Security is how we protect the trust you place in us
Noice runs a documented cyber security program, governed at director level, aligned to ISO/IEC 27001 and the ACSC Essential Eight, and built to support the Victorian Protective Data Security Standards. This page summarises how we protect client and departmental data. Our policies and audit evidence are available to clients on request.
A program, not a poster.
Our security program is structured around governance, risk management, technical controls, monitoring, awareness, incident response, and continuous improvement. The director is accountable as our security lead, with quarterly reviews of risk, incidents, and compliance, and an annual review of every policy.
We hold ourselves to recognised standards. The program is aligned to ISO/IEC 27001 and the ACSC Essential Eight, and built to support the Victorian Protective Data Security Standards. We complete third-party security assessments such as the ISSRA questionnaire, and pursue formal certification in step with client and contractual requirements.
The controls behind the posture.
Access and identity
Multi-factor authentication and least-privilege, need-to-know access on sensitive systems. Federated single sign-on is supported where it reduces credential sprawl.
Encryption
Client and departmental data is encrypted in transit (TLS 1.2+) and at rest (AES-256), governed by a documented encryption policy.
Patch and vulnerability
Secure standard operating environments, regular vulnerability scanning, and critical patches applied within 48 hours.
Network security
Firewalls, intrusion detection and prevention, and network segmentation protect the environments we operate.
Monitoring and resilience
Centralised logging and alerting tied to a documented incident response plan, with daily backups and quarterly restoration tests behind a tested business continuity plan.
People and third parties
Mandatory induction and annual security training with phishing simulations, and subcontractors assessed for security maturity and bound to our standards by contract.
Sixteen policies, reviewed annually.
Our program is documented across the domains below. The full policies are commercial in confidence; we share them with clients and assessors on request.
- 01 Information Security
- 02 Information Risk Management
- 03 Access Management
- 04 Encryption
- 05 Patch & Vulnerability Management
- 06 Network Security
- 07 Secure Configuration & SOE
- 08 Audit & Logging
- 09 Data Handling & Classification
- 10 Asset Management
- 11 Email & Web Security
- 12 Physical Security
- 13 Acceptable Use
- 14 Awareness & Training
- 15 Third-Party & Subcontractor Security
- 16 Compliance & Audit
Evidence on request
Clients and assessors can request our policies, risk register summary, access and backup records, and incident reports as part of due diligence or an ISSRA-style assessment.
Independent assurance
We commission penetration tests and reviews, and where a managed security operations centre is required we arrange it with a trusted partner under a clear SLA.
Reporting a concern
Found a security issue with one of our sites or services? Email [email protected] and we will route it to our security lead promptly.
Running a procurement or security review?
We are happy to complete your security questionnaire and share the evidence behind this page. Tell us what you need.