Cyber security has become increasingly important for companies and Boards, and this year cyber represents two of the top five risks in the World Economic Forum’s Global Risks Report. Australia has responded to this increasing concern, in part, by moving from a voluntary to a mandatory breach notification regime. The guidance to the updated regulations provides examples that now unambiguously link data disclosure to financial, physical, psychological and emotional harm.
Our ever-increasing reliance on bio-mechanics, automation, artificial intelligence and the Internet of Things has also led to greater awareness of the impact that accidental or malicious cyber events could have on safety critical systems and on the economies and people that rely on them.
LEARNING OUTCOMES
• Why has cyber security become relevant for the OHS professional? How is “cyber security” relevant to “health and safety”?
• We now have to tell: privacy and mandatory breach reporting
• What are the other regulations and requirements (in Australia)?
• What is contemporary practice, focusing on safety critical systems?
• What specialist advice do I need, and where can I get it?
All webinars will be recorded and distributed to registered attendees 3-4 days after the event.
SPEAKER
Ajoy has 20+ years’ experience in cyber security. After graduating as a Computer Engineer, he spent a number of years in various capacities in law enforcement, banking, consultancy and government, and recently completed his tenure as the interim (and founding) CISO of Insurance and Care NSW, or icare.
Ajoy is the author of Standards Australia’s Handbook 171 Guidelines on the Management of IT Evidence and co-author of Handbook 231 Information Security Risk Management Guidelines (now ISO 27005). He advises a number of industry and government committees on cyber security and lectures in cybercrime, computer evidence and cyber warfare to post-graduate law and international studies students.
Ajoy is an accredited assessor, under the Australian Signals Directorate’s Infosec Registered Assessor Program (IRAP), a Certified Information Security Systems Practitioner (CISSP), a Certified Information Systems Auditor (CISA), an Australian Computer Society Certified Professional (ACS-CP) and a Graduate of the Australian Institute of Company Directors (GAICD).
In 2016 Ajoy was appointed by the Governor of NSW to the Board of St John Ambulance, serving the homes, workplaces and public gatherings of NSW.
2. acs.org.au
The OHS Professional and Cyber Security
A webinar for the Safety Institute of Australia
Ajoy Ghosh
Alcheme Pty Ltd
ajoy@alcheme.com.au
Why I’ve been asked to present
• Until recently, the interim CISO at Insurance & Care NSW or “icare”
• Lecture in cyberlaw, electronic evidence and computer forensics at Australian and international law schools
• Australian and international standards:
• On Standards Australia committee that oversees IT security, previously also on committee overseeing IT Governance standards
• Author of Australian handbook on Management of IT Evidence (now part of ISO 27037) and co-author of Australian standard on Information Security Risk Management (now ISO 27005)
• Contributor to and reviewer of ISO 38500 Corporate Governance of Information Technology
• Expert witness:
• Complex technical crimes: hacking, cyber stalking, cyber bullying, child pornography, fraud and forgery, circumvention, white collar and corporate crimes
• Politically sensitive and high profile e.g. Sef Gonzales, James Hardie, Sydney terrorism trials, Simon Gittany
• Advisor to Government and industry:
• IRAP Assessor
• ACS Cyber Security technical committee
HB171: Guidelines for the Management of IT Evidence (above)
HB231: Guidelines for Information Security Risk Management (below)
World Economic Forum – Global Risks Report
• Cybersecurity risks are also growing, both in their prevalence and in their disruptive potential. Attacks against businesses have almost doubled in five years, and incidents that would once have been considered extraordinary are becoming more and more commonplace.
• Another growing trend is the use of cyberattacks to target critical infrastructure and strategic industrial sectors, raising fears that, in a worst-case scenario, attackers could trigger a breakdown in the systems that keep societies functioning.
http://reports.weforum.org/global-risks-2018/
WEF Global Risks (cont)
• In this year’s report, cyber risks are prominent:
  • Cyber attacks are likely, with higher than average impact
  • Data fraud/theft is likely, with less than average impact
  • Critical infrastructure breakdown (caused by accident or cyber attack) is less likely, with average impact
In Australia
Australian Institute of Company Directors
Director’s Sentiment Index
• Survey of Directors on Australian Boards
• Conducted each half year
[Chart: Director’s Sentiment Index, first half 2017 vs first half 2018. Cybercrime and data is a growing concern; compliance and reputation continue to concern.]
