qantas group cyber security policy qantas group cyber security policy

Through the application of data analytic techniques, entities can then use this data for a variety of purposes including profiling for targeted advertising and marketing. We monitor global developments in governance, laws and business practices, and work collaboratively across our global footprint to ensure we continue to meet these standards. The Group has continued to deliver safe aircraft operations through programs such as: The safety and wellbeing of our customers and people is our highest priority. Possible reputational damage to the entity, such as negative publicity in local or regional media. Symphony Communication Services Holdings LLC. 4.78 As stated above, QFF holds all personal information in data warehouses, with highly restricted access. While ensuring the Qantas Group had an effective platform to respond to the consequences of COVID-19, the Group ensured it also maintained a resilience capability to respond to events as we recovered. Together with our government and industry partners, some of the key security improvements in FY22 were: Like most industries, the aviation sector is dependent on data, systems and networks and we take our customers trust in the security of their personal data seriously. The communications are then matched to member personal information by a separate team. 4.93 QFF uses the Qantas Group-wide privacy policy, also referred to as the Group privacy statement. 4.14 Requests to access personal information and privacy queries are also handled through the Customer Care Centre. The card is posted to the members nominated postal address. There is also no specific reference to the unique arrangement with Woolworths in the marketing section. Industry: Transportation. [11] See paragraphs 1.15-1.32 of the APP Guidelines. Additionally, where new practices evolve, the OAIC suggests that these practices, and the reasons behind them, are appropriately documented. Former IHS Markits group chief information security officer, Darren Argyle, has been appointed ongoing CISO at the airline, with his tenure as its cyber security chief to begin later this month.. Argyle was appointed to the CISO role after a recruitment process that began last year as part of a cyber security strategy revamp.. Qantas in December appointed a new But it might still face a legal storm if its policy is tested before a tribunal or court. The OAIC recommends that QFF develops and implements a PMP that sets out specific goals and objectives for its privacy management with consideration of the specific issues that apply to its operations. 6.2 The objective of the assessment was to examine whether personal information collected by QFF is handled in accordance with the Privacy Act. 4.87 Based on the OAICs review of documents and interviews with QFF staff, there appears to be effective privacy safeguards in place for QFFs marketing and data analytics activities. Marketing campaigns are sent to different member lists. Legal generally relies on deductive reasoning rather than a formal document or checklist to identify any privacy issues. Australia's largest domestic and international airline, Qantas, needed a holistic security solution that would not only protect remote workers, but also support its secure access service edge (SASE) initiative. Challenges. Cyber fraud techniques evolve into confidence trick arms race. QANTAS ANNUAL REIE 2017 18 Cyber Security The Qantas Group is constantly improving its cyber and data privacy capabilities. Automated reminders are sent to staff who have not completed their mandated refresher or induction training, and to their managers. 3.3 Member registration is conducted online, either directly through the QFF website or through a link on a program partner website. As the Security Technology Controller, you will be accountable for day to day operational activities across the physical security team including access, surveillance and alarm monitoring services with a focus on Qantas Group ASIC program compliance. [1] The Point of Loyalty, For Love or Money 2017, viewed 9 January 2018, The Point of Loyalty website. Access to QFF data requires specific authorisation. Assessment undertaken: MayJune 2017 Draft report issued: 9/10/2018 Final report issued: 30/6/2019. The OAIC is of the view that the clarification and formalisation of the existing cybersecurity arrangements to explicitly include privacy would adequately provide good privacy governance. The Group Business Resilience Management System (GBRMS) is an integrated response and recovery system across Qantas Groups strategic, operational and tactical environments, and is subject to a variety of airline and safety standards and regulations. Privacy Amendment (Notifiable Data Breaches) Act 2017, Australian entities and the EU General Data Protection Regulation (GDPR), Big data and privacy: a regulators perspective, Ting Doniz has spent the last three years as head of IT and cyber security at Australia's national airline, including affiliates QantasLink, Qantas Loyalty and Theres The CHESS has responsibility for strategy, policy, systems oversight, monitoring and corporate governance over operational risks of the Qantas Group. 4.25 Qantas cyber security governance is the responsibility of the Group Cyber Security Committee (GCSC), who monitors, reviews and ensures the effectiveness of cyber risk strategy, systems, policies and procedures. At ITS, we set statewide technology policy for all state government agencies and monitor all large technology expenditures in the Last year the Business leaders must respond by engaging cybersecurity specialists who understand psychology, sociology and criminology aspects, but The Qantas Group consists of four operating segments, which work together as an integrated portfolio: Qantas Domestic is the largest carrier in the Australian domestic market measured by capacity. 4.30 At the time of the assessment, the Qantas Group was investigating whether it would be required to appoint a data protection officer under the upcoming GDPR requirements. [8] It is the responsibility of individual business units within Qantas to keep abreast of the legislative requirements that relate to their core business functions. It is understood neither Qantas Airways nor Virgin Australia Holdings has a separate cyber-security insurance policy but both have multi-layered security precautions in CHESS also has oversight of risks associated with regulatory compliance. TPG Telecom announced on Tuesday it has picked up a five-year deal to handle fixed and mobile voice services for Qantas. [10] The Flesch-Kincaid test used to assess the readability of Qantas privacy policy can be accessed at The Readability Test Tool. The case management lists are checked daily by management to ensure their timely resolution. timeless ink and piercing studio; how to make someone want to move out; how long does heparin stay in your system. It operates through five segments: Qantas Domestic, Qantas International, Jetstar Group, Qantas Loyalty, and Corporate. The legal team confirms any material advice given as part of these hallway discussions via email. With the assistance of the Qantas Group Cyber Security Centre, the website was detected not long after it was built and we have worked with the internet service provider to take it down. To report security or privacy issues affecting The Emirates Group products or web servers, you can contact security@emirates.com. Group Business Resilience enables the Qantas Group to take a holistic and coordinated approach to crisis management, contingency planning and business continuity. [10], 4.95 APP 1.4 contains a prescriptive list of information that an APP entity must include in its privacy policy,[11] as well as a list of other information that could be included, depending on the circumstances of the entity, to describe how the entity manages personal information.[12]. ProStarSolar > Blog Classic > Uncategorized > qantas group cyber security policy. Complaints files are assigned priorities, which determine team allocation and due date for response. 4.29 At the time of this assessment, neither QFF nor Qantas Group had a dedicated privacy officer, although there were plans to create such a role. This correlates to the need for a PMP (discussed earlier at 4.18-4.21), which would include the establishment of these privacy governance arrangements as part of its privacy goals as well as their ongoing evaluation. This commitment to security extends to our executives. Cyber Security Policy; 5. Where privacy complaints are received outside of this process (including by phone or by mail), a file/record is created in the complaints handling system. 4.57 New projects may also be subject to meetings known as shark tanks. Qantas is experiencing an extremely competitive market as the government strengthens the security laws for internationally and domestically which has led to huge drop in passenger number. How can I be sure my Frequent Flyer account details are secure? 4.91 The purpose of APP 1 is to ensure that APP entities manage personal information in an open and transparent way (APP 1.1). SecurityScorecard collects billions of signals each week, helping organizations see risks, get more actionable information, and respond faster to keep up with threat actors. 4.19 A PMP assists with embedding a culture of privacy that enables privacy compliance. Like many large organisations, we operate in an environment of ever-evolving cyber threats, where external attackers are always adopting more sophisticated techniques. The General Counsel receives weekly briefings on key issues (including privacy matters) from QFF and on an ad hoc basis as needed. The team selecting those aircraft has made sure we consider safety in our preparations; thinking about technology available to improve information pilots receive, to improve data the aircraft measures, aircraft performance, and to ensure that people using the aircraft (cabin crew stowing luggage, or ground crew loading bags) have a safer experience. 