A business requires a cyber-secure digital platform to secure from physical and technological threats aiming to compromise the business’s data and systems. Such a platform requires a cycle of continual improvement to keep pace with hackers’ evolving techniques.
By the end of this topic, you will understand:
- the risks to a business’s digital platform from cybercriminals
- the function of a cyber security risk assessment matrix in threat management
- the importance of cyber security frameworks to cyber security
- typical cyber security policy and its relationship to cyber security frameworks
- the role of government cyber compliance regulations in moulding cyber security policy.
The requirement for cyber security is based on a need to protect businesses from malicious attacks by hackers. In Australia, attempting to or gaining unauthorised access to a business’s digital platforms is a criminal offence. However, the criminalisation of hacking is not a deterrent. Most cyber attacks on Australian businesses originate overseas. So, even if an attack is detected and the individuals behind the attack are identified, the bulk of attacks come from countries where it is extremely difficult or even impossible to secure extradition. For Australian businesses, aggressive defence of their data and systems from cyber attack is the real deterrent.
Reading
The Australian Cyber Security Centre (ACSC) provides a reporting mechanism for individuals and businesses to report hacking attempts and cybercrime. Read the report at the link below:
ASD's ACSC Annual Cyber Threat Report, July 2021 to June 2022 | Cyber.gov.au
Hackers have two methods for gaining access to a business’s digital platform:
- physically breaching a business’s cyber security, such as accessing unlocked server rooms or posting malware-infected portable hard disks to a business
- making a technology aack, such as using phishing and technical vulnerabilities in business software
As attacks come mostly from overseas, a technology attack is the most likely method hackers will use. Technology attacks range from the simple/crude through to complex probes looking for vulnerabilities in computer networks.
Simple attacks are the most common. While hackers are depicted in the media as using complex code and bypassing security protocols with advanced skills, most hackers use techniques that are simple, proven and rely on human nature. In effect, cybercriminals typically rely on a business’s own staff to provide them with the access they require.
Example
Take the hacker technique ‘phishing’ – phishing is connecting with a business’s staff by using fake emails and social media posts. When staff open emails or visit infected URLs (Uniform Resource Locators) embedded in social media posts, they are directed to a website that loads malware to their computer. ‘Malware’ is short for ‘malicious software’, and this software, when running on the staff member’s digital device, opens a connection for a cybercriminal to access not only the staff member’s device, but the business’s systems and networks.
The Risks to Businesses From a Cyber Attack
The risk to a business varies with the intentions of cybercriminals. In the event of a successful cyber security breach, it may take many business days if not weeks to realise its digital platform has been compromised. As a rule, hackers prefer to leave no trail so they can return to attack the business again using the same methods.
However, an emerging trend in cybercrime is the locking of systems and ransoming access – if the business does not pay extortion, the hackers will not allow the business back into its system, effectively destroying the business. This is achieved by encrypting the system’s database with a key that only the cybercriminals know. If the ransom is paid, the hackers provide the key (a complex digital code) to allow the database to be accessed again.
Tip
Ransomware is a form of malware software. When a cybercriminal infects a business, the malware encrypts data to make the business’s database unusable. In effect, the business’s data is held hostage. For example, any file with the extension BC5B has been encrypted for this purpose, and there is no way to unencrypt the file – the hacker has a unique ‘key’ that is the only way to open the file to access the data.
Malware that performs the encryption is often part of a ‘Trojan horse’ scam – a legitimate-looking email is opened by a user in a business. Malware that actively encrypts files is then loaded.
Malware that performs the encryption is often part of a ‘Trojan horse’ scam – a legitimate-looking email is opened by a user in a business. Malware that actively encrypts files is then loaded.
Prioritising Risks
Some risks are low level and manageable. Some risks threaten a business’s existence. For example, compare the theft of the business contacts on a mobile phone to the ransoming of a business’s database.
Managing cyber security risks requires a business to prioritise effort and resources, effecting changes and ‘hardening’ of its cyber security approach, with a focus on first closing gaps that expose the business to extreme risk.
No business has unlimited budget to apply to any business need. Cyber security, being no exception, requires evaluation of a business’s digital workplace to optimise resources.
The technique used in cyber security to perform this task uses a process called a ‘cyber security risk assessment’ (CSRA). This is a matrix of threats cross-referenced by threat levels and probability. The matrix is used to:
- identify threats to close gaps in security that allow the threat to exist
- identify threats that cannot be closed entirely, but can be mitigated
- prioritise the threats based on the damage potential and the probability a threat can become an actual attack.
A CSRA matrix:
- Changes over time as the business adopts new business practices and cyber security measures.
- Does not provide cyber security solutions but is a guiding cyber security activity. High-risk and high-probability cyber threats are given priority attention over low-risk and low-probability threats.
Case Study
Cyber Risk Assessment Matrix
ACE Pty Ltd is a manufacturer of garden supplies. As a wholesaler to large hardware stores, ACE Pty Ltd uses an integrated finance and inventory database to manage orders, pay bills and issue invoices. Based in a central warehouse in Sydney, orders and stock purchases are made by email and by computer-to-computer processing in some cases.
ACE has a staff of 30 people working in accounts, warehousing, management, procurement and sales who are networked to the central system from a single network in the central warehouse. Sales staff have laptops that are able to remotely access the ACE database when they are working with clients.
You are the recently appointed cyber security manager for ACE. You notice that ACE does not have a cyber risk assessment matrix, so you develop the following classification:
Risk Class | Low Short-term impact on operations but can be recovered quickly |
Medium Serious impact with some loss to the business |
Extreme Long-term impact with significant loss to the business |
---|---|---|---|
Unlikely to occur | Priority 3 | Priority 2 | Priority 2 |
May occur | Priority 3 | Priority 2 | Priority 1 |
Will occur | Priority 2 | Priority 1 | Priority 1 |
Priority 1 These gaps in policy and technology security must be closed first
Priority 2 These gaps in policy and technology security must be closed next when Priority 1 cyber security gaps are all closed.
Priority 3 These gaps in policy and technology security are closed last.
Note that when Priority 1 gaps are identified, they are always attended to first.
You identify the following risks at ACE:
- A sales laptop being stolen: Priority 1 (extreme/may occur) – Currently, ACE laptops do not use multifactor authentication (MFA), and it is technically possible to log on to the ACE network with the stolen laptop if the device is stolen and provided to hackers. We need to review cyber policies on passwords, encryption and data storage immediately, as the policy does not exclude/include cyber security best practices.
- Staff password sharing: Priority 2 (low/will occur) – Some staff share passwords in the warehouse, as there is only one computer available and logging on/off is time-consuming. This means there is no accurate way to audit who implements a change in the warehouse. This allows for potential stock loss. We need to ensure policy is followed and warehouse staff use their own usernames. Furthermore, the information technology (IT) department needs to install a further two workstations (one for each staff member) in the warehouse.
Risks to a business from cybercrime range from minor service interruptions impacting workplace productivity, to disastrous system loss that requires significant time and effort to recover from. A CSRA matrix rates threats and allows for cyber security resources to be put to optimal use.
Influences on Risk Assessment
Depending on the business, a CSRA matrix varies in complexity. This is due to:
- the scale of the business and the number of devices, applications and network resources requiring protection
- government regulations that require businesses to consider all threats to private information and services to be significant.
For example, businesses such as banks and large supermarket chains are classified as essential services in Australia by the Security Legislation Amendment (Critical Infrastructure) (SLAC) Bill (Cth). There are 11 business types in Australia classified as essential services, and the SLAC Act requires these businesses to deploy the highest levels of cyber security across their digital infrastructure.
In SLAC-classed businesses (such as the Commonwealth Bank, Woolworths, and Shell as a provider of fuels), there are significant resources to manage cyber security, and the threat tolerance is low.
Furthermore, any company in Australia that has revenue of more than $3 million and/or is in the financial or health industries must comply with the Privacy Act 1988 (Cth) and protect its data from cybercrime.
In the event of a successful cyber-attack, the SLAC Act and Privacy Act empower the Government to levy penalties.
A breach of the Privacy Act allows for fines of up to $2.1 million dollars. Consequently, a CSRA matrix in a bank compared to a town bakery will assess the same cyber threats differently.
Example
A bakery likely has a low cyber security budget and has a single cash register. A bank likely has thousands of registers across Australia, allowing bank tellers to service clients. The bakery assesses the risk of a hacker ransoming its register as low, and the impact as medium. If the register was offline, the bakery could still make cash sales while the register was restored to service. The bank assesses the risk of a hacker ransoming its registers as high, and the impact as extreme. If the registers were offline, customers would be severely disadvantaged and the bank would be negligent in their SLAC duties.
Types of Risk Mitigation
When cybercrime is detected, how long the business has been exposed may not be known. In the case of ransomware hacking, it may be weeks before the ransom is demanded. In that time, the hackers will ensure that backups of the target system are infected as well. This guarantees that the business cannot recover to a point in time before the attack.
Sophisticated hacking will employ sophisticated methods (such as in the case of ransomware); however, the initial method of attack is typically crude (such as a phishing attempt).
A phishing attack uses an email or website to prompt a user to click on a link. If the link is clicked, malware attempts to load to the user’s device. Once loaded, what the malware does next depends on its code. The effect can range from allowing hackers access to the PC to copy/delete data, to attempting to access the wider systems/data/network of the business.
