Security of client data is of utmost importance to our business. Our security policy covers a number of areas including:
- Internal security policies
- External provider security policies
- Security policies of our key software partner (Class Super)
Below is a summary of these policies.
Internal security policies
Superfund Wholesale has a business culture that has a focus on client privacy and security awareness. We acknowledge that we handle important personal financial information on behalf of our clients (or more specifically the clients of the advisers we work with) and that makes us a potential target for fraud and cyber attack activities.
The Superfund Wholesale business and all team members are located in Australia. Neither we nor any of our business partners utilise offshoring, overseas outsourcing or any type of international team to support the provision of our services.
Part of our team induction includes a comprehensive module on handling confidential financial information, security obligations, data security systems and procedures, and fraud detection and prevention. An overview of our obligations under the Privacy Act 1988 is explained in detail. Appropriate background checks are also undertaken for staff being employed in key positions. Security and privacy issues are also regular agenda items for internal training sessions and team meetings.
Our business employs a full time ICT manager whose time is split across our business and our sister businesses (common Australian-based parent company).
We utilise SSO (single sign-on) technology wherever possible, including for applications that contain key client financial information. This means that the vast majority of staff, with the exception of senior management, do not have visibility of their credentials to these applications. The SSO is also configured to only work within our local network, which prevents off-site access by staff.
Biometric security is scheduled to be implemented during the 2015 calendar year, which will complement our SSO technology.
Superfund Wholesale physically retains very few client records at our office. Any records which are retained are typically for a short time period, and are kept in a locked file storage room on premises. Access is only granted to key staff. Our office is located in an office building that has on-site management as well as a monitored security system.
Superfund Wholesale utilises hosted servers via our internet service provider, which are based in a data centre on the Gold Coast, Australia. For more information about this service, an Information Summary is available here (PDF).
External provider security policies
Superfund Wholesale only works with other providers who are Australian based and who do not offshore any key aspects of their services. This means that the risk of any client records or data being accessed outside of Australia is extremely low.
Our key business partner is ASF Audits, based in Adelaide with all staff in Australia. ASF is one of the largest independent SMSF audit providers in the country and undertakes work for large SMSF administration businesses including AMP SMSF who, like ourselves, undertook detailed due diligence and testing prior to engaging their services.
Key Superfund Wholesale staff have toured their facilities in Adelaide and we are satisfied that their policies, company culture and ICT infrastructure adhere to the same high standards as our own business.
Class Super security policies
Class Super is a key software supplier to Superfund Wholesale and is therefore a key repository of confidential client financial information. Superfund Wholesale undertook significant due diligence of Class Super prior to selecting it as a key software partner.
An overview of the Class Super security policy is provided below and is also available on their website here: http://www.classsuper.com.au/security-policy/
Data security and protection
We at Class Super are committed to maintaining a secure environment for transmission of data between our service and you and for storage of data at all times. We take a multifaceted approach to meet this commitment. A fundamental element of safeguarding your confidential information is to provide protection against unauthorised access or use of this information. Unauthorised access takes many forms and requires a comprehensive response.
Sensitive information is encrypted during transmission over the Internet, because it is easy and common for a hacker to intercept and/or divert data while in transit.
Strong cryptography is used for B2B transfers of customer data as well as end-user point-to-point transmission channels. The encryption used for end-user Web access takes the form of TLS encryption using strong ciphers with older vulnerable protocols being disabled.
Authentication and authorisation:
Class Super’s entire system is based on the concept of access on a need-to-know basis only. This is coupled with the use of privileges based on individual credentials. These are mapped in a highly granular fashion to ensure an individual user has access to only the data that they are entitled to view and modify. Clients are entirely partitioned off from each other.
This is a logical partitioning. Our access control mechanism conforms to a rigidly implemented Business, Brand, Fund hierarchy. These elements permeate the system and prevent any unauthorised access.
Intrusion and system vulnerabilities:
Class conducts various activities to guard against these vulnerabilities. These largely fall into four areas:
- Topologies and devices: Network design and configuration
- Change Control: Process and procedure safeguards
- Vulnerability management: Regular security patches, Periodic Penetration Tests, Password Strength measures, Control of Credentials.
- Defense in depth: In addition to these specific individual areas, we use a layered architecture (with a clear separation of User Interface, Business Logic and Data Access code) which protects against most opportunistic intrusion techniques such as SQL injection. Appropriate validation is also used to guard against such attacks.
Hardware and system failure:
Class expressly protects against two specific risks – loss of system availability and loss of data. The measures below apply to both risks.
Class operates a High Availability system. Hardware redundancy exists at all layers, and in most cases failover is automatic.
Class’ redundant database hardware receives automatic data replication which duplicates the production data with a Business-Day Recovery Point Objective (RPO) of fifteen minutes.
The automatic data replication service also targets two off-site locations (with the same RPO).
One of those offsite locations is Class’ Disaster Recovery (DR) site. This is located in another state and if a Disaster occurs that permanently disables Class’ primary production location then operations can be shifted to the DR site.
If you or any of your clients require additional information about Class Super and the applicable security features and policies, please contact us.
The following support article may also be relevant: