Wednesday, 12 March 2014

Privacy and your organisation, do you understand the rules?

The Australian Privacy Amendment Act 2012 comes into force on 12th March 2014 and introduces significant amendments to the Privacy Act 1988.

The Privacy Act changes will give the Information Commissioner the ability to:
  • Resolve complaints, use external dispute resolution services, conduct investigations and promote compliance;
  • Investigate serious breaches (including the right to impose penalties of up to $1.7 million on businesses);
  • Assess the privacy performance of businesses.

Who must comply with the Act?

The Privacy Act protects personal information handled by businesses with an annual turnover of more than $3 million and health service providers of any size.

The Act may also apply to a small business if it poses a higher risk to privacy, for example small businesses that hold health information and provide health services, or those that:
  • trade in personal information
  • provide services under a Commonwealth contract
  • run a residential tenancy database
  • are related to a larger business
  • are a reporting entity under the Anti-Money Laundering and Counter-Terrorism Financing Act.

Other small business operators may choose to opt in to the regime or may be brought into the regime by regulation.

If you’re not sure whether the Privacy Act applies to your business, try the 9 Step Privacy Checklist for Small Business on the Office of the Australian Information Commissioner (OAIC) website: http://www.oaic.gov.au

How will the changes affect you?

The changes will affect how businesses can:
  • Handle and process personal information;
  • Use personal information for direct marketing;
  • Disclose personal information to people overseas.

Although you may already be required to comply with the Privacy Act, you need to be particularly aware of the changes, as you will need to change your privacy policies and practices significantly in order to comply with the requirements of the Australian Privacy Amendment Act 2012.

A point to note

Each State has its own privacy legislation, and therefore you must understand the legislative restrictions on processing personal data, not only in the State in which you reside, but also in the States you interact with!

NSW for example has the Privacy and Personal Information Protection Act 1998 (NSW) together with the Health Records and Information Privacy Act 2002.  

Private sector companies should be aware of these requirements if they provide services to a NSW government agency.

Private sector health services providers of any size in NSW will have to comply with the Health Records and Information Privacy Act 2002 and also the Commonwealth Privacy Act 1988.

How confident are you in your Privacy practices?

For example, APP11 requires an organisation to take reasonable steps to ensure personal information is protected from “interference, unauthorised access, modification and disclosure”.

  • How do you provide this assurance?
  • Are you able to demonstrate that ‘reasonable’ steps have been taken to protect personal data?

You must take reasonable steps to “implement practices, procedures and systems that ensure compliance with the APPs”.

So how well do you know your information processes?  What personal information do you collect, and do you understand its lifecycle within your organisation?  Are you able to answer the following:
  • What personal information is collected, where, when, why and by whom?
  • What controls do you have at the collection point?
  • Do you collect consent?
  • How do you record consent?
  • Do you understand the purpose(s) for which information is collected?
  • How is it kept relevant?
  • Where does the information go?
  • How is it stored?
  • How is it kept up to date?
  • In what format is the data stored, and for how long?
  • What happens at ‘end-of-life’?

If you’re not confident you can answer these questions, we are here to help!

CQR Services

CQR is able to help organisations through the following services:

Privacy Compliance Jumpstart
We will conduct a Privacy Impact Assessment (PIA), provide an implementation roadmap and draft a Privacy Policy.

Privacy Impact Assessment (PIA)
We will conduct a series of interviews to understand how you currently use and protect personal information, and provide recommendations on how you can improve your processes to ensure that personal information is:
  • Processed fairly
  • Kept accurate, complete and up to date
  • Kept secure
  • Made available to data subjects

Update to Privacy Policy
We will review and update your Privacy Policy to ensure it captures the requirements of the Australian Privacy Amendment Act 2012.

Third Party Audit
We will conduct an audit of how you manage third party relationships.

Information Security Gap Analysis
We will conduct a series of interviews to understand how you currently protect personal information, using the ISO 27001 information security standard as the benchmark for compliance.

Privacy Audit
We will conduct an audit of your privacy practices covering:
  • Consent management
  • Subject access requests
  • How you use and protect personal data
  • Defined roles and responsibilities
  • Review of Privacy Policies, Procedures and Guidelines
  • Risk Management

Friday, 7 March 2014

Social Bronze Age

In October 2013 I wrote a blog entitled Stone Aged Security, where I noted that we've been through the journey of Stone Age to Industrial Age twice before, first for civilisation taking 12,000 years, and then again for IT, but this time 200x faster and only taking 60 years, and that we had started the cycle again for the Social Stone Age.

