The Corporate segment provides centralized management and governance. 6.6 For more information about privacy risk ratings, refer to the OAIC's Risk based assessments privacy risk guidance in Appendix A. 4.47 QFF maintains a cyber incident register, which includes data breaches and online fraud. The observations and information contained in this report reflect the circumstances as at the date of the assessment (June 2017). Past crises are often used in staff training. 4.62 Qantas privacy training underwent a large-scale review in 2013-2014 due to the major changes made to the Privacy Act, and at the time of the assessment, was being revised to include the Notifiable Data Breaches scheme. 3.2 QFF is a points-based rewards program and members may earn Qantas Points by purchasing products and services from Qantas or any of its program partners. TPG Telecom announced on Tuesday it has picked up a five-year deal to handle fixed and mobile voice services for Qantas. 4.38 The QRAG contains the risk assessment and management frameworks for the Qantas Group. The main factor in the cost variance was cybersecurity policies and how well they were implemented. Its current APP 5 collection notification practices appear reasonable and adequate. 4.68 To further raise awareness of cyber security and privacy issues, staff are sent a weekly Friday Flyer email, which often contains information about how to avoid phishing scams and current privacy threats. enable the entity to deal with privacy related inquiries or complaints from individuals. All or part of an assessment report may be withheld from publication due to statutory secrecy provisions, privacy, confidentiality, security or privilege. Group Finance Policy; 7. 
It also includes a collaborative process for managers to ensure favourable safety, healthcare and support return-to-work outcomes for existing employees with physical and/or mental health conditions, and/or adverse social circumstances. 4.34 The OAIC notes that the charter document for the GCSC primarily focuses on cyber risks and their management and does not specifically refer to privacy. 4.63 Staff are required to undertake a thirty-minute online privacy training course, which summarises the law and includes a randomly generated series of test questions. QFF advised that this trial was being expanded and QFF would eventually roll out multi-factor authentication to all members. The Qantas Group is constantly improving its cyber capabilities as part of its overall data and privacy protection. [8] The European Union General Data Protection Regulation (the GDPR), which commenced 25 May 2018, contains new data protection requirements. 1.3 The assessment found that QFF has taken steps to foster a culture of privacy awareness that treats personal information as a valuable business asset. We are at the forefront of improving security outcomes for customers and employees by operating within a security framework that is proportionate, agile and responsive to changing threats and risks across our network. We brought grounded aircraft back into service, our employees came back to work after being stood down, and we opened or reopened flying to ports that we had not flown to in over a year and to some that had not seen an aircraft in that time. If staff clicked the enclosed link, they were redirected to a notification page informing them that they had failed a phishing test. Member accounts are also bundled into segments based on these preferences, which dictates the type of marketing material QFF will send to them. 
The GCSC also monitors, reviews and enhances the compliance of all cyber risk management systems, policies and procedures, protocols and controls with all relevant laws and regulations. Across the Group, we are responsible for handling a substantial amount of personal information. This is discussed later in this report in the section titled risk management. This commitment to security extends to our executives. Some complaints were caused by operator error, for example, passing on details to the wrong recipient. 4.1 This part of the report sets out the OAIC's observations, the privacy risks arising from these observations, followed by suggestions or recommendations to address those risks. All analytic insights work is run in a de-identified environment by a separate team using the anonymous identification number discussed above at 4.71, which enables analysts to examine behaviours and answer questions without referring to personal information. [9] Office of the Australian Information Commissioner (OAIC), Big data and privacy: a regulator's perspective, viewed 26 September 2017. Over the past year, the return of domestic and international travel as borders reopened required a similar program of work to return our aircraft to the skies, including a focus on training for crew and support employees. All user access is logged and monitored, with the logs regularly audited by the platform owners. The OAIC recommends QFF works with Qantas to continue with the Group-wide implementation of a network of privacy champions, including a dedicated champion within QFF. The more we rely on technology to collect, store and manage information, the more vulnerable we become to severe security breaches. Executive Summary. 4.21 The OAIC has developed a PMP template that should assist QFF in the development of a PMP. 4.94 The OAIC reviewed this privacy policy against the requirements of APP 1. 4.59 QFF's current approach to PIAs and other privacy assessments is collaborative and thorough. 
