviews of the design and security of our solutions during development, with regular reviews after deployment;
  • resiliency of our systems through Disaster Recovery programs, requiring a regular testing and review;
  • compliance with the Australian privacy laws, including any other data privacy requirements as provided by the Office of the Australian Information Commissioner (OAIC).

World Class Partners

SISS partners with world-class suppliers providing key infrastructure and services, such as monitoring for suspicious activity, physical security, server and power redundancy, and built-in firewalls:

Data Recipient Accreditation & Monitoring

All environments that access or receive your data need to adhere to minimum level of data security.  SISS together with your Financial Institution proactively review and monitor the data security practices and processes of all Data Recipients.

At least annually, a Data Recipient must undertake a Compliance Review with SISS Data Services, which your Financial Institution uses to assess and then permit the continued access to your data.

If at any time SISS Data Services or your Financial Institution believes your data could be at risk, we may suspend or cancel the connection a Data Recipient has to your data.

The annual Compliance review may include:

  1. Update of company information and solution details to capture any changes.
  2. Review of data security policies and practices, including consent and privacy practices.
  3. Assessment of regular vulnerability testing and security monitoring effectiveness.
  4. Annual penetration testing of solution by a suitably qualified independent security specialist.
  5. Evidence of risk management and data breach handling processes, with a review of any incidents or unresolved risks.
  6. A security review by a suitable qualified independent security specialist to verify adherence to documented data security policies and practices

Your Explicit Consent

Our role is to securely make your data available to the Data Recipient you nominate in the explicit consent you provided us.

Your consent must be:

  • freely given;
  • specific;
  • informed;
  • unambiguous.

Your data can only be used by the Data Recipient for the data uses you have approved.

SISS will never ask you for the username and password to your Internet Banking or Financial Service provider.  These are the keys to your personal and financial data and should not be shared with anyone.

SISS will only ask for consent in the following approved methods:

  1. Paper based Customer Authority Form (CAF) – An approved form from your Financial Institution.
  2. Web Authority – Authorisation built by your Financial Institution within their Internet banking service.
  3. OAuth/OpenID Connect – OAuth is an open-standard authorisation protocol (framework) that provides applications with time based secure access to your information.

You may withdraw you consent at any time by contacting:

  • your Financial Institution
  • the Data Recipient you have granted access to your data
  • SISS Data Services.