Segmentation
We have a large amount of network segmentation in our hosting environment. This means we split our networks into subnetworks and network segments, so our network structure isn’t visible from the outside. Almost like concealing your pack of Maltesers by hiding each delicious chocolate sphere in a separate spot in your bedroom.
In-Flight data security
Our encryption of information between you and Tic:Toc is provided by industry-standard Transport Layer Security (TLS) 1.2. This is the current security encryption standard used by most banks in Australia.
At-Rest data security
All environmental servers are encrypted utilising AES-256 at the hardware layer.
Logging
All key actions on the application are centrally logged for auditing, monitoring and improving our services.
Secure code development
We follow industry best practices and standards such as OWASP and SANS. We have separate environments and databases for different stages of the application development and we don’t use production data in our non-production environments (duh).
Dedicated security team
We have a dedicated security operations centre, which is responsible for securing the application, identifying vulnerabilities and responding to security events.
Security policies
We have a suite of policies with supporting procedures, which have been aligned with the ISO 27001 standard. Our security documentation is frequently reviewed and updated to reflect changes to our processes made in response to newly identified threats, as well as our commitment to continuous improvement.
We use several sources, including the NIST Cyber Security Framework as well as the Australian Cyber Security Centre, to help us measure our ability to identify, protect, detect, respond to and recover from security events.
Awareness and training
To be allowed entry into the inner circle, all staff (Tictockers) and contractors go through a vetting process where they are subject to background checks and confidentiality agreements. Where applicable as part of their role, they will also undertake training on security awareness and related topics.