Phishing attacks can be mitigated by anti-malware software running on devices, but equally important is user education. Educating staff about the risks of cyber security is as important as any technical security. If staff know not to click on suspicious links in emails or to visit non-business websites using business devices, the threat of a phishing attack is greatly reduced.
Effective cyber security combines technical and cyber policy/procedures as a holistic approach.
Types of risk mitigation can be classified as:
- Technical - such as configuring a server to remove a threat
- Education Based - information staff about threats and cyber safe behaviours
- Prohibitive - providing 'can and cannot' rules that are delivered as business policy
To guide cyber security managers in the delivery of these three types of mitigation activity, peak bodies in the cyber security sector have produced guidelines known as ‘cyber security frameworks’.
Practice
Visit: Quiz library | Cyber.gov.au to test your knowledge against different threats
Over the last 20 years, there has been a move in business to view cyber security as more than an IT issue. There was a time when cyber security was the domain of IT departments, who reacted to cyber threats and provided little input to senior management on their activities – no news was good news.
Today, due to the power of malware and the significant damage that comes with a malware infection, cyber security takes on a whole-of-business approach. Cyber security now encompasses:
- User education
- Line of reporting to senior management
- Policy and procedures to prohibit and ensure cyber safe behaviours
- A continuous requirement for technology to adapt and toughen business networks to protect from illegal intrusion
To deliver a workplace with broad-ranging cyber security requirements, cyber security frameworks offer a road map for implementation.
A cyber security framework is a model that allows a methodical approach to cyber security management. It lists requirements that must be followed to maximise a business’s resilience to cyber security threats. It is a general minimum set of requirements, and businesses add their own cyber security tasks and procedures so as to customise the framework to the needs of their particular business. Quality cyber security frameworks are designed and maintained by leading cyber security agencies.
In Australia, several frameworks are used, including the Essential Eight and the National Institute of Standards and Technology (NIST) frameworks.
Essential Eight
The Essential Eight is a prominent security framework developed by the ACSC in 2017. Comprising eight security controls as three strategies, this framework is the preferred model for all Commonwealth agencies and departments. It became mandatory to comply in June 2021.
The Essential Eight is a prominent security framework developed by the ACSC in 2017. Comprising eight security controls as three strategies, this framework is the preferred model for all Commonwealth agencies and departments. It became mandatory to comply in June 2021.
Requirement | Strategy |
---|---|
1. Application control - Limit what software users run on business PCs to meet the requirements of the business. | Prevent cyber attacks |
2. Patch user applications - Patch software vulnerabilities within two weeks of a security patch being released and two days if the patch is reacting to a hacker exploit. Software security updates or 'patches' are to be applied to browsers four weeks from a patch being available. A user application is the local software that a user runs from their digital device (PC/ phone). Vulnerability scan application software daily to check that they are patched as needed. Vulnerability scan web browsers and office software at least every two weeks to determine whether they are patched as needed. | Prevent cyber attacks |
3. Configure Microsoft Office macro settings - Microsoft Office macros are disabled for users without a demonstrated business need. Microsoft Office macros online are blocked. Microsoft macro security settings are locked and cannot be changed. | Prevent cyber attacks |
4. User application hardening - Web advertisements and online Java do not run on organisation browsers. Web browser security settings are locked down. | Prevent cyber attacks |
5. Restrictive admin privileges - Admin accounts (also called 'privileged accounts') cannot access online web services with a web browser or use email. Admin accounts maintain the IT environment and are created on a needs | Limit extent of cyber attacks |
6. Patch operating systems - Patch operating systems with security updates two weeks from patch release or within two days if the patch is a response to a hacker exploit. Patch network devices and other digital devices (such as PCs) at least monthly. Vulnerability scan operating systems to check that they are patched as needed. Vulnerability scan network devices and other digital devices (such as PCs) every two weeks to determine they are patched as needed. Systems that are not maintained by vendors must be upgraded or replaced. | Limit extent of cyber attacks |
7. MFA - Multifactor authentication (such as needing a password, a real-time single-use generated passcode and a passphrase) is needed from users to access web services supplied by the organisation and third parties, including storing data online. MFA is optional if users are accessing an organisation's own web services. | Limit extent of cyber attacks |
8. Regular backups - Backups of critical data, applications and digital device settings are made. Restoration procedures from backups are tested to ensure they work. Users can access only their own backups. Users cannot modify or delete backups. | Recover data |
At first glance, there are gaps in the Essential Eight (e.g. banning portable storage devices, such as USB [Universal Serial Bus] sticks, which can carry malicious software). The Essential Eight maps eight essentials that will ‘harden’ an organisation to cyber threat at a minimum. By adopting the Essential Eight, a business can move to a further two levels of increased cyber security requirements and add their own requirements to further harden their digital systems to cybercrime.
Notice that there is a strategy to limit the effectiveness of cyber attacks. Such a strategy acknowledges that, just like no bank vault can ever be 100% uncrackable, dedicated hackers will always try to find a way in. As human behaviour is manipulated to discover passwords (e.g. using phishing), all digital systems have vulnerabilities that cannot be closed as a vector (a way into system), because humans access computers.
Notice that there is a strategy to limit the effectiveness of cyber attacks. Such a strategy acknowledges that, just like no bank vault can ever be 100% uncrackable, dedicated hackers will always try to find a way in. As human behaviour is manipulated to discover passwords (e.g. using phishing), all digital systems have vulnerabilities that cannot be closed as a vector (a way into system), because humans access computers.
Vulnerability Scanning
Vulnerability scanning is an important tool in securing a computer network. The Essential Eight framework makes it a requirement to be performed regularly.
A vulnerability scanner is automated software that relies on a database of known security flaws, such as in user software (e.g. browsers) and business software (e.g. customer relationship management software). Scanning is performed externally to establish whether firewall vulnerabilities exist that hackers can exploit to gain unauthenticated access. Scanning is also performed internally to discover vulnerabilities after access to a network.
The NIST framework, like the Essential Eight, requires that vulnerability scans are performed to ensure continuous assessment and remedy of cyber threats.
NIST Framework
The National Institute of Standards and Technology functions as an agency that is a part of the US Department of Commerce. The cyber security framework the NIST developed has been adopted around the world as a de facto standard. In Australia, the framework is often referenced to provide a model of cyber security implementation. The Australian Energy Sector Cyber Security Framework (AESCSF), used by the Australian energy sector, uses the NIST framework blended with other frameworks to develop a best-case custom framework.
The NIST framework relies on three components:
- A core of cyber security activities.
- Tiers that map these activities to degrees of ‘hardening’, from Tiers 1 to 4. Activities can be delivered in four ways, from partial (Tier 1) to adaptive (Tier 4).
- A profile that comprises policies and procedures that are aligned to the framework core.
Tiers that map these activities to degrees of ‘hardening’, from Tiers 1 to 4. Activities can be delivered in four ways, from partial (Tier 1) to adaptive (Tier 4). • A profile that comprises policies and procedures that are aligned to the framework core.
The five functions of the NIST framework are:
- Identify - act to identify cyber security threat potential by creating a digital registry of critical assets
- Protect - protect from the impact of cyber attacks
- Detect - detect suspicious activity before a cyber attack is made
- Respond - take action to harden systems and defeat attacks
- Recover - recover from attacks with minimal impact
The functions require activities (subcategories) to be completed in order, starting with identify and ending with recover.
Function | Subcategories |
---|---|
Identify |
|
Protect |
|
Detect |
|
Respond |
|
Recover |
|
All subcategories have a naming convention, such as ‘RC.RP-1’ for the activity Recovery/Recovery Plan/Activity 1 or ‘DE.CM-4’ for Detect/Continuous Monitoring/Activity 4. Each is a specific task to ensure a business is administering its cyber security effectively.
Example
The NIST framework has a readymade framework for businesses in the manufacturing sector – in which, 120 actions are listed in order of when they are to be actioned.
Each action belongs to one of the six categories (such as identify or protect), and each category has subcategories. For example, identify has four subcategories:
- asset management
- business environment
- governance
- risk assessment.
The identify category has the following six actions to be performed in the asset management subcategory. These are the initial six tasks in the NIST framework:
- Create an asset inventory of physical assets.
- Create an asset inventory of software assets.
- Map all data flows as they occur in the business and include what the data is.
- Map all external systems that connect to the business.
- Prioritise the necessity to the business of all assets (see points 1, 2 and 3; and include personnel).
- Identify the cyber security roles in the business.
The complete NIST framework for manufacturing can be found at the link below: Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1 (nist.gov)
The guideline below addresses all industries, and NIST also provides for specific industries, such as the manufacturing sector: Cybersecurity Framework Version 1.1 Manufacturing Profile (nist.gov)
Watch
Watch the video below to learn about the NIST framework:
Watch the video below to learn about the ISO 27001 framework:
Case Study
Creating Cyber Security Training Using the NIST Framework
You are a cyber security manager at ACE Pty Ltd, a manufacturing company. You are using the NIST framework. To deliver the NIST protect function, you plan to roll out the subcategory ‘awareness and training’.
