Introduction
This publication has been developed to assist business owners and information technology managers, particularly those unfamiliar with cyber security, with ten things they should know about data security.
Fundamentals of data security
Know what data you have
Know what data your organisation produces, collects or is otherwise accountable for and why. Not doing so makes it very difficult to determine its value, where it resides, who has access to it, how it is protected, and what legislative or regulatory obligations may apply. Consider whether it is absolutely necessary to produce or collect data in the first place and whether it needs to be retained or not, especially when it relates to customer data.
Know the value of your data
Know the value of your data. Identify data for which the confidentiality, integrity or availability is critical to the function of your organisation and the provision of your services. Consider not only the value of individual pieces of data but also the aggregated value of your data.
Know where your data resides
Know where your data is stored, especially data that is critical to your organisation and services. Identify what data is kept on employee devices (both corporate and personal), in the cloud (both onshore and offshore), in corporate data repositories and on removable media. Consider external parties that have or may retain copies of your data and where.
Know who has access to your data
Know who has access to your data. Identify both internal and external parties that have access, such as employees, professional service providers, managed service providers and cloud service providers. Identify the extent of access, including whether it is onsite or remote.
Know your threat environment
Know the threat environment your organisation operates within, as this is integral to understanding what malicious actors may gain from compromising your data. Seek out accurate and timely information on cyber threats from reputable sources, such as the Australian Signals Directorate (ASD). Join ASD’s Cyber Security Partnership Program as a deeded partner to access near real-time cyber threat intelligence through the Cyber Threat Intelligence Sharing platform. Being a deeded partner also provides access to ASD publications, services and tools that aren’t available to non-deeded partners. Finally, look within your organisation to your experts, such as your Chief Information Security Officer or Chief Security Officer if you have one.
Know how your data is protected
Know who is accountable for the protection of your data and what mitigation strategies are in place. ASD’s Strategies to Mitigate Cyber Security Incidents is a prioritised list of mitigation strategies designed to assist in protecting your data from a range of cyber threats. While no set of mitigation strategies is guaranteed to protect against all cyber threats, a recommended baseline known as the ‘Essential Eight’ makes it much harder for malicious actors to compromise your data. To assist with implementing the Essential Eight, ASD’s Essential Eight Maturity Model can be used to prioritise and tailor its implementation based upon varying levels of malicious actor sophistication and the extent of their targeting.
ASD’s Information Security Manual is a cyber security framework that you can holistically apply to protect your data from cyber threats. The advice in the Strategies to Mitigate Cyber Security Incidents, along with the Essential Eight and its Essential Eight Maturity Model, complements this framework.
Finally, ASD provides an extensive range of cyber security resources, including advice tailored for small-to-medium businesses (such as Exercise in a Box activities), on its cyber.gov.au website.
Know how to verify your data is protected
Know your organisation’s cyber security maturity and identify areas that require remediation or further investment. ASD endorses suitably qualified cyber security professionals, as part of its Infosec Registered Assessor Program (IRAP), to provide assessment services in order to validate and verify cyber security measures, identify cyber security risks, and where appropriate, recommend suitable mitigation measures. ASD has also partnered with TAFEcyber to provide education opportunities throughout Australia on how to conduct assessments against the Essential Eight Maturity Model.
Know how to back up and restore your data
Know how to back up and restore your data in case you are a victim of a disruptive or destructive cyber attack. Backups of data, ideally segregated into critical backups, essential backups and non-essential backups, should be performed and retained with a frequency and retention timeframe that aligns with your business criticality and business continuity requirements. In performing backups, make sure they are synchronised to enable restoration to a common point in time and are retained in both a secure and resilient manner, such as with a reputable cloud service provider. Finally, restoration of data from backups to a common point in time should be periodically tested in a coordinated manner to identify any issues and dependencies prior to a disruptive or destructive cyber attack.
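As an added illustration that is not part of the original guidance, the following Python script models the three checks this advice calls for over a constructed backup manifest: whether each tier's newest snapshot is within a maximum age, whether a common point in time exists to which a set of datasets can be restored together, and whether the stored copies still match the digests recorded when they were taken. The tier names follow the guidance; the maximum ages, the four-hour synchronisation tolerance, the dataset names and the backup contents are assumptions made up for the example.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Tiers named in the guidance. The maximum snapshot age per tier is an
# assumed value for this example; derive real figures from your business
# continuity requirements.
POLICY = {
    "critical": timedelta(hours=24),
    "essential": timedelta(days=3),
    "non-essential": timedelta(days=7),
}

# Constructed "current time" so the example behaves the same on every run.
NOW = datetime(2024, 6, 10, 9, 0, tzinfo=timezone.utc)

# Constructed dataset-to-tier mapping (hypothetical dataset names).
TIER = {"customer-db": "critical", "file-share": "essential", "marketing": "non-essential"}

# Constructed backup contents as they were when each snapshot was taken.
GOOD_COPIES = {
    ("customer-db", NOW - timedelta(hours=2)): b"customer rows, version 3",
    ("customer-db", NOW - timedelta(hours=26)): b"customer rows, version 2",
    ("file-share", NOW - timedelta(hours=3)): b"documents, version 9",
    ("file-share", NOW - timedelta(days=4)): b"documents, version 8",
    ("marketing", NOW - timedelta(days=9)): b"campaign assets",
}


@dataclass(frozen=True)
class Snapshot:
    dataset: str
    tier: str
    taken_at: datetime
    sha256: str  # digest recorded at backup time, kept apart from the copy itself


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# The manifest records a digest for every snapshot when it is written.
MANIFEST = [
    Snapshot(dataset, TIER[dataset], taken_at, sha256_hex(blob))
    for (dataset, taken_at), blob in GOOD_COPIES.items()
]

# What is actually on the backup medium now: one older copy has silently
# changed since it was written (constructed to exercise the integrity check).
STORED_COPIES = dict(GOOD_COPIES)
STORED_COPIES[("file-share", NOW - timedelta(days=4))] = b"documents, version 8 (damaged)"


def stale_datasets(manifest, now=NOW):
    """Datasets whose newest snapshot is older than their tier allows."""
    latest = {}
    for snap in manifest:
        if snap.dataset not in latest or snap.taken_at > latest[snap.dataset].taken_at:
            latest[snap.dataset] = snap
    return sorted(ds for ds, snap in latest.items()
                  if now - snap.taken_at > POLICY[snap.tier])


def common_restore_point(manifest, datasets, skew=timedelta(hours=4)):
    """Most recent time T at which every dataset has a snapshot taken in
    [T - skew, T], so all of them can be restored to one point in time.
    Returns None when the backup schedules are not synchronised closely enough."""
    times = sorted({s.taken_at for s in manifest if s.dataset in datasets}, reverse=True)
    for t in times:
        if all(any(s.dataset == ds and t - skew <= s.taken_at <= t for s in manifest)
               for ds in datasets):
            return t
    return None


def integrity_failures(manifest, stored):
    """Snapshots whose stored copy is missing or no longer matches the manifest digest."""
    failures = []
    for snap in manifest:
        blob = stored.get((snap.dataset, snap.taken_at))
        if blob is None or sha256_hex(blob) != snap.sha256:
            failures.append((snap.dataset, snap.taken_at))
    return failures


def restore_drill(manifest, stored, datasets, now=NOW):
    """Run all three checks together, as a periodic restoration test would."""
    return {
        "stale": stale_datasets(manifest, now),
        "restore_point": common_restore_point(manifest, datasets),
        "integrity_failures": integrity_failures(manifest, stored),
    }


if __name__ == "__main__":
    report = restore_drill(MANIFEST, STORED_COPIES, {"customer-db", "file-share"})
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run against the constructed data, the drill reports the non-essential dataset as overdue, finds a common restore point two hours ago for the two datasets that are backed up in step, and flags the older file-share copy whose bytes no longer match the recorded digest; asking for a joint restore point of the customer database and the marketing assets returns None, because their schedules are too far apart to restore to one moment. Keeping the digests in the manifest, separate from the backup medium, is what lets the integrity check detect a copy that has been altered or corrupted after it was written.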
Know how to respond to cyber security incidents
During a cyber security incident, such as a data breach, your organisation may experience both significant internal and external pressures. To prepare yourself beforehand, you should know how to respond and recover. Developing a cyber security incident response plan that aligns with your organisation’s emergency, crisis and business continuity arrangements, as well as jurisdictional and national cyber and emergency arrangements, can be highly beneficial. Cyber security incident response plans should be regularly reviewed and tested alongside activities that target strategic decision making, operational responses and communication strategies.
One person should also be identified as the cyber security incident response coordinator for your organisation, such as the Chief Information Security Officer, to ensure clarity of direction and that timely operational decisions can be made. In large organisations this person should be supported by a director with relevant cyber security or risk management skills who can act as the interface to the board, to ensure information can be communicated quickly and critical business decisions can be made.
Importantly, all cyber security incidents should be reported to ASD via ReportCyber.
Know your legislative and regulatory obligations
Know what legislative and regulatory obligations apply to your data. Depending on your organisation’s sector, you may be subject to the requirements of the Security of Critical Infrastructure Act 2018. Furthermore, certain customer data that your organisation produces or collects may be subject to archival, financial, privacy or taxation requirements, for example, protection under the Privacy Act 1988, including the Australian Privacy Principles. Also, depending on the locality of your business operations and customers, you may be subject to the European Union’s General Data Protection Regulation.
In the event of a cyber security incident, you may also have regulatory obligations under the Notifiable Data Breach Scheme, which requires you to notify the Office of the Australian Information Commissioner and affected individuals when an eligible data breach has occurred.
Independent legal advice should be sought on any legislative and regulatory obligations that may apply to your data.
Contact details
If you have any questions regarding this guidance, you can write to us or call us on 1300 CYBER1 (1300 292 371).