https://aicd.companydirectors.com.au/advocacy/research
Harm
Cyber security incidents can cause harm in a number of ways, such as:
• A software “glitch” causing an accident in an automated or autonomous system, such as a car or heavy machinery
• Hacking into a control system and causing a machine to have an accident or do something dangerous, such as overheating and catching on fire
• Disclosure of personal and health data, which is then used to cause financial, emotional and even physical harm
• Cyber bullying and harassment in the workplace or of workers
Some Australian examples:
• In 2000, Vitek Boden “hacked” into his former employer’s network, causing raw sewage to spill and contaminate a large area, including the grounds of the Marriott hotel
• In 2003, accidental changes to the software of a food manufacturer caused excessive iron to be added to a breakfast cereal; the line was closed for one month
• In 2014, a former IT worker hacked into a mine site network to copy some code, in the process stopping a telemetry system, which caused a drilling rig to suddenly turn, just missing a worker
• In 2016, a computer virus caused the building management system of a shopping centre to shut down, trapping an elderly person in a lift, where they suffered a heart attack
OAIC Mandatory Breaches
• 63 breaches reported in Q1 2018
• Only 6 weeks since the scheme started on 22 February
https://www.oaic.gov.au/resources/privacy-law/privacy-act/notifiable-data-breaches-scheme/quarterly-statistics/Notifiable_Data_Breaches_Quarterly_Statistics_Report_January_2018__March_.pdf
Obligations
[Diagram: sources of obligations on the COMPANY and WORKPLACE, including CRITICAL INFRASTRUCTURE; some obligations are EXTRA-TERRITORIAL]
GOOD PRACTICE
INTERNATIONAL STANDARDS
• ISO 38500
• ISO 31000
• ISO 27001/2
NIST
• Cyber security framework
• Others
PAYMENTS
SUPPLY CHAIN
CRITICAL INFRASTRUCTURE & INDUSTRY
• Security of Critical Infrastructure (Home Affairs)
• Sector-specific, e.g. Telecommunications, Mines, Health, etc
FUNDING and GRANTS
• Contractual obligations
INDUSTRY PRACTICE
• IEC 61508, etc
• Sector-specific
PRIVACY
• EU General Directive on Privacy Regulation
SECURITY LAW
• Allow access to data and communications
• Allow step-in to provide service
AUSTRALIAN LAW
• Privacy (OAIC)
• Crime and evidence (AGD)
• Company (ASIC)
• Consumer Law (ACCC)
• Human rights/Discrimination/Vilification (AHRC)
NSW LAW
• Privacy & Health records
• Fair trading
• Work health and safety
• Workplace surveillance
• Crime and evidence
PRACTICE
• ASX Cyber health check
Security of Critical Infrastructure
1. Register of Critical Infrastructure Assets
  • owners and operators of relevant critical infrastructure assets will have six months from 11 July 2018 to register ownership and operational information on the register
2. Information gathering power
  • power to obtain more detailed information from owners and operators of assets
3. Ministerial directions
  • direct an owner or operator of critical infrastructure to do, or not do, a specified thing to mitigate against a national security risk
• Risk assessments in consultation with State governments:
  • company’s security policies, i.e. data security and physical security
  • security audits undertaken by a company
  • emergency management plans
  • redundancies
  • offshoring and outsourcing of operations
  • existing regulatory regimes and controls
• Risk assessments support foreign investment assessments by The Treasury and the Foreign Investment Review Board (FIRB)
PRIVACY
Why has privacy become so important?
• Unlike most wrongdoing, Australian companies are now obligated to tell whenever they become compromised
  • Notifiable Data Breach, 22 February 2018
  • Turnover >$3m annually
• Community has become hyper-aware due to pervasiveness, familiarity and the media frenzy over (alleged) data breaches
  • Recent examples include Equifax, Uber, Facebook, Grindr, etc
• Overseas regimes have large fines and even jail
  • Australian Privacy Commissioner: $10k and power to compel action (usually the more expensive)
  • EU: up to €20m or 4% of annual turnover
  • China Cybersecurity Law for “important data” to/from China
State Laws are similar but different
e.g. NSW Privacy Laws
• 2 laws:
  • Privacy and Personal Information Protection Act
  • Health Records and Information Privacy Act
• Similar to the Australian Privacy Act, with some differences. Key ones are:
  • NSW public sector agencies are required to comply and are exempted from the Australian Act
  • Covers government schools and the Department of Education
  • Other entities are also required to comply (e.g. health service providers), but are not exempted from the Australian Act
  • Allows sharing with other NSW agencies, as long as certain conditions are met
  • NSW Privacy Commissioner responsible
  • Reporting of “incidents” to the NSW Privacy Commissioner
  • Requirement to keep health records in NSW, with limited exemptions
Personal information
• Information or an opinion about an identified individual, or an individual who is reasonably identifiable:
  • whether the information or opinion is true or not; and
  • whether the information or opinion is recorded in a material form or not.
• Personal Information: such as a person’s name, address, financial information, marital status or billing details.
• Sensitive Information: includes information with respect to an individual’s racial or ethnic origin; political opinions; membership of a political association; religious beliefs or affiliations; philosophical beliefs; membership of a professional or trade association; membership of a trade union; sexual preferences or practices; criminal record, as well as health and genetic information.
• Health Information: any information collected about an individual’s health or disability and any information collected in relation to a health service that is provided. It includes such things as notes of symptoms, diagnosis or treatments, doctor’s reports, appointment times and prescriptions.