The Social Stone Age (2000-2013) will be looked back on fondly.  It's the age when we discovered social media.  It's the age when we were encouraged to share.  It's the age when we naively assumed that private actually meant private, and that big brother didn't really exist - or at least if they did, they were only watching the bad guys.  It's the age when we weren't having discussions about metadata.

That age is over.  2014 is the start of the Social Bronze Age.  This age is marked by two distinct phase changes in the way that we communicate on the Internet.

The first phase change is that we are moving from a default unencrypted Internet, where we only encrypt that information that we consider to be sensitive, to a default encrypted Internet, where we encrypt everything all the time.  Facebook and Twitter moved from only encrypting logins, to encrypting everything.  Google started encrypting all searches.  This would have happened eventually, but it has really been forced this year by the realisation that the threat model has fundamentally changed.  We are no longer trying to protect ourselves just from cybercriminals, but also from the security services that are recording everything all the time.

The second phase change is that we have moved to a default "in" position for social media.  It is now assumed that everyone has at least one social media account, and that the only people who don’t have one have consciously chosen not to, and they are just a little odd.  Private mailing lists have almost entirely gone, replaced by social media groups.  Moreover, social media is replacing e-mail as the normal way that people communicate with each other.

My calculations show that the Social Age is running 2.5x faster than the IT Age, and 500x faster than civilisation!  It's hardly surprising that we really aren't coping that well.  If this trend continues, then here are my predicted dates for the remainder of the Social Age, and some key expectations.

2018: Social Iron Age.  The end of centrally controlled social media, and the end of companies like Facebook and Twitter.  Social media will be peer-to-peer with all the processing, privacy and communication controlled by the users and happening in an app on their phones.  The Internet of things will be real and it will all be IPv6.

2021: Social Middle Age.  The end of e-mail and text based communication.  Everything will be voice controlled, and keyboards will seem quaint.  Real-time language transcription and translation will be practical for everyday use.  Language will no longer be a barrier to communication.

2023: Social Industrial Age.  Avatars will do most of the work for you.  Expect the first real cyber world war.  What we see as science fiction today, will be practical reality, except that we still won't have artificial intelligence, robots or flying cars.

2024: The next age starts - the Machine Stone Age.

It's going to be an interesting 10 years.

Friday, 28 February 2014

Autumn is coming, are you prepared?

With the Autumn season just a day away we look to changing our wardrobe for some warmer clothing, preparing our home for the relief of rain and looking forward to making it into the garden and seeing what the summer sun has left for you to revive. It’s a chance for us all to take a break from the long and busy summer and nestle down in our homes ready for winter.

But what are the risks involved? Initially you might think there can’t be many, as you look forward to catching up on some of those books on the bookshelf you haven’t had time to start, decorating the dining room because the summer was too hot to even think about it, or taking up a new hobby if that’s your thing.

The first big downpour of 2014 left my gutters overflowing and my garden turning into a swimming pool, all of which was unexpected. I didn’t know it was going to rain that hard, and we had already cleared out the gutters a few weeks before. But those record-breaking 40 degree temperatures in Adelaide had a big effect on the trees around my house, and when the wind picked up they shed all their dry leaves back onto my roof and into my gutters, hence the overflow and my husband getting soaked to his socks clearing them out, hoping he cleared them before the water got into the roof.

We hear it all too often on the radio and the news: people like you and me having their information hacked and money stolen from their bank accounts. When we find out it’s happening we go into defence mode, change our passwords and have a rant to the bank until it’s fixed. But what if it’s your workplace, and your office holds the information of others, or your organisation is closed down for the day? What then? It may not be just you who is affected, and it doesn’t take long for someone on a laptop sitting in their own home to leave you with a wealth of problems which can’t be fixed with a phone call or a password change. The risk of a cyber-attack isn’t your only threat; losing power to your premises for a long period of time can be just as harmful if you are out of contact or unable to complete your daily tasks.

Having a disaster recovery plan in place can be a challenging and difficult task but in the event of a breach or natural event it could possibly be your only hope of maintaining service and being able to recover as quickly and efficiently as possible.

So what can I do?

For an organisation that has not taken a great deal of time to consider its disaster recovery, CQR can assist through a Business Impact Analysis, which looks at where a disruptive event can affect the business. This will provide a risk register, business continuity and recovery plans and, most importantly, show whether the business can recover within a desired timeframe.

