We recognise that clients place their trust in us when they supply us with access to their data, websites and premises, and we take that trust very seriously.
We have a comprehensive set of security policies and practices covering personnel vetting and new employee induction, staff training, onsite and remote physical and data security, and cloud data security. Our security policies and practices are audited annually by an independent provider.
Our security policies and practices
Personnel vetting and new employee induction
We have a contract in place for the Online Delivery of Criminal Conviction Histories with the NZ Ministry of Justice to vet new employees. We refresh these checks annually and record the outcome in our HR records. We follow a multi-step selection process to ensure new employees are trustworthy and understand their obligations to Pikselin and our clients. New employees must understand, accept and sign on to our security policies before commencing their employment.
We use a formal training framework provided by external security consultant SEQA that includes secure coding practice and quality assurance processes. All Pikselin web developers undertake an OWASP security course to learn techniques to mitigate some of the most common online security issues.
We have extensive on-site physical security arrangements, including electronic door locks which only authorised staff can unlock, monitored after-hours swipe card access and security cameras. We have no physical servers or server room.
Remote, cloud and data security
We have comprehensive cloud and remote work security arrangements, including strong laptop security, policies preventing the use of public wi-fi when working on sensitive material, rules to ensure the security of client data, access and authentication policies and detailed access logging. Preventing unauthorised access to physical devices and cloud-based services is the cornerstone of our approach to maintaining data security.
Annual security audit
External security consultant SEQA conducts an annual security audit for Pikselin covering:
- Cyber Security Readiness – an assessment of Pikselin against the top 10 most relevant security controls, considering best practices such as NZISM, PSR, NIST, ASD and CERTNZ.
- Internet Threat Assessment – a high-level technical assessment of Pikselin’s internet-facing website and infrastructure from an unauthenticated user’s perspective.
- Physical Security Audit – an assessment of the physical systems and processes designed to prevent unauthorised access to facilities and systems.
After SEQA presents its audit findings to Pikselin, we take active steps to address any issues based on best practice recommendations.