Staff are encouraged to clarify the member's exact needs before proceeding with an access request. "The COVID-19 pandemic presented many challenges to our organisation and our people to work through. With great support from agencies, we have achieved a lot in a short space of time to make sure that we are addressing the increasing risks to our systems and information," Milosavljevic wrote in a blog entry published in December. She said that those achievements included establishing a Cyber Security Senior Officers Group, writing a new Cyber Security Qantas is on firmer ground, having determined the majority of employees support its move. We brought grounded aircraft back into service, our employees came back to work after being stood down, and we opened or reopened flying to ports that we had not flown to in over a year and to some that had not seen an aircraft in that time. Design, develop, deliver and measure ongoing risk-aligned Group (Qantas, Jetstar and Loyalty) Cyber Safety Awareness Campaigns to raise Qantas Group employees' cyber awareness, uplift their cyber capability and embed a Cyber Safety culture throughout the Qantas Group, incorporating. Possible reputational damage to the entity, such as negative publicity in local or regional media. It will compile threat forecasts and geopolitical assessments for airline safety/security committees, up to Board level, and will lead the Qantas London's Heathrow airport last year outlined plans for a 50m project to implement The Qantas Group continues to support key external initiatives under the Australian Government's Cyber Security Strategy, the voluntary ASX100 Cyber Health Check, and joint Commonwealth and private sector meetings, including the inaugural Australia-United States Cyber Security Dialogue to discuss ways to collaborate on better security outcomes.
This role reports into the Head of Group Cyber Security Centre (GCSC), providing a group-wide service of cyber security operational incident response, containment and support. This includes aviation safety, WHS, environment, security (including cyber security) and business resilience matters. However, the OAIC noted that the policy was complex, and the Flesch-Kincaid test indicated that it would be easily understood by people with an approximate reading age over 25. 4.61 The OAIC has published the Guide to undertaking privacy impact assessments, which may be of assistance to QFF in considering future PIAs. Qantas has been looking for a security head since August last year. 4.93 QFF uses the Qantas Group-wide privacy policy, also referred to as the Group privacy statement. Furthermore, crises are reviewed after resolution to determine the cause of the incident and whether it was preventable. The customer care section is comprised of three main teams: disruption, experience and corporate liaison. All relevant materials have been updated and the Qantas Group continues to manage both the data privacy and data security risks in a coordinated way. Safely returning to the skies: During the pandemic Qantas had to ground the majority of our fleet. We encourage our people to report safety and security-related matters, even when they are closely involved and might feel vulnerable to criticism. Undoubtedly Australia's most iconic brand. clear knowledge of information assets held and a range of ICT security measures in place to safeguard these. [3] QFF is run by Qantas Loyalty, a business unit within Qantas Airways Limited (Qantas). This enhances the accountability of APP entities in relation to their personal information handling practices.
Qantas Frequent Flyer and Qantas Business Rewards remain at the core of the program, while the business has evolved to include a number of new ventures and other businesses such as Qantas Money, Qantas Insurance and Qantas Wine. There have been a very small number of privacy-related complaints in the past three years. 4.97 Additionally, while the policy identifies that Qantas collects information about dietary requirements and health issues, this is not specifically identified as sensitive information. 5.6 Prior to the OAIC assessment in May/June 2017, the Qantas Group was already expanding its cyber security governance processes and materials to include increased focus on privacy. [1] These programs reward individuals for their purchases and engagement via points, credit and other benefits. QFF requires two-factor authentication for making changes to member accounts. Security Policy. Automated reminders are sent to staff who have not completed their mandated refresher or induction training, and to their managers. QFF provides reasonable and adequate notifications to users of its services (QFF members) when collecting personal information (APP 5). 4.16 The OAIC noted a strong awareness of privacy and information security issues through its review of relevant QFF policy and procedure documents and interviews with staff. Remote access is restricted to a needs-only basis. The time taken to resolve complaints depends on their complexity. Past crises are often used in staff training. Its current APP 5 collection notification practices appear reasonable and adequate. Security teams are able to react quickly to digital criminals, respond to zero-day incidents faster, and reduce the risk exposure timeline.
4.4 The OAIC also considered its APP Guidelines, which outline the mandatory requirements of the APPs, how the OAIC will interpret the APPs and matters the OAIC may take into account when exercising functions and powers under the Privacy Act, in the privacy analysis below. 4.92 Under APP 1.3, APP entities must have a clearly expressed and up to date APP privacy policy that explains the entity's handling of personal information. These risk management processes allow an entity to identify, assess, treat and monitor privacy risks related to its activities. Furthermore, marketing and analytics staff are in constant consultation with QFF Legal in relation to changes or new ideas. The cyber safety of Qantas Frequent Flyers is a priority for us. The General Counsel receives weekly briefings on key issues (including privacy matters) from QFF and on an ad hoc basis as needed. The three principles that guide us are: operating with integrity (through our safety, people, community and environment strategies). The GCSC also monitors, reviews and enhances the compliance of all cyber risk management systems, policies and procedures, protocols and controls with all relevant laws and regulations. Such a plan could be linked to, or incorporated into, Qantas' existing cyber security and privacy processes and policies. To safeguard members' personal information, QFF have implemented measures, such as overseas contract staff background checks and provisions in employment contracts related to the handling of personal information. Core Qantas Group policies are reviewed annually, and if any changes are made, they require approval of the Qantas Board (the Board). Former IHS Markit's group chief information security officer, Darren Argyle, has been appointed ongoing CISO at the airline, with his tenure as its cyber security chief to begin later this month.
