The Office of the Australian Information Commissioner released a new Guide to Securing Personal Information, which replaces the Guide to Information Security issued in April 2013.
The Guide now contains more detail than the previous Guide and specifically addresses the requirements now contained in APP 11. It also refers to examples of incidents that were data breaches under the National Privacy Principles to assist entities in determining what may constitute reasonable steps to ensure security of information. The Guide places greater emphasis on privacy by design, risk assessments, the increased likelihood that information may be mishandled when it has been collected unnecessarily, and the importance of both designing security measures that factor in human error and insider breaches and driving a culture of privacy and security from the board level.
In a detailed consideration of steps and strategies which may be reasonable to take, the Guide covers topics including:
- Governance, culture and training
- IT and software security
- Whitelisting and blacklisting
- 'Trusted insider' risk
- Access to non-public content on web servers
- Audit logs and audit trails
- Third party providers, including cloud computing
- Destroying and de-identifying personal information
- Standards that may be appropriate to consult and follow.
The cloud computing checklist featured in the Guide is a very useful tool when determining whether to use a cloud computing service.
A copy of the Guide is available here.