Security

‍

Published on September 19, 2023

‍

Here at Zoomo, we recognise the importance of information security and consider it a top priority.

Whether it’s our information, or the information of our business partners or customers, we adhere to information security best practices in order to protect and fortify the information in our possession.

We aim to inspire trust in our partners and customers by being transparent regarding our security practices.

To find out more about our security practices, see the information page below.

‍

Principles

1. Comply with legal and regulatory requirements

Zoomo is committed to complying with relevant international laws and regulations relating to information security.

‍

2. Protect our assets

Zoomo works to ensure that we have appropriate controls in place to secure the information in our possession. This includes protecting any customer assets that have been entrusted with Zoomo, including any confidential customer data.

The appropriateness of the controls will vary depending on the sensitivity of the information we are handling and its value to our business and our customers.

3. Manage security risks

Understand the security risks to our information assets and business operations and take precautions to mitigate these risks.

‍

4. Ensure appropriate access to information and resources

Access to Zoomo’s information assets and resources is only given to those parties who strictly require access. We limit access on a need-to-know basis.

‍

5. Manage information security incidents

Zoomo aims to be on the front foot when it comes to responding to and managing security incidents. We do this by ensuring that we have the capability to detect security risks and respond quickly and efficiently if and when such incidents occur.

Our ultimate goal is to prevent any disruption to business activities and reduce the risk of harm to Zoomo’s customers and personnel.

‍

6. Provide assurance to our stakeholders

Here at Zoomo, we constantly work to validate our current security measures to ensure they are functioning effectively and as expected. From our validation efforts, we report on the results to relevant internal and external stakeholders in order to maintain transparency.

‍

7. Manage third-party risks

When engaging third parties, we vet these parties to ensure they can be trusted to protect Zoomo information assets under their care to reduce the risk of compromise of sensitive information.

‍

Measures

Set out below are some of the measures that Zoomo takes to ensure the security of our information. These measures are implemented through various internal policies, standards, guidelines and procedures.

Some of the measures are based upon ISO 27001 Information Security Management System Standard and the Cybersecurity Framework published by the U.S. National Institute of Standards and Technology.

‍

Security Awareness

Our employees and contractors are trained in information security as a part of the onboarding process, as well as receiving appropriate annual updates. Our employees are also equipped with information security policies and procedures at all times to assist them in taking correct security measures.

Zoomo’s information security awareness training and materials are constantly evolving due to the threat environment and being updated with learnings from incidents, security bulletins and phishing campaign results. We use a mixture of delivery methods, including web-based and self-paced delivery, to arm our employees and contractors with the necessary resources.

‍

Human Resources Security

It is Zoomo standard practice to carry out identity checks on our employees and contractors prior to an individual being provided access to Zoomo systems and data.

Any third-parties which are given access to Zoomo systems or data must also either submit to the Zoomo identity check process or provide evidence that identity checks have been carried out for that individual and produced no adverse findings.

We also require our employees and contractors to consent to obligations in respect of information security during the onboarding process. This obligation is ongoing, and employees and contractors are required to comply with information security policies and procedures as they evolve.

Upon termination of their relationship with us, all employees and contractors are made aware that their information security responsibilities and duties remain applicable during and after change of employment.

‍

Asset Management  

Zoomo has published internal guidelines and policies for the acceptable use of our employees’ and contractors’ digital devices.

The systems and platforms enabled on these devices are securely configured as per industry good practices. We also ensure adequate security controls to address risks within these devices.

We keep an accurate record of our employees’ and contractors’ devices to keep across the coverage of our security controls (e.g. anti-malware and patching). We also require a formal Standard Operating Environment configuration process to ensure all devices meet a minimum state of security (e.g. security updates, OS updates, endpoint security installation).

Our IT Acceptable Use and Bring Your Own Device policies mandate the use of the best security practices for all employees' and contractors' endpoint devices.

‍

Identity and Access Management  

To access Zoomo’s systems and information, we have implemented authentication processes, with particular types of authorisation and information types mandating the use of multi-factor authentication.

To begin with, during the onboarding processes we require our users to be properly verified prior to access being granted. Unique user identifiers must be used, with the sharing of these credentials being prohibited.

We also require our users to accept our internal policies applicable to information technology and security before being granted access. Once this is complete, both administrative and user access privileges will only be granted when the user is proven to have an established business requirement and relevant approval.

