Our Camms Trust methodology takes input from each of our customers’ security requirements and industry best practices to arrive at a framework unique to us and our environment.
Camms maintains ISO 27001 certification, an independent validation that we take information processes and services seriously, underpinned by our partnership with third-party suppliers and our clients to maintain data security.
Trust begins with transparency. Beginning with a foundation of trust is an important building block for us. Here you’ll learn how extensively our framework can support you. Let’s get you connected to the security, reliability, privacy, and compliance of our products and services.
Camms implements the ISO/IEC 27001:2013 standard as the framework for our Information Security Management System (ISMS), creating a systematic approach to managing information and ensuring security. This includes ongoing mitigation actions, qualitative and quantitative assessment of risk, monitoring of existing controls, and tracking, investigating and reporting on incidents and events. We employ rigorous security measures at the organizational, operational and architectural levels to continually ensure that your data, application and infrastructure remain safe.
Access to the live environment’s infrastructure is granted only to our IT administrator users, who are authenticated through a secure server using the latest security communication methodologies.
Our support teams will only access customer data when necessary to resolve an open ticket. Our global support team has access to our cloud-based systems and applications to facilitate maintenance and support processes.
Hosted applications and data are only able to be accessed for the purpose of application health monitoring and performing system or application maintenance, and upon customer request via our support system.
Access reviews of in-scope systems are performed quarterly to ensure that administrative access to product systems is limited and based on appropriate roles and responsibilities. Reviews are completed and results are approved by an Information Security Analyst and the Chief Information Security Officer.
Camms comes equipped with meticulous operating policies and procedures designed to manage the overall quality and integrity of the Camms environment. This includes implementing proactive security processes, such as perimeter defense.
Camms employees undergo a comprehensive training on information security and data privacy before coming on-board, followed by continued training as a refresher. We proudly count on our very own training solution, Camms College, to deliver the required training through questionnaires reinforcing understanding and practical applications on information security and data privacy.
Incidents will happen, but our speed and efficiency in response will keep the impact as low as possible. The security team at Atlassian aggregates information from various sources in the hosting infrastructure and monitors for any suspicious activity. Our internal processes define how these alerts are triaged, investigated further, and escalated appropriately. Our customers and the wider community are encouraged to report suspected security incidents through Camms Support. In the event of a serious security incident, Camms has access to the expertise internally – and through external subject matter experts – to investigate incidents and drive them until closure.
Camms’ formal Change Management Policy and Procedures mitigate unauthorized changes occurring in production systems. These address the production infrastructure and software development lifecycle and include change requests, approvals, and standard change implementation procedures guiding employees through the implementation of commonly applied changes.
Camms employees are given access to and review our Acceptable Usage Policy document, after which an acknowledgement form is signed. This includes an agreement with Camms to abide by the policy when using Camms owned information assets.
The Camms product’s infrastructure is hosted and managed on Microsoft Azure and runs in datacenters managed and operated by Microsoft. These datacenters comply with key industry standards, such as ISO/IEC 27001:2013 and NIST SP 800-53, for security and reliability. To avoid the risk of single infrastructure site failure, backups are stored in a secondary datacenter by Microsoft on a separate site.
Software development staff perform source code reviews and security, functional and performance testing on all major application changes prior to deployment to the live environment. Camms quality assurance staff who perform these tests do so independently of the original developer. Development and testing activities are carried out in an environment logically separate from the live environments, to ensure that changes made to the testing environment have no impact on the live environment.
Your confidential data is protected and encrypted in transit over a Transport Layer Security (TLS) connection. Web server authenticity is verified with certificates issued by RapidSSL, signed using SHA-256 with 2048-bit RSA keys, ensuring that all web data packets are exchanged only with authorized parties. All CAMMS Solutions enforce web access via HTTPS. Encryption at rest is enabled by default for both Azure VM instances and backup services, using AES-256.
Camms solutions are deployed in both multi-tenant and single-tenant environments. A single-tenant environment hosts only that cloud client’s tenants, whereas a multi-tenant environment hosts multiple clients. In the multi-tenant environment, customer data is logically separated through strict coding standards, and each client’s data is stored in a separate database. A unique customer identifier is included in each record of data within the solution, and users are authenticated to their respective database. Role-based permissions allow CAMMS Solutions to segregate access to the data through the application as well.
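As an added illustration of the tenant-separation design described above (this is example code written for this page, not Camms’ own implementation), the following Python sketch binds the customer identifier to the authenticated session at login, filters every record access by that identifier, and layers a role-based permission check on top. The table, roles and sample users are constructed for the example.

```python
import sqlite3
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    """Authenticated principal. The tenant id is fixed at login and is never
    taken from request parameters, so a caller cannot switch tenants by
    editing an identifier in a URL or form."""
    user: str
    tenant_id: str
    role: str


# Constructed role model: viewers read, editors read and write.
ROLE_PERMISSIONS = {"viewer": {"read"}, "editor": {"read", "write"}}


class TenantScopedRepo:
    """Every query is scoped by the session's tenant id, so a record that
    belongs to another customer is indistinguishable from a missing one."""

    def __init__(self, conn):
        self.conn = conn
        self.conn.execute(
            "CREATE TABLE IF NOT EXISTS records ("
            "id INTEGER PRIMARY KEY, tenant_id TEXT NOT NULL, body TEXT)")

    def _authorize(self, session, action):
        if action not in ROLE_PERMISSIONS.get(session.role, set()):
            raise PermissionError(f"{session.user} may not {action}")

    def create(self, session, body):
        self._authorize(session, "write")
        # The tenant id is stamped from the session, not supplied by the caller.
        cur = self.conn.execute(
            "INSERT INTO records (tenant_id, body) VALUES (?, ?)",
            (session.tenant_id, body))
        return cur.lastrowid

    def get(self, session, record_id):
        self._authorize(session, "read")
        row = self.conn.execute(
            "SELECT body FROM records WHERE id = ? AND tenant_id = ?",
            (record_id, session.tenant_id)).fetchone()
        return None if row is None else row[0]


def demo():
    """Constructed scenario: two tenants, one viewer; returns the outcomes."""
    repo = TenantScopedRepo(sqlite3.connect(":memory:"))
    alice = Session("alice", "tenant-a", "editor")
    bob = Session("bob", "tenant-b", "editor")
    carol = Session("carol", "tenant-a", "viewer")
    rid = repo.create(alice, "tenant A risk register")
    out = {"owner_reads": repo.get(alice, rid),
           "other_tenant_reads": repo.get(bob, rid),   # None: filtered out
           "viewer_reads": repo.get(carol, rid)}
    try:
        repo.create(carol, "edit attempt")
        out["viewer_write"] = "allowed"
    except PermissionError:
        out["viewer_write"] = "denied"
    return out
```

Running `demo()` shows the cross-tenant read returning `None` rather than an error, which avoids confirming that the record exists at all.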
Camms offers several options for authentication to our solutions including:
Cloud Hosted Environments (Private and Public Cloud):
Camms solutions allow you to restrict content for certain users, with permission to view or edit based on the assigned roles. All user roles and permissions are managed in the staff management section of the application.
CAMMS follows secure development guidelines with the OWASP Top 10 and CWE/SANS Top 25 taken into consideration. In the development life cycle, Camms uses a Static Application Security Testing (SAST) tool that scans the codebase against the OWASP Top 10 and CWE/SANS Top 25. Vulnerability assessments are performed monthly using Dynamic Application Security Testing (DAST) with tools such as Burp Suite and Nessus. Additionally, Camms performs manual penetration tests annually. Internal processes are in place to review any reported vulnerabilities and act on them.
Camms has adopted a layered approach to network access, with controls at each layer of our solutions.
We implement controls at each layer of our solution portfolio, dividing our infrastructure by zones, environments, and services. Zone restrictions include limiting office, data center and platform network traffic. Environment separation segregates production and development connectivity. Services must be explicitly authorized to communicate with other services through an authentication whitelist.
We control access to our sensitive networks in various ways, via routing, firewall rules and software-defined networking.
Staff connectivity leverages various protection protocols including device certificates, multi-factor authentication, and use of proxies for sensitive network access. Access to customer data requires explicit review and approval.
Threat modeling is used to ensure we are designing the right controls for the threats we face. During the product planning and design phase, Camms uses threat modeling to understand the specific security risks associated with a product or feature. Threats are identified and prioritized, and that information feeds controls into the design process and supports targeted review and testing in later phases of development. We use the Microsoft Threat Modeling Tool and the STRIDE framework. STRIDE is an acronym for a common set of security concerns: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege.
By threat modeling early and often, we ensure that relevant security configuration and controls are designed to mitigate the threats specific to each product or feature we develop.
Camms clients run business critical projects and operations on Camms products, which is why we are committed to delivering products, applications and services that are stable and secure.
We choose our cloud hosting provider to give our customers elastic scalability, multi-layer redundancy and reliability, so that the platform scales with your organization’s needs.
Camms has 99.99% uptime across our primary and failover servers. Any interruption to the access and availability of these servers immediately activates the Camms Business Continuity Plan.
Our commitment to maintaining strong Business Continuity (BC) and Disaster Recovery (DR), ensures minimal effect to our customers in case of any disruption to our operations. Our Disaster Recovery Program consists of a few key practices to ensure the appropriate levels of governance, oversight, and testing:
Leadership involvement is a key part of our DR Program, which allows us to have both business and technical drivers accounted for in our strategy for resilience. Furthermore, Camms emphasizes continual improvement throughout the DR Program.
Our disciplined approach to governance, risk and compliance when monitoring and managing our DR program enables us to operate more efficiently and effectively, remediating key activities within our DR program.
As part of our DR lifecycle, Camms conducts regular testing and strives for continual improvement to ensure that your data, and your use of it, is highly available and performant. Backup and restore procedures are tested on a regular basis, so that when data needs to be restored, our professionally trained support staff are fully prepared to get you up and running.
Support and activities covered by Customer Care include:
Support and activities not covered by Customer Care include:
Camms continuously looks for ways to improve product and infrastructure performance by monitoring key performance metrics, such as load times and search responsiveness. We have continually reduced latency for customers located around the globe by enabling hosting closer to the customer’s region.
Data privacy regulations are complex and vary from country to country, imposing stringent requirements. When choosing an application, select one that can comply with your data protection obligations and protect the privacy of your data. With Camms, you gain leading privacy functionality and practices that enable you to meet your privacy obligations.
Customers can understand and validate the privacy and compliance requirements of their organization, via the compliance and legal teams offered by Camms.
Protecting our customers’ data is of paramount importance to us, which is why Camms does not transfer personal information to third parties. Our solutions minimize the collection of personal data when identifying and authenticating users, and when administering new users into our products.
Access to customer data stored within applications is restricted on a ‘need to access’ basis.
Within our SaaS platform, we treat all customer data as equally sensitive and have implemented stringent controls governing this data. Awareness training is provided to our internal employees and contractors during the on-boarding / induction process which covers the importance of and best practices for handling customer data.
Within Camms, only authorized employees have access to customer data stored within our applications.
Unauthorized or inappropriate access to customer data is treated as a security incident and managed through our incident management process. This process includes instructions to notify affected customers if a breach of policy is observed.
Physical access to our data centers, where customer data is hosted, is limited to authorized personnel only, with access verified using biometric measures. Physical security measures for our data centers include on-premise security guards, closed-circuit video monitoring, mantraps, and additional intrusion protection measures.
Camms remains committed to global privacy standards, as shown by our dedication to programs such as GDPR and the Australian Privacy Act.
The General Data Protection Regulation (GDPR), a European Union (EU) regulation, repeals and replaces Data Protection Directive 95/46/EC, as well as Member States implementing legislation. The GDPR applies to companies in the EU as well as all companies that process or store the personal data of EU citizens, regardless of their location.
Camms has comprehensively evaluated GDPR requirements and implemented numerous privacy and security practices to ensure compliance with the GDPR. These include:
Internal reviews and independent legal counsel have confirmed that our various policies, procedures and implemented controls meet GDPR regulations. These initiatives include:
Camms has conducted comprehensive evaluations of the requirements and implemented numerous privacy and security practices to ensure compliance with the Australian Privacy Act. These include:
Camms fully complies with all legal and regulatory requirements in the location of hosting. Associated with this is the Camms data breach policy, which defines the Camms response to an eligible data breach. This has a number of process-driven steps to identify, investigate and rectify any data breach. In addition, Camms notifies customers of any data breach on its cloud infrastructure, regardless of size and scale, even if the breach does not impact the data of that customer.
In an environment of increasingly complex security threats, technology leaders are charged with securing and protecting the customer, employee, and intellectual property data of their companies. Companies must also comply with all applicable laws, including those related to data privacy and transmission of personal data, even when a service provider holds and processes a company’s data on its behalf. Our formal and comprehensive security program is designed to ensure the security, confidentiality, integrity and availability of customer data, while protecting them against security threats or data breaches and prevent unauthorized access to customer data.
To help your compliance and legal teams understand and validate the compliance requirements for your organization, below are the compliance resources, standards and frameworks that are used by Camms and our third parties:
ISO/IEC 27001:2013 is a globally recognized, standards-based approach to security that outlines requirements for an organization’s Information Security Management System (ISMS). Camms undergoes multiple ISO/IEC 27001:2013 audits annually, which include internal audits by qualified and experienced auditors and external audits by the certification body, to assure customers that our security controls are designed and operating effectively. Camms was awarded ISO27001:2013 certification.
Camms has established an ISO/IEC 27001:2013 accreditation plan, to support achieving compliance with the standard.
Camms has undergone IRAP Assessments and is experienced in the processes that are required to meet customer requirements as they relate to IRAP Compliance.
All client application environments run on Azure public cloud, which holds SOC 1, 2 and 3 attestations, ISO27001, ISO9001, CIS Benchmarks, ISO27018, ISO27017, ISO22301, ISO20000, and CSA STAR Attestation, Certification and Self-Assessment. Cyber Essentials and IASME are currently in the implementation stage.
The UK Government’s Cyber Essentials Scheme focuses on the five most important technical security controls, while the IASME standard is risk-based and includes holistic aspects such as physical security, staff awareness, and data backup. Certification against both indicates a good level of all-round information security. The IASME assessment process includes the Cyber Essentials element, so a company can be accredited to both standards with just one self-assessment.