Cloud Services Security
Summary
Datalink has a comprehensive approach to information management security.
Its ISO 27001 certified Information Security Management System follows a risk-based approach and contains a comprehensive set of controls to ensure Datalink has the necessary technical and organisational precautions to operate securely in line with industry best practice to prevent the loss, misuse or alteration of sensitive and personal information.
Information Security governance is driven at the top level
Its Information Security Management System implements a range of controls to protect customer data
Its Crisisworks application is engineered with security in mind, and provides security features to its customers for access control and audit.
Our network infrastructure (operated by AWS) is highly secure.
Datalink handles its customer data with great care, with numerous controls to manage PII and sensitive data from staff, contractors and other tenants.
This guide has been written to explain Datalink’s information security practices.
Cloud Services Security
Datalink is both a supplier and consumer of cloud services, and has integrated cloud services controls into its management system. The following summarises our controls.
Information Security Policies: Datalink's policies address virtualization, multi-tenancy, insider threats, customer data protection, and communication. These policies are version-controlled, authorised, and communicated to employees and contractors.
Organisation of Information Security: Roles and responsibilities are defined during contract negotiation. There's a clear division of responsibilities between Datalink and its suppliers. Datalink operates in multiple regions and uses a zone approach to data storage, ensuring data is located as required by the customer.
Human Resource Security: Datalink provides ongoing security awareness training to employees and encourages contractors to do the same.
Asset Management: Customers can align their information handling, classification, and labeling with Datalink's services. There’s an audited procedure for returning and removing customer assets, protecting sensitive information.
Access Control: Datalink provides an administration interface for customers to control access at various levels. User management is done via this interface, with multi-factor authentication available. Procedures for managing authentication information (passwords) are secure. Utility program use is controlled and audited. In multi-tenant environments, customer resources are segregated. Virtual machines are hardened against malware.
Cryptography: TLS encryption is used for transactions, and customer data is encrypted at rest. Customers can implement their own encryption with customer-managed keys.
Physical and Environmental Security: Datalink does not operate its own data centre, therefore most physical security controls are not applicable to our ISO 27001 certification. Our outsourced data centres are fully certified to ISO 27001 and other standards and implement all physical and environmental controls.
Operations Security: Customers are informed of planned changes. Capacity is monitored. Encrypted backups are taken and stored securely. Activity logs are available to customers. System clocks are synchronized. Vulnerability scans are regularly performed, and security patches are applied. Critical operations are controlled with specific procedures. Service monitoring is available to customers.
Communications Security: Customer networks are isolated in multi-tenant environments, and Datalink's internal network is also isolated. Virtual network resources are controlled like physical ones.
System Acquisition, Development, and Maintenance: Secure development procedures are used, including separated environments, secure coding, and security testing.
Supplier Relationships: Datalink audits suppliers to ensure they meet information security objectives.
Information Security Incident Management: Customers are informed of security events and incidents. An incident manager is appointed to handle incidents, including evidence preservation.
Information Security and Business Continuity Management: Datalink plans and tests responses to disruptive incidents, designing services to minimise impact.
Compliance: Legal jurisdiction is Australia. Datalink complies with data protection legislation and its services are ISO/IEC 27001 certified. Records are protected according to an information classification scheme and asset handling procedures.
Shared Responsibility
Datalink operates its services according to a Shared Responsibility Model which shares the responsibility for maintaining security between Datalink, AWS and the customer:
AWS handles infrastructure & physical security: AWS secures the hardware, software, networking, and facilities that power its cloud services.
Datalink ensures platform security: As a PaaS provider, Datalink secures its software, configures AWS infrastructure, and manages security assurance programs like ISO 27001 and penetration testing.
Customers manage security within their instance: Customers control user access, data privacy, and system configurations, ensuring responsible use within their allocated platform instance.
More details can be found on our Shared Responsibility Model page.
Key Security Controls
The following section provides additional detail on key controls.
Compliance
Datalink is certified to the ISO 27001 standard in information security management.
ISO 27001 is the most widely recognized and internationally accepted information security standards, and its certified organisations must implement and maintain best practices and strong, effective security controls to achieve certification.
This standard is one of the few standards that uses a top-down, risk-based approach to evaluation that identifies requirements and specifications for a comprehensive Information Security Management System (ISMS), defining how an organisation should manage and treat information more securely, including applicable security controls.
This top-down approach includes an alignment of the ISMS with the company’s contractual and regulatory requirements, meaning Datalink’s information security takes into account the evolving information security needs of its customers.
Achieving accredited certification to ISO 27001 provides an independent, expert assessment that Datalink’s information security is managed in line with international best practice and business objectives.
The assessment and certification extends to every level of an organisation’s IT infrastructure stack, including asset management, access control, human resource security, and application security.
Governance
Our audit, compliance and risk effort is open and collaborative, and we work with our customers to identify, align and implement relevant standards and practices as internet security evolves. Our governance processes are externally audited every year.
