Our Approach to Security

Overview

At The Instillery, we take security seriously. Keeping our own and our customers’ systems and data protected at all times is our highest priority. This security statement provides a high-level overview of the security practices we have in place to ensure we meet that objective.

Governance

Policies

Good security starts at the top. We recognise the importance of having a robust set of policies in place that set out our expectations for how our people should behave with regard to security and data confidentiality. These policies are regularly reviewed to ensure they remain relevant and fit for purpose.

Assurance

As a service and support provider, we are regularly asked by our customers to provide assurance around our operational procedures. We undertake internal audits of our policies and procedures, and operate a rigorous change management process. We also provide annual assurance reports on request, to support our customers’ own compliance requirements.

Testing

We undertake regular security tests performed by our own in-house security experts and independent security consultants. These tests include external penetration tests, internal ‘red/blue team’ exercises, vulnerability assessments and incident response exercises.

Data destruction

Secure shredding bins are in use for safe disposal of hardcopy data, and end-of-life IT equipment is disposed of through a registered e-waste provider who can provide destruction certificates if required. When off-boarding customers, all sensitive information (e.g. network diagrams, systems information, user names, passwords etc.) is purged from our systems and proof of destruction can be provided.

Employee vetting

We take pride in employing the best people. We undertake pre-employment checks that include Ministry of Justice checks, visa/right to work status and personal reference checks. All our employees sign a Non-Disclosure and Confidentiality Agreement when joining the company to protect our customers' sensitive information.

Education and awareness

We understand that our people play an integral part in our security efforts. We ensure our people understand their responsibilities through regular individual feedback and ongoing security awareness. All staff are required to undertake anti-phishing training and we run monthly phishing tests to ensure this training is effective.

Infrastructure

At The Instillery, we have a cloud-first philosophy. Wherever possible, we use SaaS or cloud-hosted systems and applications. This allows us to leverage the providers’ massive investments in security as well as reducing our own systems footprint and minimising our attack surface. As New Zealand’s leading cloud migration specialists, we understand how to build these environments safely and security is an integral part of our cloud architecture design.

Authentication

We recognise that passwords alone are no longer sufficient to secure our systems, and wherever supported we use additional authentication methods to bolster our security. We follow modern best practice when it comes to systems access and authentication, including:

 - a modern password policy that favours length over complexity
 - enforcing two-factor authentication wherever supported
 - conditional access rules, e.g. when logging in from overseas or untrusted locations
 - biometrics and
 - zero-trust networking principles

For our systems administrators and other privileged users, we enforce separation of duties between their normal day-to-day accounts and their privileged access accounts. We also use named admin accounts to ensure admin activities can be audited.

All privileged account passwords are held in a secure password vault and service accounts have randomly generated alpha-numeric passwords of at least 25 characters in length.

Encryption

Encryption in transit: all data sent to or from our infrastructure is encrypted in transit using industry standard TLS.

Encryption at rest: laptops are encrypted using BitLocker or an equivalent disk encryption solution.

Vulnerability management

We conduct monthly vulnerability scans of our infrastructure and prioritise remediation actions based on criticality and likelihood of exploitation. Critical patches and updates are typically applied within 48 hours of release, and all other patches are applied at the next monthly server maintenance weekend.

Workstation operating systems and applications are set to auto-update where possible, and central management tools are used to push out updates if required. This process is proactively monitored to ensure patches are applied correctly and within an acceptable timeframe.

Threat prevention

We have firewalls in place for our on-premise and co-located infrastructure, and use web-application firewalls to protect our cloud-hosted workloads. All externally accessible on-premise systems are located in a DMZ. Endpoint connections are protected through Zscaler Internet Access (ZIA), which provides secure, auditable, centrally managed connections regardless of where the device is connecting from. Access to offensive, unethical, illegal or high-risk websites is also controlled through ZIA via central policies.

All servers and workstations have antivirus/anti-malware software. This software is centrally managed to ensure it is kept up to date with the latest signature files/threat prevention intelligence. It is also monitored to ensure the agents are active and connected to the management console.

Mail filtering is provided by a dedicated secure email gateway, with additional protection through cloud spam filtering.

From a physical perspective, our offices have swipe access and are protected out-of-hours by perimeter and motion-detection alarm systems. CCTV cameras are in use at the entrances and exits. Sensitive areas within the offices are additionally secured through swipe, digi-pad or biometric locks, and covered by CCTV cameras depending on the sensitivity.

Monitoring and alerting

The Instillery is an industry-leading information security provider and we know that ‘building walls’ around our assets will only get us so far. Having comprehensive detection, monitoring and alerting in place is an essential part of an effective security ecosystem. We provide a full Security Operations Centre (SOC) service to our clients based on industry-leading SIEM (Security Information and Event Management) technology platforms. We subscribe to this service ourselves and our infrastructure (including cloud and SaaS-based services) is monitored 24/7 by our team of highly skilled and experienced SOC Analysts.

In addition to the SIEM, this monitoring service includes technologies such as:

 - Intrusion detection / prevention systems (IDS/IPS)
 - Network behavioural analysis
 - File integrity monitoring
 - Access and authentication monitoring

Business resilience

The Instillery has robust business continuity and disaster recovery plans in place that include separate security incident response plans. The incident response plans include the team structure, roles and responsibilities for the SIRT (Security Incident Response Team), a detailed response process (based on the NIST framework) and supplier and support contact details. They also include playbooks for the most common threat types.

We run scenario-based table-top exercises to test our incident response plans, including post-response reviews to ensure that opportunities for improvement are identified and incorporated.

Further information

Got any questions? For further information on our approach to security or any of the services we provide, please speak to your representative at The Instillery, or contact us here.