Argyle was appointed to the CISO role after a recruitment process that began last year as part of a cyber security strategy revamp. Qantas in December appointed a new But it might still face a legal storm if its policy is tested before a tribunal or court. Additionally, the OAIC noted that the notice is labelled "important information", which does not indicate what the notice is, or its purpose. Qantas Group Security and Facilitation participates in several domestic and international committees to refine security measures, to plan for and acquire enhanced security equipment and to establish world best practices in aviation security. 4.10 Whilst all QFF personal information is stored in Australia, QFF use several offshore customer service centres. Additionally, there are contractual terms in place, which stipulate that only QFF may contact its members in relation to a program partner. SecurityScorecard calculates scores based on 10 factors that reflect different cybersecurity practices and risks. Oracle will provide its Siebel Loyalty Management platform to the airline so it can better manage its 7 million members. All user access is logged and monitored, with the logs regularly audited by the platform owners. Qantas Frequent Flyer and Qantas could also consider using graphics, videos and other digital formats as a way of clearly communicating to its members how it handles personal information. regularly evaluate its privacy risk management policies and practices to ensure their continued effectiveness. 4.18 Good privacy management requires the development and implementation of robust and effective internal policies, practices, procedures and systems that ensure the handling of personal information is in line with QFF's privacy obligations.
Like many large organisations, we operate in an environment of ever-evolving cyber threats, where external attackers are Only Qantas-approved Users may use Qantas Information Technology systems, and must do so in accordance with the law and Qantas Policies, including the Information Technology Group Policy. contact details (postal address, mobile number and email address), APP 1.2 implementing practices, procedures and systems, ensure that the entity complies with the APPs; and. All activity is fully logged and audited. strong corporate governance transparency in reporting. Qantas EpiQure,[5] Qantas Money, etc). Despite these challenges, our operational safety performance was strong as we maintained a reporting culture where people are confident to report issues without fear and consistent operational performance across all parts of the organisation. Complaints files are assigned priorities, which determine team allocation and due date for response. Project managers are reminded periodically to undertake SIAs for all new initiatives. 1.5 The OAIC identified two medium risks regarding QFF's privacy governance and evaluation of the continued effectiveness and appropriateness of its privacy practices, procedures and systems, and made two recommendations to address the risks identified.
5.6 Prior to the OAIC assessment in May/June 2017, the Qantas Group was already expanding its cyber security governance processes and materials to include increased focus on privacy. 4.35 Additionally, QFF should regularly evaluate its governance mechanisms to ensure their continued effectiveness. He is currently in the role of Group Chief Information Security Risk Officer at Standard Chartered Bank, based in Singapore with a global scope. "Qantas Frequent Flyer uses security protocols to protect our members' accounts, including multi-factor authentication, to minimise the impact if their travel data is accessed or lost by third parties." However, given that only one document was affected and that QFF staff demonstrated a strong understanding of Qantas' information handling and management practices, including thorough PIA processes that do not heavily rely on this document (see Privacy impact assessments and security impact assessments below), the OAIC regards this as a low privacy risk for QFF. These emails are provided on an opt-out basis, so members can change or cancel the different types of marketing materials that they receive from QFF. SecurityScorecard collects billions of signals each week, helping organizations see risks, get more actionable information, and respond faster to keep up with threat actors. If a query relates to a QFF membership, then the call is referred to the QFF-specific customer care team. Legal generally relies on deductive reasoning rather than a formal document or checklist to identify any privacy issues. The cyber safety of Qantas Frequent Flyers is a priority for us. 4.9 The OAIC noted that one document contained references to the National Privacy Principles (NPPs), which were replaced by the APPs in March 2014. Checking of all contractors and third parties (such as vendors), including security maturity testing, prior to selection and engagement.
