Possible ministerial involvement or censure (for agencies), Risks are limited, and may be within acceptable entity risk tolerance levels, Unlikely to breach relevant legislative obligations (for example, APP, TFN, Credit), Minimum compliance obligations are being met. The Qantas Loyalty segment specializes in customer loyalty recognition programs. QFF also has contractual rights to audit the third party and the QFF information they hold throughout the course of the relationship. 4.57 New projects may also be subject to meetings known as shark tanks. These controls include: 4.72 Overall, QFF has established robust ICT and user access policies, procedures and practices governing the security of personal information. To do this, they must give Woolworths their QFF membership number so that Woolworths can arrange for the Qantas Points to be awarded. 5.6 Prior to the OAIC assessment in May/June 2017, the Qantas Group was already expanding its cyber security governance processes and materials to include increased focus on privacy. Our company cyber security policy outlines our guidelines and provisions for preserving the security of our data and technology infrastructure. This Code sets out expectations for how we act, solve problems and make decisions. These recommendations are set out in Part 5 of this report. Underpinning the policies and procedures should be strong leadership from senior management, with governance arrangements that support effective privacy practices. fieldwork, which included interviewing key members of staff and reviewing further documentation, at the QFF offices in Mascot on 25 May and 1 June 2017. 4.69 At the time of the assessment, QFF had recently undertaken a test exercise, where IT sent false phishing emails to selected QFF staff email accounts. 4.55 If the project uses or is likely to use personal information, QFF Legal will also consult with the project owner and any relevant staff. 
3.6 Members may choose to provide further information in relation to product preferences to receive targeted emails from QFF or its affiliates (e.g. Privacy related matters will also be raised during short stand-up meetings, where staff consult each other or offer suggestions on different matters and projects. All projects require sign-off by Legal and staff are encouraged to approach them early in the process. Group Finance Policy; 7. Access to QFF data requires specific authorisation. Assessment undertaken: May-June 2017 Draft report issued: 9/10/2018 Final report issued: 30/6/2019. The visibility gained from these assessments provides insight that helps guide high-level cybersecurity decisions, making them a valuable asset for organizations of all sizes. Like many large organisations, we operate in an environment of ever-evolving cyber threat, where external attackers are always adopting new and more sophisticated techniques. [11] See paragraphs 1.15-1.32 of the APP Guidelines. Project managers are reminded periodically to undertake SIAs for all new initiatives. Please refer to Qantas Group Policies available on the Qantas Intranet or from your manager or people representative for details. Sydney, Australia. 2.3 In the 2014/2015 financial year, the OAIC assessed two leading loyalty programs in Australia. 4.31 Compliance with APP 1.2 is fundamentally about good privacy governance. In Qantas Frequent Flyer and Qantas Business Rewards remain at the core of the program, while the business has evolved to include a number of new ventures and other businesses such as Qantas Money, Qantas Insurance and Qantas Wine. 4.81 Program partners are tested for security, IT, and compliance requirements before QFF will agree to a partnership. 
It also includes a collaborative process for managers to ensure favourable safety, healthcare and support return-to-work outcomes for existing employees with physical and/or mental health conditions, and/or adverse social circumstances. review of relevant policies and procedures provided by QFF, an analysis of QFF's APP 1 privacy policy. The team selecting those aircraft has made sure we consider safety in our preparations; thinking about technology available to improve information pilots receive, to improve data the aircraft measures, aircraft performance, and to ensure that people using the aircraft (cabin crew stowing luggage, or ground crew loading bags) have a safer experience. To report security or privacy issues affecting The Emirates Group products or web servers, you can contact security@emirates.com. Beware of fake websites. 3.3 Member registration is conducted online, either directly through the QFF website or through a link on a program partner website. 4.68 To further raise awareness of cyber security and privacy issues, staff are sent a weekly Friday Flyer email, which often contains information about how to avoid phishing scams and current privacy threats. Qantas Group's policies and business practices over the next 12 months. See how the quantity and duration of malware infections, along with other factors, influence the overall assessment of an organization's IP Reputation. Design, develop, deliver and measure ongoing risk aligned Group (Qantas, Jetstar and Loyalty) Cyber Safety Awareness Campaigns to raise Qantas Group employees' cyber awareness, uplift their cyber capability and embed a Cyber Safety culture throughout the Qantas Group, incorporating . 
