Overview
At Trinity, security is not just a priority; it’s an integral part of our core values. We understand that in today’s digital landscape, safeguarding sensitive information, ensuring the availability of critical systems, and defending against emerging threats are paramount to our success and the trust our stakeholders and clients place in us.

 

In this security statement, we outline our commitment to maintaining a secure environment, detailing the strategies, technologies, and practices we employ to protect our assets and the data entrusted to us. Our proactive approach to security, combined with industry-standard best practices, ensures that we are well-prepared to face the ever-evolving challenges of the digital world.

 
Event Management
Trinity utilises a SIEM combined with security orchestration, automation, and response (SOAR) for events across our environment, which enables us to proactively monitor and respond to security incidents.

 

Trinity maintains audit information and logs for all information technology resources, applications and network accesses. Our platform monitors these logs for abnormal patterns and unauthorised access attempts, and maintains defined processes for security alerting, escalation and remediation. Logs are centralised in a limited-access system that prevents deletion and changes.

 

Escalation procedures exist to ensure the timely communication of significant security incidents through the management chain and ultimately to any affected client in the event of an incident.

 
Authentication & Authorisation
Trinity has implemented a robust zero-trust model across all our resources and systems, ensuring that trust is never assumed and that every access request is rigorously authenticated and authorised.

 

To further enhance our security posture, Trinity mandates strong Multi-Factor Authentication (MFA) for all systems. Once MFA has been successfully completed, additional credentials are required for key applications, adding an extra layer of security to our access controls.

 

Geographical restrictions play a vital role in our security strategy, ensuring that access to our systems is limited to authorised locations only, enhancing our control over who can reach our resources.

 
Access Control
Robust access controls ensure that all clients’ confidential information is secured against unauthorised access. Access to resources is controlled by explicit rights in all environments. Employees are given appropriate accounts on systems which they are authorised to access, following the “least privilege” principle. Generally, access controls are provided by a directory service and appropriate configuration of the cloud platforms, operating systems, file systems and application settings.

 

Separate accounts are used to access elevated environments, administrative consoles and permissions which are only provided to authorised personnel. These accounts require the same stringent MFA practices outlined above.

 

Access to client data is limited to legitimate business need. Employees may only access resources relevant to their work duties.

 
Vulnerability Management
Trinity conducts regular and ongoing vulnerability scans on both our internal and external systems. These scans help us identify potential weaknesses and security gaps within our infrastructure. By doing so, we ensure that any vulnerabilities are promptly detected and addressed, reducing the risk of security incidents.

 

In addition to routine scans, we actively monitor all installed applications on our systems for vulnerabilities. This continuous monitoring approach allows us to stay vigilant and respond swiftly to emerging threats or vulnerabilities that may arise within our software and applications.

 

Annually, our organisation engages in comprehensive penetration tests conducted by internally qualified resources. These tests simulate real-world attack scenarios to evaluate the effectiveness of our security controls and defenses.

 
Securing Individuals
Trinity carefully screens people who do work for, or on behalf of, the organisation, including police background checks. All staff at Trinity are trained on information security and data protection.

 

Trinity requires confidentiality and nondisclosure from all those who work for the organisation. We maintain high ethical standards that are defined and enforced through the code of conduct.

 
Cryptography
Trinity adheres to a policy of encrypting all data at rest, including backups. This encryption is accomplished using the AES-256 encryption standard. By encrypting our data at rest, we ensure that even in the event of physical breaches or unauthorised access, our data remains secure and confidential.

 

To secure our application layer traffic, we enforce the use of Transport Layer Security (TLS) version 1.2 at a minimum. This industry-standard cryptographic protocol ensures that data transmitted between our systems and external parties is encrypted and protected from interception or tampering. The use of TLS 1.2 strengthens the security of our communications, enhancing trust and privacy.

 
Devices & Endpoints
Trinity utilises a well-known and trusted endpoint security solution for all devices and infrastructure. This robust and comprehensive tool offers advanced threat protection, helping us detect, prevent, and respond to a wide range of security threats. It employs threat intelligence and machine learning to identify and mitigate both known and emerging threats.

 

In conjunction with the above solution, we utilise policies to manage and secure our endpoints. This enables us to establish and enforce security configurations across our devices, ensuring that they adhere to our organisation’s security standards. This includes minimum baseline hardening, configuration management, compliance checks, and remote wipe capabilities, providing an additional layer of protection.

 
Patch Management
Trinity operates a patch management policy and solution to maintain network device, system, OS and application level security patches. Reviews are performed on a regular basis to ensure patching is consistent and current based on industry standards, in particular the ASD Essential Eight.

 

Patches are applied on a monthly schedule, unless criticality demands a quicker response. Critical patches are evaluated and deployed as promptly as possible, but no later than 48 hours, based on a Trinity review of server/workstation vulnerabilities and the risks to any operating applications. Patch applicability and urgency are evaluated based on the zone of deployment (perimeter, DMZ, applications, storage), its relevance (i.e. whether the service being patched is enabled in the environment) and threat severity (likelihood x impact).

 

We can view our patch management status from a centralised console, streamlining security administration and ensuring that all devices are up to date with the latest security patches and policies.

 
Change Management
Trinity maintains, communicates and follows formal change management processes. All changes to the production environment (network, systems, platform, application, configuration) are tracked.

 

All deployments into production or changes to the production environment (network, systems, platform, application, configuration, etc.) must be submitted to, reviewed and approved by the change management meeting team prior to implementation.

 

Evaluating the probability and impact of all changes drives the risk management process to protect against activities such as spoofing, tampering, disclosure or denial of services which could expose the environment to threats or compromise the privacy and confidentiality of client data.

 
Governance
Trinity has implemented an Information Security Governance Framework (ISGF) to manage and continually improve information security posture.

 

Trinity has a significant deployment of discrete internal policy requirements governing information security. We take a risk-based approach to information security which is aligned with the NIST Cyber Security Framework and ASD Essential Eight.

 
Data Sovereignty
All data generated, processed, or stored within our systems is hosted in data centers located exclusively within Australia. This means that your data never crosses international borders, safeguarding it from potential jurisdictional issues and ensuring compliance with Australian data protection standards.

 

We adhere rigorously to Australian data protection and privacy regulations, including the Privacy Act and the Australian Privacy Principles (APPs). Our data handling practices are aligned with these regulations, ensuring that your data remains protected and in accordance with legal requirements.

 

We firmly believe that our customers retain ownership of their data. We do not use or access your data for any purpose other than providing the agreed-upon services. Your data is yours, and we respect and protect that ownership.

 

Our data infrastructure is fortified with strong security measures, including encryption, access controls, and robust monitoring as outlined in this statement. We continuously invest in technologies and practices that bolster the security of your data, reducing the risk of unauthorised access or data breaches.

 
Suppliers
Trinity closely manages suppliers using risk management principles. We perform additional vulnerability checking on dependencies in the supply chain and address them in accordance with the Information Security Manual.

 
Business Continuity
Trinity has a documented Business Continuity Plan, recovery procedures and a trained response team.

 

The Business Continuity Plan and recovery procedures are tested annually, at a minimum, and any improvements identified are incorporated into the Plan.

 

Redundancy is embedded as an engineering principle, including self-healing features built in to our infrastructure to automatically adjust to outages wherever possible.


If you would like to know more about how we secure our environment or have questions about deploying these controls, please reach out via one of the methods on our contact page or email us at [email protected]