Through this process, we implement a range of common controls from best practice sources including ISO 27001 Annex A, Cloud Security Alliance’s CCM, Australian Government’s ISM and PSPF, and OWASP’s ASVS and Top-10 lists.
In particular, above and beyond the ISO 27001 controls, Datalink has embraced the Cloud Computing Security for Cloud Service Providers guidance and the Essential 8 Maturity Model from within the PSPF, which together define essential parts of the Australian Australian Government’s Protective Security Policy Framework targeted to SaaS companies.
Datalink is also a member of the Australian Cyber Security Centre for threat monitoring and education, and regularly and systematically engages external experts in ongoing scans, tests, reviews and consulting to constantly evolve and improve our product security and resilience.
Supplier Management
Our data centre and managed service providers undergo a thorough security assessment as a part of the evaluation process and then undergo regular SOC1, SOC2 and ISO 27001 audits thereafter.
Responsibilities for the provision of services, handling of information security risk and disruption is clearly defined between the parties.
Our consultants and contractors are also vetted, and must sign confidentiality agreements in alignment with our ISMS obligations.
Tiered access to infrastructure and data provides layered security to our software, our infrastructure and customer data, to ensure external contractors cannot access or manipulate systems or sensitive information.
Application Security
Datalink builds security into the core of its product, which is validated through numerous controls.
A sophisticated role-based security model is implemented at a low level. It is exposed to users in the application via the security policy, positions and event-based duty management screens.
All data changes within our products are audited, with the audit appearing on each record and in reporting.
Data is encrypted both in transit and at rest using approved technologies.
Authentication uses best practices and technologies including SAML, OAuth2 and JWT.
Privacy controls are built into the product at various levels. For example, the recovery module allows external affected persons to refuse consent to share data with other agencies, and users can opt out of the global contact list.
Audit logs are built into the product, and reports are customer accessible. Additional data access logging at the record level can be set up to monitor and log access to sensitive data.
Secure Software Development Practice
Datalink follows industry best practices in software development, including OWASP’s secure development guidelines, peer reviews, static code analysis, penetration testing, continuous integration, automated testing, platform monitoring and incident response.
Datalink has processes to identify, fix, and prevent security issues through security design reviews, automated and manual code assessment, security scans and developer education.
Vendor code libraries are vetted at selection, undergo ongoing security checks against vulnerability databases, and their use aligned with their stage with their lifecycle to plan for their eventual obsolescence.
Datalink implements change management practices to incorporate information security into each change.
Network Security
Datalink’s network security is protected using a variety of information security controls from ISO 27001, CSA, ISM, CIS, PCI and others, and the environment has ongoing independent, external penetration testing, network scanning and auditing.
Datalink products are built on top of Amazon Web Services (AWS), which is highly regarded and certified as a secure and resilient hosting environment. More information on AWS can be found at https://aws.amazon.com/compliance/programs/
The AWS infrastructure that underpins Datalink’s services undergoes regular IRAP assessments at AWS, AWS is on the Australian Government’s Certified Cloud Services List, and Datalink utilises components and patterns from the AWS IRAP PROTECTED Reference Architecture in its system design.
Datalink's AWS configuration and usage is reviewed by external certified AWS experts using AWS’s Well Architected Review process to ensure Datalink continues to evolve to follow emerging best practices.
Operations security
Datalink makes customers aware of planned changes that will affect the customer cloud environment or services. This information is published via email to affected customer administrators and will include the type of change, scheduled date and time and where appropriate technical details of the change being made. Further notifications will be issued at the start and end of the change.
The capacity of the overall cloud environment is subject to regular monitoring by Datalink engineers to ensure that our capacity obligations can be fulfilled at all times.
Encrypted backups of customer environments are taken and retained for a period of three months according to the 3-2-1 standard. Backups are stored in an airgapped storage facility at a separate location to the main location of customer data which is considered sufficient to represent a reasonable business continuity precaution. Backup samples are verified on a monthly basis to confirm their integrity.
Activity and transaction logs are recorded in the cloud environment and may be accessed by customer administrators. These include details of logins/logouts, data access and amendments/deletions.
All system and device clocks within the cloud environment are synchronized (via designated servers) to an external time source, details of which are available upon request.
The customer cloud environment is subject to regular vulnerability scanning using industry-standard tools. Critical security patches are applied in accordance with software manufacturers’ recommendations.
Operational activities which are deemed critical and, in some cases, irreversible (such as deletion of virtual servers) are subject to specially controlled procedures which ensure that adequate checking is performed prior to completion. We also recommend that customers put their own procedures in place in these areas.
Documented service monitoring facilities are available to cloud customers to allow them to monitor their environment for abuses such as data leakage and unauthorized control of servers etc. in conjunction with access to log information.
