Under the Commonwealth’s Public Governance, Performance and Accountability Act 2013 (Cth) (PGPA), duties are imposed on Commonwealth entity officials, and Commonwealth company directors.
Commonwealth entities include departments or bodies corporate established by a law of the Commonwealth. Commonwealth companies are companies incorporated under the Corporations Act 2001 (Cth) (Corporations Act) that the Commonwealth ‘controls’.
In a previous article, we discussed directors’ duties under the Corporations Act as they extend into the field of cyber security. Commonwealth entity officials are required under the PGPA to perform their powers and functions and discharge their duties with care and diligence. These duties are analogous to directors’ duties under the Corporations Act.
The duties of Commonwealth company directors are broader still. Not only must Commonwealth company directors comply with their Corporations Act directors’ duties, they must also comply with additional duties and obligations under the PGPA, including keeping the responsible Minister informed of significant issues affecting the relevant Commonwealth company. In our view, this duty to inform extends to informing the responsible Minister of any significant cyber breach or cyber security related issues.
In this article we discuss the PGPA duties on Commonwealth entity officials and Commonwealth company directors as they apply to cyber security. As an officer of a Commonwealth entity or a Commonwealth company director, how can you satisfy yourself that you have taken sufficient steps in this regard?
We provide below a concise guide to six cyber security standards that Commonwealth directors and officers should know about. Familiarity with these six standards will:
- give Commonwealth directors and officers a basic grasp of cyber security issues in their organisation
- allow Commonwealth directors and officers to have appropriate conversations with, and to ask the questions that need to be asked of, their managers, colleagues and staff with responsibility for IT and cyber security.
The six cyber security standards
NUMBER 1: THE AUSTRALIAN SIGNALS DIRECTORATE’S TOP FOUR MITIGATION STRATEGIES TO PROTECT YOUR ICT SYSTEM
The Australian Signals Directorate (ASD) is the Commonwealth’s peak advisory body on cyber security. Its 2012 publication, Top four mitigation strategies to protect your ICT system, sets out four strategies (application whitelisting, patching applications, patching operating system vulnerabilities, and restricting administrative privileges) which ASD says, if implemented together, would mitigate at least 85% of the targeted cyber intrusions it responds to. The Top four are the highest-ranked entries in ASD’s wider, ranked list of mitigation strategies (see ASD’s Strategies to Mitigate Targeted Cyber Intrusions – Mitigation Details), and ASD recommends them as a baseline rather than a complete program.
NUMBER 2: THE AUSTRALIAN GOVERNMENT CYBER SECURITY OPERATIONS CENTRE’S QUESTIONS SENIOR MANAGEMENT NEED TO BE ASKING ABOUT CYBER SECURITY
The Cyber Security Operations Centre (CSOC) is a joint agency under the responsibility of the Commonwealth Attorney-General and the Minister for Defence. The CSOC suggests senior management should be asking the following questions:
- What would a serious cyber incident cost our entity or company?
- Who would benefit from having access to our information?
- What makes us secure against threats?
- Is the behaviour of our staff enabling a strong security culture?
- Are we ready to respond to a cyber security incident?
- Has the entity or company applied ASD’s top four mitigation strategies? (see Number 1, above).
NUMBER 3: ASIC’S CYBER RESILIENCE: HEALTH CHECK (ASIC REPORT 429)
Developed principally for directors and officers of corporations and other ASIC-regulated entities, this report from the corporate regulator should also be compulsory reading for Commonwealth entity and company directors and officers. Cyber resilience: Health check (ASIC Report 429) contains a number of ‘Health Check Prompts’, questions that officers and directors, together with their colleagues and staff, can ask to assess their entity or company’s awareness of, and preparedness for, cyber security risks.
