Qantas group security head Steve Jackson has some simple rules for dealing with IT security: Don't panic, don't overstate the risk, and Section 1 - Summary. Security teams are able to react quickly to digital criminals, respond to Zero-Day incidents faster, and reduce the risk exposure timeline. The OAIC has not identified any privacy risks based on the assessment scope and the above-mentioned observations. It is understood neither Qantas Airways nor Virgin Australia Holdings has a separate cyber-security insurance policy but both have multi-layered security precautions in CHESS also has oversight of risks associated with regulatory compliance. Continuing Qantas collaboration with the Australian Government on cyber security to proactively monitor emerging threats, and to enhance the protection of our people, customers and assets. The economic contribution of the Qantas Group to Australia in FY 2017. How can I be sure my Frequent Flyer account details are secure? Additionally, the OAIC has recently released an online PIA learning tool which aims to better equip organisations with the knowledge to conduct an in-house assessment. The DISO owns the QFF cyber security incident response plan, and QFF staff are issued with role-specific crisis management resources. Qantas Group Policies The Qantas Group has a set of 10 Group Policies, which reflect the Non-Negotiable Business Principles and outline the minimum expected standards across a range of governance areas where compliance is necessary for legal reasons and to protect our brands and reputation. 4.26 Additionally, QFF has entrusted specific teams with responsibility for various governance and privacy management functions, namely QFF Information Security, headed by the Data and Information Security Officer (DISO), and the Insights team, headed by the General Manager of QFF Insights.
simplifies the notice to enhance readability, changes the title from "important information" to something that indicates to potential members that the notice relates to the collection of their personal information. Furthermore, it is the responsibility of each business unit to identify and report risks. 4.98 The OAIC considers that there is room for improvement in the readability of the policy, and suggests that QFF works with the Qantas Group to review and, where possible, simplify the language of the policy. Good privacy risk management informs and triggers changes to practices, procedures and systems to better manage privacy risks. 4.58 For smaller projects, the assessment process is conducted throughout the evolution of the project. This was a difficult program of work that required careful planning and scheduling. CISA's Role in Cybersecurity. Cyber security for Qantas Frequent Flyer accounts There are fewer than ten users with administrative access privileges, and these accounts are also logged, as are any data changes in the data warehouse. Matt Biber has been working as a Group of Qantas Cyber Security Centre Head (Gcsc) at Qantas for 8 years. Executive Summary. Code of Conduct and Ethics; 2. Business Resilience Policy; 3. We are at the forefront of improving security outcomes for customers and employees by operating within a security framework that is proportionate, agile and responsive to changing threats and risks across our network. As an airline, safety is core to all that we do. We acknowledge our responsibility to protect and maintain the privacy rights of individuals, and to maintain the security and the value of their personal information. During the pandemic, our Wellbeing program expanded from a focus on traditional areas of health and wellbeing (physical health, nutrition, sleep, exercise and mental health) to include financial wellbeing, healthy relationships and digital wellbeing.
4.11 QFF complaints are received centrally through the Qantas customer care centre by phone or online and are directed to the relevant customer care teams. A data breach will trigger a crisis response, the extent of which depends on the nature and severity of the breach. CIOs and CSOs who need to present security issues to their board need to leave acronyms at the door, use PowerPoint presentations and tell stories, according to GPT Group CIO Greg Baster. 4.29 At the time of this assessment, neither QFF nor Qantas Group had a dedicated privacy officer, although there were plans to create such a role. Each member's profile is assigned an anonymous identification number that is unrelated to their membership number. The OAIC also suggests, due to the varied and complex nature of such assessments, that QFF regularly revisit and re-evaluate their privacy assessment mechanisms. The DISO regularly briefs both the CEO and Chief Information Officer (CIO), formally and informally. GCSC members are from a wide range of areas across the Group, including IT Security, Information Security, Legal/Privacy, the newly formed Business and Integrity Compliance Team, and other senior management staff. SecurityScorecard calculates scores based on 10 factors that reflect different cybersecurity practices and risks. [4] Qantas Points may then be redeemed for products or services. All activity is fully logged and audited. Possible ministerial involvement or censure (for agencies), Risks are limited, and may be within acceptable entity risk tolerance levels, Unlikely to breach relevant legislative obligations (for example, APP, TFN, Credit), Minimum compliance obligations are being met. Management attention is suggested.
It operates through five segments: Qantas Domestic, Qantas International, Jetstar Group, Qantas Loyalty, and Corporate. The COVID-19 pandemic presented many challenges to our organisation and our people to work through. 5.3 QFF is working with Qantas to develop a Privacy Management Plan to augment its well-established privacy policies and procedures. highlights the QFF/Woolworths relationship. The case management lists are checked daily by management to ensure their timely resolution. 6.2 The objective of the assessment was to examine whether personal information collected by QFF is handled in accordance with the Privacy Act. The Main Types of Security Policies in Cybersecurity. 4.100 The OAIC reviewed QFF's online notice relating to the collection of information from individuals against the requirements of APP 5 in order to ensure its compliance. Your use of these systems may be monitored and investigated to ensure compliance with the law and Qantas Policies. In Qantas Frequent Flyer and Qantas Business Rewards remain at the core of the program, while the business has evolved to include a number of new ventures and other businesses such as Qantas Money, Qantas Insurance and Qantas Wine. Qantas suffered a 30 percent turnover in its technology personnel as the airline battles staff loss, in the wake of repeated Covid-19 lockdowns. An automated voice-activated call from our telephone alert system, from 1300 754 566. However, they are only provided with de-identified data, and strong contractual protections are put in place against re-identification or use of data other than as stipulated.
collaborative privacy and security risk assessment processes, a culture that promotes privacy awareness, regular mandatory privacy training for all staff that is supported by ongoing privacy awareness initiatives, comprehensive and tested risk management and crisis management processes, including a data breach response process. For many enterprise organizations, administering risk assessments is the first step in building an effective cyber threat management system. Additionally, there are contractual terms in place, which stipulate that only QFF may contact its members in relation to a program partner. (Rob Finlayson) The Qantas Group has updated its flight cancellation policy, as it gears up for The Qantas Group is constantly improving its cyber capabilities as part of its overall data and privacy protection. Staff are encouraged to clarify the member's exact needs before proceeding with an access request. Due to the investments made in resilience, the capability continues to be strengthened through the successful integration of external stakeholders ensuring the Group continues to possess a sophisticated holistic response and recovery system. During 2021, the Group was vocal in its support of legislation that will enhance these efforts in future. Her remit will cover group-wide technology projects as well as Qantas' loyalty business. Our approach covers three main areas: operational safety, people safety and operational security. This plan encompasses all business units of the Qantas Group, including QFF, and is co-ordinated by the Group Crisis Management Team. QFFSC staff verify a customer's identity before assisting the member with their query, including making any corrections. 4.60 The OAIC suggests that all informal privacy and other risk assessments be recorded in some form, such as email or file notes, and stored in an accessible location for relevant staff to access. Challenges.
Defines Victoria University's high-level information security requirements based on the ISO 27001:2013 standard, NIST Cybersecurity Framework and other industry best practices, enabling the University to minimize information security risk and efficiently respond to incidents. 5.4 The OAIC recommends that QFF continues to build the profile of privacy across the Group by: 5.5 QFF will continue to support the expanded reach, effectiveness and reporting of the Qantas Group's new, dedicated Data Privacy team through the introduction of a network of privacy champions across all Group business units. [3] See Qantas Annual Report 2016 at Annual Reports. 4.7 A Qantas Group policy registry is kept by the Company Secretariat for all Qantas Group policies. As the Security Technology Controller, you will be accountable for day-to-day operational activities across the physical security team including access, surveillance and alarm monitoring services with a focus on Qantas Group ASIC program compliance. Cyber security risk is, at the practical level, the responsibility of the QFF DISO. The company's policy is in the consultation stage, and no direction yet has been made. 3.8 QFF stores data in a separate, partitioned section of the Qantas Group IT Environment. Our Wellbeing program is designed to foster an environment that supports, enables and motivates our people to live healthier, happier and more productive lives. The OAIC understands that data privacy and security is marked as one of the top three risks in this document. The Qantas Loyalty segment specializes in customer loyalty recognition programs. 5.1 The OAIC recommends that QFF develops and implements a Privacy Management Plan that sets out specific goals and objectives for its privacy management with consideration of the specific issues that apply to its operations. Qantas and its related bodies corporate are referred to as Qantas Group in this report.
