BDO New Zealand takes data security very seriously and we have put policies, processes and safeguards in place to maintain a high security posture. This includes all BDO Member firms in New Zealand and BDO NZ Ltd.
While we can’t publicise every detail of our security processes, we would like to provide a level of assurance by demonstrating a careful, pragmatic approach alongside some of the key tenets that we operate by.
Data security is ongoing
Data security is not a ‘set-and-forget’ operation. At BDO we are continuously evaluating and reinforcing our security approach through an internal documentation & review process.
We also engage independent security specialists on a regular basis. An independent review by experienced security professionals provides a fresh set of eyes and keeps us up to date with the latest developments in the security industry.
BDO’s security policy has been developed and aligned with ISO27001, an internationally recognised standard for information security.
BDO New Zealand also performs mandatory security reporting to BDO Global on a regular reporting rhythm.
When engaging with IT Vendors, BDO has a process to review Vendor Privacy and Security processes.
Data security incidents
BDO’s incident response policy defines how data security incidents are to be managed and reported.
BDO utilises technology to monitor, alert and log events across that support and facilitate our incident response processes.
All employees are engaged under a confidentiality agreement and are subject to background and policy checks before commencing employment with the relevant BDO member firm to maintain the confidentiality of any sensitive client information they may have access to when carrying out their duties.
Employees also agree to an Acceptable Use Policy (which includes password policies) and undertake regular security awareness training programs.
Hosting & Physical Security
BDO New Zealand is hosted on Microsoft Azure, a highly scalable cloud computing platform with end-to-end security and privacy features built in. Our team takes additional measures to maintain a secure infrastructure and application environment. This includes site recovery and backup procedures.
For more specific details regarding Azure security, please refer to http://azure.microsoft.com/en-us/support/trust-center/.
User access to data and systems is carefully managed and controlled, based on the least privilege principle where applicable.
We utilise several layers of security including conditional access policies and multi-factor authentication.
Best practices are used in the storage of passwords within BDO.
All users must choose a strong password and an automatic lockout is enforced when incorrect passwords are incorrectly entered.
Privileged access to all systems is controlled and monitored.
Data encryption is provided as standard on all staff devices. All mobile devices that have access to corporate systems and data are mandatory enrolled to a specific mobile device management system.
Transfer of sensitive data is recommended to be conducted via secure means. We recommend the use of our Global Portal tool to exchange files and data with BDO NZ.
Data is encrypted at rest and in transit.
Data protection & backup
All data is backed up and protected within the Microsoft Azure data centres. BDO undertakes regular vulnerability scanning and remediates any items based on critical priorities.
Third party audits and inspections
BDO engages independent security specialists on a regular basis. Our third-party audits provide penetration testing and network scanning.