A global cyber attack hit 100 organisations in January earlier this year, including a NSW government organisation. The attack exposed identity and health-related personal information. Once becoming aware of the breach, the organisation contacted the individuals whose details were exposed and offered support services to take necessary actions. There is no evidence that the data exposed was misused.
While an attack occurred, the government organisation mitigated the impact of this cyber attack by meeting and following data security compliance standards. Ensuring your organisation’s compliance can reduce the likelihood of incidents like these and mitigate their impact on your business should they occur.
Which data security compliance laws apply to you?
Australian businesses need to check their governance structures thoroughly to ensure data security compliance according to the Notifiable Data Breaches (NDB) Scheme and GDPR. They also need to test their data handling practices and seek legal counsel where needed.
1. Data security compliance for all Australian businesses
Compliance with Notifiable Data Breaches Scheme
Under the (NDB) scheme, businesses have to report and notify all data breaches to the OAIC (Office of the Australian Information Commissioner). Organisations under the Privacy Act 1988 must notify individuals if a data breach has exposed their personal information and could cause serious harm.
When notifying individuals of a breach, organisations should offer recommendations for how individuals can protect themselves, as mentioned in the introduction.
The OAIC requires businesses to come up with a data breach response plan in case of emergencies. They should also train the relevant staff to deal with data breaches adequately. In my opinion, taking these measures is an excellent way to reduce the number of breaches reported under the NDB scheme.
Compliance with GDPR in Australia
If your business processes personal customer data, then it falls under the GDPR. The following list details all the entities that need to comply with the GDPR:
- Businesses that are data controllers: These organisations control the ‘how’ and ‘why’ of data processing.
- Businesses that are data processors: These act on behalf of the data controllers.
- Businesses that have an establishment in the European Union: These businesses are liable to the GDPR even if the data they process is not part of the EU itself.
- Businesses outside of EU that:
- Are offering goods and services to people residing in the European Union
- Observe the behaviour of individuals in the European Union
An Australian business needs to follow the GDPR if it:
- Has an office in the EU
- Has a website that mentions or targets customers in the EU
- Tracks individuals in the EU on the internet.
2. Data security compliance for APRA-regulated entities
In 2019, APRA introduced new regulations that focus on cyber security for all financial institutions.
Compliance with APRA CPS234
APRA’s CPS234 regulation commenced on July 1st 2019. It requires organisations to fortify their security measures according to size and assets. CPS 234 requires businesses to uplift information security by defining information security roles for the board, management and governing bodies.
You need to classify information assets according to how critical and sensitive they are. Moreover, you are required to extend information to third parties to protect sensitive data. Periodically testing security systems prepares you to deal with evolving threats.
APRA requires security reports of all incidents. Businesses also need to carry out internal audits to review security measures put in place.
3. Other data security compliance standards
PCI DSS aims to secure cardholder data around the world. Organisations that process, store and transmit data are liable to the PCI DSS. It consists of twelve requirements falling under six overarching categories.
PCI DSS includes creating and maintaining secure networks and systems and protecting the data of all cardholders. Additionally, you need to create a vulnerability management system and monitor test networks regularly.
Strengthening access control measures and establishing an information security policy also falls under requirements for the PCI DSS.
How does Experteq improve data security compliance?
Data security compliance can be tedious for many organisations. Failing to comply can lead to dire penalties. Here are a few ways Experteq can help you avoid data security compliance troubles.
Configuring the Microsoft 365 Compliance Centre
The Microsoft 365 Compliance Centre checks your organisation’s data security compliance. It is an administrative tool that enables you to navigate your legal and regulatory needs.
Some of its features include:
- Microsoft Compliance Scorecard: Analyses your company’s progress with taking measures to enhance data protection.
- Solution Catalog Card: Provides you with a list of solutions that help you manage end to end compliance scenarios.
- Active Alerts Card: Offers a summary with detailed information for some of your most active alerts.
Experteq can help you configure the Microsoft 365 Compliance Centre for your organisation.
Azure Information Protection
Azure Information Protection is Microsoft’s cloud-based solution. It helps businesses protect their emails and documents by labelling and classifying them. There are three ways AIP offers you advanced data protection:
- Helps you label and classify your documents by sensitivity. It offers standardised labels like “personal, public and confidential” to classify documents.
- Protects your data through encryption and authorisation policies.
- Allows integration with other office applications like Word and Excel. Furthermore, it helps track and report document access in case of data misuse.
Microsoft Data Loss Prevention (DLP)
Most organisations leverage email for critical business communication that contains sensitive information. DLP is an information management system that makes managing sensitive data easier.
To do so, it alerts users about sensitive information on their Outlook account. It allows admins to analyse and protect sensitive data going in and out of the organisation. Furthermore, it scans all data from individual clients and the server. DLP also does a deep content analysis to protect your sensitive information at every level.
Experteq helps you set up your DLP policies to keep your organisation’s information in-house.
Endpoint protection with Intune
Intune allows security admins to manage device security and lower risk. You can configure your device security with Intune. Moreover, you can manage security tasks when devices are at risk.
Intune helps you view device compliance from a higher level. You can also integrate with Microsoft Defender and manage security configurations through policies targeting different aspects. It allows you to set rules that devices and users should meet through compliance policies.
Intune also enables you to manage common endpoint protection features like Firewall and Microsoft Defender.
Experteq enable data security compliance for the enterprise
Experteq primarily works with government, financial services, and insurance organisations, whose industries demand some of the highest data security compliance standards. We can provide you with the latest advice in implementing and maintaining the standards applicable to these industries.
We provide standards assessment and consulting for regulations such as GDPR, APRA CPS 234 and NDB. Maintaining compliance with these standards requires dedicated attention to your security posture. Furthermore, we can reduce risk by continually assessing risk across your security posture. Once we have helped you attain these standards, we provide continuous risk and compliance management.
Visit our Compliance page to learn more about our capabilities.