In order to provide greater transparency for customers, the OAIC suggests that the policy clearly identify this information as sensitive information. (1) This Policy: Defines Victoria University's high-level information security requirements based on the ISO 27001:2013 standard, NIST Cybersecurity Framework and other industry best practices, enabling the University to minimize information security risk and efficiently respond to incidents. 4.44 The Group-wide crisis management plan comprises a series of procedures that enable staff to respond to the various kinds of crises that may arise across the Group. 4.62 Qantas privacy training underwent a large-scale review in 2013-2014 due to the major changes made to the Privacy Act, and at the time of the assessment, was being revised to include the Notifiable Data Breaches scheme. 4.75 At registration, QFF collects members' personal information as well as other voluntary information about preferences for food and drink, finance and other products or services that a member is interested in. Your cyber security policy doesn't need to be very long; most SMEs should be able to fit theirs onto a single sheet of paper. [2] See Coles flybuys and Woolworths Rewards: what is the price of loyalty? If staff clicked the enclosed link, they were redirected to a notification page informing them that they had failed a phishing test. 4.45 The crisis management plan encompasses identification and notification, assessment and response. The COVID-19 pandemic presented many challenges to our organisation and our people to work through. It is understood neither Qantas Airways nor Virgin Australia Holdings has a separate cyber-security insurance policy but both have multi-layered security precautions in CHESS also has oversight of risks associated with regulatory compliance. What your policy needs to cover.
The three principles that guide us are: operating with integrity (through our safety, people, community and environment strategies). Make sure your good security posture has a presence on your website: show it off and share the news by adding a Badge from SecurityScorecard. Underpinning the policies and procedures should be strong leadership from senior management, with governance arrangements that support effective privacy practices. However, they are only provided with de-identified data, and strong contractual protections are put in place against re-identification or use of data other than as stipulated. Doniz served as Qantas Group CIO from January 2017, and at Boeing will be the CIO and senior VP of information technology and data analytics. This anonymous identification number is used for most internal transactions relating to the member's account to limit the number of staff with access to personal information. While ensuring the Qantas Group had an effective platform to respond to the consequences of COVID-19, the Group ensured it also maintained a resilience capability to respond to events as we recovered. The main factor in the cost variance was cybersecurity policies and how well they were implemented. Code of Conduct and Ethics; 2. Business Resilience Policy; 3. Core Qantas Group policies are reviewed annually, and if any changes are made, they require approval of the Qantas Board (the Board). The cyber safety of Qantas Frequent Flyers is a priority for us. highlights the QFF/Woolworths relationship. The Main Types of Security Policies in Cybersecurity. A data breach will trigger a crisis response, the extent of which depends on the nature and severity of the breach. Former IHS Markit group chief information security officer, Darren Argyle, has been appointed ongoing CISO at the airline, with his tenure as its cyber security chief to begin later this month.
Argyle was appointed to the CISO role after a recruitment process that began last year as part of a cyber security strategy revamp. Qantas in December appointed a new But it might still face a legal storm if its policy is tested before a tribunal or court. There is ongoing investment to improve the resources, processes and technology that will support the Group to effectively address the volumes of personal information that we manage, and to meet both intensifying regulatory requirements and individuals' rising expectations regarding fair, ethical and responsible data use. 4.60 The OAIC suggests that all informal privacy and other risk assessments be recorded in some form, such as email or file notes, and stored in an accessible location for relevant staff to access. "For Qantas, doing business responsibly isn't just the right thing to do; it's also the smart thing to do." 4.93 QFF uses the Qantas Group-wide privacy policy, also referred to as the Group privacy statement. This means that the policy may be too complex for some readers, who are younger or who have a lower literacy level, to understand, and this could affect some QFF members. 10. Security Policy. The General Counsel receives weekly briefings on key issues (including privacy matters) from QFF and on an ad hoc basis as needed. The OAIC has not identified any privacy risks based on the assessment scope and the above-mentioned observations. 5.3 QFF is working with Qantas to develop a Privacy Management Plan to augment its well-established privacy policies and procedures. This was a difficult program of work that required careful planning and scheduling. Transparent Group Terms and Conditions.
However, given that only one document was affected and that QFF staff demonstrated a strong understanding of Qantas information handling and management practices, including thorough PIA processes that do not heavily rely on this document (see Privacy impact assessments and security impact assessments below), the OAIC regards this as a low privacy risk for QFF. QFF has since advised the OAIC that a Group Privacy Officer was appointed in late July 2017 and one of the primary responsibilities of this Privacy Officer, on appointment, would be to set up and co-ordinate a network of privacy champions across the Qantas Group. Flexible Fare options. Benefits. 3.3 Member registration is conducted online, either directly through the QFF website or through a link on a program partner website. We take active, quality measures to help our members keep safe online and also encourage our members to do what's possible to protect their account and personal Cann Group chief executive Peter Crock says the group has not been able to recover $3.6 million in payments after a cyber fraud. At the time of the assessment, the staff on the GCSC were raising privacy issues. These are documented in email form and stored on a shared drive. 6.2 The objective of the assessment was to examine whether personal information collected by QFF is handled in accordance with the Privacy Act. It may also be updated on an ad hoc basis as needed, for example, following key personnel changes. Qantas is experiencing an extremely competitive market as governments strengthen security laws internationally and domestically, which has led to a huge drop in passenger numbers. All SIAs are recorded in the system and can be recalled or examined as needed. 4.96 In our review, the OAIC found that the Qantas privacy policy meets the prescriptive requirements of APP 1.4. Our company cyber security policy outlines our guidelines and provisions for preserving the security of our data and technology infrastructure.
Threats and exploits can't get through, and Umbrella gives us confidence because we know that our users are protected when they're surfing the internet on or off the network. 4.50 The OAIC was informed that, at the time of the assessment in June 2017, the Qantas Crisis Management Team processes were last externally audited in September 2016. Australia's largest domestic and international airline, Qantas, needed a holistic security solution that would not only protect remote workers, but also support its secure access service edge (SASE) initiative. The DISO assesses the security implications of the project and considers mitigation strategies for cyber security risks. This role reports into the Head of Group Cyber Security Centre (GCSC), providing a group-wide service of cyber security operational incident response, containment and support. 4.31 Compliance with APP 1.2 is fundamentally about good privacy governance. The observations and information contained in this report reflect the circumstances as at the date of the assessment (June 2017). 4.32 Whilst QFF has numerous governance mechanisms and structures in place to facilitate privacy management, the OAIC notes that there are no specific, dedicated privacy roles within Qantas or QFF (with the exception of the recently appointed Group Privacy Officer). Privacy related matters will also be raised during short stand-up meetings, where staff consult each other or offer suggestions on different matters and projects. All user access is logged and monitored, with the logs regularly audited by the platform owners. It operates through five segments: Qantas Domestic, Qantas International, Jetstar Group, Qantas Loyalty, and Corporate. Multi-factor authentication of member accounts.
During the pandemic, our Wellbeing program expanded from a focus on traditional areas of health and wellbeing (physical health, nutrition, sleep, exercise and mental health) to include financial wellbeing, healthy relationships and digital wellbeing. It is the responsibility of New York State Office of Information Technology Services (ITS) to provide centralized IT services to the State and its governmental entities with the awareness that our citizens are reliant on those services. Marketing campaigns are sent to different member lists. Flexible deposit conditions. contact details (postal address, mobile number and email address), APP 1.2 implementing practices, procedures and systems, ensure that the entity complies with the APPs; and. [3] QFF is run by Qantas Loyalty, a business unit within Qantas Airways Limited (Qantas). Qantas Frequent Flyer and Qantas Business Rewards remain at the core of the program, while the business has evolved to include a number of new ventures and other businesses such as Qantas Money, Qantas Insurance and Qantas Wine. regularly evaluate its privacy risk management policies and practices to ensure their continued effectiveness. Assessment undertaken: May-June 2017. Draft report issued: 9/10/2018. Final report issued: 30/6/2019. In addition, QFF's information security controls should continue to be regularly reviewed and revisited in order to meet constantly evolving ICT risks related to personal information. 4.10 Whilst all QFF personal information is stored in Australia, QFF uses several offshore customer service centres. This may lead to the loss of vital information regarding identified privacy risks. Remote access is restricted to a needs-only basis. [9] Where data analytics involves personal information, entities must ensure they are complying with the requirements of the Privacy Act.
