OAIC releases guide to information security

April 30, 2013

A significant data breach can lead to devastating consequences for businesses – which is why undertaking a security audit or penetration testing can be so important.

The need for vulnerability management is even more important when personal or private information is concerned.

To help Australian entities improve their security processes, the Office of the Australian Information Commissioner (OAIC) has released a new guide to information security that outlines "reasonable steps" to help protect personal information.

The guide is aimed at entities (including Australian, ACT and Norfolk Island government agencies) as well as private sector organisations who are covered by the Privacy Act 1988.

These organisations and agencies can look to the guide for a list of reasonable steps and strategies to take to ensure that personal information is secured adequately.

"Entities should build privacy and information security measures into their processes, systems, products and initiatives at the design stage," the report reads.

"This, and other preventative steps, assists entities to ensure that they have appropriate measures in place to minimise the security risks to personal information they hold."

The guide was developed with feedback from the industry, and while it is not binding, it will be used by the OAIC during assessments of data breaches, according to Australian Privacy Commissioner Timothy Pilgrim.

Some of the key steps and strategies that the guide recommends entities take include the practice of whitelisting and blacklisting, assessing software security and access (such as passwords and security tokens) and encryption.

Network security, ICT systems testing, backing up procedures and communications security are also identified as key areas of focus for entities who wish to bolster their information protection policies.

In the event of a data breach, the guide recommends developing a thorough response plan to mitigate the effects act appropriately, taking steps to ensure that physical security is strengthened, and improving information handling and security practices through personnel security and training.

In addition, the guide says entities should "consider undertaking a Privacy Impact Assessment and an Information security risk assessment for new acts or practices".

If you are worried about the security policies in your own organisation, an easy way to set your mind at ease is to consult a trusted security solutions provider about an assessment of your ICT systems – this may involve ethical hacking and other measures.

If any flaws are identified, the provider will then work with you to help establish a robust security policy that will protect important data and information.

Leave a Reply

Your email address will not be published. Required fields are marked *