Penetration testing
Datalink conducts penetration tests at least annually and quarterly random security scans on its environment within AWS using external vendors, plus it works with customers to support their own penetration testing regime.
Datalink’s penetration testing scope is “clear-box”, meaning the penetration tester has full access to source code and configuration-as-code. Customer penetration tests are “black box”.
Datalink’s penetration test is on the general platform; customers may also elect to conduct their own independent penetration testing on their specific services with prior arrangement.
Vulnerability, Malware and Intrusion Detection
A range of technical controls monitor for vulnerabilities, malware and intrusion detection.
Anti-malware is installed and maintained to cover the infrastructure.
Software packages are monitored for vulnerabilities using the CVE threat database and patched in line with the CVSS severity rating, with critical patches being applied within 24 hours.
AI-based monitoring is used for intrusion detection and alerting for unusual system behaviours.
Data Sensitivity
Datalink has an Information Classification Policy that classifies, labels and treats information according to its sensitivity, and a Data Protection Policy that guides the way Datalink maintains the security of the important information it holds and processes.
Datalink’s technical and organisational processes are mature and externally audited to maintain best practice in handling sensitive data.
The underlying AWS technology that hosts Datalink’s services is within the scope of AWS’s annual IRAP assessments, and Crisisworks 5 uses the AWS IRAP Reference Architecture as the architectural basis for its own system. Datalink holds ISO 27001 certification and the underlying AWS technologies are IRAP certified.
Datalink works with its customers on specific Data Protection Plans to define the guard rails for the treatment and handling of customer data, which allows for specific additional controls or technologies to be ruled in or out on a per-project basis, and allows customers to get deeper involvement into Datalink’s control selection for more sensitive workloads.
Privacy and PII
Datalink’s Data Protection Policy and data handling procedures are compliant with Australian Privacy Principles, the Victorian Information Privacy Principles and ISO 27001.
Personally Identifiable Information (PII) may be captured as part of the usage of our software, and this forms part of our shared responsibility model with our customers. Our responsibility is to design and operate systems to securely capture, store, search and report on data. Our customers’ responsibility is to design forms to ensure personal data is collected only if needed, that data is removed from our system when no longer needed, and in the ongoing management of users credentials and user behaviour.
Incident and breach reporting
Where Datalink believes it is appropriate to inform the customer of an information security event (before it has been determined if it should be treated as an incident) we will do this to the nominated customer administrator or deputy. Similarly, the customer may report security events to our support desk where they will be logged, and the appropriate action decided. Information about the progress of such events may be obtained from the support desk.
Datalink will report information security incidents to the customer where it believes that the customer service or data has or will be affected. We will do this to the nominated customer administrator or deputy as soon as reasonably possible and will share as much information about the impact and investigation of the incident as we believe to be appropriate for its effective and timely resolution. An incident manager will be appointed in each case who will act as the Datalink point of contact for the incident, including matters related to the capture and preservation of digital evidence if required.
Datalink is committed to informing its customers of any breach or potential breach in customer data, in accordance with the Notifiable Data Breach scheme. Datalink is also committed to work with its customers and provide forensic data and support in the event the customer suspects a breach in its data from its own responsibilities.
Business Continuity and Disaster Recovery
Datalink has rigorous processes for release management, data treatment, monitoring, backup and disaster recovery, and a business continuity plan is in place and regularly tested to cover service disruptions and incidents.
Datalink’s disaster recovery processes include specific controls for cybersecurity, data integrity and security incident management. Datalink has a 24 hour priority response service to report security and business continuity incidents.
Our Business Continuity plans are audited annually.
Continuous improvement
Datalink has implemented continuous improvement processes into its ISMS, which evolve the way it protects the data security of its customers by reviewing and improving its cyber-security posture and information security management practises with industry best practice.
Datalink works collaboratively with our customers, AWS and the information security industry to regularly update its cybersecurity practice. It is a member of the Australian Cyber Security Centre and receives and acts on updates to government cyber threats. It regularly works with AWS trusted partners to independently evaluate and help evolve its usage of AWS to meet best practice. It consults with its customers to keep informed on the expectations and requirements its customers have on it, and works collaboratively and constructively to improve its security operation or implement new controls if required by our customers.
Datalink’s ISMS has been externally audited and certified to conform to ISO 27001, and its controls have been audited against ISO 27001 Annex A.
Compliance
The legal jurisdiction of the cloud service provided will depend upon the country in which the contract is made. Where personal data are held, Datalink will comply with the requirements of the applicable privacy and data protection legislation.
Records collected by Datalink as part of its provision of the cloud service will be subject to protection in accordance with our information classification scheme and asset handling procedures.
Datalink’s cloud services are certified to the ISO/IEC 27001 international standard for information security and are audited on an annual surveillance basis.
More information
More information can be provided upon request. Contact your Datalink representative.
Approved by CISO
6 March 2025
Next review before
6 March 2026
Last updated