AI-Integrated Reporting: This content is generated from our live system configurations and policies to ensure transparency. While our team reviews all data for accuracy, please note that AI-generated summaries may occasionally vary from exact technical implementations.
Overview
Savant Private employs a defence-in-depth strategy to protect client data. This portal outlines the specific technical controls, governance structures, and operational practices we maintain to safeguard information.
Our security architecture aligns with the Australian Cyber Security Centre's Essential Eight maturity model. We enforce comprehensive protections across identity, endpoints, application control, and data handling to mitigate modern cyber threats.
For specific enquiries regarding our security posture, please contact security@savantprivate.com.au.
Incident Response Guides
Step-by-step guidance for data breaches, compromised email accounts, and financial fraud
Last reviewed March 2026
Multi-Factor Authentication
Access to company systems requires phishing-resistant multi-factor authentication, including support for FIDO2 hardware security keys. This mitigates credential theft and advanced attacks such as adversary-in-the-middle phishing.
Single Sign-On
A centralised identity provider manages authentication across all business applications, enforcing consistent security policies and eliminating password fatigue.
Conditional Access
Authentication requests are evaluated against real-time risk policies. Access is granted only when device compliance, user risk level, and location signals meet security requirements.
Privileged Access Management
Administrative privileges are restricted to dedicated accounts. Role-based access control (RBAC) ensures least-privilege access, and all administrative actions are logged and audited.
Break-Glass Procedures
Emergency access accounts are secured physically and logically. Activation triggers immediate high-priority alerts to executive leadership and security personnel.
Account Lifecycle
Automated provisioning and deprovisioning workflows ensure access is revoked immediately upon role change or departure.
Disk Encryption
Full-disk encryption (BitLocker) is enforced on all endpoints to protect data at rest. Recovery keys are escrowed securely in Microsoft Entra ID.
Endpoint Detection & Response
Enterprise EDR provides real-time behavioural analysis and automated threat containment. Security teams monitor alerts to investigate and remediate potential incidents.
Mobile Device Management
All corporate devices are enrolled in Mobile Device Management (MDM) to enforce security configurations and enable remote wipe capabilities.
Operating System Patching
Critical operating system updates are deployed automatically. Compliance policies block devices from accessing corporate resources if they fall behind on security updates.
Application Patching
Third-party applications are managed and updated centrally. Vulnerability scanning identifies and remediates outdated software.
Device Compliance
Conditional access policies require devices to meet health standards—including encryption status, firewall configuration, and OS version—before granting access.
Application Allowlisting
Execution of unauthorised software is blocked. Only approved applications and publishers are permitted to run on corporate endpoints.
Macro Restrictions
Microsoft Office macros are disabled by default. Execution is permitted only for signed macros from trusted locations where strictly necessary.
Script Control
PowerShell and other scripting environments are restricted to prevent fileless malware and unauthorised administrative actions.
User Application Hardening
Web browsers and PDF viewers are hardened to block malicious code execution. Unnecessary plugins and extensions are disabled.
Software Installation Control
Standard user accounts do not have local administrator privileges, preventing unauthorised software installation and system modification.
Encryption at Rest
Data is encrypted at rest using industry-standard algorithms across endpoints, servers, and cloud storage repositories.
Encryption in Transit
Network communications are secured using TLS 1.2 or higher. We enforce HTTPS and disable weak ciphers.
Data Loss Prevention
DLP policies identify and prevent the transmission of sensitive information such as PII and financial data outside the organisation.
Backup Strategy
Immutable backups of critical data are maintained across geographically resilient locations to protect against ransomware and data loss.
Backup Testing
Restoration procedures are tested regularly to verify data integrity and recovery time objectives (RTO).
Data Residency
Client data is stored within Australian data centres to ensure compliance with local privacy regulations and data sovereignty requirements.
Anti-Phishing Protection
Advanced threat protection filters incoming email for phishing, impersonation, and malware. Machine learning models analyse sender reputation and content in real time.
Domain Authentication
We enforce DMARC, SPF, and DKIM alignment on all sending domains to prevent spoofing and ensure message integrity.
Brand Verification
Brand Indicators for Message Identification (BIMI) are implemented to display our verified logo in supported email clients, authenticating our communications.
Safe Attachments
Attachments are detonated in a secure sandbox environment to identify malicious behaviour before delivery to the recipient.
Safe Links
Time-of-click verification scans links in emails and office documents when accessed. This protects against malicious sites that cloak themselves during initial delivery.
Impersonation Protection
User and domain impersonation intelligence detects and blocks targeted business email compromise (BEC) attacks.
Firewall Protection
Next-generation firewalls inspect traffic at the application layer, blocking intrusions and enforcing granular access policies.
DNS Security
DNSSEC is enabled to validate DNS responses. Recursive DNS filtering blocks connections to known malicious domains and command-and-control infrastructure.
Web Content Filtering
Secure Web Gateways (SWG) enforce acceptable use policies and protect users from web-based threats, phishing sites, and malvertising.
Cloud Security
Cloud resources are hardened according to CIS Benchmarks. CSPM (Cloud Security Posture Management) tools continuously monitor for misconfigurations.
Secure Remote Access
Zero Trust Network Access (ZTNA) principles govern remote connections, validating identity and device health before permitting access to specific resources.
Australian Data Centres
Primary cloud infrastructure is hosted in Australian regions to ensure data sovereignty and optimal performance.
Security Logging
Centralised log ingestion consolidates telemetry from identity, endpoint, and cloud systems for correlation and analysis.
Threat Detection
Automated investigation and response capabilities identify suspicious patterns such as impossible travel or unusual volume.
Security Alerting
Security alerts from identity, endpoint, and cloud services are centralised in the Microsoft 365 Defender portal for correlation and review.
Incident Alerting
High-fidelity alerts for critical events—such as break-glass account usage or privilege escalation—notify security stakeholders immediately.
Audit Trails
Immutable audit logs record administrative actions and configuration changes to support forensic investigation and compliance requirements.
Incident Response
Formal incident response plans are tested regularly. Retained external incident response partners are available for escalation and forensic support.
Security Training
Staff complete mandatory security awareness training upon onboarding and annually thereafter. Monthly micro-training modules reinforce key concepts.
Phishing Simulations
Regular phishing simulations test resilience against social engineering. Results inform targeted training interventions.
Facility Security
Access to physical offices is controlled via electronic access systems. Video surveillance monitors entry points and critical areas.
Offshore Office Security
International operations enforce enhanced controls including biometric access, clean desk policies, and strict prohibitions on personal devices in secure zones.
Removable Media Controls
Mass storage devices are blocked by default. Exceptions require specific approval and are subject to activity logging.
Personnel Processes
Background checks are conducted for all staff. Exit procedures ensure immediate revocation of physical and digital access upon termination.
Essential Eight
We align with the ACSC Essential Eight Maturity Model to mitigate the most prevalent cyber security threats facing Australian organisations.
Security Posture
Our security posture is evaluated continuously against industry benchmarks. We maintain a Secure Score significantly above the industry average.
Vendor Assessment
Third-party risk management processes evaluate vendors based on data sensitivity and operational criticality. High-risk vendors undergo rigorous security reviews.
Cyber Insurance
Comprehensive cyber liability insurance covers first-party and third-party costs, including incident response, legal counsel, and notification expenses.
Continuous Improvement
We regularly review and implement security recommendations from vendors, threat intelligence feeds, and external audits.
Documentation
Information security policies are formally documented, approved by leadership, and communicated to all personnel.