Security statement
Introduction
→ About us
simplylogical.net (SL, we, our) is the registered business name of Sharrowlane Pty Ltd (ABN: 84 099 636 709, ACN: 099 636 709), operating from Ngunnawal Country – Unit 11, Level 3, 161 London Circuit, Canberra City ACT 2601.
SL is a small, privately owned business that owns, develops, and manages 360 – Evaluation & Reporting Software and other software products (our software) that are licensed to our customers as software as a service (SaaS). SL also develops and manages SaaS products that are owned by third parties.
→ Purpose of this statement
We are committed to providing quality services with confidence, value, and integrity. As such, we are committed to:
- Ensuring our software is safe to use and the information we manage is protected at all times
- Implementing and complying with the Australian Cyber Security Centre’s (ACSC) best practices
- Helping our customers meet their cyber security obligations
This statement outlines our ongoing obligations to our software users with respect to cyber security and protecting the information entrusted to us.
This is our public statement of commitment regarding protecting the information within our software.
This statement is not to be confused with our customers’ information security statements and obligations.
Our approach to security
SL is providing services to government at all levels. We are a small business providing a niche product. Our culture and our standards must satisfy our customers’ needs for information security, transparency, and factual dealings.
→ Our culture
Information security management permeates nearly every aspect of our business. From the people we hire and the suppliers we engage, to the place we work and the equipment we use, to the work we do and the way we do it, security is incorporated deep into our day-to-day activities.
→ Our standards
Our core standard is to ensure information security officers of Commonwealth government agencies are satisfied that our software is safe to use for procurement activities.
We meet this standard by:
- Using an Australian Signals Directorate (ASD) approved Cloud Service Provider (CSP) to host our software.
- Using Platform as a Service (PaaS) services.
- Applying the Essential Eight maturity model recommendations as published by the ACSC for both our published software and our internal software and systems.
- Having our software independently tested for security vulnerabilities – including allowing our Commonwealth government customers to penetration test our software themselves in accordance with our Vulnerability disclosure policy.
- Ensuring our staff are well trained, trustworthy, suitably qualified, AGSVA cleared, and adequately supported to work with trusted information.
- Ensuring our monitoring and incident response systems are ready and regularly reviewed.
- Ensuring our office and office equipment are secure.
→ Our risk assessment
Our software facilitates best-practice procurement activities – e.g. requests for tender.
The system contains:
- Requests for tender within their various stages: in preparation, open for responses, being evaluated, and finalised.
- Business details including staff contact details
- Tenders and contract details
Tender and contract data is usually OFFICIAL: Sensitive in nature. However, some tenderers may enter details of a highly sensitive nature (i.e., PROTECTED information).
The risks associated with information being lost, destroyed, damaged, compromised or misused are:
- Probity leak: unauthorised access to the details of a request for tender that potentially gives a business an unfair advantage when a tender is issued, thus compromising and potentially invalidating a procurement activity, as well as potentially having further impacts on the commercial practices of any business(es) whose commercial-in-confidence information is compromised.
- Industrial espionage: unauthorised access to commercial-in-confidence information that a business has entered into the Software trusting that it will be made available to the evaluation team alone, only for the purposes of the procurement activity.
- Privacy breach: unauthorised access to business and personnel contact details intended only for access and use in line with the terms and conditions for use of the software.
- Data corruption: an external ‘hacker’ or authorised users not protecting their login credentials, leading to, for example, manipulation of evaluation scores or other aspects of a procurement activity, to alter an outcome.
How we secure our systems
Based on our risk assessment, we have adopted security practices suitable for the receipt and storage of information with OFFICIAL, OFFICIAL: Sensitive, and PROTECTED classifications. Our software is not to be used for information of higher classifications.
→ Carefully selected technologies and responsibilities
We run lean, highly efficient systems that reduce human error and critical points of failure.
For example, we use:
- PaaS systems that our CSP ensures are always up to date
- Geo-redundant back-up systems managed by our CSP
- Gateways with built-in security controls managed and monitored by both us and our CSP
- An end-to-end application development framework that accelerates development, improves product performance, and improves product security by:
  - Greatly reducing the potential for developer error
  - Making it easier to mitigate newly identified threats
  - Ensuring all Create, Read, Update, and Delete operations are processed through strict algorithms
  - Structurally aligning data and code (which helps protect the database from data corruption)
  - Ensuring system execution errors are carefully managed to provide us with diagnostic data without exposing the system’s internal workings to hackers
- Step-by-step guides for both routine and irregular activities
All measures have been selected, reviewed, and are overseen by our Director.
→ Comprehensive documentation
We have plans, policies, processes, procedures, and registers that cover all aspects of our product and product administration security:
- Staff roles, training, and certification
- Office security
- Office IT systems security
- Risk management
- Design and configuration
- Development
- Quality assurance
- Monitoring
- Incident response
- Disaster recovery
→ Independent assessments
Our software and our cloud environment have been reviewed by independent security assessors (most recently January 2025).
→ Focus on what matters to our customers
Our customers include government agencies (Commonwealth, State, and Local) and critical infrastructure entities. As such, our customers are legally required to ensure systems are secure and report cyber security incidents to the ACSC.
We work closely with our customers to ensure they are comfortable with our cyber security measures and their obligations are met.
Related information
For further information, please refer to our related policies and statements: