APF Policy Statement on Information Security
Organisations hold a great deal of personal data. All of it is sensitive to some
degree, and some of it highly so. Inappropriate handling of personal data
threatens the safety, wellbeing and peace of mind of the people it relates to.
The primary privacy concerns are unauthorised use and disclosure of data; other
issues include loss of data and threats to data integrity. Personal data needs
the same level of care as financial information.
The privacy interest shares a great deal of common ground with
organisations' own needs for protection of data of financial and competitive
value, with commercial confidentiality, and with government and national
sovereignty desires for the protection of sensitive data.
Information and Information Technology Security are well-established fields
of professional endeavour, supported by a substantial array of products and
services and a busy industry.
Organisations have moral and legal obligations to apply the available knowledge
and thereby to ensure privacy protection. This applies to:
- all government agencies at federal, State and Territory, and local levels
- large and medium-sized business enterprises and not-for-profit organisations
- small business enterprises and not-for-profit organisations that handle
personal data
- service-providers, including to small organisations and consumers, where
the services provided involve personal data that is under the control of the
service-provider's customer (particularly personal health records and credit-card
data, but also, for example, records of goods and services purchased, social
media, dating services and business-contact lists)
The following specific obligations exist; they must be recognised by organisations
throughout the public and private sectors, and must be enforced by regulatory
agencies.
Security Governance
All organisations have obligations to:
- conduct an Information Security Risk Assessment (SRA), which identifies and
evaluates threats, vulnerabilities and potential harm, including a focus on
risks to the privacy of individuals whose data the organisation handles
- establish an Information Security Risk Management Plan (SRMP), which specifies
the information security safeguards that are to be established and maintained,
including safeguards against risks to the privacy of individuals whose data
the organisation handles
- establish and maintain business processes to ensure the implementation,
maintenance, review and audit of those information
security safeguards
Resources to guide and support these activities include:
- ISO/IEC 27005:2008 'Information technology – Security techniques –
Information security risk management'
- NIST (2012) 'Guide for Conducting Risk Assessments' US National Institute of
Standards and Technology, SP 800-30 Rev. 1, Sept. 2012, pp. 23-36
Security Safeguards
All organisations have obligations to establish
and maintain a sufficiently comprehensive set of information security safeguards
in the following areas, commensurate with the sensitivity of the data:
- Physical Access Controls, such as locks, and authorisation processes for
entry to premises
- Logical Access Controls, such as user account management, privilege assignment,
and user authentication
- Data Protection in Transit, such as channel encryption and authentication
of devices
- Data Protection in Storage, such as access logs, backup and recovery procedures,
and encryption
- Perimeter Security, such as firewalls, malware detection, and intrusion
detection
- Internal Security, such as vulnerability testing, patch management, software
whitelisting, malware detection, and automated detection of security incidents
- Software Security, such as pre-release testing, change control and configuration
management
- Organisational Measures, such as staff training, staff supervision, separation
of duties, security incident management, log monitoring and audits
- Legal Measures, such as terms of use for employees, and terms of contract
for suppliers
- Data Breach Notification Processes
- Formal Audit of data protection measures
Resources to guide and support the design and implementation of effective safeguards
include:
- Andress J. (2011) 'The Basics of Information Security' Syngress, www.syngress.com,
208 pp.
- Clarke R. (2013) 'Information
Security for Small and Medium-Sized Organisations' Xamax Consultancy Pty
Ltd, 2013
- PCI-DSS (2010) 'Payment
Card Industry (PCI) Data Security Standard: Requirements and Security Assessment
Procedures' Version 2.0, PCI Security Standards Council, October 2010
- ISM (2012) 'Information
Security Manual – Controls' Defence Signals Directorate, 2012
- ISO/IEC 27001:2006 'Information technology — Security techniques –
Information security management systems – Requirements', Annex A, pp.
13-29
- Goodrich M. & Tamassia R. (2011) 'Introduction to Computer Security'
Addison-Wesley, 2011, 576 pp.
Sanctions
All organisations, and individuals within organisations,
must be subject to sanctions where
they fail to fulfil their information security obligations.
Sanctions must exist, and must be applied, at all of the following levels:
- civil liability of organisations
- civil liability of directors
- staff disciplinary action, up to and including dismissal in serious cases
- criminal liability for serious and repeated cases