We can provide an independent review of your IT Service Recovery Plans through an IT Service Recovery Technical Review, ensuring that the information therein is adequate to support the recovery processes and that staff are aware of their roles and responsibilities.

For a Vulnerability Assessment, CQR has specialist consultants who can carry out technical vulnerability scans that will challenge the resiliency of your network architecture. We will provide you with a vulnerability report outlining the risks and provide recommendations to manage the identified vulnerabilities.

In addition to these services, CQR can also provide Exercise / Test Facilitation, Document Development, a Business Continuity Gap Analysis against the ISO 22301:2012 Business Continuity Standard, and Business Continuity Management System (BCMS) Development. All of these services are delivered by partnering with the organisation and developing a scope to ensure that what is delivered is exactly what is needed in order to prevent the worst from happening.

So before the winter arrives I have my own plan in place to make sure that my gutters no longer get clogged with leaves and debris and that I reduce the risk of my garden becoming flooded again. That will involve my husband getting back up onto the roof again, but hopefully this time he will be drier.

Sarah Taylor

Friday, 21 February 2014

Managing a Data Breach

If you've ever watched a home renovation show on TV, you'll know that one of the biggest problems is the weather.  Rain in particular is a real pain if you don't yet have a roof, as it leaks everywhere, damages everything and stops work completely.  If you are doing the renovation privately, the best thing to do is patch up the damage, redecorate and tell no-one.  However if there is a TV crew around you don't have that option.

With the impending revisions to the privacy laws, this is exactly the place Australian business is about to find itself.  If you have a breach today the best advice is to patch up the damage, redecorate and tell no-one.  Within a couple of months however it will be as if there is a virtual TV crew around all the time, and businesses won't have a choice about having to admit their failure to protect personal information.

Unsurprisingly, vendors are having a field day promoting the new privacy laws, trying to sell umbrellas, wallpaper and camera blinding equipment.  Personally I think businesses should just build a watertight roof and stop the leaks happening in the first place.
 
Phil Kernick @philkernick
 

Tuesday, 18 February 2014

Benefits of Aligning Business Continuity Management with IT Service Recovery

IT departments within many organisations are likely to have well defined processes to support their own disaster recovery requirements.  General ‘good practice’ states that we need:
  • Backups;
  • Resiliency designs within the network architecture;
  • Data centre etc…etc…

IT Service Recovery is a legacy approach that many are comfortable with.  From the early mainframe computer days in the 1950s, initial recovery simply focused on restoring the mainframes; the systems were simply offline and the business would have to wait, and it could actually take a matter of days before the business was affected in any way.

However, with the explosion of the internet since 1995 and greater dependence on up-to-the-second information, the impact of loss can now be felt, not in days, but in minutes… if not seconds! 

The role of Business Continuity within an organisation developed throughout the 90s as it became obvious there was a need to provide protection and resilience spanning the entire business.  This led to Business Continuity professionals sitting well outside of IT, focusing on Business Impact Assessments, Crisis Management and Business Continuity Plans, detailing how the business can continue to provide products and services at an acceptable minimum service level.

IT has continued to support ‘general good practice’ and has kept up to date, where possible, on the technology that supports system resiliency and recovery, however, often choosing solutions without discussing requirements with the business.  Likewise, the business has been developing Business Continuity Plans on the assumption that IT services will be able to support their strategies.

It is therefore essential that you re-align Business Continuity Management with IT Service Recovery to ensure that the business clearly understands how it may implement strategies that either prevent incidents occurring, or reduce the impact if they do occur. 

To achieve continuity and recovery objectives an organisation should be able to answer questions such as:
  • Can IT recover the business systems within an acceptable period of time?
  • Has the business discussed what the “acceptable period of time” is?
  • Have you ever completed a full restore from backup?
  • Do you carry out vulnerability scans or penetration tests to examine the adequacy of your network designs?
  • Is your Data Centre far enough away? Or is it likely to be impacted by the same disruptive incident as you?

CQR Services

CQR is able to help you define your Business Continuity and Service Recovery Strategies through a number of services, such as:

Business Continuity Gap Analysis against ISO 22301:2012 Business Continuity Standard
We will review existing business continuity plans, supporting documentation and governance against the industry standard ISO 22301.

Business Continuity Management System (BCMS) Development
We can work with you to create a BCMS that can be certified to ISO 22301 or simply be ‘compliant to’ the requirements of the standard.

