Information Security and Privacy Statement
BDO Australia (BDO) has an active digital security program in place governed by the following:
- BDO Global’s IT & Digital Security obligations as required by the BDO International Digital Risk Management Manual (DRMM) which requires compliance with a number of technical and governance information security controls.
- BDO’s Information Security Policy and regular assessments against industry standard certifications and/or industry-standard frameworks.
- Regular information security audits of IT services, infrastructure and office locations.
- Digital security is incorporated as an integral component of our risk management programs.
Where necessary to enable us to conduct our business, clients may provide BDO with information relating to an identified or identifiable individual (‘personal data’). BDO is committed to protecting the privacy of personal data.
At BDO, personal data shall not be collected, used or disclosed except in compliance with governing legislation and the main principles of the protection of personal data.
BDO will take appropriate technical and organisational measures designed to protect against misuse and accidental loss or disclosure, and from unauthorised or unlawful processing, destruction or alteration of personal data, and will comply with applicable laws in the event of any personal data breach.
Information Security Policy
BDO’s Information Security Policy has been developed to align with ISO 27000, an internationally-recognised standard for information security.
The responsibility to comply with these standards lies with the BDO National Executive Committee and the relevant executive Committees at each member firm.
Information Security Incidents
BDO’s Incident Response Policy defines how information security incidents are to be managed and reported.
A specially-nominated officer is responsible for reporting security-related incidents and any relevant information security developments.
All employees are requested to sign a confidentiality agreement and are subject to background and police checks before commencing employment with the relevant BDO member firm to maintain the confidentiality of any sensitive client information they may have access to when carrying out their duties.
Employees also agree to an Acceptable Usage Policy (which includes password policies) and undertake regular security awareness programs.
Privileged access to all systems is controlled and monitored.
User access to data and systems is carefully managed and controlled, based on the least privilege principle where applicable.
Data encryption is provided as standard on all staff devices, and enrolment in a specific mobile device management system is mandatory for all mobile platforms and devices that have access to corporate systems and data.
For sensitive data, file transfers are conducted via secure means, an appropriate levels of security are applied when exchanging information.