Read about our approach to risk management. These include the Qantas privacy statement (APP 1 privacy policy) and risk management policies, which are discussed separately later in this report. 4.91 The purpose of APP 1 is to ensure that APP entities manage personal information in an open and transparent way (APP 1.1). clear knowledge of information assets held and a range of ICT security measures in place to safeguard these. To do this, they must give Woolworths their QFF membership number so that Woolworths can arrange for the Qantas Points to be awarded. Contract Engagement, Review and Execution Policy; 4. If a query relates to a QFF membership, then the call is referred to the QFF-specific customer care team. This commitment to security extends to our executives. "Qantas isn't just an iconic company, it's one with a long history of embracing new technology," Doniz said. 6.2 The objective of the assessment was to examine whether personal information collected by QFF is handled in accordance with the Privacy Act. 4.44 The Group-wide crisis management plan comprises a series of procedures that enable staff to respond to the various kinds of crises that may arise across the Group. [1] The Point of Loyalty, For Love or Money 2017, viewed 9 January 2018, The Point of Loyalty website. In addition, QFF's information security controls should continue to be regularly reviewed and revisited in order to meet constantly evolving ICT risks related to personal information. 4.57 New projects may also be subject to meetings known as "shark tanks". QFF anticipated that the next such large-scale change would occur in 2018 to reflect the commencement of both the Notifiable Data Breaches Scheme[7] and the European Union General Data Protection Regulation (GDPR).
4.96 In our review, the OAIC found that the Qantas privacy policy meets the prescriptive requirements of APP 1.4. This involves the project owners explaining to an executive panel, including the Group CEO and CFO, the risks of the project, including privacy and data risks, and justifying the need to accept those risks, as well as presenting mitigation strategies. Additionally, after the assessment fieldwork, QFF informed the OAIC that GCSC has since been renamed the Cyber Security and Privacy Committee. Group Business Resilience enables the Qantas Group to take a holistic and coordinated approach to crisis management, contingency planning and business continuity. 2.2 When entities undertake data analytics that involve personal information, they must comply with the requirements of the Privacy Act 1988 (Privacy Act). We are continually working to expand employee awareness of evolving data security risks, including through no-notice simulations and structured training. Transparent Group Terms and Conditions. The shark tank proceedings are not recorded. There are multiple safeguards to prevent and detect this activity and on several occasions over the years we have worked closely with law enforcement to apprehend those involved. Qantas in late 2016 began the hunt for a CISO to oversee four Sydney-based reporting teams, leading security strategy across cyber strategy, cyber risk and resilience, security architecture and security operations. [5] Qantas EpiQure was re-branded as Qantas Wine after the assessment. 3.9 QFF is governed by and subject to Qantas Group policies. 4.75 At registration, QFF collects members' personal information as well as other voluntary information about preferences for food and drink, finance and other products or services that a member is interested in.
This is an internal control or risk management issue, the solution to which may lead to improvement in the quality and/or efficiency of the entity or process being assessed. Her remit will cover group-wide technology projects as well as Qantas' loyalty business. However, given that only one document was affected and that QFF staff demonstrated a strong understanding of Qantas information handling and management practices, including thorough PIA processes that do not heavily rely on this document (see Privacy impact assessments and security impact assessments below), the OAIC regards this as a low privacy risk for QFF. 4.62 Qantas privacy training underwent a large-scale review in 2013-2014 due to the major changes made to the Privacy Act, and at the time of the assessment, was being revised to include the Notifiable Data Breaches scheme. Understand the effectiveness of protections in place for laptops, desktops, mobile devices, and all employee devices that access that company's network. The DISO may also determine that a more comprehensive security review or a formal PIA is needed. Qantas EpiQure,[5] Qantas Money, etc). The company's policy is in the consultation stage, and no direction yet has been made. The Prime Minister's $230 million Cyber Security Strategy The Australian Crime Commission estimates the annual cost of cyber crime to His appointment as Qantas group CISO was part of a significant revamp of the cyber security function at the airline. This includes the development and implementation of a privacy management plan (PMP). 4.45 The crisis management plan encompasses identification and notification, assessment and response. The airline said it would contact customers whose bookings were cancelled directly. This is supported by policies and procedures to ensure our people are treated fairly under what is known as "just culture".
Where privacy complaints are received outside of this process (including by phone or by mail), a file/record is created in the complaints handling system. Our Wellbeing program is designed to foster an environment that supports, enables and motivates our people to live healthier, happier and more productive lives. There is also no specific reference to the unique arrangement with Woolworths in the marketing section. We take active, quality measures to help our members keep safe online and also encourage our members to do what's possible to protect their account and personal Cann Group chief executive Peter Crock says the group has not been able to recover $3.6 million in payments after a cyber fraud. name, email address, phone number). 3.7 Members' personal information continues to be collected at various points throughout their membership, including when they earn and redeem Qantas Points and Status Credits,[6] and when they interact with QFF marketing campaigns. by the Qantas Group exceed 2 per cent of Qantas' annual consolidated gross revenue (other than banks, where materiality must be determined on a case-by-case basis); and in respect of customers where goods or services supplied by the Qantas Group exceed 2 per cent of Qantas' annual consolidated gross revenue. We encourage our people to report safety and security-related matters, even when they are closely involved and might feel vulnerable to criticism. However, it is a difficult decision for Australia-based Qantas Group is set to order 12 Airbus A350-1000 planes and 40 narrowbody jets to improve services for passengers. 1.3 The assessment found that QFF has taken steps to foster a culture of privacy awareness that treats personal information as a valuable business asset.