Business Impact Analysis
We will work with you to analyse the consequences of a disruptive incident on your most time sensitive business processes. The output will feed into your risk register, business continuity and recovery plans and, most importantly, verify whether IT is able to recover within the desired timeframes.

IT Service Recovery Technical Review
We will provide an independent review of your IT Service Recovery Plans, ensuring that the information therein is adequate to support the recovery processes and that staff are aware of their roles and responsibilities.

Vulnerability Assessment
We have specialist consultants who can carry out technical vulnerability scans that will challenge the resiliency of your network architecture. We will provide you with a vulnerability report outlining the risks and provide recommendations to manage the identified vulnerabilities.

Exercise / Test Facilitation
CQR can work with you to design and facilitate an exercise that will test the limits of your documentation and ensure that it is:
  • Accurate and up to date
  • Relevant
  • Complete
  • Appropriate
The exercise will also ensure that staff get to understand their roles and responsibilities in an event. We can also help you to test the continuity and recovery strategies outlined in the documentation to ensure that they will work as expected.

Document Development
We can review, update and create relevant business continuity and recovery documentation as per your requirements.

Yvonne Sears
Senior Security Specialist

Tuesday, 11 February 2014

How do you keep your family safe online?

Tuesday 11th February is Safer Internet Day, with this year’s theme, ‘Let’s create a better internet’, focusing on our children being safe online.

Coordinated by Insafe, the European network for internet safety, the event is supported in Australia by Cybersmart and promotes positive digital citizenship across Australian communities.

In the car on the way to school my son will occasionally ask, “Mum, can I have an iPhone?” My answer to him is, “No, you can’t have one because you are 6, and you won’t be getting a mobile phone until you are much older, especially an iPhone.” His response to me is then one of discontentment, with a bit of moaning thrown in for extra measure, which his 4 year old sister happily joins in on.

I have seen kids at his primary school standing at the gates on their phones. They could be talking to their mum or their nan, or even checking the automated clock (if that still even exists), but I am a firm believer that children of that age group do not need to have mobile phones of their own, because as a parent it is my responsibility to know that they are always in an environment which is safe and with people who will look after them if I cannot be there myself, so what would they need one for?

This being said, in school they are taught how to use computers from reception age, and with this comes the use of the internet. When he came home from school one day and asked if he could use the laptop, after a bit of a debate I said yes. Then I watched him switch it on, log in with my password (which made me think maybe I should be a little more secure with my home laptop access) and open Internet Explorer. He typed the word “games” into the search engine, and it came up with a ream of websites. He seemed to know what he was looking for, and through a series of clicks he got himself onto a car racing game and happily played it for the next 10 minutes.

Now, our children are the epitome of innocence, which is what we all want for them. But inevitably, as they get older and more inquisitive, this can be a time when they get up to things that we as parents are unaware of, and it is important that we are educated in how we support and educate them to make the best of what technology offers without any of the negatives that we hear about in the media.

Recently I have been reading up on how I can ensure that my children are safe online, and although much of it can seem obvious, it is sometimes those things that we forget to explain to our children.

Here are some tips that I feel are important:
  • Spend some time with your child at the computer and let them show you how they use it. This is a better way of working out any do’s and don’ts together, and you can show them the best way of doing things safely.
  • Give a time limit. It is easy when the kids are nice and quiet to forget and get on with some of your own jobs; maybe a timer will help so they aren’t spending too long on the computer, game console or tablet.
  • Bookmark a list of favourites for your child. This way their favourite websites are easily accessible, there is no need to use a search engine, and you can work with your child in setting it up and checking those websites.
  • Keep your computer in a space in the house where it is visible, so you can see what they are doing at all times.
  • Look into installing filters, labels or safe zones to help manage their access. Also check that your anti-virus or e-security software is up to date.
  • Teach them that if they come across anything that scares them, or that they think is wrong, to tell a trusted adult.
  • Helping them understand how to open and close programs safely can be useful if they come across something they don’t like.
  • Talk to them about personal information, and about never sharing things like phone numbers and home addresses without speaking to a trusted adult first.
  • If you are unsure or have any concerns, seek help: the Australian Government Cybersmart website has lots of advice and also an online helpline which provides free, confidential advice.

Giving them the tools to make safe and conscientious decisions is a life skill that we all value, and in the process we as parents can learn something too, which can make the online world less of a daunting place to explore.

Sarah Taylor
Sales Coordinator
www.cqr.com