Privacy complaints and compliance issues are handled by the corporate liaison team, who receive regular privacy training. The Qantas Group continues to support key external initiatives under the Australian Government's Cyber Security Strategy, the voluntary ASX100 Cyber Health Check, and joint Commonwealth and private sector meetings, including the inaugural Australia-United States Cyber Security Dialogue to discuss ways to collaborate on better security outcomes. The notice refers members to the Qantas privacy policy for further information. develops and implements a privacy management plan that considers privacy goals and targets, and how to meet them. 4.24 Qantas Group General Counsel reports to the Qantas Group Chief Executive Officer (CEO). Security Policy. January 24, 2017 by AJ Kumar. Security policy is the statement of responsible decision makers about the protection mechanism of a company's crucial physical and information assets. Qantas Annual Review 2017-18, Cyber Security: The Qantas Group is constantly improving its cyber and data privacy capabilities. These are the Qantas Group Policies: 1. Furthermore, it is the responsibility of each business unit to identify and report risks. These emails are provided on an opt-out basis, so members can change or cancel the different types of marketing materials that they receive from QFF. 4.16 The OAIC noted a strong awareness of privacy and information security issues through its review of relevant QFF policy and procedure documents and interviews with staff. 4.76 In relation to the use of personal information for marketing and analytics purposes, QFF's APP 1 privacy policy and collection notice state that members' personal information may be used to: 4.77 Potentially sensitive information gathered by the airline, such as meal preferences and medical conditions, is not used by, or accessible to, the QFF marketing and analytics teams. The policy is dated to reflect when it was last reviewed.
Qantas has been looking for a security head since August last year. Combining the expenditure of both domestic and international tourists who travel on Qantas and Jetstar, the additional total value added to the Australian economy associated with the role of the Qantas Group in facilitating tourism in FY 2017 is estimated to be $10.7 billion. -Adam Kinsella, Product Owner for Network, Network Security, Qantas. Some projects may be subjected to this process multiple times. Qantas in late 2016 began the hunt for a CISO to oversee four Sydney-based reporting teams, leading security strategy across cyber strategy, cyber risk and resilience, security architecture and security operations. Like many large organisations, we operate in an environment of ever-evolving cyber threat, where external attackers are always adopting new and more sophisticated techniques. 4.9 The OAIC noted that one document contained references to the National Privacy Principles (NPPs), which were replaced by the APPs in March 2014. GCSC members are from a wide range of areas across the Group, including IT Security, Information Security, Legal/Privacy, the newly formed Business and Integrity Compliance Team, and other senior management staff. The Group Management Committee has steadfastly supported the change we needed to make, despite the many challenges we face in the aviation industry. strong corporate governance transparency in reporting. 4.54 All new projects require a security impact assessment (SIA), and staff have access to the relevant form on the Qantas Intranet. There are fewer than ten users with administrative access privileges, and these accounts are also logged, as are any data changes in the data warehouse. Cyber security risk assessments. Negar Salek.