the policies and procedures of QFF were reasonable in the circumstances to ensure that personal information is managed in an open and transparent manner (APP 1). 6.5 OAIC assessments are conducted as a point in time exercise. Qantas Group declared at its recent investor day that it had made a significant investment in cyber security systems and capability. The OAIC has not identified any privacy risks based on the assessment scope and the above-mentioned observations. 4.49 QFF liaises with internal and Group staff, external stakeholders and regulators (such as the OAIC) as needed throughout the process. QFF has since advised the OAIC that a Group Privacy Officer was appointed in late July 2017 and one of the primary responsibilities of this Privacy Officer, on appointment, would be to set up and co-ordinate a network of privacy champions across the Qantas Group. The Group Policies apply to Qantas Group entities and employees in line with the Group's Corporate Governance Framework. Strict role-based user access controls and physical protections to restrict access to QFF personal information and the systems it is housed in. Enterprise security management (ESM) issues directly revolve around the management of Qantas group itself. This privacy champions network will result in Qantas training staff to perform this key privacy role in each business unit to coordinate privacy matters across the different business units and report these issues to senior management. Our Fraud and Scams teams are monitoring 24/7 for any suspicious activity across the Westpac Group, using industry best practice security and fraud detection techniques. Additionally, the OAIC has recently released an online PIA learning tool which aims to better equip organisations with the knowledge to conduct an in-house assessment. 
simplifies the notice to enhance readability, changes the title from important information to something that indicates to potential members that the notice relates to the collection of their personal information. Qantas plans to improve fuel efficiency by 1.5% annually and to reduce water consumption by 20% and electricity by 35% by 2020. The Qantas Domestic, Qantas International, and Jetstar Group segments offer passenger flying, air cargo, and express freight services. These include the Qantas privacy statement (APP 1 privacy policy) and risk management policies, which are discussed separately later in this report. The cyber safety of Qantas Frequent Flyers is a priority for us. The Qantas Loyalty segment specializes in customer loyalty recognition programs. Specific complaints handling processes are embedded in the complaints handling system. The notice refers members to the Qantas privacy policy for further information. 4.88 Additionally, given the amount of personal information that QFF handles and the extent of its use in marketing and data analytics projects (whether in identified or de-identified forms), the OAIC also suggests that QFF continue to monitor and assess the risks of these projects as they progress, including any risk surrounding re-identification or the creation of new data sets. review of relevant policies and procedures provided by QFF, an analysis of QFF's APP 1 privacy policy. Our Wellbeing program is designed to foster an environment that supports, enables and motivates our people to live healthier, happier and more productive lives. Australia's largest domestic and international airline, Qantas, needed a holistic security solution that would not only protect remote workers, but also support its secure access service edge (SASE) initiative. If so, it was expected that a nominated senior member of Legal would serve this role. 
4.56 The findings of a SIA may determine whether or not a new project will go ahead. During the pandemic, our Wellbeing program expanded from a focus on traditional areas of health and wellbeing (physical health, nutrition, sleep, exercise and mental health) to include financial wellbeing, healthy relationships and digital wellbeing. At the time, the airline said its new cyber security chief would identify and lead programs to "monitor the emergence of new threats and vulnerabilities, assess business impacts, and drive rapid responses to cyber security events." 4.48 The response triggered by an incident notification will depend on the nature and severity of the incident. A clean desk policy, and non-permanent seating arrangements, necessitating that all personal and confidential items be stored in secure staff lockers. Marketing campaigns are sent to different member lists. Section 1 - Summary. Both the General Counsel and CEO sit on the Group Management Committee (GMC), with the General Counsel reporting to the GMC on privacy. 3.3 Member registration is conducted online, either directly through the QFF website or through a link on a program partner website. The OAIC recommends that QFF develops and implements a PMP that sets out specific goals and objectives for its privacy management with consideration of the specific issues that apply to its operations. The Qantas Group's FY21 performance for Total Recordable Injury Frequency Rate improved compared to the prior year, while our Lost Work Case Frequency Rate was slightly higher. Security impact assessments explain and compare the value of the project in conjunction with any associated security risks, including privacy risks. Where privacy complaints are received outside of this process (including by phone or by mail), a file/record is created in the complaints handling system. How We Use Your Personal Information. Project managers are reminded periodically to undertake SIAs for all new initiatives. 
Qantas Frequent Flyer uses targeted marketing communications (primarily by email) to promote products and offers which may be of interest to members. Despite these challenges, our operational safety performance was strong as we maintained a reporting culture where people are confident to report issues without fear and consistent operational performance across all parts of the organisation. Qantas Customer Story. These are the Qantas Group Policies: 1. Transparent Group Terms and Conditions. If a query relates to a QFF membership, then the call is referred to the QFF specific customer care team. 4.61 The OAIC has published the Guide to undertaking privacy impact assessments, which may be of assistance to QFF in considering future PIAs. The Qantas Group online Privacy Statement includes a link to a feedback form that is pre-populated to classify the matter as privacy related. In addition to appointing a Group Privacy Officer, Qantas is also establishing a dedicated Data Privacy team to bring together its privacy experts under one team and implement a coordinated enterprise-wide strategy and framework, including further investment in resources and technology that will support the Qantas Group to effectively address the intensifying global privacy regulatory requirements. Like many large organisations, we operate in an environment of ever-evolving cyber threats, where external attackers are always adopting more sophisticated techniques. [5] Qantas EpiQure was re-branded as Qantas Wine after the assessment. Only Qantas approved Users may use Qantas Information Technology systems, and must do so in accordance with the law and Qantas Policies, including the Information Technology Group Policy. 
Threats and exploits can't get through, and Umbrella gives us confidence because we know that our users are protected when they're surfing the internet on or off the network. 4.41 Qantas Group and by extension, QFF, have comprehensive risk management processes which adequately encompass the identification, recording, reporting and mitigation of privacy risks within QFF. -Adam Kinsella, Product Owner for Network, Network Security, Qantas. Our company cyber security policy outlines our guidelines and provisions for preserving the security of our data and technology infrastructure. Number of Employees: 25,000. Industry: Transportation. 4.78 As stated above, QFF holds all personal information in data warehouses, with highly restricted access. The need for shared vigilance on cyber issues is supported by formal recognition of employees who help detect attempted cyber scams. Once a SIA is formally underway, its progress is generally informal and collaborative, and may involve the project owner, the DISO, Legal, and any other relevant business units. During 2021, the Group was vocal in its support of legislation that will enhance these efforts in future. Likely adverse regulatory impact, such as Commissioner Initiated Investigation (CII), enforceable undertakings, material fines, Likely ministerial involvement or censure (for agencies), Possible breach of relevant legislative obligations (for example, APP, TFN, Credit) or meets some (but not all) requirements of a specific obligation, Possible adverse or negative impact upon the handling of individuals' personal information, Possible violation of entity policies or procedures. 4.91 The purpose of APP 1 is to ensure that APP entities manage personal information in an open and transparent way (APP 1.1). 
We take active, quality measures to help our members keep safe online and also encourage our members to do what's possible to protect their account and personal Cann Group chief executive Peter Crock says the group has not been able to recover $3.6 million in payments after a cyber fraud. 10. Security Policy. A data breach will trigger a crisis response, the extent of which depends on the nature and severity of the breach. Qantas Airways Limited ABN 16 009 661 901. Qantas Frequent Flyer and Qantas could also consider using graphics, videos and other digital formats as a way of clearly communicating to its members how it handles personal information. Complex privacy queries and requests are also referred to Group Legal in the same manner as complaints. 4.87 Based on the OAIC's review of documents and interviews with QFF staff, there appear to be effective privacy safeguards in place for QFF's marketing and data analytics activities. Furthermore, human resource and other policies exist at entity or business unit level, which also outline the minimum expected standards for our people in the context of their employment. However, as with the privacy policy, the language used in the notice is complex, and may be difficult for some readers, who are younger or with a lower literacy level, to understand. 
All employees receive security, privacy, and compliance training the moment they start. [2] See - Coles flybuys and Woolworths Rewards: what is the price of loyalty? Some projects may be subjected to this process multiple times. Protection from these attacks and the potential financial and public reputation implications associated with unauthorised access to the information we hold is key. All relevant materials have been updated and the Qantas Group continues to manage both the data privacy and data security risks in a coordinated way. 4.66 As a part of Qantas financial and corporate governance reporting requirements, the Group Audit Team regularly checks the QFF training logs, which are managed by the Qantas Human Resources Department. The General Counsel receives weekly briefings on key issues (including privacy matters) from QFF and on an ad hoc basis as needed. A select team within QFF have sole access to QFF member information (e.g. You need to explain: The objectives of your policy (ie why cyber security matters). Maintaining a regularly updated directory of all of the information assets (including personal information) held by QFF, and where these are stored. This includes aviation safety, WHS, environment, security (including cyber security) and business resilience matters. QFF Legal reports to the Qantas Group General Counsel, who has ultimate responsibility for all privacy compliance matters in the Qantas Group. Qantas Group also holds monthly direct reporting meetings, and risk is a regular agenda item. Once notified, incidents are escalated as appropriate. This correlates to the need for a PMP (discussed earlier at 4.18-4.21), which would include the establishment of these privacy governance arrangements as part of its privacy goals as well as their ongoing evaluation. 
Like many large organisations, we operate in an environment of ever-evolving cyber threat, where external attackers are always adopting new and more sophisticated techniques. We have rigorous security measures in place, as well as security teams working to protect our customers' details and accounts. We take active, quality measures to help you keep safe online and we also encourage our members to do what's possible to protect their account and personal information. It will compile threat forecasts and geopolitical assessments for airline safety/security committees, up to Board level, and will lead the Qantas Londons Heathrow airport last year outlined plans for a 50m project to implement The Qantas Group continues to support key external initiatives under the Australian Government's Cyber Security Strategy, the voluntary ASX100 Cyber Health Check, and joint Commonwealth and private sector meetings, including the inaugural Australia-United States Cyber Security Dialogue to discuss ways to collaborate on better security outcomes. Multi-factor authentication of member accounts. 5.6 Prior to the OAIC assessment in May/June 2017, the Qantas Group was already expanding its cyber security governance processes and materials to include increased focus on privacy. Core Qantas Group policies are reviewed annually, and if any changes are made, they require approval of the Qantas Board (the Board). Cyber security risk is, at the practical level, the responsibility of the QFF DISO. Privacy Amendment (Notifiable Data Breaches) Act 2017, Australian entities and the EU General Data Protection Regulation (GDPR), Big data and privacy: a regulator's perspective, Ting The DISO assesses the security implications of the project and considers mitigation strategies for cyber security risks. SecurityScorecard calculates scores based on 10 factors that reflect different cybersecurity practices and risks. 
Staff are encouraged to clarify the member's exact needs before proceeding with an access request. Management attention is suggested. This notice is located at the bottom of the QFF online registration form, just before members are asked to accept the terms and conditions and provide payment information. The Main Types of Security Policies in Cybersecurity. The security chief said foreign spy agencies posed a major threat to the privacy of the 40 million passengers flying Qantas each year. The Group is committed to raising awareness of our privacy compliance obligations and to manage our privacy risk by implementing a culture that considers privacy by design as a default position when handling personal information. Cyber Security Policy; 5. 2.3 In the 2014/2015 financial year, the OAIC assessed two leading loyalty programs in Australia. 4.75 At registration, QFF collects members' personal information as well as other voluntary information about preferences for food and drink, finance and other products or services that a member is interested in. Our Supporting Fitness for Work program is designed to help manage health-based risks in the operational environment, and to support employees more generally through injury or illness, including accommodating disability and diversity when there is a health component. 1.1 This report outlines the findings of an assessment of the Qantas Frequent Flyer (QFF) program undertaken by the Office of the Australian Information Commissioner (OAIC). 4.70 The OAIC considers QFF to have an adequate and effective privacy training regime and suggests that it regularly reviews its training to ensure that it remains effective and appropriate. Qantas suffered a 30 percent turnover in its technology personnel as the airline battles staff loss, in the wake of repeated Covid-19 lockdowns. 
4.45 The crisis management plan encompasses identification and notification, assessment and response. Staff must complete the test with a 100% pass rate. We collect, share, use, store and process personal information in accordance with an ever changing and increasingly complex landscape of both international and domestic laws and regulations. 4.44 The Group-wide crisis management plan is comprised of a series of procedures that enable staff to respond to the various kinds of crises that may arise across the Group. This is an internal control or risk management issue that if not mitigated is likely to lead to the following effects, Medium risk Entity should, as a medium priority, take steps to address Office expectations around requirements of Privacy legislation, Timely management attention is expected. Your cyber security policy doesn't need to be very long; most SMEs should be able to fit theirs onto a single sheet of paper. The Head of Human Resources is required to sign-off on the completion of all required training in a report to the QFF CEO. TH: A strong, consistent commitment to the vision and strategies for the Qantas group from our senior leadership team, and strong support for all initiatives in alignment with the vision. Design, develop, deliver and measure ongoing risk aligned Group (Qantas, Jetstar and Loyalty) Cyber Safety Awareness Campaigns to raise Qantas Group employees' cyber awareness, uplift their cyber capability and embed a Cyber Safety culture throughout the Qantas Group, incorporating . Qantas Group Policies The Qantas Group has a set of 10 Group Policies, which reflect the Non-Negotiable Business Principles and outline the minimum expected standards across a range of governance areas where compliance is necessary for legal reasons and to protect our brands and reputation. 
