Australian Cyber Security Regulations and Compliance

Cyber Security Strategy 2009

Recognising ‘that Australia’s national security, economic prosperity and social wellbeing are critically dependent upon the availability, integrity and confidentiality of a range of information and communications technologies’, the Australian Government launched its Cyber Security Strategy in November 2009 to provide a framework that addressed the increasing risk of online threats to the country.

Applicability

The Strategy is a guidance document for all Australian Internet users and as such is advisory, not enforceable.

Principles

The Strategy aims to maintain ‘a secure, resilient and trusted electronic operating environment that supports Australia’s national security and maximises the benefits of the digital economy’. It is based on six guiding principles consistent with the Prime Minister’s National Security Statement:

  • National leadership
  • Shared responsibilities
  • Partnerships
  • Active international engagement
  • Risk management
  • Protecting Australian values.

Objectives

The Cyber Security Strategy has three objectives:

  • That all Australians are aware of cyber risks, secure their computers and take steps to protect their identities, privacy and finances online.
  • That Australian businesses operate secure and resilient information and communications technologies to protect the integrity of their own operations and the identity and privacy of their customers.
  • That the Australian Government ensures its information and communications technologies are secure and resilient.

Strategic priorities

In order to achieve these objectives, the Australian Government aims:

  • To improve the detection, analysis, mitigation and response to sophisticated cyber threats, with a focus on government, critical infrastructure and other systems of national interest.
  • To educate and empower all Australians with the information, confidence and practical tools to protect themselves online.
  • To partner with business to promote security and resilience in infrastructure, networks, products and services.
  • To model best practice in the protection of government ICT systems, including the systems of those transacting with government online.
  • To promote a secure, resilient and trusted global electronic operating environment that supports Australia’s national interests.
  • To maintain an effective legal framework and enforcement capabilities to target and prosecute cyber crime.
  • To promote the development of a skilled cyber security workforce with access to research and development to develop innovative solutions.

Telecommunications Act 1997 (Commonwealth)

The Telecommunications Act 1997 (Cth) regulates the Australian telecommunications industry and applies specifically to telecommunications ‘carriers’ and ‘carriage service providers’. Technological changes since its enactment in 1997 have required numerous amendments to the Act, including those of the Cybercrime Legislation Amendment Act (see below). The term ‘carriage service providers’ now includes internet service providers (ISPs).

Jurisdiction

The Act applies both within and outside Australia, and is regulated by the Australian Communications and Media Authority (ACMA). Significant parts of the Act are detailed below.

Obligations of ACMA, carriers, and carriage service providers in the national interest

Part 14 (‘National interest matters’) states that ‘The ACMA, carriers and carriage providers must do their best to prevent telecommunications networks and facilities from being used to commit offences. The ACMA, carriers and carriage service providers must give the authorities such help as is reasonably necessary for the purposes of: (a) enforcing the criminal law and laws imposing pecuniary penalties; and (b) protecting the public revenue; and (c) safeguarding national security.’

Primary disclosure/use offences

Part 13 (‘Protection of Communications’) regulates the use and disclosure of information obtained by certain bodies during the supply of telecommunication services. Section 276(3) makes it an offence punishable by up to two years’ imprisonment for certain telecommunications service providers and their employees to use or disclose information or documents relating to:

  • The contents of communications that have been, or are being, carried by carriers or carriage service providers.
  • Carriage services supplied by carriers and carriage service providers.
  • The affairs or personal details of other persons.

A number of exceptions to these strictures are included in Sections 279-294, including when the disclosure is necessary for law enforcement purposes. The use of and access to stored data is affected by amendments made under the Cybercrime Legislation Amendment Act (see below).

Civil penalties for non-compliance

Part 31 (‘Civil penalties’) states that ‘Pecuniary penalties are payable for contraventions of civil penalty provisions’ as determined by the Federal Court. The scale of those penalties varies, but Sections 570(3) and (4) give guidance:

  • Corporate bodies are liable for penalties of up to $10 million (AUSD$) for each contravention of service provider rules, and penalties of up to $250,000 (AUSD$) for each contravention in the case of other offences under the Act.
  • Persons – including partnerships – are liable for fines of up to $50,000 (AUSD$) for each contravention.

The Cybercrime Legislation Amendment Act

The Cybercrime Legislation Amendment Act 2012 amended the Mutual Assistance in Criminal Matters Act 1987, the Criminal Code Act 1995, and the Telecommunications (Interception and Access) Act 1979 as well as the Telecommunications Act 1997, and also allowed Australia to accede to the Council of Europe Convention on Cybercrime. It came into effect on 1 March 2013. Its most significant effect on the Telecommunications Act relates to data preservation: since the 2006 amendment to the Telecommunications (Interception and Access) Act 1979, electronic communications (e.g. email and SMS messages) stored on a carrier’s equipment have been afforded greater protection against interception and access, but under the Cybercrime Legislation Amendment Act, carriers may be required to preserve communications in relation to domestic or foreign criminal investigations.

Cyber security, compliance and ISO27001

Despite having absorbed many of the measures normally associated with information security, cyber security really only addresses the security of digital information. Information security is a broader approach that addresses the security of information in all forms and covers paper documents, physical security and human error as well as the handling of digital data.

In order to achieve an effective cyber security posture, organisations must realise that hardware and software solutions alone are not enough to protect them from cyber threats and that a broader information security approach is needed. The three fundamental domains of effective information security are people, process and technology.

ISO27001 is the internationally recognised best-practice Standard that lays out the requirements of an Information Security Management System (ISMS) and forms the backbone of every intelligent cyber security risk management strategy. Other standards, frameworks and methodologies need ISO27001 in order to deliver their specific added value.

Organisations with multiple compliance requirements often seek certification to ISO27001 as its comprehensive information security approach can centralise and simplify disjointed compliance efforts; it is often the case that companies will achieve compliance with a host of legislative requirements simply by achieving ISO27001 certification.

The latest version of the Standard, ISO27001:2013, is simple to follow and has been developed with business in mind. It presents a comprehensive and logical approach to developing, implementing and managing an ISMS, and provides associated guidance for conducting risk assessments and applying the necessary risk treatments. In addition, ISO27001:2013 has been developed in order to harmonise with other standards, so the process of auditing other ISO standards will be an integrated and smooth process, removing the need for multiple audits.

Further, the additional external validation offered by ISO27001 certification is likely to improve an organisation’s cyber security posture while providing a higher level of confidence to customers and stakeholders – essential for securing certain global and government contracts.

How ISO27001 can help you comply with Asia-Pacific data protection legislation

How ISO27001 can help you comply with data protection legislation in the Asia-Pacific region

Written by cyber security expert Alan Calder, this free guide details how to leverage ISO27001 as a single framework for creating a cyber secure enterprise while supporting adherence to many cyber security laws across the Asia-Pacific region.

Enter your name and email address below to read our free guide on complying with cyber security legislation in the Asia-Pacific region:

Why IT Governance?

IT Governance is a specialist in the field of information security and IT Governance, and has led more than 140 successful certifications to ISO27001 around the world.

IT Governance has created ISO 27001 packaged solutions to give Asia Pacific organisations online access to world-class expertise. Each fixed-priced solution is a combination of products and services that will enable you to implement ISO 27001 at a speed and budget appropriate to your individual needs.

Get started today >>