The document discusses the rise of regulatory compliance requirements for organizations, especially regarding information technology (IT). It notes that regulation differs by industry and jurisdiction, and that both Australia and the US have increased regulation in response to corporate scandals. IT now plays a major role in meeting compliance rules relating to areas like financial reporting, risk management, privacy, and records retention. Chief information officers must ensure IT systems support compliance requirements and internal controls.

1. Forces for regulatory change –examining the rise of the compliance colossus Anthony Wong ICT Counsel, Aequitas Attorneys LLB, LLM (Technology), BSc (Computer Science), MACS email: [email_address] This presentation is intended to provide a summary of the subject matter covered. It does not purport to render legal advice. Professional advice should be sought before applying the information to specific circumstances. Opening Presentation IntegrIT 2005 26 May 2005

5. Set of Governance Principles for federal government agencies created by the Information Management Strategy Committee (IMSC) supported by the CIO Committee (CIOC) Australian Government Use of Information and Communications Technology: A New Governance and Investment Framework report Implemented by Australia as a member of OECD OECD Corporate Governance Principles 2004 Compliance Programs AS 3806 Corporate Governance of ICT AS 8015 Corporate Governance Standards Set AS 8000 Scope Standards & Principles

30. Protection of Electronic Information From Unauthorised Access From Unauthorised Use & Disclosure From Interception From Piracy & Copying From Unauthorised Modification (alteration, deletion or addition)

31. Impact of the Misuse of Electronically Stored Information Has a range of consequences that depends on the sensitivity and nature of the information

32. Protection of Electronic Information Using Privacy Laws Using Technical & Physical Means Using Common Law Using Copyright & Other IP Legislation Using Spam & Cybercrime Laws

33. Protection of Electronic Information Using Technical & Physical Means IT Governance Compliance & Risk Management

34. Guidance to Australian Government agencies on protecting their information systems Australian Communications Electronic Security Instruction 33 by the Defence Signals Directorate Commonwealth protective security policies, principles, standards and procedures Protective Security Manual issued by the Attorney-General's Department Information Security Management Information security risk management guidelines AS 7799 HB231 Guidelines for the management of IT Security AS ISO/IEC 13335 Code of practice for information security management AS/NZS ISO/IEC 17799 Scope Security Management Standards (not exhaustive)

35. Protection of Electronic Information Using Privacy Laws IT Governance Compliance & Risk Management

39. Other Privacy laws including: Applies personal privacy to the public sector in NSW Privacy and Personal Information Act 1998 (NSW) Where telecommunications service providers are required to maintain confidentiality ( eg. ISPs in relation to internet logs of access to websites and time of access, copy of web contents accessed) where disclosure may be permitted with a subpoena Telecommunications Act 1991 (Fed) – Part 13 Protects privacy by prohibiting interception of communications passing over telecommunications systems. Interception may be permitted under warrant issued to eg. Police and ASIO Telecommunications (Interception) Act 1979 (Fed)

40. Other Privacy laws including: Regulates data matching between particular Federal departments eg. Tax Office and Social Security Data-Matching Program (Assistance and Tax) Act 1990 (Fed) Governs the handling of health information in both the public and private sectors in NSW including hospitals doctors, and other health care organisations Health Records and Information Privacy Act 2002 (NSW) Covers privacy of personal information collected from Health Medicare claims and Pharmaceutical benefits National Health Act 1953 (Fed)

42. Industry Privacy Codes: Protects customer privacy by contract as adjunct to the banker-customer relationship Code of Banking Practice Applicable to privacy, security, loss and misuse of smart cards Asia Pacific Smart Card Industry ATM, EFTPOS, telephone or internet banking, credit card, stored value smart cards Electronic Funds Transfer For participants in Direct Marketing Australian Direct Marketing Association Provisions Code of Conduct

48. Thank you Anthony Wong ICT Counsel Aequitas Attorneys