The Office of the Australian Information Commissioner (OAIC) has released comprehensive guidance on the information security provisions it expects organisations to have in place to ensure they stay on the right side of the Privacy Act.
According to Australia’s IT News, the new legislation applies to all entities turning over more than $3 million a year and states that if a company’s information stores are compromised or destroyed, the entity will be held in breach of the Act unless it took “reasonable steps” to protect that data in the first place.
To address uncertainty, the OAIC today released a comprehensive guide to avoiding the Privacy Commissioner’s condemnation. The document is not binding, but the Office said it is the checklist it plans to use when assessing whether an entity is liable for a data breach or whether it has met its obligations under the Privacy Act. These include:
- Maintaining an information asset register
- Always keeping software patches up to date
- Whitelisting and/or blacklisting applications
- Having security software deployed across all network components
- Maintaining an intrusion detection system and event logs
- Segmenting the network into security zones with protection dependent on each level of risk
- Independent penetration testing at regular intervals
- Making sure private information hosted on web servers can only be accessed by authenticated users
- Independently assessing the compliance of third-party contractors hosting data