4.44 The Group-wide crisis management plan is comprised of a series of procedures that enable staff to respond to the various kinds of crises that may arise across the Group. 4.2 The key findings of the QFF assessment are set out below under the following headings: 4.3 The OAIC has applied its guide, Privacy management framework: enabling compliance and encouraging good practice, to its consideration of the reasonable steps that QFF has taken to address the requirements of APP 1.2. This includes aviation safety, WHS, environment, security (including cyber security) and business resilience matters. provide and operate competitions, promotions and events, distribute newsletters and other communications either directly or through a third party, facilitate participation in Qantas and program partner loyalty programs, conduct marketing activities for Qantas or third party products and services (the collection notice states that this is one of the primary purposes of QFF), conduct market and other research to improve Qantas products, services and marketing activities. These lists are derived from mailing lists that members subscribe to in the my profile section of their QFF account and those that are designed and created using de-identified information linked to the anonymous identification number. We are at the forefront of improving security outcomes for customers and employees by operating within a security framework that is proportionate, agile and responsive to changing threats and risks across our network. 4.21 The OAIC has developed a PMP template that should assist QFF in the development of a PMP. This is an internal control or risk management issue that if not mitigated is likely to lead to the following effects, Medium risk Entity should, as a medium priority, take steps to address Office expectations around requirements of Privacy legislation, Timely management attention is expected. [12] See paragraphs 1.33 and 1.34 of the APP Guidelines. Qantas EpiQure,[5] Qantas Money, etc). Todays business environment is characterised by rapid, unpredictable change that brings demands in responding to a variety of challenges. Masar Group. Due to this assessments scope, the OAIC did not consider most of these safeguards in detail. This Code sets out expectations for how we act, solve problems and make decisions. CISAs Role in Cybersecurity. 4.48 The response triggered by an incident notification will depend on the nature and severity of the incident. You can also use The Emirates Group's CyberSecurity PGP key to encrypt sensitive information that you send by email. Contract Engagement, Review and Execution Policy; 4. Despite these challenges, our operational safety performance was strong as we maintained a reporting culture where people are confident to report issues without fear and consistent operational performance across all parts of the organisation. There have been a very small number of privacy-related complaints in the past three years. Complex privacy queries and requests are also referred to Group Legal in the same manner as complaints. Joint advisory released for Managed Service Providers and Customers to mitigate cybersecurity risks The Australian Cyber Security Centre (ACSC) has today joined with international cyber security agency partners, to warn Managed Service Providers (MSP) of pressing cyber risks and provide guidance on suitable mitigations for them and their customers. "For Qantas, doing business responsibly isn't just the right thing to do it's also the smart thing to do. The Head of Human Resources is required to sign-off on the completion of all required training in a report to the QFF CEO. highlights the QFF/Woolworths relationship. This was a difficult program of work that required careful planning and scheduling. Specifically, the assessment examined whether: 6.4 Where the OAIC identified privacy risks and considered those risks to be high or medium risks, according to OAIC guidance, the OAIC made recommendations to QFF about how to address those risks. The program covers both work-related and non-work-related conditions. 5.6 Prior to the OAIC assessment in May/June 2017, the Qantas Group was already expanding its cyber security governance processes and materials to include increased focus on privacy. QFF requires two-factor authentication for making changes to member accounts. Cyber fraud techniques evolve into confidence trick arms race. 4.85 For this assessment, the OAIC considered that QFFs APP 1 privacy policy and APP 5 collection notice adequately describe how a members personal information may be used for marketing and data analytics purposes. 4.31 Compliance with APP 1.2 is fundamentally about good privacy governance. 