6.1 This assessment was conducted under s 33C(1)(a) of the Privacy Act, which allows the OAIC to assess whether an entity maintains and handles the personal information it holds in accordance with the APPs. Additionally, where new practices evolve, the OAIC suggests that these practices, and the reasons behind them, are appropriately documented. These controls include: 4.72 Overall, QFF has established robust ICT and user access policies, procedures and practices governing the security of personal information. We may contact you using the below methods: A phone call from one of our fraud analysts. 4.44 The Group-wide crisis management plan is comprised of a series of procedures that enable staff to respond to the various kinds of crises that may arise across the Group. By Darren Argyle, Group Chief Information Security Officer, Qantas: Cybersecurity is moving from having purely technical relevance to increasingly societal relevance, affecting the way we live our lives and honour our obligations. This process is documented in a Qantas privacy procedure document, which is a high-level internal document that sets out broad privacy obligations. 4.39 The QFF CEO is ultimately responsible for business risks (including privacy risks), and the QFF finance manager has responsibility for the QFF risk profile. The cyber safety of Qantas Frequent Flyers is a priority for us. The OAIC recommends QFF works with Qantas to continue with the Group-wide implementation of a network of privacy champions, including a dedicated champion within QFF. 4.84 Data analytics involves amassing, aggregating and analysing large amounts of data. QFF sometimes utilises independent third parties to conduct external PIAs; however, the majority are conducted informally and in-house, and are built into its project management processes.
If the staff member attempts the training but does not receive a 100% pass rate, training is not marked as completed and the online training system will continue to remind the staff member to complete the training. 1.3 The assessment found that QFF has taken steps to foster a culture of privacy awareness that treats personal information as a valuable business asset. Enterprise security management (ESM) issues directly revolve around the management of the Qantas Group itself. 1.1 This report outlines the findings of an assessment of the Qantas Frequent Flyer (QFF) program undertaken by the Office of the Australian Information Commissioner (OAIC). To do this, they must give Woolworths their QFF membership number so that Woolworths can arrange for the Qantas Points to be awarded. review of relevant policies and procedures provided by QFF, an analysis of QFF's APP 1 privacy policy. As part of this review, the OAIC applied a Flesch-Kincaid test to provide a general indication of the complexity and readability of the policy. A clean desk policy, and non-permanent seating arrangements, necessitating that all personal and confidential items be stored in secure staff lockers. This means that the policy may be too complex for some readers, who are younger or who have a lower literacy level, to understand, and this could affect some QFF members. Australia's largest domestic and international airline, Qantas, needed a holistic security solution that would not only protect remote workers, but also support its secure access service edge (SASE) initiative. [4] For a current list of program partners, see the Earn Qantas Points page. What your policy needs to cover. As an airline, safety is core to all that we do. 4.46 The QFF cyber security incident response plan is updated at least annually. Doniz served as Qantas Group CIO from January 2017, and at Boeing will be the CIO and senior VP of information technology and data analytics.
highlights the QFF/Woolworths relationship. Due to this assessment's scope, the OAIC did not consider most of these controls in detail. There are fewer than ten users with administrative access privileges, and these accounts are also logged, as are any data changes in the data warehouse. 4.23 QFF Legal has primary responsibility for advising QFF on privacy compliance matters. 4.50 The OAIC was informed that, at the time of the assessment in June 2017, the Qantas Crisis Management Team processes were last externally audited in September 2016. Code of Conduct and Ethics; 2. Business Resilience Policy; 3. simplifies the notice to enhance readability, changes the title from "important information" to something that indicates to potential members that the notice relates to the collection of their personal information. 4.76 In relation to the use of personal information for marketing and analytics purposes, QFF's APP 1 privacy policy and collection notice state that members' personal information may be used to: 4.77 Potentially sensitive information gathered by the airline, such as meal preferences and medical conditions, is not used by, or accessible to, the QFF marketing and analytics teams. In addition, Jetstar's head of cyber security Yvette Lejins started a broader Group role at Qantas this month as the head of cyber business On 2 July 2019, we became aware of a fraudulent website that looked like the Qantas Super login page and used a similar website address. 6.3 The scope of this assessment was limited to the consideration of QFF's handling of personal information against the requirements of APP 1 (open and transparent management of personal information) and APP 5 (notification of collection of personal information).
4.71 During the assessment, the OAIC was advised of the security controls applied to QFF's systems. Qantas Group Policies: The Qantas Group has a set of 10 Group Policies, which reflect the Non-Negotiable Business Principles and outline the minimum expected standards across a range of governance areas where compliance is necessary for legal reasons and to protect our brands and reputation. Understand how diligently a company is patching its operating systems, services, applications, software, and hardware in a timely manner. The OAIC guidance on the GDPR may be found at Australian entities and the EU General Data Protection Regulation (GDPR). The Qantas Group's FY21 performance for Total Recordable Injury Frequency Rate improved compared to the prior year, while our Lost Work Case Frequency Rate was slightly higher. Access to this list is heavily restricted to a needs-only basis. While ensuring the Qantas Group had an effective platform to respond to the consequences of COVID-19, the Group ensured it also maintained a resilience capability to respond to events as we recovered. The DISO assesses the security implications of the project and considers mitigation strategies for cyber security risks. Risk assessments are conducted on relevant third-party suppliers and we work with them to address any material risks identified. The company's policy is in the consultation stage, and no direction yet has been made. A data breach will trigger a crisis response, the extent of which depends on the nature and severity of the breach. The OAIC was informed that all new marketing and data analytics projects are subject to a robust in-house vetting process that involves an assessment of both cyber security and privacy risks.