However, one current exception is QFF's partnership with Woolworths, as Woolworths Everyday Rewards (WER) members may opt-in to earn Qantas Points as their reward under the WER program, automatically converting WER points they earn when shopping at Woolworths into Qantas Points. The OAIC was informed that all new marketing and data analytics projects are subject to a robust in-house vetting process that involves an assessment of both cyber security and privacy risks. However, based on practices at the time of the assessment, there is a medium risk that privacy issues from the various business units will not be communicated effectively through the existing channels. A Group data privacy, ethics and governance function has been established to assist us to better ensure personal information is handled fairly, ethically and responsibly. QFF regards personal information as its chief business asset and has invested multiple resources to safeguard it. While membership of the GCSC includes representatives from Legal/Privacy, and a reference to the Privacy Commissioner, the objectives and responsibilities of the Committee outlined in the charter document focus on cyber risks and do not specifically call out privacy issues. 4.65 Training is conducted through an internal online training database. 4.34 The OAIC notes that the charter document for the GCSC primarily focuses on cyber risks and their management and does not specifically refer to privacy. Management attention is suggested. Joint advisory released for Managed Service Providers and Customers to mitigate cybersecurity risks The Australian Cyber Security Centre (ACSC) has today joined with international cyber security agency partners, to warn Managed Service Providers (MSP) of pressing cyber risks and provide guidance on suitable mitigations for them and their customers. 
1.5 The OAIC identified two medium risks regarding QFF's privacy governance and evaluation of the continued effectiveness and appropriateness of its privacy practices, procedures and systems, and made two recommendations to address the risks identified. This correlates to the need for a PMP (discussed earlier at 4.18-4.21), which would include the establishment of these privacy governance arrangements as part of its privacy goals as well as their ongoing evaluation. As the Security Technology Controller, you will be accountable for day to day operational activities across the physical security team including access, surveillance and alarm monitoring services with a focus on Qantas Group ASIC program compliance. 4.13 Qantas has target timeframes for response due dates, including for privacy complaints. We may use your personal information for the following purposes: Qantas Group Security and Facilitation participates in several domestic and international committees to refine security measures, to plan for and acquire enhanced security equipment and to establish world best practices in aviation security. We are continually working to expand employee awareness of evolving data security risks, including through no notice simulations and structured training. 4.32 Whilst QFF has numerous governance mechanisms and structures in place to facilitate privacy management, the OAIC notes that there are no specific, dedicated privacy roles within Qantas or QFF (with the exception of the recently appointed Group Privacy Officer). Safely returning to the skies: During the pandemic Qantas had to ground the majority of our fleet. Incident notifications may come from a variety of channels. 
"Qantas Frequent Flyer uses security protocols to protect our members' accounts, including multi factor authentication, to minimise the impact, if their travel data is accessed or lost by third parties." Qantas has been looking for a security head since August last year. Risk Management Policy; 9. For many enterprise organizations, administering risk assessments is the first step in building an effective cyber threat management system. I have a proven track record of leadership and performance in a range of strategic cyber security, risk, compliance and finance roles while working in the UK, Canada, India and Australia. 6.1 This assessment was conducted under s 33C(1)(a) of the Privacy Act, which allows the OAIC to assess whether an entity maintains and handles the personal information it holds in accordance with the APPs. The DISO may also determine that a more comprehensive security review or a formal PIA is needed. 4.74 Qantas Frequent Flyer applies data analytic techniques, and then uses this data for targeted advertising and marketing. [1] These programs reward individuals for their purchases and engagement via points, credit and other benefits. Maintaining a regularly updated directory of all of the information assets (including personal information) held by QFF, and where these are stored. There are less than ten users with administrative access privileges, and these accounts are also logged, as are any data changes in the data warehouse. A select team within QFF have sole access to QFF member information (e.g. [4] For a current list of program partners, see the Earn Qantas Points page. Once notified, incidents are escalated as appropriate. 4.54 All new projects require a security impact assessment (SIA), and staff have access to the relevant form on the Qantas Intranet. Security Policy. 