You note the following subcategories in the awareness and training subcategory:
- All users are informed and trained.
- Privileged users understand their roles/responsibilities.
- Third-party companies the business works with understand their roles.
- Senior executives understand their roles
Reviewing the NIST framework, you find that there are various informative references to describe who should implement awareness and training. Focusing on point 1 you find references, including:
- CIS (Centre for Internet Security) CSC (Critical Security Control) 17
- COBIT (Control Objectives for Information Technologies) 5 – APO07.03, BAI05.07
- ISO/IEC 27001:2013 A.8.2.2, A.12.2.1
- NIST SP 800-53 Rev. 4 – AT-2, PM-13.
These are all varieties of cyber securities frameworks. Reviewing the references, you find the following requirements for ensuring all users are informed and trained:
CIS There are 20 items in the CIS framework. Point 17 requires a skill gap analysis that is followed by training in cyber threats to close gaps in comprehension.
COBIT This requires sustained training to ensure that new staff are informed, existing staff have key cyber security principles enforced, and stakeholders are committed to cyber security. Staff gaps in comprehension are identified and closed relevant to the business operation.
ISO/IEC All staff, contractors and third parties, as needed, shall receive cyber security awareness training.
NIST Physical and technical training is to be provided on cyber threats, with practical exercises provided. Threats examined come from external agents and from staff behaviour. Who receives training, and when is it to be recorded.
As a next step, you review the training requirements and decide that:
- A new assessment of ACE’s cyber security vulnerabilities is required, with the most damaging threats classified as high priority.
- The assessment is to be followed by a gap analysis of staff in their cyber security readiness to deal with identified threats.
- Training is to be prioritised to meet gaps in staff comprehension of the highest-priority cyber security threat. Contractors and third parties should be trained if they interact with the business in areas where gaps exist. Training is to be contextual to how ACE operates.
- Training is to be recorded and ongoing to appraise new staff, enforce cyber-safe behaviours with existing staff and keep cyber security visible to stakeholders.
These requirements satisfy the protect function: awareness and training, point 1.
Cyber security frameworks such as the NIST provide a holistic approach to cyber security management and identify tasks while leaving the specific action to be selected by the business.
Activity 1
Within holistic cyber security frameworks, the creation of applicable cyber security policy and procedures is identified as an early requirement when securing a business. This process creates the governance on which all subsequent activities rely – cyber security is delivered within approved policy-based guidelines. In reputable cyber security frameworks, this is addressed in similar ways:
- The NIST framework specifies to create of ‘policies, procedures, and processes to manage and monitor the organisation’s regulatory, legal, risk, environmental, and operational requirements’.Furthermore, business management is engaged to understand the cyber security risks the policy responds too (see identify rule ID.GV-1).
- The COBIT 5 framework describes policy creation as governance approved by stakeholders that provide controls for the management of data and a compliance environment that sets operational boundaries: prohibited and allowed workplace behaviour.
- The ISO 27001:2013 framework notes management-approved policy that sets a business’s ‘security objectives’ needs to be in place and regularly accessed/improved.
Cyber security would seem at first to be the practice of technologists closing gaps in software, segmenting systems, and patching network/user and system digital devices. If this were the case, there would be no need for cyber security policy as IT departments would remove/adapt the digital environment to be safe. However, no matter how much technical activity is undertaken to secure computer systems, there remains a human factor: the users of computer systems. If a password and username to a high-value system are identified by cybercriminals, the technology protecting the system is breached.
Cyber security policy is fundamental to building cyber security frameworks. Policy exists to ensure the:
- confidentiality of data
- integrity of data
- availability of systems.
These three points comprise the acronym CIA: confidentiality, integrity, and availability. CIA is a well-known concept in cyber security and is often used to simply and clearly express what cyber security policy aims to deliver.
While a focus of policy is managing user behaviour, policy will also exist to ensure the management and design of digital systems themselves are cyber secure, for example, policy on:
- developing/implementing cyber-safe systems and software
- monitoring cyber activity for cybercrime
- improving cyber security protocols
- reporting of suspicious behaviour.
Cyber security policy in a business covers all aspects of how the environment is designed, built, used, monitored and secured. A business cannot be secure if work practices are cyber safe but the business software that is being used is not patched to close known gaps in the software.
Typical Cyber Security Business Policy
Typical cyber security policy within a business includes:
Cyber Security Risk Assessment Policy
Cyber Security Risk Assessment policy allows prioritising of cyber security risks across a business, using a model to identify typically low-, medium- and high-priority impacts from cyber security breaches. The policy describes the action to be taken for each priority in the event of a breach; and prioritises areas by identifying gaps in cyber security, and assessing the potential impact.