3.7 Members personal information continues to be collected at various points throughout their membership, including when they earn and redeem Qantas Points and Status Credits,[6] and when they interact with QFF marketing campaigns. Our Code of Conduct is the ultimate guide for how we do things at Commonwealth Bank. Incident notifications may come from a variety of channels. This is supported by policies and procedures to ensure our people are treated fairly under what is known as just culture. 4.75 At registration, QFF collects members personal information as well as other voluntary information about preferences for food and drink, finance and other products or services that a member is interested in. Combining the expenditure of both domestic and international tourists who travel on Qantas and Jetstar, the additional total value added to the Australian economy associated with the role of the Qantas Group in facilitating tourism in FY 2017 is estimated to be $10.7 billion. 4.71 During the assessment, the OAIC was advised of the security controls applied to QFFs systems. We learned from nearly 12 million ratings that companies with an F are 7.7 times more likely to be impacted by a breach versus those with an A. develops and implements a privacy management plan that considers privacy goals and targets, and how to meet them. The OAIC recommends that QFF continues to build the profile of privacy across the Group by: 4.36 QFF follows the Qantas Group risk management practices, policies and procedures. Join Qantas Frequent Flyerorsubscribe to Red Email today. Contester Contravention Repentigny, Report a cyber security incident for critical infrastructure Get alerts on new threats Alert Service Become an ACSC partner Report a cybercrime or cyber security incident About the A Qantas Boeing 787-9 at Brisbane Airport. This enhances the accountability of APP entities in relation to their personal information handling practices. (Rob Finlayson) The Qantas Group has updated its flight cancellation policy, as it gears up for The Qantas Group is constantly improving its cyber capabilities as part of its overall data and privacy protection. 4.67 QFF staff are also required to undertake mandatory risk management and cyber security training. TH: A strong, consistent commitment to the vision and strategies for the Qantas group from our senior leadership team, and strong support for all initiatives in alignment with the vision. A Qantas 747-438(ER) VH-OEH departs runway 16 at YMML bound for the Antarctic (Victor Pody) Qantas has pushed back its plan to restart international flying from 31 October to late December 2021 following the news that borders are unlikely to open until mid-2022. Each members profile is assigned an anonymous identification number that is unrelated to their membership number. As QFF is a popular loyalty program with a large member base, the OAIC conducted a privacy assessment of QFF in 2017. 4.100 The OAIC reviewed QFFs online notice relating to the collection of information from individuals against the requirements of APP 5 in order to ensure its compliance. Security Policy. 4.15 The majority of corrections to personal information are completed by members themselves using the self-service facilities online, however, corrections may also be processed by telephone via an interactive voice system (where the member keys in their PIN) or manually via the QFF Service Centre (QFFSC) staff. CHESS also has oversight of risks associated with regulatory compliance. QFF advised that this trial was being expanded and QFF would eventually roll out multi-factor authentication to all members. Additionally, after the assessment fieldwork, QFF informed the OAIC that GCSC has since been renamed the Cyber Security and Privacy Committee. 6.8 The assessment involved the following: 6.9 The OAIC publishes final assessment reports in full, or in an abridged version, on its website. We take active, quality measures to help our members keep safe online and also encourage our members to do what's possible to protect their account and personal Cann Group chief executive Peter Crock says the group has not been able to recover $3.6 million in payments after a cyber fraud. Additionally, QFF has developed a number of business unit specific policies and documents, including the QFF APP 5 collection notice, various QFF training materials and documents, and the QFF terms and conditions. It may also be updated on an ad hoc basis as needed, for example, following key personnel changes. QFF also has contractual rights to audit the third party and the QFF information they hold throughout the course of the relationship. Our Fly Well program included a number of temporary and existing wellbeing measures to safeguard travel during the pandemic, to give our customers peace-of-mind at each point of their journey across our Australian domestic, trans-Tasman and international networks. June 14, 2022 . The DISO assesses the security implications of the project and considers mitigation strategies for cyber security risks. Checking of all contractors and third parties (such as vendors), including security maturity testing, prior to selection and engagement. The