Cyber security has become increasingly important for companies and Boards, and this year cyber represents two of the top five risks in the World Economic Forum’s Global Risks Report. Australia has responded to this increasing concern, in part, by moving from a voluntary to a mandatory breach notification regime. The guidance to the updated regulations provides examples that now unambiguously link data disclosure to financial, physical, psychological and emotional harm.
Our ever increasing reliance on bio-mechanics, automation, artificial intelligence and the Internet of Things has also led to greater awareness of the impact that accidental or malicious cyber events could have on safety critical systems and the economies and people that rely on them.
LEARNING OUTCOMES
Why has cyber security become relevant for the OHS professional? How is “cyber security” relevant to “health and safety”?
We now have to tell: privacy and mandatory breach reporting
What are the other regulations and requirements (in Australia)?
What is contemporary practice, focusing on safety critical systems?
What specialist advice do I need and where can I get it?
All webinars will be recorded and distributed to registered attendees 3-4 days after the event.
SPEAKER
Ajoy has 20+ years’ experience in cyber security. After graduating as a Computer Engineer, he spent a number of years in various capacities in law enforcement, banking, consultancy and government, and recently completed his tenure as the interim (and founding) CISO of Insurance and Care NSW, or icare.
Ajoy is the author of Standard Australia’s Handbook 171 Guidelines on the Management of IT Evidence and co-author of Handbook 231 Information Security Risk Management Guidelines (now ISO 27005). He advises a number of industry and government committees on cyber security and lectures in cybercrime, computer evidence and cyber warfare to post-graduate law and international studies students.
Ajoy is an accredited assessor under the Australian Signals Directorate’s Infosec Registered Assessor Program (IRAP), a Certified Information Systems Security Professional (CISSP), a Certified Information Systems Auditor (CISA), an Australian Computer Society Certified Professional (ACS-CP) and a Graduate of the Australian Institute of Company Directors (GAICD).
In 2016 Ajoy was appointed by the Governor of NSW to the Board of St John Ambulance, serving the homes, workplaces and public gatherings of NSW.
Using international standards to improve EU cyber securityIT Governance Ltd
Cyber security expert Alan Calder takes you through the current cyber threat facing European organisations, the upcoming GDPR and NIS Directive, and how you can use international best practice to get your business cyber secure.
PECB Webinar: The End of Safe Harbour! What happens Next?PECB
The webinar covers:
• What is Safe Harbour, and how companies relied on it
• How the end of it will affect US firms
• What will happen next
• How companies will react
• The implications of this act
• What is the solution to this
Presenter:
This session was hosted by Mr. Graeme Parker, Managing Director of Parker Solutions Group, a PECB representative in the UK. Mr. Parker has more than 20 years of experience in information security and data privacy, and was also involved with many companies that relied on Safe Harbour.
Link of the recorded session published on YouTube: https://youtu.be/cbPUTVtxem0
Ipswitch and cordery on the road " All you need to know about GDPR but are t...Sébastien Roques
In October we organised an event in Amsterdam with our partner Scos and Jonathan Armstrong where we covered the changes on GDPR and challenges ahead for businesses.
Privacy & Pwnage: Privacy, Data Breaches and Lessons for Security ProsNicholas Van Exan
An overview of some contemporary topics related to privacy and data breaches, with a focus on how security professionals can help mitigate privacy risks both before and after data breaches occur.
GDPR compliance and information security: Reducing data breach risksIT Governance Ltd
This webinar illustrates:
- An overview of the GDPR
- How an ISO 27001-aligned ISMS can support GDPR compliance
- The top risks that result in data breaches
- The benefits of implementing an ISMS
- The technical and organisational requirements to achieve GDPR compliance
- How to improve your overall information security in line with the GDPR’s requirements
A recording of the webinar can be found here: https://www.youtube.com/watch?v=s7XQwBQ6JMg
Digital Forensics 101 – How is it used to protect an Organization’s Data?PECB
Digital forensics is the use of analytical and investigative techniques to identify, collect, examine and report on digital evidence or information. Digital evidence can provide valuable insights during investigations of theft of intellectual property involving multi-party collusion and the misappropriation of organizational assets and resources.
During this session participants will learn various methods of mitigating the “insider threats” to an organization’s digital data and methods of investigating digital evidence contained on computer and mobile systems during internal investigations.