Access Policy
Access policy details how users and external parties (users/computers) gain authenticated access to a business’s IT platform. The policy includes requirements for:
- using MFA or dual-factor authentication (such as requiring two forms of authentication rather than more than two, which is multifactor)
- connecting externally, such as using virtual private networks (VPNs), which encrypt data between the user and the business so the data cannot be intercepted and read by a hacker
- ensuring staff access data only as needed for business purposes.
Password Policy
A password policy identifies rules that must be followed in the creation of passwords. These rules are maintained by cyber security administrators to ensure all passwords are, for example:
- changed every three months
- contain capital letters, numbers and special characters (such as ! or %)
- do not contain common names.
In effect, users have these rules automatically enforced. Some rules, such as users cannot share accounts/ passwords with other staff, rely on staff following business policy.
Consequently, regular refresher training and auditing of workplace behaviours is needed to support compliance.
Case Study
Password Formula
You are a Software Developer in the IT team you have been tasked with evaluating the strength of passwords used by employees. The head of IT, has assigned you a task that involves interpreting mathematical data related to password strength and conducting basic calculations.
Designing the Password Complexity Formula:
You need to create a simple formula to calculate password complexity. The formula should consider the following factors:
- Length of the password (multiplied by 2).
- Number of special characters (multiplied by 3).
- Number of uppercase letters (multiplied by 2).
Formula:
Password Complexity=
(Length×2)+(Number of Special Characters×3)+(Number of Uppercase Letters×2)
Example Calculation for "Secur3PwD!":
Apply the formula to the password "Secur3PwD!" as an example:
- Length: 10 characters
- Number of Special Characters: 1 (!)
- Number of Uppercase Letters: 3 (S, P, D)
Complexity=(10×2)+(1×3)+(3×2) Complexity=20+3+6=29
Password Evaluation:
Now, You can evaluate the password based on the calculated complexity.
Password: "Secur3PwD!"
Complexity: 29
Conclusion:
The password "Secur3PwD!" has a complexity of 29. This evaluation considers factors like length, special characters, and a mix of uppercase and lowercase letters.
Cyber Security Monitoring Policy
Not all cyber security policy applies to all staff. A cyber security monitoring policy is designed to list regular tasks (such as vulnerability scanning) that a business’s cyber security is to perform. Furthermore, this policy will note how senior management are to be kept informed of monitored outcomes.
Cyber Incident Response Policy
Applicable to a business’s management and cyber security personnel, the responses to a cyber threat or attack are described in sufficient detail to allow a business to move rapidly to respond/secure its IT space. The severity of a threat ranges from minor to major. A threat may have the potential to damage a business’s IT – ranging from ‘low chance to occur’ to ‘will occur’ – and may result in minor damage or a major impact if the cyber attack is successful. Using a CSRA matrix (see ‘Prioritising Risks’ in section 1.1 for more on CSRA matrices) with the cyber incident response policy will identify cyber threats to be prioritised.
Asset and Usage Policy
For digital assets such as PCs, mobile phones and other digital devices (such as connected Internet of Things (IoT) devices, e.g. intelligent whiteboards), the following need to be identified:
- the unit type and software
- who has control of the device in the business
- how the device is to be used.
An asset and usage policy will specify operational requirements and prohibitions, such as users may not browse internet websites not required by their role, or mobile phones cannot use public Wi-Fi when connecting to the business network.
A digital device registry (typically required by cyber security frameworks and can be as simple as a spreadsheet) should be included as a requirement in the asset and usage policy. The policy should require that updates of new and expired devices be regularly performed. A device registry allows for:
- ‘whitelisting’, which is using the unique MAC (media access control) addresses of the devices in the registry to facilitate access and provide access security
- ensuring retired devices have all business data and access information removed before disposal.
Tip
Unique to a device, a MAC address is a series of hexadecimal numbers used to identify the device, for example, A8:54:89:89:9F:90.
‘Whitelisting’ means adding the MAC address into a firewall – which is a network device that allows external access to a business’s systems – to allow access. Any MAC address not in the whitelist will not be allowed access to the business’s network.
Social Media Policy
Social media policy may be included within usage policy. However, such is the potential for malware to infect users of social media, a business may choose to create a separate policy addressing cyber safe behaviour when using social media.
Users without a specific business need to access social media should be prohibited from accessing portals such as Facebook and Instagram.
Note - Communication of Cyber Security Requirements
Effective business cyber security policy integrates cyber security personnel with management to ensure cyber security decisions are informed by the needs of the business. Furthermore, staff must be kept updated on the nature of discovered threats so they either adjust their workflow to a cyber safe process or adjust to allow for changes in the applications/ systems they use.
