Security at VETtrak
VETtrak is committed to the security of your data. We use industry-standard security technologies, procedures and best practices, detailed below, to protect your information from unauthorised access, use, or disclosure.
The VETtrak Information Security Management System (ISMS) is certified to meet the ISO 27001 global standard.
To contact us about a security related issue: security@vettrak.com.au
Information Security Governance
VETtrak take a risk-based approach to Information Security. Risk management is an integral part of the organisation processes used to manage the protection of our information and systems. In our design and delivery of software, we use fundamental security principals.
Information Security Monitoring
Vulnerability management is conducted throughout the system life cycle. Software code, and infrastructure-as-code is subject to peer review. Penetration tests are performed by our security team against our products and environment. A formal change management process is used for all routine and urgent changes and even emergency changes require a retrospective change management process to be completed. All change requirements are planned, tracked and managed within various management systems across VETtrak.
Personnel Security
All VETtrak staff undergo security awareness training. Staff with privileged access to systems or data, receive additional job-specific training on privacy and security. Personnel requiring access to production systems or data are required to have undergone appropriate security clearance.
Physical & Comms Security
VETtrak hosted SaaS applications are located in a private cloud which is owned and operated by VETtrak staff. The data center and our upstream suppliers are accredited to ISO27001 or have been recognised with Cybersecurity Capability Maturity Model (C2M2) accreditation to ensure security of our supply chain. Your data is held onshore in Australia and is subject to all applicable Australian Data security and Privacy regulations.
Network Security
VETtrak divides its systems into separate networks to better protect systems and sensitive data. Systems supporting testing and development activities are hosted in a separate network from systems supporting production websites.
Network access to the production environment from open, public networks (the internet) is restricted and uses layers of threat detection such as Network Intrusion Detection Systems (NIDS), geo-blocking and Web Application Firewalls (WAF). Antivirus and malware scanners are also present on all hosts and systems where they are supported. Only network protocols essential for service delivery are open at the perimeter and changes to the production network configuration are restricted to authorised personnel.
Software Patching
Operating systems automatically apply security updates based on a rotating schedule to ensure coverage against vulnerabilities. Patching and upgrades of software components is a regular part of development procedures and anti-virus and malware signatures are updated every two hours for complete coverage.
Software Development
VETtrak use a series of software development stages with development, staging and production part of the process. Software is only able to progress to the next environment after it passes all the checks at each level. Internal peer code review, manual QA and UAT are all part of the processes and procedures that are followed before software is released.
Standard Operating Environments
VETtrak SaaS environments are wherever possible provisioned through code and all change to the environment goes through our secure development and testing practices. This is to ensure that all environments and SaaS deployments are consistent, and changes can be done with minimal human intervention and risk of misconfiguration.
Web Application Development
VETtrak web and desktop applications are developed using security best practices. All developers are trained to be aware of OWASP security guidelines (where applicable) and modern programming techniques are used. For extra security database queries are parameterised and application inputs and outputs are properly sanitised and encoded. Application errors and exceptions are logged and monitored for review.
Database Systems
Databases are securely provisioned with unique credentials. Database administrator accounts are only used to provision less privileged accounts for regular use. Our network architecture is designed to restrict access to the database server to the fewest necessary systems required. Production, test and development environments are strictly separated.
Access Control
Strong authentication and access controls are implemented to restrict administrative access to production systems, internal support tools, and customer data. Security events on the application, host, network and environment are logged and audited and are available for customer review.
Secure Administration
Administrative access to systems with customer data is limited to those engineers with a specific business need. Any access to customer data outside of the administration team requires written consent from the end user to be removed from production environment and will be automatically removed after a set period of time.
All administrator terminals are logically isolated to ensure additional security and integrity of administrative tasks.
Cryptography
VETtrak’s policy is to always use encryption, wherever possible.
Transport Layer Security (TLS) is used for all public network connections with a modern SSL security policy meeting an SSL Labs A rating. The preferred server negotiated connection will be on TLS 1.2 with Elliptic Curve Diffie-Helman session keys and perfect forward secrecy. HTTP Strict Transport Security (HSTS) ensures that a TLS connection is always used.
SSL Server certificates use min RSA-2048 encryption and SHA-256 hashing algorithms.
AES-256 is used to symmetrically encrypt data at rest.
