This article is for IT and security professionals
External Policies
FMI understands and respects the privacy of our customers. While FMI ensures that our privacy policy conforms to Australian minimum standards, we strive to exceed these standards internally.
Privacy Policy
FMI maintains a public privacy policy at https://www.fmiworks.com/privacy-policy. This covers our current stance on privacy across jurisdictions and in relation to Personally Identifiable Data (PID).
Government Regulations
FMI has a policy to maintain customers' privacy. However, FMI must also act within the law of the jurisdictions it operates in (Australia and New Zealand), and as such will comply with legally mandated requests for information.
Internal Policies
FMI recognizes that the single largest threat to our systems is people, who can maliciously or unintentionally provide access to our systems. Threat actors consistently start their attacks with "social engineering". However, FMI also sees our employees as the last and best defence we have against threats, and empowers them with the knowledge and authority to act to stop threat actors.
Phishing
FMI has a dedicated policy related to phishing. This policy requires all staff to undergo training on phishing attacks. This is done annually, as well as during new staff onboarding.
Additionally, from time to time, FMI conducts white-hat phishing exercises against our own employees. These are designed for training and awareness, as well as to keep employees ever diligent against these threats.
Password Hygiene
Both applications and employees have secure password practice requirements. The requirements for applications and production systems are the most rigorous, including:
- System passwords are individual and unique per application, and/or per client
- System passwords are cryptographically generated
- System passwords are automatically stored in Azure KeyVault
- System passwords are never seen by employees, including the DevOps engineers who administer them
- System passwords are regularly rotated, or rotated immediately if they are ever used by an employee
- Access to systems that store passwords is managed with least privilege, and is limited to a subset of DevOps engineers
- Access to systems that store passwords is secured through Active Directory accounts (using Microsoft 365)
Password policies are also in place for employees and require that employees maintain high levels of password hygiene as well, including:
- No use of shared accounts or shared passwords
- Requirement to use MFA on any and all organization systems that support it
- Use of generated or high complexity passwords for all systems
- No re-use of any passwords across systems
Antivirus
All systems that are part of, or have access to, corporate infrastructure are required to run antivirus software. This includes access to corporate systems such as e-mail, and production systems such as FMI Works. The requirement covers:
- Infrastructure servers
- Application servers
- Employee desktops and laptops, both corporate owned and BYOD
- Employee phones and mobile devices, both corporate owned and BYOD
Compliance
FMI runs an internal security committee which meets monthly to monitor and manage security risks, both internal and external. This includes:
- Maintaining a risk register scored by both potential and residual CVSS.
- Tracking risks from multiple sources, including penetration tests, vulnerability tests, OWASP, community articles, or any other source that might be relevant.
- Addressing risks to customer data and business continuity from both internal and external sources, whether accidental or intentional.
- Creating and updating internal policies.
- Curation of required online training courses for staff.
- Ensuring staff have completed training or have demonstrated understanding of their responsibilities under these policies.
- Regularly auditing ongoing understanding of, and compliance with, these policies.