Cyber security adapts and requires change in a business’s processes and/or technology. While some threats require rapid response, key personnel and management need to be engaged with early. Management must assess cyber security recommendations and staff (and other users as applicable) to adapt to change. Cyber security policies, such as cyber incident response and monitoring policies, will address requirements to communicate with stakeholders on matters of cyber security.
Creating Cyber Security Policy
Any business that makes use of a cyber security framework will have policy that describes all the cyber security attributes, mechanisms, tasks, prohibitions and obligations expected. While extensive, policy must be:
- concise
- clear
- simple to interpret and easy to comply with
- relevant to the business
- backed by management
Example
The South Australian Government has a cyber security framework that relies on 21 short policy statements that cover the expectations of cyber safe workplace behaviours, including technical vulnerability management and reporting.
A single document, the policy relies on senior management ultimately being responsible for cyber security (the South Australian Government cabinet of ministers).
A cyber security program coordinator is responsible for:
- identifying threats and managing escalation
- monitoring cyber threats
- informing management of cyber security incidents
- coordinating changes to improve cyber security
- ensuring cyber security operational tasks are conducted
- providing guidance on implementing cyber security policies, procedures and other operational documents.
Relevant to SA Government operations, the 21 policy statements, which are clear and easy to comprehend, are backed by senior government, and importantly, the roles and communication requirements are clearly identified.
Activity 2
While cyber security policy is designed to protect a business and is a core requirement of a cyber security framework, effective cyber security is a government mandated compliance requirement.
Australian Governments (federal/state and territory) require Australian businesses to comply with Acts of Parliament regarding cyber security requirements. Federal Government legislation compliance requirements aim to regulate confidentiality, data integrity and accessibility. When a business does not meet these requirements, it faces financial penalties, and directors who fail in their security duties of directorship face jail time.
In Australia, businesses need to comply with regulations relating to:
- data privacy (such as securing the private information of individuals)
- data security (to ensure that Australian businesses are resilient, and services are maintained if a cyber attack occurs).
Federal Regulations
Compliance regulations depend on the scale of the business and its type of operation. There are two federal cyber security regulations in Australia:
- regulations requiring protection of personal data (required by the Privacy Act 1988)
- regulations impacting businesses classified as essential services, which must meet higher expectations of compliance than regular business operations (required by the Security Legislation Amendment (Critical Infrastructure) Bill 2021 – referred to as ‘SLAC’).
Other federal acts with requirements for data management exist (such as the My Health Records Act 2012 and Electronic Transactions Act 1999). However, these acts rely on the Privacy Act 1988 for enforcement. The Privacy Act provides complete coverage of data management requirements, whereas other acts provide specificity on types or records (such as health records). For Australian businesses, compliance with the Privacy Act ensures compliance with all other data compliance acts.
Reading
Visit the links below to access the federal data management acts:
The following table identifies the types of businesses that are required to comply with the Privacy Act and SLAC Act, and what the compliance requirements are.
Business Type | Compliance Requirements |
---|---|
Essential services |
SLAC Regulations There are 11 classes of essential services in Australia covered by the Security Legislation Amendment (Critical Infrastructure) Bill (Cth). The bill was amended in 2021 from an original four classes. If you are a business providing significant national service delivery in any of the following sectors, you are required to create a register of all critical assets (including digital) and report any cyber penetration attempts to the ACSC:
A further requirement to create extensive disaster recovery plans with the ACSC is being considered. Of note, the SLAC Act allows the Federal Government to take over a business operation if it is in the national interest and speeds up recovery of services. These businesses are called 'systems of national significance' (SoNS). Data Privacy (Privacy Act) Drafted in 1988, the Privacy Acy relies on 13 privacy principles that describe how personal data is to be collected and stored. Originally applicable only to government agencies, the act was extended in 2000 to apply to private businesses as well. The privacy principles, called 'Australian Privacy Principles' (APPs), detail the conditions for applicable businesses to collect, handle, store and dispose of personal records and the information the records contain |
Government agencies | Government agencies must comply with the Privacy Act. This includes all federal departments and institutions. State and territory health facilities such as hospitals are also covered by the act. |
Finance sector |
Businesses operating in the finance sector must comply with the Privacy Act. There are specific regulatory bodies in the finance industry, such as the Australian Transaction Reports and Analysis Centre (AUSTRAC), the Australian Securities and Investment Commission (ASIC) and the Australian Prudential Regulation Authority (APRA). APRA requires mandatory information security under APRA regulation CPS 234. APRA members, such as finance businesses (e.g. banks, insurance companies and private health insurance companies), must comply. There are 11 requirements to secure against, monitor and report on cyber security breaches. In cases of non-compliance, APRA may consider deregulating members. ASIC and AUSTRAC have voluntary codes of practice and are considering creating compliance requirements. |
Private health sector |
The private health sector must comply with the Privacy Act. There are specific acts that pertain to health records, such as the My Health Records Act 2012 (Cth), that require the protection and confidentiality of an individual's health records. Like all Australian regulations that relate to data privacy, the power to fine and investigate non-compliance with the My Health Records Act is based on the powers provided by the Privacy Act 1988. |
Service providers to government |
Service providers to government must comply with the Privacy Act. |
Businesses earning over $3 million per annum |
All businesses earning over $3 million per annum must comply with the Privacy Act. |
Reading
Visit the link for an overview of the 13 APPs: Australian Privacy Principles quick reference | OAIC
Visit the link for detailed coverage of the 13 APPs: Australian Privacy Principles guidelines (oaic.gov.au)
National Data Breaches Amendment
In 2017, an amendment was made to the Privacy Act to require the reporting of data breaches, such as when breaches occur due to a successful cyber-attack. The amendment is called the Privacy Amendment (National Data Breaches [NDB]) Act 2017. Businesses must comply with the NDB scheme if they have turnovers of more than $3 million, operate in the finance industry or private health services sector, or are contracted to work for government. Essential services that comply with the SLAC Act must also comply with the NDB.