In March 2016, ASIC released its assessment report on the cyber resilience of the ASX Group and Chi-X Australia. That assessment was conducted against the benchmarks set out in ASIC’s Health Check report. ASIC concluded that the ASX and Chi-X Australia met their obligations to have adequate resources to manage their cyber resilience. More usefully for other organisations, the assessment report describes the good practices ASIC observed, in the areas of:
- cyber-security strategy and governance
- risk management and threat assessment
- collaboration and information sharing
- proactive measures and controls
- detection systems and processes
NUMBER 4: THE OFFICE OF THE AUSTRALIAN INFORMATION COMMISSIONER’S GUIDE TO SECURING PERSONAL INFORMATION – ‘REASONABLE STEPS’ TO PROTECT PERSONAL INFORMATION
The Privacy Act 1988 (Cth) requires Commonwealth entities and companies to ‘take such steps as are reasonable in the circumstances’ to protect personal information from misuse, interference and loss, and from unauthorised access, modification or disclosure (Australian Privacy Principle (APP) 11). But what constitutes ‘such steps as are reasonable in the circumstances’?
The OAIC’s Guide to securing personal information – ‘reasonable steps’ to protect personal information provides useful information and should be read in conjunction with the other documents referred to in this article.
NUMBER 5: THE PAYMENT CARD INDUSTRY’S DATA SECURITY STANDARD (DSS): REQUIREMENTS AND SECURITY ASSESSMENT PROCEDURE
If your entity or company processes card payments, it should comply with the PCI Data Security Standard (DSS): Requirements and Security Assessment Procedures. If your entity or company outsources, or is considering outsourcing, card payment processing, your outsourced service provider should also comply with this standard, and you should ask for evidence of that compliance (for example, its current attestation of compliance) rather than rely on a contractual assurance alone.
NUMBER 6: ISO/IEC STANDARDS
The International Organisation for Standardisation (ISO) and the International Electrotechnical Commission (IEC) publish a number of standards used across the IT industry, including specific standards relating to IT security. The key IT and cyber security standards are the ISO/IEC 27000 series: ISO/IEC 27001 specifies the requirements for an information security management system and is the standard an organisation can be certified against, while ISO/IEC 27002 sets out the security controls that such a system draws on.
These are highly technical and detailed publications and it is not suggested that Commonwealth officers and directors become experts in these standards and their implementation. However, officers and directors can ask whether their entity or company, its suppliers and third party products and services are certified against, or aligned with, applicable ISO/IEC standards such as ISO/IEC 27001. Such certification will not be necessary or appropriate in every case, but asking the question may serve as a useful prompt for a discussion with your IT manager or CIO about whether you, your suppliers and your third party products are, or should be, aligned with the ISO/IEC standards.
Your entity or company’s most basic (but arguably not sufficient) cyber security strategy must include the following:
- implement ASD’s top 4 cyber intrusion mitigation strategies
- implement the other ASD published strategies, as applicable
- in respect of any of the ASD strategies that are not implemented, ensure that your entity or company has a clearly documented audit trail of the reasons why it decided not to implement a particular strategy. That documentation should include an appropriate risk analysis
- ask CSOC’s six questions of your IT manager or CIO – are you happy with the answers you get?
- apply ASIC’s ‘Health Check Prompts’ to your entity or company – what do the outcomes tell you about your entity or company’s cyber-preparedness?
- if your entity or company collects, stores, handles or processes personal information, ask whether it meets the standards set out in OAIC’s Guide to securing personal information – ‘reasonable steps’ to protect personal information
- if your entity or company processes card payments, does it (or its service provider) comply with the PCI Data Security Standard (DSS): Requirements and Security Assessment Procedures?
- does your entity or company, and do its suppliers and third party products, meet any applicable ISO/IEC standards, where that is appropriate?
The six cyber security standards referred to above are by no means exhaustive. This article is intended as an introductory guide to allow officers and directors to ask the right questions of those with managerial responsibility for IT and cyber security.
We have not, for example, discussed the publications issued by the Australian Prudential Regulation Authority (APRA). While APRA’s publications are aimed particularly at the banking, insurance and superannuation industries, they are of relevance to a wider audience.