Perenso’s basic principles for Access Management are as follows.

• Access to information systems will be restricted to authorised users who need to access data.
• Access will be provided to the least amount of functionality required.
• User accounts and strong passwords will be used to manage access.
• Users have a responsibility to manage access to their systems.

Perenso’s policy around asset management is as follows:

• Perenso will maintain a detailed inventory of assets, physical and virtual.
• Assets in the inventory will have identified owners/users.
• Acceptable use of assets will be identified, documented, and implemented.
• Perenso will investigate where there is a credible allegation of misuse or misconduct.
• All users, internal and external should return assets to Perenso upon any termination of employment or contract agreement.
• Any hosting provider should protect Perenso’s environment and data.
• Perenso will review services provided for acceptable risk levels.
• Perenso will monitor security compliance provided by external service providers.

Please refer to Microsoft Azure’s trust and security center for further reading on the Azure hosting platform. See https://azure.microsoft.com/en-au/overview/trusted-cloud/

The below lists the security considerations for Perenso staff and users.

• Security responsibilities will be outlined in job definitions.
• A Non-disclosure Agreement will be signed as part of Employment.
• User authentication will be enabled where feasible.
• Perenso intends to be as flexible as possible with BYOD usage while ensuring corporate and customer data is protected.
• Access and usage restrictions applied will focus on the sensitivity of data.

Perenso ensures that information is protected and treated relevant to its importance to the organisation. The following is to ensure that all employees should consider how to handle internal and external (customer) data.

• Information will be labeled to ensure appropriate handling in accordance with the classification.
• Handling of information will be restricted as per the classification.
• Any owner of data is required to ensure appropriate encryption mechanisms are used to protect information on media being transported.
• Perenso will retain information as required by law for the relevant period.
• Any information will be disposed of in a secure manner.

The following are the high-level encryption principles which Perenso employs.

• Asset owners/custodians will ensure information is encrypted using relevant cryptographic mechanisms.
• Transmission across internal and external networks is encrypted as necessary.
• Where practical using service providers, obtain assurances of any necessary data encryption.

These are the physical access guidelines and policies that are used by Perenso to protect buildings, offices, and information systems from environmental hazards.

• Perenso will restrict access to information systems to authorised users.
• Users will ensure unattended equipment has appropriate protection.
• Perenso will conduct Risk Assessments annually or upon major change to information systems/networks.
• Removal of equipment and other information systems will be prohibited without approval.
• Storage access will be controlled and monitored.
• Work areas should be clear of any sensitive data when not in use.
• Remote users should not have any sensitive information stored, accessible, or unattended locally.

Perenso’s principles around operating practices are as follows.

• Processes will be documented and made available to those who need them.
• Information systems will have a concept about how Perenso intends to operate them securely and periodically reviewed.
• Perenso management will review quarterly that users are following operational procedures.
• Perenso will conduct the appropriate testing, implementation, and review of changes to critical systems.
• Perenso will document, review and update configuration management controls regularly.
• Users will have appropriate awareness of malware and protection systems.
• Systems not capable of utilising anti-malware will be documented and processes in place to minimise risk to these systems.
• Backups will be taken regularly, securely stored, and tested.
• Perenso will perform an internal and external vulnerability scan quarterly or after significant changes in the network.
• Penetration testing will be performed annually based on industry-accepted approaches.
• Risks will be assessed, remediated, and/or documented with the relevant outcome.

Perenso has the following principles to provide protection for the confidentiality and integrity of communications.

• Insecure protocols or features will be restricted, or a business justification is in place for their use.
• Connections between untrusted networks and internal systems will be restricted.
• Where possible, we will separate applications from storage or management/database services either physically or logically.
• Access for users to information systems will require access agreements and any agreements will be reviewed regularly.
• Usage restrictions and guidance will be provided for various communication technologies (email, messaging, etc) based on the ability to cause potential damage.
• Perenso will obtain the necessary assurances from partners and third parties when being permitted to create, receive, maintain, or transmit sensitive information.

Below are the general principles and guidelines for the development of applications, internal and customer-facing.

• The least functionality will be enforced by only allowing the necessary security services and protocols.
• Software development will be in accordance with industry recognised leading practices.
• Perenso will review code prior to release to production to identify any vulnerability.
• Perenso will incorporate security throughout the development lifecycle.
• Change controls will be used for the implementation of security patches and modifications, including the update of documentation.
• Applications will be developed based on secure coding guidelines.
• Perenso will maintain a segmented network to separate development from production environments.
• Data retention will be limited to that which is required for legal or business requirements and securely disposed of when no longer needed.

Perenso has the following general principles and guidelines for managing vendors' and third parties’ access and data.

• Perenso will be diligent in vendor selection and in managing vendors where the security of shared data could be affected.
• Perenso will maintain a list of service providers and which security requirements are managed by service providers or by Perenso.
• Perenso will review periodically service providers' security stance to ensure it meets Perenso standards.

• An Incident Response (IR) plan will be maintained that is capable and prepared to respond immediately to potential incidents.
• Perenso requires users to report suspected security incidents through appropriate channels in a timely manner.
• Perenso IT staff are responsible for reporting, managing, and documenting system weaknesses that could lead to an incident.
• Incidents and risks will be recorded and tracked and Perenso will implement lessons learned from incidents.

The below are the general principles around continuity and resilience for systems and services at Perenso.

• Plans will be developed for information systems that provide recovery objectives, and restoration priorities in line with the tolerance for disruption of these systems.
• No mission-critical system, process, or function will be deployed in production without an appropriate continuity plan.
• Information systems will have a degree of redundancy based on the business tolerance for disruption.
• Redundancy measures and contingency plans will be reviewed and updated at regular periods.

The following Perenso policies are to ensure safeguards are in place to be aware of and comply with all applicable legal requirements.

• Critical information systems and sensitive data will be kept in accordance with any legal requirements.
• Perenso will ensure that all software used is in accordance with contract and copyright laws.
• Users and systems will only identify the minimum amount of information necessary to accomplish the purpose of the collection.
• Perenso will only transfer personal information to third parties or affiliates for the purposes the information was originally collected for or with the subject’s consent or to comply with legal obligations.