Discussion in 'Business & Enterprise Computing' started by Gunna, Feb 9, 2018.
Health Service Providers industry sector reported the most breaches.
Sorry, I thought you were referring to a policy I could have a gander at, to look at how to word our one.
I'm late to the party in this thread, but yes, this has been a big chunk of my career to date. For decades now.
No. Australian IT is largely shithouse when it comes to security and related concepts (including things like being aware of breaches, being aware of the impact of a breach, having a policy on what to do after a breach, and giving two shits about the sensitivity of the data they store).
These laws came in Feb 22, and I know for a fact there are thousands (if not more) businesses that are at high risk right now, and have done fuck all about it.
It's going to be a fun couple of years ahead for sleepy Aussie IT.
The rules are the same everywhere, and are security 101: categorise your data, get the risky shit off edge devices.
It's going to annoy the people who like keeping crap on their laptops/phones. But IMHO they either need to understand why they can't, or change jobs if they can't deal with it.
Most unis and gov depts have theirs online that you can look at. I've just started writing a few for some of our clients; it doesn't have to be a long or complicated policy like ISO 27000, for example.
Not following legislation is a completely legitimate approach - assuming you have assessed the impacts.
Sure. My comment was more aligned to those that are "vulnerable but ignorant", which is guaranteed to be a large number.
The "don't know what they don't know" crowd.
It worked for the banks.
Is anyone worried that these schemes promote, or reward ignorance?
If I have an IDS and do DLP, and notice data walking, I have to report.
Solution: No IDS, no DLP = No Reporting = No Problem
I think most people here are overreaching on the impact of the scheme. It won't harden a network or change a security policy in 90% of workplaces. This scheme has nothing to do with security and will have no impact on it. It is merely for reporting unauthorised access to or loss of PII.
It doesn't affect anyone having their IP stolen, nor does it matter if you are cryptolockered; neither requires reporting.
So OAIC is moving to six-monthly reporting on NDB because they are not suitably resourced to keep up with quarterly reporting. I also note they haven't enforced penalties on anyone. So a pointless undertaking thus far? Other than 'awareness'?
I'm ignorant to these things, but I would assume that it's a year of data/stats gathering before the hammer of justice comes crashing down, no?
"Can't manage what you can't measure" kind of thing? Again, assumption on my behalf, but I'd assume there would be a grace period before things get tough. Or are we looking at this being toothless forever more?
Toothless is a very real possibility. I get the softly-softly first year/two mindset also; however, most of the things reported, from memory, were really basic lapses with no real impact on citizens.
I'm assuming it'll be like everything else, where there has to be a truly terrible event where high profile folks either lose lots of money or die, and then it'll change.
Yup. Equifax, Cambridge Analytica and this have shown most people don't give a shit until it directly impacts them, and even then the laws and fines certainly don't match the repercussions.
Equifax got fined $4 per person. I think they have made much more than that over the years though.