Renewed security awareness training for all employees and contractors, Renewed freight security training for all freight employees and contractors, Enhancing the relationship between the Group and Australian Federal Police (AFP) Air Security Officers, Collaborating with overseas regulators and airport authorities to enable the resumption of international operations, Participating in the government's review of the Australian security regulatory framework. 4.53 Formal PIAs are generally only undertaken for major projects. Qantas and its related bodies corporate are referred to as Qantas Group in this report. Australia's largest domestic and international airline, Qantas, needed a holistic security solution that would not only protect remote workers, but also support its secure access service edge (SASE) initiative. The Group Business Resilience Management System (GBRMS) is an integrated response and recovery system across the Qantas Group's strategic, operational and tactical environments, and is subject to a variety of airline and safety standards and regulations. This includes aviation safety, WHS, environment, security (including cyber security) and business resilience matters. [11] See paragraphs 1.15-1.32 of the APP Guidelines. Like many large organisations, we operate in an environment of ever-evolving cyber threats, where external attackers are always adopting more sophisticated techniques. Members are required to undergo a telephone identity check and staff follow a security procedure and checklist to guide them through the process. 4.64 Privacy training is compulsory for all staff with access to personal information, which includes Qantas call-centre staff, reservations staff and the entirety of QFF.
There is ongoing investment to improve the resources, processes and technology that will support the Group to effectively address the volumes of personal information that we manage, and to meet both intensifying regulatory requirements and individuals' rising expectations regarding fair, ethical and responsible data use. Checking of all contractors and third parties (such as vendors), including security maturity testing, prior to selection and engagement. Risk assessments are conducted on relevant third-party suppliers and we work with them to address any material risks identified. 4.30 At the time of the assessment, the Qantas Group was investigating whether it would be required to appoint a data protection officer under the upcoming GDPR requirements. Likely adverse regulatory impact, such as Commissioner Initiated Investigation (CII), enforceable undertakings, material fines, Likely ministerial involvement or censure (for agencies), Possible breach of relevant legislative obligations (for example, APP, TFN, Credit) or meets some (but not all) requirements of a specific obligation, Possible adverse or negative impact upon the handling of individuals' personal information, Possible violation of entity policies or procedures. 4.100 The OAIC reviewed QFF's online notice relating to the collection of information from individuals against the requirements of APP 5 in order to ensure its compliance. This may lead to the loss of vital information regarding identified privacy risks. The Qantas Group's FY21 performance for Total Recordable Injury Frequency Rate improved compared to the prior year, while our Lost Work Case Frequency Rate was slightly higher. This role reports into the Head of Group Cyber Security Centre (GCSC), providing a group-wide service of cyber security operational incident response, containment and support. The Qantas Group is constantly improving its cyber capabilities as part of its overall data and privacy protection.
- Adam Kinsella, Product Owner for Network, Network Security, Qantas. The communications are then matched to member personal information by a separate team. As QFF is a popular loyalty program with a large member base, the OAIC conducted a privacy assessment of QFF in 2017. As part of the membership to the program, the entity operating the loyalty program can collect data about members and their purchasing activities. continues to build the profile of privacy across the Group by: continuing with the implementation of the Qantas Group network of privacy champions to assist with the coordination of privacy matters across business units and reporting of these issues to senior management. We pay our respects to the people, the cultures and the elders past, present and emerging. All activity is fully logged and audited. He is currently in the role of Group Chief Information Security Risk Officer at Standard Chartered Bank, based in Singapore with a global scope. QFF utilises this document in conjunction with a number of its own risk management documents and strategies. Likely breach of relevant legislative obligations (for example, APP, TFN, Credit) or not likely to meet significant requirements of a specific obligation (for example, an enforceable undertaking), Likely adverse or negative impact upon the handling of individuals' personal information, Likely violation of entity policies or procedures. 4.70 The OAIC considers QFF to have an adequate and effective privacy training regime and suggests that it regularly reviews its training to ensure that it remains effective and appropriate. [8] The European Union General Data Protection Regulation (the GDPR), which commenced 25 May 2018, contains new data protection requirements. 2.3 In the 2014/2015 financial year, the OAIC assessed two leading loyalty programs in Australia. The recent increase in oil prices has been a threat to the aviation sector's success.
