Information Security and Privacy Statement
Introduction
BDO Australia (BDO) has an active digital security program governed by the following:
- BDO Global’s IT & Digital Security obligations, as set out in the BDO International Digital Risk Management Manual (DRMM), which requires compliance with a defined set of technical and governance information security controls.
- BDO’s Information Security Policy and regular assessments against industry-standard certifications and/or industry-standard frameworks.
- Regular information security audits of IT services, infrastructure and office locations.
- Incorporation of digital security as an integral component of our risk management programs.
Privacy
Where necessary to enable us to conduct our business, clients may provide BDO with information relating to an identified or identifiable individual (‘personal data’). BDO is committed to protecting the privacy of personal data.
At BDO, personal data shall not be collected, used or disclosed except in compliance with governing legislation and the core principles of personal data protection.
BDO will take appropriate technical and organisational measures designed to protect personal data against misuse, accidental loss or disclosure, and unauthorised or unlawful processing, destruction or alteration, and will comply with applicable laws in the event of any personal data breach.
Information Security
Confidentiality
Before commencing employment with the relevant BDO member firm, all employees are requested to sign a confidentiality agreement and are subject to background and police checks, so that the confidentiality of any sensitive client information they access when carrying out their duties is maintained.
Roles and Responsibilities
BDO’s Board and Executive Leadership Team own information security as defined by BDO’s Information Security Policy. Information Security reporting is provided to the Risk Management Committee, IT Governance Committee, and Board regularly. Information security responsibilities are assigned in accordance with the document Information Security Roles and Responsibilities Plan.
Policy Framework
BDO maintains security-related policies and standards. Policies and standards are reviewed in accordance with the review cycle or any significant change to our environment.
Incident Management
BDO has established an Incident Response Plan, supported by an Incident Response Procedure and Playbooks that describe the processes and escalation procedures to follow during an incident.
Incident response artefacts are reviewed and updated annually. More frequent reviews and updates may be conducted if there are material changes to BDO’s environment or should improvement opportunities be discovered during incident response exercises.
A specially nominated officer is responsible for reporting security-related incidents and any relevant information security developments.
Testing Control Effectiveness
We conduct regular audit and assurance activities to ensure continuous improvement of our security controls and security posture. Audit and assurance activities are reported to the Board, IT Governance Committee, and the Risk Management Committee.
Audit, assurance and assessment activities are conducted by appropriately skilled personnel in alignment with BDO’s ISMS Assurance Plan.