Main points covered:
• Learn how to mitigate and investigate the theft of Intellectual Property from your company by adding digital forensic components into your Risk Management and Compliance programs.
• Learn and understand how Digital Forensics can augment your internal investigations.
• Learn where you and your organization fit into the Digital Forensic workflow, and when to call for help.
Presenter:
Our presenter for this webinar, Ryan Duquette is a seasoned digital forensic examiner with many years of experience in law enforcement and the private sector. He took his zest for “focusing on the facts” from his days in Law Enforcement and founded Hexigent Consulting, a firm focusing on digital investigations, cyber security consulting services and litigation support.
Ryan works closely with clients involved in workplace investigations and civil litigation matters including intellectual property theft, HR investigation and data breaches. During his days in Law Enforcement, he conducted digital investigations on a variety of criminal cases including homicide, child pornography, fraud, missing persons, and sexual assault cases.
He is a Sessional Lecturer at the University of Toronto teaching digital forensics, holds a Master of Science degree in Digital Forensics Management, and several digital forensics and fraud certifications.
Ryan is a Director for the Toronto chapter of the Association of Certified Fraud Examiners, has been qualified as an “expert witness” on numerous occasions, and is a frequent presenter at fraud, digital forensics, cybersecurity and investigative conferences worldwide.
Link of recorded webinar:
ISO/IEC 27001 vs. CCPA and NYC Shield Act: What Are the Similarities and Diff...PECB
The adoption of laws protecting the data of individuals and consumers is becoming a driving force to push organizations to revisit their security around client and personal data. In addition, with the rise of government legislated personal data protection laws such as GDPR, individuals in other jurisdictions are now looking for better personal data protection. In this presentation, we will examine two US laws as well as the ISO/IEC 27001 standard and we will look at commonalities and differences between these three and how data security is driven from each.
The webinar covered:
• An overview of the state of data security/privacy today
• Current trends driving adoption of stronger data protection standards/laws
• An overview of data protection in ISO/IEC 27001, CCPA, and the NYC Shield Act
• A comparison of ISO/IEC 27001, CCPA and the NYC Shield Act
• Lessons to be applied
Recorded webinar:
This document is a guide to the basic topics of cryptography and network security. It gives a detailed insight into classical encryption algorithms, with the step-by-step process clearly explained.
For more information visit https://www.brightpay.ie or https://www.thesaurus.ie
Given recent cyber-attacks, an updated security process is definitely required to protect the personal data that we manage. GDPR is not a new concept; it is simply a data protection process that is being upgraded to protect all individuals. Essentially, GDPR is an overhaul of the way we process, manage and store individuals’ personal data.
This webinar will uncover the ins and outs of the impact of GDPR on your payroll processing, highlighting the biggest areas of concern including emailing payslips, employee consent and your legal obligation.
We will walk you through some important steps to achieve GDPR compliance by examining the following topics:
Agenda
What does GDPR mean for your payroll processing?
- Understanding GDPR
- The contract between accountants & clients
- Template Data Processor Agreement
- Proof of compliance
- Securely storing employee data
Payslips & GDPR Compliance
- Employee consent
- Emailing payslips
- Recommended self-service access
Breaching GDPR
- Data breach plan of action
- Non-compliance and penalties
BrightPay & GDPR
- BrightPay Connect - online self-service portal
- Enhanced security measures
The GDPR and NIS Directive Risk-Based Security Measures and Incident Notifica...IT Governance Ltd
This PowerPoint covers:
-An overview of the regulatory landscape
-Subject matter, material and territorial scope
-Remedies, liabilities and penalties
-Personal data breaches under the GDPR
-The NIS Directive
-Operators of essential services
-Digital service providers
-GDPR vs NIS Directive
This webinar provides an overview of:
- The regulatory landscape
- Territorial scope
- Remedies, liabilities and penalties
- Risk management and the GDPR
- Legal requirement for a DPIA
- Why and how to conduct a data flow mapping exercise
- What are the challenges?
- What is an information flow?
- The questions to ask
- Data flow mapping techniques.
A recording of this webinar is available here:
https://youtu.be/EZFgrmzmPYE
Norfolk Chamber delivered a morning conference based around the European General Data Protection Regulation (GDPR), which will come into force on May 25 2018. Delegates heard from a variety of GDPR expert speakers from legal, marketing, IT and Data Protection perspectives.
11 European Privacy Regulations That Could Cost You €1 Million in Fines Skyhigh Networks
If your company is based in Europe or you store data on EU residents, there are some privacy regulations you have to follow or risk fines. Using cloud apps can expose you to additional compliance risk if not managed properly.
What is Information Security and why you should care ...James Mulhern
An interactive introduction to Information Security and Cyber Security for BTEC students studying IT at Swindon College in the UK. The session illustrates the breadth and diversity of the subject and the opportunities it can offer. It also shows that things might not always be as they seem and that the impacts can be far more reaching than at first imagined.
The GDPR and its requirements for implementing data protection impact assessm...IT Governance Ltd
This webinar covers:
-The GDPR’s impact and the benefits of conducting a DPIA
-The legal requirements for a DPIA under the GDPR
-High-risk DPIAs and prior consultation with the supervisory authority
-DPIAs and their links to an organisation’s risk management framework
-The practical steps to conduct a DPIA
You can watch the webinar here https://www.youtube.com/watch?v=fm9Ysg4LUQg&t=640s
Heather Enlow & Chris Ingram - Cybersecurity Act of 2015 and Other Hot Privac...centralohioissa
This session will provide details on the new law and its requirements, as well as address the current threat landscape, summarize existing data security laws in the U.S., discuss the new EU cyber directive, and continued impact of the Safe Harbor decision. We will disentangle these regulatory changes and challenges and provide tips and tricks for compliance.
Addressing penetration testing and vulnerabilities, and adding verification m...IT Governance Ltd
This webinar will cover the best practices for penetration testing and vulnerability assessments, and how to use staff training to create a strong information security management system that addresses people, processes and technology.
You will learn about:
- Conducting penetration testing
- Vulnerability assessments and monitoring
- The need to provide employees with training and monitoring controls
A recording of the webinar can be found here:
https://www.youtube.com/watch?v=gsFmP34K8z0
Gdpr demystified - making sense of the regulationJames Mulhern
A slightly outdated introduction to GDPR that tries to move away from the headlines on fines and emphasises the global nature of the regulation, the numerous forms of lawful processing and the absolute need to manage privacy and be transparent. It goes on to show how using public cloud can help solve part of the problem.
Preparing for GDPR: General Data Protection Regulation - Stakeholder Presenta...Qualsys Ltd
Preparing for the new General Data Protection Regulation? Here is a presentation to help you to engage your employees with their new information security requirements. In this ppt presentation, you will find out: why GDPR, steps to manage compliance, important information security facts and some of the key articles.
A practical data privacy and security approach to ffiec, gdpr and ccpaUlf Mattsson
With sensitive data residing everywhere, organizations becoming more mobile, and the breach epidemic growing, the need for advanced data privacy and security solutions has become even more critical. French regulators cited GDPR in fining Google $57 million and the U.K.'s Information Commissioner's Office is seeking a $230 million fine against British Airways and seeking $124 million from Marriott. Facebook is setting aside $3 billion to cover the costs of a privacy investigation launched by US regulators.
This session will take a practical approach to address guidance and standards from the Federal Financial Institutions Examination Council (FFIEC), EU GDPR, California CCPA, NIST Risk Management Framework, COBIT and the ISO 31000 Risk management Principles and Guidelines.
Learn how new data privacy and security techniques can help with compliance and data breaches, on-premises, and in public and private clouds.
How your nonprofit can avoid data breaches and ensure privacyTechSoup Canada
Increasingly, nonprofits hold large quantities of digital assets (such as donor information, grant application details, financial records, etc.). Organizations of all sizes and industries are being targeted by cyber criminals. Cyber-attacks will often devastate an organization’s operations and have significant financial, legal and reputational consequences.
In this webinar, Imran Ahmad of Miller Thomson, LLP will explain how implementing best practices from a pre-breach standpoint can go a long way to mitigate the negative consequences of a cyber-attack.
What you will learn:
- what the cyber threat landscape looks like
- how to ensure privacy of your digital assets
- steps to take in the aftermath of a cyber-attack
Privacy Best Practices for Lawyers: What Every Law Practice Needs to Know Abo...Diana Maier
No matter what kind of law practice you have, you need to comply with privacy laws generally and lawyers' ethical duties with respect to privacy, specifically. In this presentation, legal ethics counsel Sarah Banola (Cooper, White and Cooper, LLP) and employment and privacy attorney Diana Maier (Law Offices of Diana Maier) deliver a primer on privacy law and teach you the key areas of privacy law and associated ethical obligations.
Doug Copley presented on cybersecurity challenges in healthcare including threats, trends in healthcare, practical steps and building security without boundaries.
Presentation from the webinar by our sister company Mind Your Privacy and Cardinal Path
In today’s digital landscape, analysts, marketers and other data professionals must, more than ever, understand the changes in national and international regulations, as well as a set of basic principles for respecting the privacy and protection of the people whose data they collect.
Digital Marketing meets Privacy
Complying with Cybersecurity Regulations for IBM i Servers and DataPrecisely
Multiple security regulations became effective across the globe in 2018, most notably the European Union’s General Data Protection Regulation (GDPR), and additional regulations are on their heels. The California Consumer Privacy Act, with its GDPR-like requirements, is just one of the regulations that requires planning and preparation today.
If you need to implement security policies for IBM i systems and data that will meet today’s compliance requirements and prepare you for those that are on the way, this webinar will help you get on the right track.
Slides CapTechTalks Webinar April 2024 Ilia Kolochenko.pptxCapitolTechU
Slides from a webinar presented by Capitol Technology University on April 18, 2024. Features a presentation given by Dr. Ilia Kolochenko on Cyber Law, Cybercrime Investigations and Response.
WHS lessons from Major Transport & Infrastructure projects
Presented by Harvey Fernandez, Director Transport Project for Infrastructure Delivery,
Department for Infrastructure and Transport SA
Keynote, SafeWork’s SA priorities and the Merritt review/ Working with the new
Advisory Committee
Presented by Glenn Farrell, Executive Director, SafeWork SA
This presentation, created by Syed Faiz ul Hassan, explores the profound influence of media on public perception and behavior. It delves into the evolution of media from oral traditions to modern digital and social media platforms. Key topics include the role of media in information propagation, socialization, crisis awareness, globalization, and education. The presentation also examines media influence through agenda setting, propaganda, and manipulative techniques used by advertisers and marketers. Furthermore, it highlights the impact of surveillance enabled by media technologies on personal behavior and preferences. Through this comprehensive overview, the presentation aims to shed light on how media shapes collective consciousness and public opinion.
0x01 - Newton's Third Law: Static vs. Dynamic AbusersOWASP Beja
If you offer a service on the web, odds are that someone will abuse it. Be it an API, a SaaS, a PaaS, or even a static website, someone somewhere will try to figure out a way to use it to their own ends. In this talk we’ll compare measures that are effective against static attackers and how to battle a dynamic attacker who adapts to your counter-measures.
About the Speaker
===============
Diogo Sousa, Engineering Manager @ Canonical
An opinionated individual with an interest in cryptography and its intersection with secure software development.
Have you ever wondered how search works while visiting an e-commerce site, internal website, or searching through other types of online resources? Look no further than this informative session on the ways that taxonomies help end-users navigate the internet! Hear from taxonomists and other information professionals who have first-hand experience creating and working with taxonomies that aid in navigation, search, and discovery across a range of disciplines.
This presentation by Morris Kleiner (University of Minnesota), was made during the discussion “Competition and Regulation in Professions and Occupations” held at the Working Party No. 2 on Competition and Regulation on 10 June 2024. More papers and presentations on the topic can be found out at oe.cd/crps.
This presentation was uploaded with the author’s consent.
Acorn Recovery: Restore IT infra within minutesIP ServerOne
Introducing Acorn Recovery as a Service, a simple, fast, and secure managed disaster recovery (DRaaS) by IP ServerOne. A DR solution that helps restore your IT infra within minutes.
Sharpen existing tools or get a new toolbox? Contemporary cluster initiatives...Orkestra
UIIN Conference, Madrid, 27-29 May 2024
James Wilson, Orkestra and Deusto Business School
Emily Wise, Lund University
Madeline Smith, The Glasgow School of Art
acs.org.au
2. The OHS Professional and Cyber Security
A webinar for the Safety Institute of Australia
Ajoy Ghosh
Alcheme Pty Ltd
ajoy@alcheme.com.au
3. Why I’ve been asked to present
• Until recently, the interim CISO at Insurance & Care NSW or “icare”
• Lecture in cyberlaw, electronic evidence and computer forensics at Australian and international law schools
• Australian and international standards:
• On the Standards Australia committee that oversees IT security; previously also on the committee overseeing IT Governance standards
• Author of the Australian handbook on Management of IT Evidence (now part of ISO 27037) and co-author of the Australian standard on Information Security Risk Management (now ISO 27005)
• Contributor to and reviewer of ISO 38500 Corporate Governance of Information Technology
• Expert witness:
• Complex technical crimes: hacking, cyber stalking, cyber bullying, child pornography, fraud and forgery, circumvention, white collar and corporate crimes
• Politically sensitive and high profile e.g. Sef Gonzales, James Hardie, Sydney terrorism trials, Simon Gittany
• Advisor to Government and industry:
• IRAP Assessor
• ACS Cyber Security technical committee
HB171: Guidelines for the Management of IT Evidence (above)
HB231: Guidelines for Information Security Risk Management (below)
4. acs.org.au
World Economic Forum – Global Risks Report
• Cybersecurity risks are also growing, both in their prevalence and in their disruptive potential. Attacks against businesses have almost doubled in five years, and incidents that would once have been considered extraordinary are becoming more and more commonplace.
• Another growing trend is the use of cyberattacks to target critical infrastructure and strategic industrial sectors, raising fears that, in a worst-case scenario, attackers could trigger a breakdown in the systems that keep societies functioning.
http://reports.weforum.org/global-risks-2018/
5. acs.org.au
WEF Global Risks (cont)
• In this year’s report, cyber risks are prominent:
• Cyber attacks are likely, with higher than average impact
• Data fraud/theft is likely, with less than average impact
• Critical infrastructure breakdown (caused by accident or cyber attack) is less likely, with average impact
6. acs.org.au
In Australia
Australian Institute of Company Directors
Director’s Sentiment Index
• Survey of Directors on Australian Boards
• Conducted each half year
Chart (first half 2017 vs first half 2018): cybercrime and data is a growing concern; compliance and reputation continue to concern
https://aicd.companydirectors.com.au/advocacy/research
8. acs.org.au
Harm
Cyber security incidents can cause harm in a number of ways, such as:
• A software “glitch” causing an accident of an automated or autonomous system, such as a car or heavy machinery
• Hacking into a control system and causing a machine to have an accident or do something dangerous, such as overheating and catching on fire
• Disclosure of personal and health data, which is then used to cause financial, emotional and even physical harm
• Cyber bullying and harassment in the workplace or of workers
Some Australian examples:
• In 2000, Vitek Boden “hacked” into his former employer’s network, causing raw sewage to spill and contaminate a large area, including the grounds of the Marriott hotel
• In 2003, accidental changes to the software of a food manufacturer caused excessive iron to be added to a breakfast cereal. The line was closed for one month
• In 2014, a former IT worker hacked into a mine site network to copy some code, in the process stopping a telemetry system, which caused a drilling rig to suddenly turn, just missing a worker
• In 2016, a computer virus caused the building management system of a shopping centre to shut down, trapping an elderly person in a lift, where they suffered a heart attack
9. acs.org.au
OAIC Mandatory Breaches
• 63 breaches reported in Q1 2018
• Only 6 weeks since scheme started on 22 February
https://www.oaic.gov.au/resources/privacy-law/privacy-act/notifiable-data-breaches-scheme/quarterly-statistics/Notifiable_Data_Breaches_Quarterly_Statistics_Report_January_2018__March_.pdf
11. acs.org.au
Obligations
(Diagram labels: COMPANY and WORKPLACE; CRITICAL INFRASTRUCTURE; EXTRA-TERRITORIAL)
GOOD PRACTICE
INTERNATIONAL STANDARDS
• ISO 38500
• ISO 31000
• ISO 27001/2
NIST
• Cyber security framework
• Others
PAYMENTS
SUPPLY CHAIN
CRITICAL INFRASTRUCTURE & INDUSTRY
• Security of Critical Infra (Home Affairs)
• Sectorial specific e.g. Telecommunication, Mines, Health etc
FUNDING and GRANTS
• Contractual obligations
INDUSTRY PRACTICE
• IEC 61508, etc
• Sectorial specific
PRIVACY
• EU General Directive on Privacy Regulation
SECURITY LAW
• Allow access to data and communications
• Allow step-in to provide service
AUSTRALIAN LAW
• Privacy (OAIC)
• Crime and evidence (AGD)
• Company (ASIC)
• Consumer Law (ACCC)
• Human rights/Discrimination/Vilification (AHRC)
NSW LAW
• Privacy & Health records
• Fair trading
• Work health and safety
• Workplace surveillance
• Crime and evidence
PRACTICE
• ASX Cyber health check
12. acs.org.au
Security of Critical Infrastructure
1. Register of Critical Infrastructure Assets
• owners and operators of relevant critical infrastructure assets will have six months from 11 July 2018 to register ownership and operational information on the register
2. Information gathering power
• power to obtain more detailed information from owners and operators of assets
3. Ministerial directions
• direct an owner or operator of critical infrastructure to do, or not do, a specified thing to mitigate against a national security risk
• Risk assessments in consultation with State governments
• company’s security policies, i.e. data security and physical security
• security audits undertaken by a company
• emergency management plans
• redundancies
• offshoring and outsourcing of operations
• existing regulatory regimes and controls
• Risk assessments support foreign investment assessments by The Treasury and the Foreign Investment Review Board (FIRB)
13. acs.org.au
PRIVACY
Why has privacy become so important?
• Unlike most wrongdoing, Australian companies are now obligated to tell whenever they become compromised
• Notifiable Data Breach 22 February 2018
• Turnover >$3m annually
• Community has become hyper aware due to pervasiveness, familiarity and the media frenzy over (alleged) data breaches
• Recent examples include Equifax, Uber, Facebook, Grindr, etc
• Overseas regimes have large fines and even jail
• Australian Privacy Commissioner $10k and compel action (usually the more expensive)
• EU up to €20m or 4% of annual turnover
• China Cybersecurity Law for “important data” to/from China
14. acs.org.au
State Laws are similar but different
e.g. NSW Privacy Laws
• 2 laws:
• Privacy and Personal Information Protection Act
• Health Records and Information Privacy Act
• Similar to Australian Privacy Act, with some differences. Key ones are:
• NSW Public Sector Agencies required to comply and exempted from Australian Act
• Covers government schools and Department of Education
• Other entities also required to comply (e.g. health service providers), but not exempted from Australian Act
• Allows sharing with other NSW agencies, as long as certain things are met
• NSW Privacy Commissioner responsible
• Reporting of “incidents” to NSW Privacy Commissioner
• Requirement to keep health records in NSW, with limited exemptions
15. acs.org.au
Personal information
• Information or an opinion about an identified individual, or an individual who is reasonably identifiable:
• whether the information or opinion is true or not; and
• whether the information or opinion is recorded in a material form or not.
• Personal Information: such as a person’s name, address, financial information, marital status or billing details.
• Sensitive Information: includes information with respect to an individual’s racial or ethnic origin; political opinions; membership of a political association; religious beliefs or affiliations; philosophical beliefs; membership of a professional or trade association; membership of a trade union; sexual preferences or practices; criminal record as well as health and genetic information.
• Health Information: any information collected about an individual’s health or disability and any information collected in relation to a health service that is provided. It includes such things as notes of symptoms, diagnosis or treatments, doctor’s reports, appointment times and prescriptions.
• According to the OAIC: A person’s name, signature, home address, email address, telephone number, date of birth, medical records, bank account details and employment details will generally constitute personal information (OAIC Guide – What is personal information)
16. acs.org.au
Australian Privacy Principles
1. Open and transparent management of personal information
2. Anonymity and pseudonymity
3. Collection of solicited personal information
4. Dealing with unsolicited personal information
5. Notification of the collection of personal information
6. Use or disclosure of personal information
7. Direct marketing
8. Cross-border disclosure of personal information
9. Adoption, use or disclosure of government related identifiers
10. Quality of personal information
11. Security of personal information
12. Access to personal information
13. Correction of personal information
17. acs.org.au
Consider safe disclosure and use of data for analytics
Five safes: Safe people, Safe project, Safe setting, Safe data (input), Safe output
• UK 5 safes model has been adopted by Australia’s National Statistical Service
• Also to be used for risk management of shared Commonwealth Data
• Means that it is a reasonable choice as a benchmark model
• ACS Data Sharing Framework
• Non-Personal Data
• Services Based on Highly Aggregated Data
• Lightly Aggregated Data
• Personally Identifiable Data
https://www.acs.org.au/insightsandpublications/publications.html
18. acs.org.au
APP 11 - Security
• Reasonable steps:
1. governance, culture and training
2. internal practices, procedures and systems
3. ICT security
4. access security
5. third party providers (including cloud computing)
6. data breaches
7. physical security
8. destruction and de-identification
9. standards
https://www.oaic.gov.au/agencies-and-organisations/guides/guide-to-securing-personal-information
19. acs.org.au
OAIC Guide to Securing Personal Information
• The guide says:
• This guide is not legally binding. However, the Office of the Australian Information Commissioner (OAIC) will refer to this guide when undertaking its Privacy Act functions, including when investigating whether an entity has complied with its personal information security obligations or when undertaking an assessment
• In essence, it is the measure used by the OAIC when assessing if “reasonable measures” have been put in place (or not)
• About 70 checklist-style questions, including a checklist for cloud. Some key ones:
• Policies and staff awareness
• Human error
• Certification against international security standards, such as ISO 27000 group i.e. ISO 27001 and 27002
• Latest versions of software and applications. Patch and security updates
• Effective encryption, including backups
• Whitelist/blacklist harmful material
• Testing – security, recovery and breach response
• Authentication, access and audit logs
• Supply chain (third party suppliers)
• Destruction and de-identification
• Securing email
• Physical access
20. acs.org.au
Australian Government clouds
• Australian Signals Directorate Certified Cloud Services List
• The government's experts have reviewed and approved
• Reasonable for you to also use
• Most commercial/consumer services are at the Unclassified DLM level
• Allows for storage of personal and health data
• ~930 security items:
• Some process and some technical configuration
• Some things for provider
• Some things for customer
www.asd.gov.au/infosec/cloudsecurity.htm
21. acs.org.au
Notifiable Data Breach
• Eligible Data Breach
• there is unauthorised access to or disclosure of, or a loss of, personal information
• this is likely to result in serious harm to one or more individuals
• has not been able to prevent the likely risk of serious harm with remedial action
• Serious harm may include serious physical, psychological, emotional, financial, or reputational harm
• Some types of information increase the risk of serious harm:
• sensitive information
• documents commonly used for identity fraud, including Medicare card, driver licence, and passport details
• financial information
• a combination of types of personal information
• Promptly notify:
• Individuals at likely risk of harm
• All individuals
• Only those individuals at risk of serious harm
• Publish notification
• Privacy Commissioner
• Use OAIC website or specific form
• Must include:
• the identity and contact details of the organisation
• a description of the data breach
• the kinds of information concerned; and
• recommendations about the steps individuals should take in response to the data breach
22. acs.org.au
Data breach preparation and response
• Data Breach Response Plan
• A clear explanation of what constitutes a data breach
• A strategy for containing, assessing and managing data breaches
• The roles and responsibilities of staff
• Documentation
• Review
• Breach response team
• Team leader: leading the response team and reporting to senior management
• Project manager: coordinate the team and provide support
• Senior member with overall accountability for privacy: bring privacy expertise to the team
• Legal: to identify obligations and provide advice
• Risk management: assess the risks from the breach
• ICT support/forensics: help establish the cause and impact of a data breach that involved ICT systems
• Records management: reviewing security and monitoring controls (e.g. access, authentication, encryption, audit logs) and provide advice on recording the response
• HR: if the breach was due to the actions of a staff member
• Media/communications expertise: communicating with affected individuals and dealing with the media and external stakeholders
https://www.oaic.gov.au/agencies-and-organisations/guides/data-breach-preparation-and-response#part-2-preparing-a-data-breach-response-plan
23. acs.org.au
Be aware of special cases in your industry
e.g. records retention, including in the cloud
• Child safety = 45 years
Other examples:
• Dust e.g. asbestos, coal, silica = patient aged 100 yrs, or 25 yrs
• Radiation = patient aged 75 yrs or 15 yrs since last radiated