Overview of Australian data protection strategy

The aim of your Australian data protection strategy is to establish and maintain a culture of information security awareness and compliance within your organisation, taking into account the Australian regulatory environment.

Securing information is not just protecting it from being accessed by third parties. A commonly used way to summarise the key objective is to refer to the “CIA” — Confidentiality, Integrity and Availability — or, to avoid confusion with the USA Central Intelligence Agency, the “AIC” triad. The AIC triad is an important reminder that information security is not just about confidentiality: information can also lose its value if it cannot be trusted, perhaps because it has been compromised by error or deliberate interference, or has not been maintained accurately. The lack of availability of information when it is required can have the same consequences as the loss of the information itself or the loss of its integrity.

The first step in the preparation of a data protection strategy is to understand the regulatory context in which you operate and identify the applicable rules and guidelines. Next, you should identify the relevant classes of information that you need to protect, consider the risk exposure that accompanies each class of information, and assess whether or not the measures currently in place are adequate having regard to the potential risk to your organisation.

See Developing a strategy for Australian data protection.

It is important to consider the components that make up a secure framework. It is a common mistake to focus only on the protection of IT systems. While the protection of IT systems from unauthorised access and the careful control of access privileges are critical components, it is also necessary to consider employee-related issues such as background checking, the terms and conditions of employment, and the adequacy of training, supervision and audit. Control of the physical environment is also relevant.

See Procedures for implementation and Systems for improvement.

In this chapter, we step through the development of an Australian-specific cybersecurity strategy having regard to the Australian regulatory context.