Prime Minister's $230 million Cyber Security Strategy The Australian Crime Commission estimates the annual cost of cyber crime to His appointment as Qantas group CISO was part of a significant revamp of the cyber security function at the airline. "Qantas Frequent Flyer uses security protocols to protect our members' accounts, including multi factor authentication, to minimise the impact, if their travel data is accessed or lost by third parties." Qantas has ordered 20 Airbus A321XLRs and 20 A220-300s narrow jets. [1] These programs reward individuals for their purchases and engagement via points, credit and other benefits. What your policy needs to cover. Flexible Fare options. If you're booking a group of 10 or more, or have 20 or more passengers travelling to the same destination for a common purpose, Qantas Group Travel has you covered. Cyber Security Consultant at Qantas Group Greater Melbourne Area 500+ connections. Members may also call the customer care centre and centre staff will register the member. Therefore, the OAIC recommends that QFF, along with Qantas, formalises the current cyber security governance material, such as the GCSC charter documents, to specifically encompass privacy. (Opens your email client) . 4.76 In relation to the use of personal information for marketing and analytics purposes, QFFs APP 1 privacy policy and collection notice state that members personal information may be used to: 4.77 Potentially sensitive information gathered by the airline, such as meal preferences and medical conditions, is not used by, or accessible to, the QFF marketing and analytics teams. Benefits. The notice refers members to the Qantas privacy policy for further information. 4.7 A Qantas Group policy registry is kept by the Company Secretariat for all Qantas Group policies. Our Work Well program drives a coordinated approach to maintaining COVID-safe work environments, ensuring compliance with government restrictions and minimising the risk of transmission of the COVID-19 virus between employees, contractors and passengers during operations. The Qantas Group continues to support key external initiatives under the Australian Governments Cyber Security Strategy, the voluntary ASX100 Cyber Health Check, and joint Commonwealth and private sector meetings, including the inaugural Australia-United States Cyber Security Dialogue to discuss ways to collaborate on better security outcomes. January 24, 2017 by AJ Kumar Security policy Security policy is the statement of responsible decision makers about the protection mechanism of a company crucial physical and information assets. Qantas Airways is an airline that provides the transportation of customers using Qantas and Jetstar brands. All projects require sign-off by Legal and staff are encouraged to approach them early in the process. Security teams are able to react quickly to digital criminals, respond to Zero-Day incidents faster, and reduce the risk exposure timeline. Cyber security risk is, at the practical level, the responsibility of the QFF DISO. Qantas Risk Assessment Report COLLEGE OF BUSINESS, LAW & GOVERNANCE GROUP TASK COVER SHEET Subject code: BX3011 Subject title: Company Furthermore, human resource and other policies exist at entity or business unit level, which also outline the minimum expected standards for our people in the context of their employment. All analytic insights work is run in a de-identified environment by a separate team using the anonymous identification number discussed above at 4.71, which enables analysts to examine behaviours and answer questions without referring to personal information. Is Okra Good For Fibroid, Whether travelling for business or leisure, we understand that every group has unique travel needs; and that's why we offer a range of benefits available exclusively to group travellers to help make your customers journey a seamless one. GCSC members are from a wide range of areas across the Group, including IT Security, Information Security, Legal/Privacy, the newly formed Business and Integrity Compliance Team, and other senior management staff. How to access Australian Government information, Privacy management framework: enabling compliance and encouraging good practice, Privacy impact assessments and security impact assessments, Guide to undertaking privacy impact assessments, De-identification Decision-Making Framework, Guide to Data Analytics and the Australian Privacy Principles. The CHESS has responsibility for strategy, policy, systems oversight, monitoring and corporate governance over operational risks of the Qantas Group. Only a small number of QFF staff can match the anonymous identification number back to a QFF members individual member profile. 