Frequently Asked Questions

Yes.

We maintain documented infrastructure standards and baseline configurations for:

• Cloud environments
• Operating systems
• Identity and access management
• Network configurations
• Logging and monitoring settings

Infrastructure is provisioned using Infrastructure-as-Code (IaC) where possible to ensure consistent, repeatable configurations aligned to our security standards.

Security issues can be reported via our Jira Service Management Desk or incidents@obietech.com.au

Reports are triaged according to severity under our documented Incident Response Plan. We acknowledge receipt promptly and provide updates aligned with incident severity.

Yes.

Regular reviews of the Rules and subscribed to all Data Standards Newsletters. Work closely with ADR's in the industry to confirm rule interpretation. Professional relationship with RSM, one of the leading advisors on CDR implementations.

Governance & Policy:

• A dedicated Security Officer is accountable for oversight of CDR and client data security.
• A documented CDR Information Security Policy and risk management framework, reviewed annually.

Data Protection:

• Encryption of all Client and CDR-related data in transit and at rest.
• Strict data minimisation and segregation practices.

Access Management:

• Role-based access controls and least-privilege principles.
• Multi-factor authentication for all administrative and privileged accounts.
• Regular access reviews and logging of all privileged activity.

Monitoring & Assurance:

• Centralised event logging and monitoring with alerts for anomalous activity.
• Regular penetration testing, vulnerability scanning, and annual independent security audits.
• Incident response and breach notification processes aligned with OAIC/ACCC and client requirements.

Third-Party Controls:

• Supplier due diligence and contractual security requirements for any service providers with potential access to Client data.

Yes.

All sensitive data stored within ObieTech-managed environments is encrypted at rest using industry-standard encryption (e.g., AES-256 via cloud provider-managed encryption services).

Where solutions are deployed within client-owned cloud environments, encryption is implemented in accordance with the client’s security baseline requirements.

• Encryption enabled by default
• Key management via cloud-native KMS
• Access to keys restricted by least privilege
• Configuration reviewed during infrastructure deployment.

Yes. Security incidents are managed according to severity-based SLAs defined in our Incident Response Policy and, where applicable, customer agreements.

Typical response targets:

• Critical severity: Immediate triage, continuous response until containment
• High severity: Same business day response
• Medium/Low severity: Defined remediation timelines based on risk impact.

Post-incident reviews are conducted for material incidents.

We maintain formal policies addressing:

• Anti-discrimination
• Equal opportunity
• Workplace conduct
• Grievance handling procedures

Employees may raise concerns confidentially through management or designated reporting channels. Complaints are investigated in accordance with documented procedures and Australian workplace law.

Serious matters may be escalated to external advisors where appropriate.

No.

We currently have no third party suppliers other than AWS.