Qantas Frequent Flyer and Qantas could also consider using graphics, videos and other digital formats as a way of clearly communicating to its members how it handles personal information. strong corporate governance transparency in reporting. Research Institute in Science of Cyber Security (RISCS) - The primary objective of the Institute is to develop novel, innovative social-science and socio-technical techniques for cyber security. [8] The European Union General Data Protection Regulation (the GDPR), which commenced 25 May 2018, contains new data protection requirements. QFFSC staff verify a customer's identity before assisting the member with their query, including making any corrections. Additionally, there are contractual terms in place, which stipulate that only QFF may contact its members in relation to a program partner. This enhances the accountability of APP entities in relation to their personal information handling practices. The Qantas Group's FY21 performance for Total Recordable Injury Frequency Rate improved compared to the prior year, while our Lost Work Case Frequency Rate was slightly higher. 4.76 In relation to the use of personal information for marketing and analytics purposes, QFF's APP 1 privacy policy and collection notice state that members' personal information may be used to: 4.77 Potentially sensitive information gathered by the airline, such as meal preferences and medical conditions, is not used by, or accessible to, the QFF marketing and analytics teams. QFF provides reasonable and adequate notifications to users of its services (QFF members) when collecting personal information (APP 5). Some projects may be subjected to this process multiple times. Within this Group-wide plan, there are business unit specific plans, which are owned by key senior staff in each group. 
Protection from these attacks and the In addition, Jetstar's head of cyber security Yvette Lejins started a broader Group role at Qantas this month as the head of 'cyber business protect', which covers the Jetstar Group, Qantas . Over the past year, the return of domestic and international travel as borders reopened required a similar program of work to return our aircraft to the skies, including a focus on training for crew and support employees. What your policy needs to cover. On 2 July 2019, we became aware of a fraudulent website that looked like the Qantas Super login page and used a similar website address. Immigration, customs, border security and other regulatory authorities; Other companies within Qantas and companies in the Jetstar Group; and; Your share broker when you purchase shares in Qantas Airways Limited. 4.21 The OAIC has developed a PMP template that should assist QFF in the development of a PMP. Qantas keeps relationship with various regional carriers. In ever-increasing times of uncertainty, the resilience of an organisation plays a significant role in effectively meeting market demands and supporting the delivery of strategy. The aviation industry continues to face complex threats from individuals and organisations globally. Members are required to undergo a telephone identity check and staff follow a security procedure and checklist to guide them through the process. 4.75 At registration, QFF collects members' personal information as well as other voluntary information about preferences for food and drink, finance and other products or services that a member is interested in. 
The General Counsel receives weekly briefings on key issues (including privacy matters) from QFF and on an ad hoc basis as needed. Staff are encouraged to clarify the member's exact needs before proceeding with an access request. 4.9 The OAIC noted that one document contained references to the National Privacy Principles (NPPs), which were replaced by the APPs in March 2014. Both the General Counsel and CEO sit on the Group Management Committee (GMC), with the General Counsel reporting to the GMC on privacy. Complying with Qantas Group and other Policies Security begins on day one here. 4.1 This part of the report sets out the OAIC's observations, the privacy risks arising from these observations, followed by suggestions or recommendations to address those risks. 4.86 The OAIC suggests that QFF continues to regularly review its APP 1 privacy policy and APP 5 collection notice to ensure they adequately explain the use of a member's personal information, especially if the nature and scale of QFF's marketing and data analytics activities changes. Like many large organisations, we operate in an environment of ever-evolving cyber threats, where external attackers are always adopting more sophisticated techniques. This includes aviation safety, WHS, environment, security (including cyber security) and business resilience matters. We monitor global developments in governance, laws and business practices, and work collaboratively across our global footprint to ensure we continue to meet these standards. 
As part of this review, the OAIC applied a Flesch-Kincaid test to provide a general indication of the complexity and readability of the policy. Qantas Airways Limited ABN 16 009 661 901. the policies and procedures of QFF were reasonable in the circumstances to ensure that personal information is managed in an open and transparent manner (APP 1). 4.30 At the time of the assessment, the Qantas Group was investigating whether it would be required to appoint a data protection officer under the upcoming GDPR requirements. Understand the effectiveness of protections in place for laptops, desktops, mobile devices, and all employee devices that access that company's network. Specifically, the assessment examined whether: 6.4 Where the OAIC identified privacy risks and considered those risks to be high or medium risks, according to OAIC guidance, the OAIC made recommendations to QFF about how to address those risks. A data breach will trigger a crisis response, the extent of which depends on the nature and severity of the breach. Qantas Group also holds monthly direct reporting meetings, and risk is a regular agenda item. 4.61 The OAIC has published the Guide to undertaking privacy impact assessments, which may be of assistance to QFF in considering future PIAs. With the assistance of the Qantas Group Cyber Security Centre, the website was detected not long after it was built and we have worked with the internet service provider to take it down. 4.44 The Group-wide crisis management plan is comprised of a series of procedures that enable staff to respond to the various kinds of crises that may arise across the Group. 