ICT protections, such as firewalls for segregated zones, malware detection software, whitelisting, application patching, encryption of data in transit and regular penetration testing. All projects require sign-off by Legal and staff are encouraged to approach them early in the process. This Code sets out expectations for how we act, solve problems and make decisions. This may lead to the loss of vital information regarding identified privacy risks. How do you quantify cyber risk management? The OAIC recommended that QFF: 2.1 Loyalty programs are popular with consumers and businesses alike, with one Australian consumer research study reporting that 87 percent of Australians aged 18 and older were members of a loyalty program in 2017. [10] The Flesch-Kincaid test used to assess the readability of Qantas privacy policy can be accessed at The Readability Test Tool. The ability to respond seamlessly to events that impact the Group is fundamentally important in ensuring continued Group operations in the event of a discontinuity of service, mitigating risks and minimising disruptions to our customers. Risk Management Policy; 9. Queries and access requests are managed on Resolve and are checked daily by customer care managers. Qantas Frequent Flyer then uses this and other information collected at various points throughout their membership, including when members earn and redeem Qantas Points and their interactions with marketing campaigns, to analyse member behaviours and identify target members for marketing campaigns. 
[2] Building on these assessments, the OAIC decided to assess other popular loyalty schemes in Australia. An automated voice-activated call from our telephone alert system, from 1300 754 566. The COVID-19 pandemic presented many challenges to our organisation and our people to work through. Doniz has spent the last three years as head of IT and cyber security at Australia's national airline, including affiliates QantasLink, Qantas Loyalty and Theres The CHESS has responsibility for strategy, policy, systems oversight, monitoring and corporate governance over operational risks of the Qantas Group. Beware of fake websites. 4.15 The majority of corrections to personal information are completed by members themselves using the self-service facilities online, however, corrections may also be processed by telephone via an interactive voice system (where the member keys in their PIN) or manually via the QFF Service Centre (QFFSC) staff. 6.1 This assessment was conducted under s 33C(1)(a) of the Privacy Act, which allows the OAIC to assess whether an entity maintains and handles the personal information it holds in accordance with the APPs. Within this Group-wide plan, there are business unit specific plans, which are owned by key senior staff in each group. 4.101 The OAIC found that the QFF collection notice meets the requirements of APP 5, and that it refers readers to the Qantas privacy policy for further information. It operates through five segments: Qantas Domestic, Qantas International, Jetstar Group, Qantas Loyalty, and Corporate. Risk assessments are conducted on relevant third party suppliers and we work with them to address any material risks identified. 2.2 When entities undertake data analytics that involve personal information, they must comply with the requirements of the Privacy Act 1988 (Privacy Act). 
4.81 Program partners are tested for security, IT, and compliance requirements before QFF will agree to a partnership. [9] Where data analytics involves personal information, entities must ensure they are complying with the requirements of the Privacy Act. 4.28 Business units obtain advice and assessments of privacy related matters from the Legal team via formal PIAs, written email advice and oral advice given in pre-arranged meetings. However, the OAIC notes that it is heavily dependent on key staff involved and is not recorded unless it forms part of the SIA or includes written advice from Legal. 4.96 In our review, the OAIC found that the Qantas privacy policy meets the prescriptive requirements of APP 1.4. It is the responsibility of New York State Office of Information Technology Services (ITS) to provide centralized IT services to the State and its governmental entities with the awareness that our citizens are reliant on those services. Darren Argyle (CISM, CISSP) is an accomplished executive with close to 20 years international cyber risk and security experience. We are continually working to expand employee awareness of evolving data security risks, including through no notice simulations and structured training. Our safety, health and security activities are supported by comprehensive governance processes that help us monitor and manage performance and risks.