• According to the OAIC: a person’s name, signature, home address, email address, telephone number, date of birth, medical records, bank account details and employment details will generally constitute personal information (OAIC Guide – What is personal information)
Australian Privacy Principles
1. Open and transparent management of personal information
2. Anonymity and pseudonymity
3. Collection of solicited personal information
4. Dealing with unsolicited personal information
5. Notification of the collection of personal information
6. Use or disclosure of personal information
7. Direct marketing
8. Cross-border disclosure of personal information
9. Adoption, use or disclosure of government related identifiers
10. Quality of personal information
11. Security of personal information
12. Access to personal information
13. Correction of personal information
Consider safe disclosure and use of data for analytics
[Diagram: the Five Safes – safe people, safe project, safe setting, safe data (input), safe output]
• The UK Five Safes model has been adopted by Australia’s National Statistical Service
• Also to be used for risk management of shared Commonwealth data
• This makes it a reasonable choice as a benchmark model
• ACS Data Sharing Framework:
  • Non-Personal Data
  • Services Based on Highly Aggregated Data
  • Lightly Aggregated Data
  • Personally Identifiable Data
https://www.acs.org.au/insightsandpublications/publications.html
APP 11 - Security
• Reasonable steps:
  1. governance, culture and training
  2. internal practices, procedures and systems
  3. ICT security
  4. access security
  5. third party providers (including cloud computing)
  6. data breaches
  7. physical security
  8. destruction and de-identification
  9. standards
https://www.oaic.gov.au/agencies-and-organisations/guides/guide-to-securing-personal-information
OAIC Guide to Securing Personal Information
• The guide says:
  • This guide is not legally binding. However, the Office of the Australian Information Commissioner (OAIC) will refer to this guide when undertaking its Privacy Act functions, including when investigating whether an entity has complied with its personal information security obligations or when undertaking an assessment
• In essence, it is the measure used by the OAIC when assessing whether “reasonable measures” have been put in place (or not)
• About 70 checklist-style questions, including a checklist for cloud. Some key ones:
  • Policies and staff awareness
  • Human error
  • Certification against international security standards, such as the ISO 27000 group, i.e. ISO 27001 and 27002
  • Latest versions of software and applications; patch and security updates
  • Effective encryption, including backups
  • Whitelist/blacklist harmful material
  • Testing – security, recovery and breach response
  • Authentication, access and audit logs
  • Supply chain (third party suppliers)
  • Destruction and de-identification
  • Securing email
  • Physical access
Australian Government clouds
• Australian Signals Directorate Certified Cloud Services List
  • The government’s experts have reviewed and approved these services
  • Reasonable for you to also use them
• Most commercial/consumer services are at the Unclassified DLM level
  • Allows for storage of personal and health data
• ~930 security items:
  • Some process and some technical configuration
  • Some things for the provider
  • Some things for the customer
www.asd.gov.au/infosec/cloudsecurity.htm
Notifiable Data Breach
• Eligible Data Breach:
  • there is unauthorised access to, or disclosure of, or a loss of personal information
  • this is likely to result in serious harm to one or more individuals
  • the entity has not been able to prevent the likely risk of serious harm with remedial action
• Serious harm may include serious physical, psychological, emotional, financial, or reputational harm
• Some types of information increase the risk of serious harm:
  • sensitive information
  • documents commonly used for identity fraud, including Medicare card, driver licence, and passport details
  • financial information
  • a combination of types of personal information
• Promptly notify:
  • Individuals at likely risk of harm:
    • All individuals
    • Only those individuals at risk of serious harm
    • Publish notification
  • Privacy Commissioner:
    • Use OAIC website or specific form
    • Must include:
      • the identity and contact details of the organisation
      • a description of the data breach
      • the kinds of information concerned; and
      • recommendations about the steps individuals should take in response to the data breach
Data breach preparation and response
• Data Breach Response Plan:
  • A clear explanation of what constitutes a data breach
  • A strategy for containing, assessing and managing data breaches
  • The roles and responsibilities of staff
  • Documentation
  • Review
• Breach response team:
  • Team leader: leads the response team and reports to senior management
  • Project manager: coordinates the team and provides support
  • Senior member with overall accountability for privacy: brings privacy expertise to the team
  • Legal: identifies obligations and provides advice
  • Risk management: assesses the risks from the breach
  • ICT support/forensics: helps establish the cause and impact of a data breach that involved ICT systems
  • Records management: reviews security and monitoring controls (e.g. access, authentication, encryption, audit logs) and provides advice on recording the response
  • HR: if the breach was due to the actions of a staff member
  • Media/communications expertise: communicates with affected individuals and deals with the media and external stakeholders
https://www.oaic.gov.au/agencies-and-organisations/guides/data-breach-preparation-and-response#part-2-preparing-a-data-breach-response-plan
Be aware of special cases in your industry
e.g. records retention, including in the cloud
• Child safety = 45 years
• Other examples:
  • Dust, e.g. asbestos, coal, silica = patient aged 100 yrs, or 25 yrs
  • Radiation = patient aged 75 yrs, or 15 yrs since last radiated