We require all access to systems and applications to be appropriately authorised. Such authorisation can be revoked, where:

• there have been consecutive unsuccessful login attempts;
• users are offboarded; or
• an access review is undertaken and Zoomo determines that the user no longer requires access.  

‍

Encryption and Key Management

Zoomo requires cryptographic controls to be adhered to at all times. We have a set of approved cryptographic algorithms and protocols which are permitted to be used.

Information in transit and at rest shall follow the following cryptography and algorithm strengths:

• Advanced Encryption Standard (AES) 192 or 256 bits Encryption
• SSL/TLS for Encryption in transit
• Secure Hash Algorithm (SHA) SHA-256 and SHA-512 Hashing/Digital Signing
• RSA HS256/RS256 Key Distribution and Digital Signatures
• Triple Data Encryption Algorithm (3DES) Encryption

We restrict access keys to our systems to only those personnel who have obtained necessary authorisation from IT. This access is monitored and reviewed on a quarterly basis. Access to high value/critical keys is strictly limited to the same extent as the security level that those keys provide.

‍

Physical Security

In terms of our physical sites, we enforce limited access for restricted areas to personnel that have an established access requirement to meet business obligations or carry out their duties. Restrictions apply to the hours of access and security and surveillance measures are in place to protect the premises.

We ensure that IT equipment is stored appropriately on site and locked when not in use. Hard copy documents are secured on site, and any sensitive documents are disposed of using appropriate methods.

‍

Information Classification and Handling

We require our employees and contractors to appropriately classify the items they create and receive. Any such classifications are based upon internal standards, and classified information is reviewed annually to ensure the applied classification is equal to the data it contains.

Depending on the classification, information is handled differently in accordance with internal handling processes.

‍

Secure Deletion and Disposal

We have internal processes in place to ensure our data is deleted, and assets are disposed of, securely.

We utilise different deletion methods depending on the technology. For example, we may use specific solid state drive wiping tools or erase according to the manufacturer’s instructions for storage media.

When disposing of equipment, we ensure to erase all information and restore the devices back to factory settings. We then remove any asset labelling or company specific markings and dispose in accordance with internal recycling/disposal policies.

We also mandate that any data held by a third party must be deleted within 21 days.

‍

Malicious Code

Zoomo enforces strict internal compliance with the installation and enabling of approved anti-malware software on all Zoomo systems and end point devices.

We also employ content filtering mechanisms to detect malicious content from external sources, and implement application whitelist across the organisation.

‍

Backup and Archiving

We implement general full and incremental daily backups in order to secure the information in our possession.

We check these processes regularly and document these checks in backup and archiving logs. The length of time these logs are stored depends on immediate business, legal and regulatory requirements. Access to these backups is restricted and only shared on a need to know basis.

‍

Vulnerability and Patch Management

Zoomo maintains an asset inventory to provide oversight of all systems and applications within the Zoomo environment.

We also have established methods for analysing patches prior to deployment. We review patches on a case by case basis to identify any potential vulnerabilities and proceed accordingly.

‍

Logging and Monitoring

Our security monitoring program includes active scanning of our assets, system logs and responding to security threats.

‍

Network Security

We have general network security requirements that we adhere to in order to keep our information safe. This includes internal requirements for configuration, documentation, authentication and encryption.

At a minimum, we require that all Zoomo devices undergo formal configuration processes to ensure that they meet a minimum state of security. From there, all network infrastructure is built and documented using an industry accepted security baseline. We also regularly test the security of our devices.

‍

Secure Software Development

Zoomo implements a variety of controls to ensure the ongoing security of software environments.

When developing software, security is a top priority and is considered throughout the development lifecycle. Secure coding practices are followed and access to source code is restricted and reviewed on a monthly basis. All Zoomo software is security tested prior to release.

‍

Baseline Hardware Configuration Standard

All of Zoomo’s hardware infrastructure is built and documented based upon industry and vendor-specific best practice guidelines.

To ensure the ongoing security of our hardware, we apply baseline configuration requirements to benchmarks, workstations, mobile devices and servers, as well as to our firewalls and routers.

‍

Third Party Risk Management

When we engage with third party suppliers, we execute legally binding agreements which set out the obligations of each party in respect of Zoomo’s minimum security requirements. We continue to monitor and manage our suppliers throughout the lifecycle of their relationship with Zoomo to minimise security risks.

‍