The NDB requires that, in the event of a data breach that may cause significant harm to an individual, the business must notify the individuals affected and inform the Office of the Australian Information Commissioner of the breach. Notifications are to include:
- the name of the organisation that experienced the breach
- a description of the breach and what data was exposed
- what individuals should do as a result
A ‘data breach’ is defined by the NDB scheme as the physical loss or theft of data, or the loss or theft of data because of a cyber-attack.
State and Territory Regulations
State and Territory governments have their own privacy policies that apply to in their jurisdictions. A complex subject, the relationship of federal to state/territory regulations can be roughly summarised as federal regulations are:
- Complimentary where the regulations are compatible to state/territory regulations
- where there is a contradiction between the jurisdictions, the states and territories take precedence.
In the case of the SLAC Act, states and territories looked to provide input to the drafting of the act rather than create additional local regulations.
See blow specific privacy acts in the states and territories:
South Australia and Western Australia rely on the federal Privacy Act.
The various state and territory acts, like the federal Privacy Act, require compliance with the management of personal data, and apply to digital data. Each regional act relies on varied privacy principles from the federal Privacy Act. For example, Victoria has 10 privacy principles rather than 13. The Australian Capital Territory rely on 13 principles, like the federal act, but the ACT’s act notes that there are textual variations with the federal Privacy Act.
Tip
Compliance With Cyber Security and Personal Records in Australia
Depending on the location a business operates in, the business may be required to comply with federal and state/territory regulations.
In the ACT, NT, NSW, Queensland and Victoria, only government agencies are required to comply with the regional privacy acts. However, private businesses that meet the criteria of the Federal Government’s Privacy Act (such as earning more than $3 million or being in the finance business) are expected to comply with the federal act. In Tasmania, private individuals and businesses have compliance obligations under the state act as well. Note too that businesses dealing with state or territory governments may be required to comply with regional privacy laws.
Compliance regulation in Australia can be complex. When addressing cyber security requirements in Australia, businesses should:
- Evaluate and comply with federal compliance requirements.
- Evaluate and comply with state/territory compliance requirements in all locations in which the business operates.
Case Study
ASIC’s Cyber Security Breach
In December 2020, ASIC had its cyber security boundary breached, and a sever containing sensitive data was accessed. The server contained credit licence applications.
The breach occurred in a file transfer program (called Accellion) used by ASIC. Once the breach was identified, Accellion released a patch to close the breach three days after the reported incident.
As a result of this breach, ASIC was required to comply with the NDB scheme. In response to the incident, ASIC has:
- disabled the relevant server;
- ascertained that no other ASIC information technology (IT) infrastructure is impacted;
- provided alternative arrangements for submitting attachments;
- written to all identified credit licence applicants (via the contact email address nominated by the applicant) to advise and update them about the incident;
- assessed the incident in accordance with our obligations under the Privacy Act 1988;
- informed relevant authorities; and
- engaged independent cybersecurity experts to complete a forensic investigation.
International Legislation Requirements
Australian businesses that trade with overseas clients are required to also comply with applicable overseas data protection regulations to protect the data of the other country’s citizens. If an Australian business has sales from clients outside Australia (using a credit card, PayPal or other banking method), the resident country may have data privacy regulations that are expected to be complied with. For example, the General Data Protection Regulation (GDPR) is the data privacy convention adopted in the European Union.
Watch
Watch the video below for a quick summary of the NDB scheme: