Qantas faces an extremely competitive market as governments tighten international and domestic security laws, which has led to a large drop in passenger numbers. 6.8 The assessment involved the following: 6.9 The OAIC publishes final assessment reports in full, or in an abridged version, on its website. Legal generally relies on deductive reasoning rather than a formal document or checklist to identify any privacy issues. Qantas Frequent Flyer uses targeted marketing communications (primarily by email) to promote products and offers which may be of interest to members. There have been a very small number of privacy-related complaints in the past three years. The OAIC guidance on the GDPR may be found at Australian entities and the EU General Data Protection Regulation (GDPR). 4.50 The OAIC was informed that, at the time of the assessment in June 2017, the Qantas Crisis Management Team processes were last externally audited in September 2016. The Qantas Group continues to support key external initiatives under the Australian Government's Cyber Security Strategy, the voluntary ASX100 Cyber Health Check, and joint Commonwealth and private sector meetings, including the inaugural Australia-United States Cyber Security Dialogue to discuss ways to collaborate on better security outcomes. 4.80 Qantas Frequent Flyer does not permit access to, or disclosure of, members' personal information to any of its program partners and is solely responsible for all communication with its members in relation to program partner products and benefits. However, partners are only provided with de-identified data, and strong contractual protections are put in place against re-identification or use of data other than as stipulated. 4.52 The OAIC encourages Qantas to continue its current practices for testing and reviewing its crisis management plan in the context of a data breach.
Each member's profile is assigned an anonymous identification number that is unrelated to their membership number. Qantas operates through five segments: Qantas Domestic, Qantas International, Jetstar Group, Qantas Loyalty, and Corporate. 6.7 The OAIC conducted a risk-based assessment of QFF and focused on identifying privacy risks to the effective handling of personal information in accordance with privacy legislation. The OAIC also notes that Qantas Group intends to create a network of privacy champions, co-ordinated through the Group Privacy Officer. Safe growth: The Qantas Group has announced orders for a range of new aircraft. Contract Engagement, Review and Execution Policy; 4. ICT protections, such as firewalls for segregated zones, malware detection software, whitelisting, application patching, encryption of data in transit and regular penetration testing. Qantas has been looking for a security head since August last year. The cyber safety of Qantas Frequent Flyers is a priority for us. Furthermore, human resource and other policies exist at entity or business unit level, which also outline the minimum expected standards for our people in the context of their employment. 3.4 Registration involves collecting a variety of personal information from individuals, including: 3.5 Following registration, members receive a membership number, confirmation email, and a membership pack including a QFF card. All user access is logged and monitored, with the logs regularly audited by the platform owners. The policy is dated to reflect when it was last reviewed. Qantas Legal developed this privacy training.
This correlates to the need for a PMP (discussed earlier at 4.18-4.21), which would include the establishment of these privacy governance arrangements as part of its privacy goals as well as their ongoing evaluation. 4.55 If the project uses or is likely to use personal information, QFF Legal will also consult with the project owner and any relevant staff. The OAIC understands that data privacy and security is marked as one of the top three risks in this document. Only a small number of QFF staff can match the anonymous identification number back to a QFF member's individual profile. Additionally, after the assessment fieldwork, QFF informed the OAIC that the GCSC has since been renamed the Cyber Security and Privacy Committee. Collaborative privacy and security risk assessment processes; a culture that promotes privacy awareness; regular mandatory privacy training for all staff that is supported by ongoing privacy awareness initiatives; comprehensive and tested risk management and crisis management processes, including a data breach response process. Staff complete the training at induction and then every three years. 4.96 In our review, the OAIC found that the Qantas privacy policy meets the prescriptive requirements of APP 1.4. It describes the standards of conduct we expect. Our safety, health and security activities are supported by comprehensive governance processes that help us monitor and manage performance and risks. All SIAs are recorded in the system and can be recalled or examined as needed. The policies and procedures of QFF were reasonable in the circumstances to ensure that personal information is managed in an open and transparent manner (APP 1). Like many large organisations, we operate in an environment of ever-evolving cyber threats, where external attackers are always adopting new and more sophisticated techniques.
In addition to appointing a Group Privacy Officer, Qantas is also establishing a dedicated Data Privacy team to bring together its privacy experts under one team and implement a coordinated enterprise-wide strategy and framework, including further investment in resources and technology that will support the Qantas Group to effectively address the intensifying global privacy regulatory requirements. 5.4 The OAIC recommends that QFF continues to build the profile of privacy across the Group by: 5.5 QFF will continue to support the expanded reach, effectiveness and reporting of the Qantas Group's new, dedicated Data Privacy team through the introduction of a network of privacy champions across all Group business units. CIOs and CSOs who need to present security issues to their board need to leave acronyms at the door, use PowerPoint presentations and tell stories, according to GPT Group CIO Greg Baster. Executive Summary. The safety and wellbeing of our customers and people is our highest priority. 4.41 Qantas Group and, by extension, QFF have comprehensive risk management processes which adequately encompass the identification, recording, reporting and mitigation of privacy risks within QFF. There are fewer than ten users with administrative access privileges, and these accounts are also logged, as are any data changes in the data warehouse. Doniz served as Qantas Group CIO from January 2017, and at Boeing will be the CIO and senior VP of information technology and data analytics. The OAIC also suggests, due to the varied and complex nature of such assessments, that QFF regularly revisit and re-evaluate its privacy assessment mechanisms.
However, given that only one document was affected and that QFF staff demonstrated a strong understanding of Qantas information handling and management practices, including thorough PIA processes that do not heavily rely on this document (see Privacy impact assessments and security impact assessments below), the OAIC regards this as a low privacy risk for QFF. The Qantas Group Security Management System aims to increase security awareness through continuous improvement of security processes and enhancing the security culture across the Group (Qantas Sustainability Review, 2015). Some projects may be subjected to this process multiple times. If so, it was expected that a nominated senior member of Legal would serve in this role. We comply with government and regulatory agencies to integrate risk strategies through a holistic approach, ensuring a robust framework is in place to counter any crisis management, contingency planning and business continuity event. It will compile threat forecasts and geopolitical assessments for airline safety/security committees, up to Board level, and will lead the Qantas London's Heathrow airport last year outlined plans for a 50m project to implement 4.1 This part of the report sets out the OAIC's observations, the privacy risks arising from these observations, followed by suggestions or recommendations to address those risks. The Prime Minister's $230 million Cyber Security Strategy The Australian Crime Commission estimates the annual cost of cyber crime to His appointment as Qantas Group CISO was part of a significant revamp of the cyber security function at the airline.
The Group is keenly aware of the risk posed by trusted insiders: people who seek to use privileged access provided in the context of doing their jobs to facilitate illegal activities, such as transporting illicit substances. Likely reputational damage to the entity, such as negative publicity in national or international media. Number of Employees: 25,000. The OAIC's Guide to Securing Personal Information may be of assistance in considering reasonable steps to protect personal information. 4.25 Qantas cyber security governance is the responsibility of the Group Cyber Security Committee (GCSC), which monitors, reviews and ensures the effectiveness of cyber risk strategy, systems, policies and procedures. 4.86 The OAIC suggests that QFF continues to regularly review its APP 1 privacy policy and APP 5 collection notice to ensure they adequately explain the use of a member's personal information, especially if the nature and scale of QFF's marketing and data analytics activities changes. Some complaints were caused by operator error, for example, passing on details to the wrong recipient. Management attention is suggested. Formalising its current cyber security governance material to incorporate privacy. However, the OAIC suggests that QFF continues to regularly review its use of personal information in its marketing and data analytics activities to ensure its processes and policies remain effective and appropriate. Due to the investments made in resilience, the capability continues to be strengthened through the successful integration of external stakeholders, ensuring the Group continues to possess a sophisticated holistic response and recovery system. We take active, quality measures to help you keep safe online and we also encourage our members to do what's possible to protect their account and personal information.
We may contact you using the below methods: a phone call from one of our fraud analysts. Additionally, where new practices evolve, the OAIC suggests that these practices, and the reasons behind them, are appropriately documented. For example, the QFF cyber security strategy includes a breakdown of cyber risk, which utilises the QRAG to assess cyber risks and consider their mitigation strategies. 4.44 The Group-wide crisis management plan is comprised of a series of procedures that enable staff to respond to the various kinds of crises that may arise across the Group. 4.78 As stated above, QFF holds all personal information in data warehouses, with highly restricted access. CHESS also has oversight of risks associated with regulatory compliance. Once notified, incidents are escalated as appropriate. These lists are derived from mailing lists that members subscribe to in the My Profile section of their QFF account and those that are designed and created using de-identified information linked to the anonymous identification number. 4.53 Formal PIAs are generally only undertaken for major projects. This plan encompasses all business units of the Qantas Group, including QFF, and is co-ordinated by the Group Crisis Management Team.
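The pseudonymisation arrangement this page describes in several places (an anonymous identification number unrelated to the membership number, mailing-list and analytics work done on de-identified rows, and re-identification possible only for a small group of staff) as an added, runnable illustration. This is example code written for this page, not Qantas or QFF code: the vault design, the principal names, the sample member records and the 5-digit membership numbers are all constructed assumptions. It also shows why the anonymous ID must be random rather than derived from the membership number: an unsalted hash of a low-entropy identifier is inverted by simply enumerating the identifier space, which is exactly the re-identification the contractual protections mentioned above are meant to prevent.

```python
"""Pseudonymous analytics IDs with a restricted, audited re-identification vault.

Added example, not Qantas code. Names, records and the vault design are
assumptions made for the illustration.
"""
import hashlib
import secrets
from itertools import product

# Constructed sample records (not real member data). Membership numbers are
# shortened to 5 digits so the brute-force demonstration runs in a fraction of a second.
MEMBERS = [
    {"membership_number": "40213", "name": "A. Example", "email": "a@example.invalid", "points": 12400},
    {"membership_number": "77009", "name": "B. Example", "email": "b@example.invalid", "points": 800},
    {"membership_number": "10555", "name": "C. Example", "email": "c@example.invalid", "points": 50310},
]


class PseudonymVault:
    """Sole holder of the anonymous_id <-> membership_number mapping.

    Re-identification is limited to an allow-list of principals, and every
    attempt, allowed or denied, is appended to an audit log.
    """

    def __init__(self, authorised_principals):
        self._anon_to_member = {}
        self._member_to_anon = {}
        self._authorised = frozenset(authorised_principals)
        self.audit_log = []

    def issue(self, membership_number):
        """Return the member's anonymous ID, minting a random one on first use."""
        anon = self._member_to_anon.get(membership_number)
        if anon is None:
            # 128 random bits, not derived from the membership number, so the
            # ID on its own gives an analyst or partner nothing to invert.
            anon = secrets.token_hex(16)
            self._member_to_anon[membership_number] = anon
            self._anon_to_member[anon] = membership_number
        return anon

    def reidentify(self, principal, anon_id):
        """Match an anonymous ID back to a membership number (restricted, logged)."""
        allowed = principal in self._authorised
        self.audit_log.append({"principal": principal, "anon_id": anon_id, "allowed": allowed})
        if not allowed:
            raise PermissionError(f"{principal} may not re-identify members")
        return self._anon_to_member[anon_id]


def deidentify(members, vault):
    """Rows handed to analytics: anonymous ID plus behavioural fields only."""
    return [{"anon_id": vault.issue(m["membership_number"]), "points": m["points"]} for m in members]


def select_campaign(rows, min_points):
    """Mailing-list selection performed entirely on de-identified rows."""
    return [r["anon_id"] for r in rows if r["points"] >= min_points]


def naive_hash_pseudonym(membership_number):
    """Anti-pattern: an unsalted hash of a low-entropy identifier."""
    return hashlib.sha256(membership_number.encode()).hexdigest()


def invert_naive_hash(digest, digits=5):
    """Recover the membership number behind a naive hash by enumerating the ID space."""
    for combo in product("0123456789", repeat=digits):
        candidate = "".join(combo)
        if naive_hash_pseudonym(candidate) == digest:
            return candidate
    return None


if __name__ == "__main__":
    vault = PseudonymVault(authorised_principals={"privacy-officer"})
    rows = deidentify(MEMBERS, vault)
    targets = select_campaign(rows, min_points=10000)
    print("campaign recipients (anonymous):", targets)
    print("re-identified by privacy officer:", vault.reidentify("privacy-officer", targets[0]))
    try:
        vault.reidentify("analyst", targets[0])
    except PermissionError as err:
        print("denied:", err)
    print("naive hash inverted:", invert_naive_hash(naive_hash_pseudonym("40213")))
```

The point of the vault is that the mapping table, not the anonymous ID, is the sensitive asset: analytics and campaign tooling only ever see `anon_id` and behavioural fields, while the audit log gives the privacy officer the same kind of record of re-identification attempts that the page describes for data-warehouse access.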
Medium risk: this is an internal control or risk management issue that, if not mitigated, is likely to lead to the following effects. The entity should, as a medium priority, take steps to address Office expectations around requirements of privacy legislation. Timely management attention is expected. 4.84 Data analytics involves amassing, aggregating and analysing large amounts of data. This role reports into the Head of Group Cyber Security Centre (GCSC), providing a group-wide service of cyber security operational incident response, containment and support. Further detail on this approach is provided in Chapter 7 of the OAIC's Guide to privacy regulatory action. During 2021, the Group was vocal in its support of legislation that will enhance these efforts in future. QFF has robust and effective privacy practices, procedures and systems, including: 1.4 Additionally, QFF's APP 1 privacy policy adequately describes how the company manages personal information. In 2020, security breaches cost businesses an average of $3.86 million, but the cost of individual incidents varied significantly. 3.7 Members' personal information continues to be collected at various points throughout their membership, including when they earn and redeem Qantas Points and Status Credits,[6] and when they interact with QFF marketing campaigns. Undoubtedly Australia's most iconic brand.
The three principles that guide us are: operating with integrity (through our safety, people, community and environment strategies). Across the Group, we are responsible for handling a substantial amount of personal information. Only Qantas-approved users may use Qantas information technology systems, and must do so in accordance with the law and Qantas policies, including the Information Technology Group Policy. Staff are encouraged to clarify the member's exact needs before proceeding with an access request. Qantas Annual Review 2017-18, Cyber Security: The Qantas Group is constantly improving its cyber and data privacy capabilities. Enterprise security management (ESM) issues directly revolve around the management of the Qantas Group itself. 4.99 APP 5 requires APP entities that collect personal information about an individual to take reasonable steps either to notify the individual of certain matters (listed in APP 5.2) or to ensure the individual is aware of those matters. 6.3 The scope of this assessment was limited to the consideration of QFF's handling of personal information against the requirements of APP 1 (open and transparent management of personal information) and APP 5 (notification of collection of personal information). 4.31 Compliance with APP 1.2 is fundamentally about good privacy governance. Oracle will provide its Siebel Loyalty Management platform to the airline so it can better manage its 7 million members.
4.98 The OAIC considers that there is room for improvement in the readability of the policy, and suggests that QFF works with the Qantas Group to review and, where possible, simplify the language of the policy. We monitor global developments in governance, laws and business practices, and work collaboratively across our global footprint to ensure we continue to meet these standards. The ability to respond seamlessly to events that impact the Group is fundamentally important in ensuring continued Group operations in the event of a discontinuity of service, mitigating risks and minimising disruptions to our customers. 4.37 QFF risks are locally identified, assessed and resolved using the QRAG, and reported at a Group level, following the Qantas Group risk reporting process, which includes coverage of privacy risks. The Qantas Group is committed to complying with all applicable laws and regulations, and to conducting business with the highest standards of ethics and integrity. Safely returning to the skies: during the pandemic Qantas had to ground the majority of our fleet. Qantas Group also holds monthly direct reporting meetings, and risk is a regular agenda item. This is supported by policies and procedures to ensure our people are treated fairly under what is known as just culture. The Qantas Loyalty segment specialises in customer loyalty recognition programs. Your cyber security policy doesn't need to be very long; most SMEs should be able to fit theirs onto a single sheet of paper. [4] Qantas Points may then be redeemed for products or services. QFF Legal reports to the Qantas Group General Counsel, who has ultimate responsibility for all privacy compliance matters in the Qantas Group.
4.33 A network of privacy champions across business units within the Qantas Group, including a dedicated QFF privacy champion, would help to identify and communicate privacy risks, as well as good privacy practices, across the Group. Qantas Group Security and Facilitation participates in several domestic and international committees to refine security measures, to plan for and acquire enhanced security equipment and to establish world best practices in aviation security. Over the past year, the return of domestic and international travel as borders reopened required a similar program of work to return our aircraft to the skies, including a focus on training for crew and support employees. [4] For a current list of program partners, see the Earn Qantas Points page. The Group Management Committee has steadfastly supported the change we needed to make, despite the many challenges we face in the aviation industry. Qantas works closely with the Australian Government and overseas agencies, regulators, law enforcement and its global partners across the industry to proactively monitor and manage threats and risks. 4.12 All customer complaints, including QFF privacy complaints, are managed through a case management system, which enables staff to monitor all complaints received and their status. 4.59 QFF's current approach to PIAs and other privacy assessments is collaborative and thorough. Section 1 - Summary. The more we rely on technology to collect, store and manage information, the more vulnerable we become to severe security breaches. This may lead to the loss of vital information regarding identified privacy risks. Code of Conduct and Ethics; 2. Business Resilience Policy; 3.
4.91 The purpose of APP 1 is to ensure that APP entities manage personal information in an open and transparent way (APP 1.1). Additionally, QFF works to internationally certified standards, including ISO and ISF. Furthermore, marketing and analytics staff are in constant consultation with QFF Legal in relation to changes or new ideas. 1.2 The scope of this assessment was limited to the consideration of QFF's handling of personal information under Australian Privacy Principle (APP) 1 (open and transparent management of personal information) and APP 5 (notification of collection of personal information). 5.3 QFF is working with Qantas to develop a Privacy Management Plan to augment its well-established privacy policies and procedures. This involves the project owners explaining to an executive panel, including the Group CEO and CFO, the risks of the project, including privacy and data risks, and justifying the need to accept those risks, as well as presenting mitigation strategies. If staff clicked the enclosed link, they were redirected to a notification page informing them that they had failed a phishing test. 4.51 The Qantas crisis management plan and its various supporting documents serve as a data breach response plan. We encourage our people to report safety and security-related matters, even when they are closely involved and might feel vulnerable to criticism.
2.2 When entities undertake data analytics that involve personal information, they must comply with the requirements of the Privacy Act 1988 (Privacy Act). 4.58 For smaller projects, the assessment process is conducted throughout the evolution of the project. Qantas in late 2016 began the hunt for a CISO to oversee four Sydney-based reporting teams, leading security strategy across cyber strategy, cyber risk and resilience, security architecture and security operations. [12] See paragraphs 1.33 and 1.34 of the APP Guidelines. Please refer to Qantas Group Policies available on the Qantas Intranet or from your manager or people representative for details. Our Fly Well program included a number of temporary and existing wellbeing measures to safeguard travel during the pandemic, to give our customers peace of mind at each point of their journey across our Australian domestic, trans-Tasman and international networks. Both the General Counsel and CEO sit on the Group Management Committee (GMC), with the General Counsel reporting to the GMC on privacy. 4.67 QFF staff are also required to undertake mandatory risk management and cyber security training. Staff are required to undertake a SIA at the beginning of a new project to identify any privacy and security risks. However, based on practices at the time of the assessment, there is a medium risk that privacy issues from the various business units will not be communicated effectively through the existing channels. If the staff member attempts the training but does not receive a 100% pass mark, training is not marked as completed and the online training system will continue to remind the staff member to complete the training.