This correlates to the need for a PMP (discussed earlier at 4.18-4.21), which would include the establishment of these privacy governance arrangements as part of its privacy goals as well as their ongoing evaluation. simplifies the notice to enhance readability, changes the title from "important information" to something that indicates to potential members that the notice relates to the collection of their personal information. 3.3 Member registration is conducted online, either directly through the QFF website or through a link on a program partner website. Its current APP 5 collection notification practices appear reasonable and adequate. Only a small number of QFF staff can match the anonymous identification number back to a QFF member's individual member profile. CHESS also has oversight of risks associated with regulatory compliance. We take active, quality measures to help you keep safe online and we also encourage our members to do what's possible to protect their account and personal information. Additionally, at the time of the assessment, QFF was conducting a multi-factor authentication pilot with selected members. Project managers are reminded periodically to undertake SIAs for all new initiatives. Legal Matter Policy; 8. Cyber Security Policy; 5. Legal generally relies on deductive reasoning rather than a formal document or checklist to identify any privacy issues. However, as with the privacy policy, the language used in the notice is complex, and may be difficult for some readers, who are younger or with a lower literacy level, to understand. If the staff member attempts the training but does not achieve a 100% pass rate, training is not marked as completed and the online training system will continue to remind the staff member to complete the training.
4.80 Qantas Frequent Flyer does not permit access to, or disclosure of, members' personal information to any of its program partners and is solely responsible for all communication with its members in relation to program partner products and benefits. These are the Qantas Group Policies: 1. 4.27 In addition to the formal structures, the head of each business unit within QFF is responsible for privacy and risk identification within their unit and raising these issues with QFF Legal and the DISO. Specific complaints handling processes are embedded in the complaints handling system. QANTAS ANNUAL REVIEW 2017-18 Cyber Security The Qantas Group is constantly improving its cyber and data privacy capabilities. 3.4 Registration involves collecting a variety of personal information from individuals, including: 3.5 Following registration, members receive a membership number, confirmation email, and a membership pack including a QFF card. Staff are required to undertake a SIA at the beginning of a new project to identify any privacy and security risks. Qantas Frequent Flyer uses targeted marketing communications (primarily by email) to promote products and offers which may be of interest to members. 4.93 QFF uses the Qantas Group-wide privacy policy, also referred to as the Group privacy statement. The Qantas Group continues to support key external initiatives under the Australian Government's Cyber Security Strategy, the voluntary ASX100 Cyber Health Check, and joint Commonwealth and private sector meetings, including the inaugural Australia-United States Cyber Security Dialogue to discuss ways to collaborate on better security outcomes. 4.16 The OAIC noted a strong awareness of privacy and information security issues through its review of relevant QFF policy and procedure documents and interviews with staff. 4.11 QFF complaints are received centrally through the Qantas customer care centre by phone or online and are directed to the relevant customer care teams.
The CHESS has responsibility for strategy, policy, systems oversight, monitoring and corporate governance over operational risks of the Qantas Group. "With great support from agencies, we have achieved a lot in a short space of time to make sure that we are addressing the increasing risks to our systems and information," Milosavljevic wrote in a blog entry published in December. She said that those achievements included establishing Cyber Security Senior Officers Group, writing a new Cyber Security Qantas is on firmer ground, having determined the majority of employees support its move. The OAIC recommends QFF works with Qantas to continue with the Group-wide implementation of a network of privacy champions, including a dedicated champion within QFF. Like many large organisations, we operate in an environment of ever-evolving cyber threat, where external attackers are always adopting new and more sophisticated techniques. 5.6 Prior to the OAIC assessment in May/June 2017, the Qantas Group was already expanding its cyber security governance processes and materials to include increased focus on privacy. Within this Group-wide plan, there are business unit specific plans, which are owned by key senior staff in each group. As the Security Technology Controller, you will be accountable for day-to-day operational activities across the physical security team including access, surveillance and alarm monitoring services with a focus on Qantas Group ASIC program compliance. These lists are derived from mailing lists that members subscribe to in the "my profile" section of their QFF account and those that are designed and created using de-identified information linked to the anonymous identification number.
Qantas works closely with the Australian Government and overseas agencies, regulators, law enforcement and its global partners across the industry to proactively monitor and manage threats and risks. A select team within QFF has sole access to QFF member information (e.g. QFF sometimes utilises independent third parties to conduct external PIAs; however, the majority are conducted informally and in-house, and are built into its project management processes. 4.90 For more information about relevant key concepts when considering data analytics and privacy, and how the APPs apply to data analytics, see the OAIC's Guide to Data Analytics and the Australian Privacy Principles. This enhances the accountability of APP entities in relation to their personal information handling practices. The Qantas Group is committed to complying with all applicable laws and regulations, and to conducting business with the highest standards of ethics and integrity. 4.32 Whilst QFF has numerous governance mechanisms and structures in place to facilitate privacy management, the OAIC notes that there are no specific, dedicated privacy roles within Qantas or QFF (with the exception of the recently appointed Group Privacy Officer). With the assistance of the Qantas Group Cyber Security Centre, the website was detected not long after it was built and we have worked with the internet service provider to take it down.