4.58 For smaller projects, the assessment process is conducted throughout the evolution of the project. Legal also provides more tailored face-to-face privacy training to various QFF units on an ad hoc basis. The Qantas Group Security Management System aims to increase security awareness through continuous improvement of security processes and enhancing the security culture across the Group (Qantas Sustainability Review, 2015). [2] See - Coles flybuys and Woolworths Rewards: what is the price of loyalty? The business resilience framework assists the Qantas Group in the preparation for, and recovery from, adverse incidents affecting the business and our interests. 2.2 When entities undertake data analytics that involve personal information, they must comply with the requirements of the Privacy Act 1988 (Privacy Act). Privacy related matters will also be raised during short stand-up meetings, where staff consult each other or offer suggestions on different matters and projects. Spoiler alert: SecurityScorecard customers realize investment payback in under a quarter. November 3, 2021. 4.42 However, in view of the complexity of Qantas current risk management structure and framework, the OAIC suggests that QFF: 4.43 The Qantas Group has a co-ordinated Group-wide approach to crisis management, which includes a crisis management plan. Qantas Domestic has a growing margin advantage over competitors, with a brand, network and product offering targeted at business and premium leisure customers who value Qantas has joined other sectors in asking the government to at least partially cover the cost of complying with proposed laws aimed at better defending the countrys critical infrastructure networks and systems from cyber attacks. 5.2 QFF sincerely appreciates the OAIC assessment finding that it has robust and effective privacy practices, and QFF acknowledges that an ongoing compliance commitment is required to protect the privacy and maintain the security of the personal information it holds. Make sure your good security posture has a presence on your website: show it off and share the news by adding a Badge from SecurityScorecard. review of relevant policies and procedures provided by QFF, an analysis of QFFs APP 1 privacy policy. In order to provide greater transparency for customers, the OAIC suggests that the policy clearly identify this information as sensitive information.. Staff are required to undertake a SIA at the beginning of a new project to identity any privacy and security risks. Coles flybuys and Woolworths Rewards: what is the price of loyalty? As part of the business integrity and compliance function, Qantas is Cyber security (particularly in terms of data protection) The program will be implemented during financial year 2017/18. 4.32 Whilst QFF has numerous governance mechanisms and structures in place to facilitate privacy management, the OAIC notes that there are no specific, dedicated privacy roles within Qantas or QFF (with the exception of the recently appointed Group Privacy Officer). All activity is fully logged and audited. 4.13 Qantas has target timeframes for response due dates, including for privacy complaints. These are the Qantas Group Policies: 1. This is discussed later in this report in the section titled risk management. continues to build the profile of privacy across the Group by: continuing with the implementation of the Qantas Group network of privacy champions to assist with the coordination of privacy matters across business units and reporting of these issues to senior management. There is ongoing investment to improve the resources, processes and technology that will support the Group to effectively address the volumes of personal information that we manage, and to meet both intensifying regulatory requirements and individuals rising expectations regarding fair, ethical and responsible data use. The OAIC recommended that QFF: 2.1 Loyalty programs are popular with consumers and businesses alike, with one Australian consumer research study reporting that 87 percent of Australians aged 18 and older were members of a loyalty program in 2017. 4.52 The OAIC encourages Qantas to continue its current practices for testing and reviewing its crisis management plan in the context of a data breach. Research Institute in Science of Cyber Security (RISCS) - The primary objective of the Institute is to develop novel, innovative social-science and socio-technical techniques for cyber security. Its current APP 5 collection notification practices appear reasonable and adequate. Likely breach of relevant legislative obligations (for example, APP, TFN, Credit) or not likely to meet significant requirements of a specific obligation (for example, an enforceable undertaking), Likely adverse or negative impact upon the handling of individuals personal information, Likely violation of entity policies or procedures. The OAIC was informed that all new marketing and data analytics projects are subject to a robust in-house vetting process that involves an assessment of both cyber security and privacy risks. 6.7 The OAIC conducted a risk-based assessment of QFF and focused on identifying privacy risks to the effective handling of personal information in accordance with privacy legislation.