As QFF is a popular loyalty program with a large member base, the OAIC conducted a privacy assessment of QFF in 2017. The OAIC recommends that QFF develops and implements a PMP that sets out specific goals and objectives for its privacy management with consideration of the specific issues that apply to its operations. 3.2 QFF is a points-based rewards program and members may earn Qantas Points by purchasing products and services from Qantas or any of its program partners. The cyber safety of Qantas Frequent Flyers is a priority for us. We take active, quality measures to help you keep safe online and we also encourage our members to do what's possible to protect their account and personal information. We may contact you using the below methods: A phone call from one of our fraud analysts. 4.38 The QRAG contains the risk assessment and management frameworks for the Qantas Group. 4.29 At the time of this assessment, neither QFF nor Qantas Group had a dedicated privacy officer, although there were plans to create such a role. clear knowledge of information assets held and a range of ICT security measures in place to safeguard these. Legal also provides more tailored face-to-face privacy training to various QFF units on an ad hoc basis. [9] Office of the Australian Information Commissioner (OAIC), Big data and privacy: a regulator's perspective, viewed 26 September 2017. This commitment to security extends to our executives. The Group Policies apply to Qantas Group entities and employees in line with the Group's Corporate Governance Framework. Risk assessments are conducted on relevant third party suppliers and we work with them to address any material risks identified. 
The three principles that guide us are: operating with integrity (through our safety, people, community and environment strategies). All SIAs are recorded in the system and can be recalled or examined as needed. Cyber fraud techniques evolve into confidence trick arms race. Who has issued the policy and who is responsible for its . To comply with our legal obligations and for health, safety and security purposes: to ensure the safety and security of all passengers, including investigating security and screening issues and to take appropriate steps to prioritise the health of those passengers and our crew. It operates through five segments: Qantas Domestic, Qantas International, Jetstar Group, Qantas Loyalty, and Corporate. Security Policy. Year founded 1920 Employees 20.6K Qantas Airways is an airline that provides the transportation of customers using Qantas and Jetstar brands. Understand how diligently a company is patching its operating systems, services, applications, software, and hardware in a timely manner. Qantas in late 2016 began the hunt for a CISO to oversee four Sydney-based reporting teams, leading security strategy across cyber strategy, cyber risk and resilience, security architecture and security operations. 4.33 A network of privacy champions across business units within the Qantas Group, including a dedicated QFF privacy champion, would help to identify and communicate privacy risks, as well as good privacy practices, across the Group. All employees receive security, privacy, and compliance training the moment they start. 
If the staff member attempts the training but does not receive a 100% pass rate, training is not marked as completed and the online training system will continue to remind the staff member to complete the training. This process is documented in a Qantas privacy procedure document, which is a high-level internal document that sets out broad privacy obligations. Darren Argyle (CISM, CISSP) is an accomplished executive with close to 20 years international cyber risk and security experience. 5.2 QFF sincerely appreciates the OAIC assessment finding that it has robust and effective privacy practices, and QFF acknowledges that an ongoing compliance commitment is required to protect the privacy and maintain the security of the personal information it holds. continues to build the profile of privacy across the Group by: continuing with the implementation of the Qantas Group network of privacy champions to assist with the coordination of privacy matters across business units and reporting of these issues to senior management. QFF, as a business unit, would have the opportunity to share its learnings, as well as to learn from the experiences of other business units. This notice is located at the bottom of the QFF online registration form, just before members are asked to accept the terms and conditions and provide payment information. 4.46 The QFF cyber security incident response plan is updated at least annually. Across the Group, we are responsible for handling a substantial amount of personal information. 4.66 As a part of Qantas' financial and corporate governance reporting requirements, the Group Audit Team regularly checks the QFF training logs, which are managed by the Qantas Human Resources Department. 
Remote access is restricted to a needs-only basis. QFF Legal reports to the Qantas Group General Counsel, who has ultimate responsibility for all privacy compliance matters in the Qantas Group. The policy is dated to reflect when it was last reviewed. These emails are provided on an opt-out basis, so members can change or cancel the different types of marketing materials that they receive from QFF. Contract Engagement, Review and Execution Policy; 4. 6.2 The objective of the assessment was to examine whether personal information collected by QFF is handled in accordance with the Privacy Act. Environment Policy; 6.