APF Policy Statement on Information Security

Organisations hold a great deal of personal data. All of it is at least to some degree sensitive, and some of it highly so. Inappropriate handling of personal data represents a threat variously to the safety, wellbeing and peace of mind of the people it relates to. Primary privacy concerns are in the areas of unauthorised use and disclosure of data, with other issues including loss of data and threats to data integrity. Personal data needs the same level of care as financial information.

The privacy interest shares a great deal of common ground with organisations’ own needs for protection of data of financial and competitive value, with commercial confidentiality, and with government and national sovereignty desires for the protection of sensitive data.

Information and Information Technology Security are well-established fields of professional endeavour, supported by a substantial array of products and services and a busy industry.

Organisations have moral and legal obligations to apply the available knowledge and to thereby ensure privacy protection. This applies to:

  • all government agencies at federal, State and Territory, and local levels
  • large and medium-sized business enterprises and not-for-profit organisations
  • small business enterprises and not-for-profit organisations that handle personal data
  • service-providers, including to small organisations and consumers, where the services provided involve personal data that is under the control of the service-provider’s customer (particularly personal health records and credit-card data, but also, for example, records of goods and services purchased, social media, dating services and business-contact lists)

The following, specific obligations exist, must be recognised by organisations throughout the public and private sectors, and must be enforced by regulatory agencies.

Security Governance

All organisations have obligations to:

  • conduct Information Security Risk Assessment (SRA), which identifies and evaluates threats, vulnerabilities and potential harm, including a focus on risks to the privacy of individuals whose data the organisation handles
  • establish an Information Security Risk Management Plan (SRMP), which specifies the information security safeguards that are to be established and maintained, including safeguards against risks to the privacy of individuals whose data the organisation handles
  • establish and maintain business processes to ensure the implementation, maintenance, review and audit of those information security safeguards

Resources to guide and support these activities include:

  • ISO/IEC 27005:2008 ‘Information technology – Security techniques – Information security risk management’
  • NIST (2012) ‘Guide for Conducting Risk Assessments’ US National Institute for Standards and Technology, SP 800-30 Rev. 1 Sept. 2012, pp. 23-36

Security Safeguards

All organisations have obligations to establish and maintain a sufficiently comprehensive set of information security safeguards in the following areas, commensurate with the sensitivity of the data:

  • Physical Access Controls, such as locks, and authorisation processes for entry to premises
  • Logical Access Controls, such as user account management, privilege assignment, and user authentication
  • Data Protection in Transit, such as channel encryption and authentication of devices
  • Data Protection in Storage, such as access logs, backup and recovery procedures, and encryption
  • Perimeter Security, such as firewalls, malware detection, and intrusion detection
  • Internal Security, such as vulnerability testing, patch management, software whitelisting, malware detection, and automated detection of security incidents
  • Software Security, such as pre-release testing, change control and configuration management
  • Organisational Measures, such as staff training, staff supervision, separation of duties, security incident management, log monitoring and audits
  • Legal Measures, such as terms of use for employees, and terms of contract for suppliers
  • Data Breach Notification Processes
  • Formal Audit of data protection measures

Resources to guide and support the design and implementation of effective safeguards include:

Sanctions

All organisations, and individuals within organisations, must be subject to sanctions where they fail to fulfil their information security obligations.

Sanctions must exist, and must be applied, at all of the following levels:

  • civil liability by organisations
  • civil liability by directors
  • staff disciplinary action, up to and including dismissal in serious cases
  • criminal liability for serious and repeated cases