Cyber Security
Our Commitment to Cyber Security
Security Posture Overview
At Pacific Detectors, the security and privacy of our clients’ data — including sensitive government information — is a foundational business priority. We operate across New Zealand and Australia and maintain a comprehensive Cyber Security Policy (CSP) aligned with the regulatory requirements and security standards of both jurisdictions. Our approach is governed by a “Security by Design” philosophy, meaning security is embedded into every aspect of our operations, not treated as an afterthought.
Regulatory & Standards Compliance
Our security practices are governed by and aligned with the following legislative and standards frameworks:
· New Zealand Privacy Act 2020 and the New Zealand Information Security Manual (NZISM)
· Australian Privacy Act 1988 and the Australian Government Information Security Manual (ISM)
· ACSC Essential Eight (Maturity Level 2) — Australia
· Protective Security Requirements (PSR) — New Zealand
· Australian Protective Security Policy Framework (PSPF)
· Australian Cyber Security Act 2024
· NZ Public Records Act 2005 and Australian Archives Act 1983 (data retention)
· Australian Smart Device Security Rules 2025 (IoT devices)
Data Privacy & Information Management
All information is classified under a four-tier framework — from Unclassified/Public through to Restricted/In-Confidence — ensuring that the highest levels of protection are applied to government and personally identifiable data. We uphold data minimisation principles, collecting only what is necessary, and apply robust encryption to all Sensitive and Restricted data both at rest and in transit.
Cross-border data transfers comply with Australian APP 8 and New Zealand IPP 12 requirements. Data is retained only for the periods mandated by applicable legislation, and secure disposal protocols — including cryptographic wiping and certified physical destruction — are strictly enforced. We also recognise Māori Data Sovereignty, applying principles of Kaitiakitanga to data concerning Māori individuals and interests.
Identity & Access Management
Access to all company systems is governed by the Principle of Least Privilege. Multi-Factor Authentication (MFA) is mandatory across all platforms, with phishing-resistant methods (FIDO2 security keys and authenticator apps) prioritised in alignment with ACSC Essential Eight Maturity Level 2 and New Zealand PSR/NZISM requirements. Passphrase standards, Single Sign-On (SSO) where available, and a dedicated password management solution further reduce the risk of credential compromise.
Access rights are reviewed every six months. When a staff member departs, all of their system access is revoked within four hours — a standard aligned with Tier 1 government expectations.
Network & Communication Security
Our network infrastructure is logically segmented to isolate corporate systems, warehouse/IoT devices, and guest access. All office and warehouse Wi-Fi operates on WPA3 encryption in alignment with Australian ISM and NZISM requirements. Remote access requires an approved VPN with split tunnelling disabled, ensuring all traffic is inspected and encrypted. A dedicated VPN IP address is used for Tier 1 government portal access.
E-commerce platforms are secured with a minimum of TLS 1.2 (TLS 1.3 where available), and all system integrations use OAuth 2.0 with least-privilege scopes. End-to-end encryption is required for all communications involving sensitive commercial or government information.
Supply Chain & Third-Party Risk
Before engaging any third-party provider that handles company or client data, we conduct formal Security Due Diligence. We prioritise vendors holding ISO 27001, SOC 2 Type II, or IRAP (Australia) certifications. Critical vendors are reviewed annually, and our contracts include provisions for data security, audit rights, and clear disposal procedures.
We utilise the NZ Cloud Risk Discovery Tool and the Australian IRAP framework to assess cloud service providers, and we maintain awareness of software supply chain risks — including open-source components and Software Bills of Materials — in accordance with ACSC and NCSC guidance.
Physical & Environmental Security
Our premises in New Zealand and Australia are structured across three security zones, consistent with the Australian PSPF and New Zealand PSR. Electronic security systems comply with AS/NZS 2201 (intruder alarms) and AS/NZS 62676 (CCTV). Access to restricted areas requires a second authentication factor, and all visitor access is logged and escorted.
Hardware is sourced only from authorised ANZ resellers, subject to annual asset stocktakes, and cryptographically wiped or physically destroyed prior to decommissioning.
Personnel Security & Training
All personnel complete a cyber security induction within 48 hours of joining and participate in mandatory six-monthly refresher training. Unannounced phishing simulations are conducted twice yearly. Background checks — including criminal record and credit checks — are required for all staff prior to system access being granted.
Staff engaged on Tier 1 government contracts may hold New Zealand National Security Clearances (administered by the NZSIS) or Australian AGSVA clearances as required.
Incident Response & Business Continuity
We maintain a structured Incident Response process with defined severity tiers, a dedicated Incident Response Team, and a Contain–Eradicate–Recover methodology. Mandatory breach reporting obligations are met in accordance with both the New Zealand NCSC and the Australian ASD/ACSC frameworks, including the Notifiable Data Breaches scheme. Privacy Commissioners are notified within the required timeframes where personal data is involved.
Our backup strategy follows the 3-2-1-1 rule — three copies, two media types, one off-site, one immutable offline — with restoration integrity tested every six months. A documented Business Continuity Plan ensures minimum viable operations can be maintained in the event of a significant disruption.
This overview is a summary of our Cyber Security Policy. Full policy documentation, including our Privacy Policy, Acceptable Use Policy and Business Continuity Plan, is available to authorised clients and government partners upon request.