I have a proven track record of leadership and performance in a range of strategic cyber security, risk, compliance and finance roles while working in the UK, Canada, India and Australia. 4.1 This part of the report sets out the OAIC's observations, the privacy risks arising from these observations, followed by suggestions or recommendations to address those risks. Design, develop, deliver and measure ongoing risk aligned Group (Qantas, Jetstar and Loyalty) Cyber Safety Awareness Campaigns to raise Qantas Group employees' cyber awareness, uplift their cyber capability and embed a Cyber Safety culture throughout the Qantas Group, incorporating. All projects require sign-off by Legal and staff are encouraged to approach them early in the process. We encourage our people to report safety and security-related matters, even when they are closely involved and might feel vulnerable to criticism. Welcome to Qantas Group Travel. However, one current exception is QFF's partnership with Woolworths, as Woolworths Everyday Rewards (WER) members may opt in to earn Qantas Points as their reward under the WER program, automatically converting WER points they earn when shopping at Woolworths into Qantas Points. All or part of an assessment report may be withheld from publication due to statutory secrecy provisions, privacy, confidentiality, security or privilege. 4.66 As a part of Qantas' financial and corporate governance reporting requirements, the Group Audit Team regularly checks the QFF training logs, which are managed by the Qantas Human Resources Department. When a member's accumulated Status Credits reach a designated level, their membership tier level increases (for example from Silver to Gold) and they can receive additional membership benefits, including earning higher rates of Qantas Points.
While membership of the GCSC includes representatives from Legal/Privacy, and a reference to the Privacy Commissioner, the objectives and responsibilities of the Committee outlined in the charter document focus on cyber risks and do not specifically call out privacy issues. We monitor global developments in governance, laws and business practices, and work collaboratively across our global footprint to ensure we continue to meet these standards. The OAIC recommends QFF works with Qantas to continue with the Group-wide implementation of a network of privacy champions, including a dedicated champion within QFF. Furthermore, marketing and analytics staff are in constant consultation with QFF Legal in relation to changes or new ideas. The airline said it would contact customers whose bookings were cancelled directly. As part of the business integrity and compliance function, Qantas is Cyber security (particularly in terms of data protection) The program will be implemented during financial year 2017/18. This includes aviation safety, WHS, environment, security (including cyber security) and business resilience matters. 3.8 QFF stores data in a separate, partitioned section of the Qantas Group IT Environment. by the Qantas Group exceed 2 per cent of Qantas' annual consolidated gross revenue (other than banks, where materiality must be determined on a case-by-case basis); and in respect of customers where goods or services supplied by the Qantas Group exceed 2 per cent of Qantas' annual consolidated gross revenue. Our Fly Well program included a number of temporary and existing wellbeing measures to safeguard travel during the pandemic, to give our customers peace of mind at each point of their journey across our Australian domestic, trans-Tasman and international networks. Cyber risk ratings influence business activity from the loading dock to the board room.
Qantas Frequent Flyer and Qantas could also consider using graphics, videos and other digital formats as a way of clearly communicating to its members how it handles personal information. These include the Qantas privacy statement (APP 1 privacy policy) and risk management policies, which are discussed separately later in this report. [4] For a current list of program partners, see the Earn Qantas Points page. Additionally, the DISO sends a monthly cyber update email to QFF staff to reiterate the importance of good privacy practices and current threats. [6] As well as earning and redeeming Qantas Points, QFF membership allows members to earn Status Credits. Staff are encouraged to clarify the member's exact needs before proceeding with an access request. Specifically, the assessment examined whether: 6.4 Where the OAIC identified privacy risks and considered those risks to be high or medium risks, according to OAIC guidance, the OAIC made recommendations to QFF about how to address those risks. The cyber safety of Qantas Frequent Flyers is a priority for us. 4.30 At the time of the assessment, the Qantas Group was investigating whether it would be required to appoint a data protection officer under the upcoming GDPR requirements. 4.51 The Qantas crisis management plan and its various supporting documents serve as a data breach response plan. Security impact assessments explain and compare the value of the project in conjunction with any associated security risks, including privacy risks. Good privacy risk management informs and triggers changes to practices, procedures and systems to better manage privacy risks. It would be unlikely that all of the Qantas Group's 22,000 employees are exposed or create the same level of risk to COVID-19. Complaints files are assigned priorities, which determine team allocation and due date for response.
The card is posted to the member's nominated postal address. An automated voice-activated call from our telephone alert system, from 1300 754 566. Qantas Frequent Flyer uses targeted marketing communications (primarily by email) to promote products and offers which may be of interest to members. Qantas Frequent Flyer then uses this and other information collected at various points throughout their membership, including when members earn and redeem Qantas Points and their interactions with marketing campaigns, to analyse member behaviours and identify target members for marketing campaigns. 4.41 Qantas Group and, by extension, QFF have comprehensive risk management processes which adequately encompass the identification, recording, reporting and mitigation of privacy risks within QFF. Though the extent of involvement may vary by role, security is everybody's responsibility at Workday. For many enterprise organizations, administering risk assessments is the first step in building an effective cyber threat management system. 4.49 QFF liaises with internal and Group staff, external stakeholders and regulators (such as the OAIC) as needed throughout the process. Qantas Group declared at its recent investor day that it had made a significant investment in cyber security systems and capability. 2.2 When entities undertake data analytics that involve personal information, they must comply with the requirements of the Privacy Act 1988 (Privacy Act). [8] The European Union General Data Protection Regulation (the GDPR), which commenced 25 May 2018, contains new data protection requirements. These lists are derived from mailing lists that members subscribe to in the "my profile" section of their QFF account and those that are designed and created using de-identified information linked to the anonymous identification number.
The Group has a structured employee wellbeing and mental health program which has the dual focus of understanding and protecting our people from wellbeing and mental health-related risks, along with amplifying the opportunities for our work to positively impact on our wellbeing and mental health. Additionally, where new practices evolve, the OAIC suggests that these practices, and the reasons behind them, are appropriately documented. If the staff member attempts the training but does not receive a 100% pass rate, training is not marked as completed and the online training system will continue to remind the staff member to complete the training. The Qantas Group's FY21 performance for Total Recordable Injury Frequency Rate improved compared to the prior year, while our Lost Work Case Frequency Rate was slightly higher. 4.52 The OAIC encourages Qantas to continue its current practices for testing and reviewing its crisis management plan in the context of a data breach. QFF, as a business unit, would have the opportunity to share its learnings, as well as to learn from the experiences of other business units. Queensland's First Nations children experiencing domestic and family violence are being harmed, and funnelled into risk-taking and criminal behaviour, by failures in the child protection, youth. We take active, quality measures to help you keep safe online and we also encourage our members to do what's possible to protect their account and personal information. It identifies specific, measurable privacy goals and targets and sets out how an entity will implement the four steps outlined in the OAIC's Privacy management framework and meet its goals for managing privacy.
This privacy champions network will result in Qantas training staff to perform this key privacy role in each business unit to coordinate privacy matters across the different business units and report these issues to senior management. 4.63 Staff are required to undertake a thirty-minute online privacy training course, which summarises the law and includes a series of randomly generated test questions. 4.87 Based on the OAIC's review of documents and interviews with QFF staff, there appear to be effective privacy safeguards in place for QFF's marketing and data analytics activities. 4.83 All new marketing and analytics data uses are subject to the SIA process described above at 4.54, which includes assessment of privacy risks and a flag to complete a PIA. The recent increase in oil prices has been a threat to the aviation sector's success. QFF regards personal information as its chief business asset and has invested multiple resources to safeguard it. 2.3 In the 2014/2015 financial year, the OAIC assessed two leading loyalty programs in Australia. 4.100 The OAIC reviewed QFF's online notice relating to the collection of information from individuals against the requirements of APP 5 in order to ensure its compliance. 4.8 Policies are also reviewed when major legislative changes occur, such as the significant amendments to the Privacy Act that commenced in 2014.