Who is responsible for the security and use of a particular set of information in an organization?

  • Who can collect your personal information
  • How they can collect your personal information
  • What you should be aware of

Organisations and agencies sometimes need personal information about you to carry out their work. Australian privacy law sets out what personal information they can collect and what they need to tell you.

An organisation may only collect your personal information that is reasonably necessary for their work. An agency may only collect your personal information that is directly related to their work. They don’t need your consent unless the information is sensitive.

Sensitive information

An organisation or agency must usually ask for your consent to collect sensitive information. There are situations where they don’t need to, for example, where an individual, in need of urgent medical treatment, is unable to consent to the collection of their health information because they’re unconscious.

How can an organisation or agency collect personal information?

An organisation or agency must only collect personal information in a lawful and fair way. If practical, they must collect the information from you personally and not from third parties. But there are situations where organisations and agencies are allowed to collect information about you from third parties. For example:

  • where you would reasonably expect it or where you’ve consented to your personal information being shared
  • a law enforcement agency may collect personal information about an individual who is under investigation without asking the individual directly because to do so may jeopardise the investigation
  • if a legal or official document mailed to an individual is returned to the sender, then the sender may need to get the individual’s current contact details from another source

For more information, see the Australian Privacy Principles (APP) Guidelines, Chapter 3.

Sometimes an organisation or agency may receive your personal information when they haven’t asked for it. For example, they may receive misdirected mail. How the organisation or agency handles such a situation is explained in the APP Guidelines, Chapter 4.

What you must be told when your personal information is collected

When an organisation or agency collects your personal information they must take reasonable steps to tell you the following information, as close as possible to the time they collected your personal information:

  • the organisation or agency’s identity and contact details
  • the fact and way in which the organisation or agency collected your personal information
  • if collecting your personal information is required or authorised by law
  • the reasons the organisation or agency collected your personal information
  • the consequences if the organisation or agency doesn’t collect your personal information
  • the organisation or agency’s usual disclosures of the kind of personal information being collected
  • information about the organisation or agency’s privacy policy
  • if the organisation or agency is likely to disclose personal information to overseas recipients, and if practical, the countries where they are located

For more information, see the APP Guidelines, Chapter 5.

Annex A.6.2 is about mobile devices and teleworking. The objective in this Annex A area is to establish a management framework to ensure the security of teleworking and use of mobile devices.

A.6 seems like an odd place to cover mobile devices and teleworking policies, but it does, and almost everything in A.6.2 connects with other Annex A controls because much of working life now involves mobile and remote working.

Teleworking in this instance also includes home workers and those in satellite locations that may not need the same physical infrastructure controls as (say) the head office but nonetheless have exposure to valuable information and related assets.

A.6.2.1 Mobile Device Policy

A policy and supporting security measures need to be adopted to manage the risks introduced by using mobile phones and other mobile devices such as laptops and tablets. As mobile devices become increasingly capable, this policy area grows in significance well beyond the traditional use of a mobile phone. The use of mobile devices and teleworking is at the same time an excellent opportunity for flexible working and a potential security vulnerability.

BYOD (Bring Your Own Device) is also a major part of the consideration. While there are tremendous benefits in letting staff use their own devices, without adequate controls on in-life use, and especially on exit (offboarding, revoking access and removing organisational data from the device), the threats can be considerable too.

An organisation needs to be sure that when mobile devices are used or staff are working off-site its information and that of customers and other interested parties remains protected and ideally within its control. That becomes increasingly difficult with consumer cloud storage, automated backup and personally owned devices shared by family members.

An organisation should consider implementing a "defence in depth" strategy with a combination of complementary physical, technical and policy controls. One of the most important aspects is education, training and awareness around the use of mobile devices in public places: avoiding 'free' Wi-Fi that could expose information quickly, or preventing uninvited observers from reading the screen on the train journey home.

The auditor will want to see that clear policies and controls are in place which provide assurance that information remains secure when working away from organisational physical sites. Policies should cover the following areas:

  • registration and management
  • physical protection
  • restrictions on what software can be installed, what services and apps can be added & accessed, use of authorised and unauthorised developers
  • operating system updates and application patching
  • the information classification accessible and any other asset access constraints (e.g. no infrastructure critical asset access)
  • cryptography, malware and antivirus expectations
  • log on, remote disabling, erasure, lockout and ‘find my device’ requirements
  • backup and storage
  • family and other user access conditions (if BYOD) e.g. separation of accounts
  • use in public places
  • connectivity and trusted networks

A.6.2.2 Teleworking

A policy and supporting security measures must also be implemented to protect information accessed, processed or stored at teleworking sites. Teleworking refers to home-working and other off-site working such as on supplier or customer sites. For teleworking staff, education, training and awareness relating to potential risks is critical.

The auditor will expect to see decisions relating to mobile device and teleworking use and security measures based on appropriate risk assessment, balancing the need for flexible working against the potential threats and vulnerabilities such use would introduce.

Teleworking is also closely related to many of the other Annex A control areas in A.6, A.8, A.9, A.10, A.11, A.12 and A.13, so join those up as part of the combined office and teleworking approach to avoid duplication and gaps. A.7 is also essential to get right for the screening and recruitment of teleworkers; management over the whole employment lifecycle should be included in audits so that the organisation can demonstrate to auditors that teleworkers are not a poorly managed threat.


Information security, often shortened to infosec, is the set of practices, policies and principles used to protect digital data and other kinds of information. Infosec responsibilities include establishing business processes that protect information assets regardless of how the information is formatted or whether it is in transit, being processed or at rest in storage.

Generally, an organization applies information security to guard digital information as part of an overall cybersecurity program. Infosec's three primary principles, called the CIA triad, are confidentiality, integrity and availability.

In short, infosec is how you make sure your employees can get the data they need while keeping anyone else from accessing it. It is also closely associated with risk management and legal and regulatory obligations.

The CIA triad: confidentiality, integrity and availability

Principles of information security

The CIA triad

The overall goal of infosec is to let the good guys in while keeping the bad guys out. The three primary tenets that support this are confidentiality, integrity and availability. This is called the CIA triad, or the three pillars or principles of information security.

Confidentiality is the principle that information should only be available to those with the proper authorization to that data. Integrity is the principle that information is consistent, accurate and trustworthy. Availability is the principle that information is easily accessible by those with proper authorization and will remain so in case of failure to minimize interruptions to users.

These three principles do not exist in isolation; they inform and affect one another, so any infosec system involves a balance of these factors. As an extreme example, information that exists only on a sheet of paper stored in a vault is confidential but not easily available. Information carved into stone and displayed in the lobby has high integrity and is highly available, but it is not confidential at all.

Other infosec principles

While the CIA triad forms the basis of infosec policy and decision-making, other factors should be included in a complete infosec plan.

Because infosec involves a balance of competing factors, it is associated with risk management. The goal is to maximize positive outcomes while minimizing negative ones. Organizations use risk management principles to determine the level of risk they are willing to accept when implementing a system, and they put safeguards and mitigations in place to reduce that risk.

Data classification should also be taken into account with infosec to give extra attention to information that needs to remain either highly confidential or data that needs to remain highly available.

Information security is not limited to digital data and computer systems. A full infosec policy will also cover physical information, printed information and other kinds of media. It may also include confidentiality agreements.

Businesses should also employ user training to protect data, as well as both computer controls and organizational policy as risk mitigation factors. For example, to limit the risk of an accounting analyst changing financial data, an organization can put in place a technical control limiting change rights and logging changes. Alternatively, an organizational policy of having a second person audit completed records can mitigate this risk as well.

Another important infosec factor is nonrepudiation: the ability to prove that a particular party took a particular action (sent a message, approved a transaction, changed a record) so that the party cannot later deny having done so. It depends on integrity and on an authenticated origin: data must not be tampered with at rest or in transit, its source must be verifiable, and it must not be modified accidentally or maliciously. A shared secret such as a password or HMAC key gives integrity but not nonrepudiation, because either holder of the secret could have produced the result; a digital signature tied to a key only one party controls is the usual way to achieve it.

Business continuity and disaster recovery (BCDR) are additional considerations of infosec. Data should remain available and unchanged in the case of a software or hardware failure. Organizations accomplish this through backups or redundant systems.

The business continuity and disaster recovery planning, as part of an overall infosec strategy, consists of multiple layers.

Consider change management an infosec policy as well. Poorly managed changes may cause outages that affect the availability of a system. System changes may also affect the overall security of stored data.

Local laws and governmental regulations also inform infosec decisions. Regulatory bodies often regulate personally identifiable information (PII) depending on region. Regulations, such as the Health Insurance Portability and Accountability Act (HIPAA) for medical data, Payment Card Industry Data Security Standard (PCI DSS) for payment information or the European Union's (EU) General Data Protection Regulation (GDPR) legislation, for example, may require that some information be treated differently or have special controls in place.

Jobs in information security

Most roles working with computers involve an element of information security. Therefore, infosec jobs may vary in their titles between organizations and be cross-disciplinary or interdepartmental.

The information technology (IT) chief security officer (CSO) or chief information security officer (CISO), in collaboration with the chief information officer (CIO), is responsible for overall cybersecurity and infosec policy. A security engineer or security systems administrator (sys admin) may be responsible for implementing or evaluating infosec controls.

An information security analyst or IT security consultant may be responsible for making risk evaluations, evaluating effectiveness of controls or analyzing a failure and its impact.


Information security certifications

A number of certifications are available to IT professionals who already -- or would like to -- focus on infosec and cybersecurity more broadly, including the following:

  • CompTIA Security+. This certification covers core cybersecurity knowledge and is used to qualify for entry-level IT and infosec roles.
  • Certified Information Systems Auditor (CISA). ISACA, a nonprofit and independent association that advocates for professionals involved in information security, assurance, risk management and governance, offers this certification. The exam certifies the knowledge and skills of security professionals. To qualify for this certification, candidates must have five years of professional work experience related to information systems auditing, control or security.
  • Certified Information Security Manager (CISM). CISM is an advanced certification offered by ISACA that validates individuals who have demonstrated the in-depth knowledge and experience required to develop and manage enterprise information security programs. ISACA aims this certification at information security managers, aspiring managers or IT consultants who support information security program management.
  • GIAC Security Essentials (GSEC). Created and administered by the Global Information Assurance Certification (GIAC) organization, this certification is geared toward security professionals who want to demonstrate they are qualified for hands-on roles with respect to security tasks related to IT systems. The exam requires candidates demonstrate an understanding of information security beyond simple terminology and concepts.
  • Certified Information Systems Security Professional (CISSP). CISSP is an advanced certification offered by (ISC)², an international nonprofit cybersecurity certification body. For experienced cybersecurity professionals, the exam covers the ability to design and implement an infosec program.