The Group Policies apply to Qantas Group entities and employees in line with the Group's Corporate Governance Framework. However, as with the privacy policy, the language used in the notice is complex, and may be difficult for some readers, who are younger or with a lower literacy level, to understand. [11] See paragraphs 1.15-1.32 of the APP Guidelines. The Head of Human Resources is required to sign off on the completion of all required training in a report to the QFF CEO. However, the OAIC noted that the policy was complex, and the Flesch-Kincaid test indicated that it would be easily understood by people with an approximate reading age over 25. Qantas is part of the Airlines, Airports & Air Services industry, and located in Australia. It describes the standards of conduct we expect. Specific complaints handling processes are embedded in the complaints handling system. 4.14 Requests to access personal information and privacy queries are also handled through the Customer Care Centre. All relevant materials have been updated and the Qantas Group continues to manage both the data privacy and data security risks in a coordinated way. This involves the project owners explaining to an executive panel, including the Group CEO and CFO, the risks of the project, including privacy and data risks, and justifying the need to accept those risks, as well as presenting mitigation strategies. Australian businesses of any size may need to comply if they have an establishment in the EU, if they offer goods and services in the EU, or if they monitor the behaviour of individuals in the EU. Where privacy complaints are received outside of this process (including by phone or by mail), a file/record is created in the complaints handling system.
Number of Employees: 25,000. Possible reputational damage to the entity, such as negative publicity in local or regional media. 4.99 APP 5 requires APP entities that collect personal information about an individual to take reasonable steps either to notify the individual of certain matters (listed in APP 5.2) or to ensure the individual is aware of those matters. 4.28 Business units obtain advice and assessments of privacy related matters from the Legal team via formal PIAs, written email advice and oral advice given in pre-arranged meetings. In the matter of the Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496, the Court found that a financial services provider had breached its licence obligations, and failed to act efficiently or fairly by not having in place adequate risk management systems to cater for risks arising in relation to cyber security. For example, the QFF cyber security strategy includes a breakdown of cyber risk, which utilises the QRAG to assess cyber risks and consider their mitigation strategies. 4.44 The Group-wide crisis management plan is comprised of a series of procedures that enable staff to respond to the various kinds of crises that may arise across the Group. Qantas Group's policies and business practices over the next 12 months. Qantas Frequent Flyer uses targeted marketing communications (primarily by email) to promote products and offers which may be of interest to members. If you're booking a group of 10 or more, or have 20 or more passengers travelling to the same destination for a common purpose, Qantas Group Travel has you covered. This enhances the accountability of APP entities in relation to their personal information handling practices. 4.61 The OAIC has published the Guide to undertaking privacy impact assessments, which may be of assistance to QFF in considering future PIAs. 3.1 QFF was established in 1987, and had over 11.4 million members in June 2016.
This is an internal control or risk management issue that if not mitigated is likely to lead to the following effects, Medium risk Entity should, as a medium priority, take steps to address Office expectations around requirements of Privacy legislation, Timely management attention is expected. Safely returning to our ports: Many of the ports we fly to had no or limited activity during the pandemic. We comply with government and regulatory agencies to integrate risk strategies through a holistic approach ensuring a robust framework is in place to counter any crisis management, contingency planning and business continuity event. This is an internal control or risk management issue, the solution to which may lead to improvement in the quality and/or efficiency of the entity or process being assessed. 4.33 A network of privacy champions across business units within the Qantas Group, including a dedicated QFF privacy champion, would help to identify and communicate privacy risks, as well as good privacy practices, across the Group. The OAIC's Guide to Securing Personal Information may be of assistance in considering reasonable steps to protect personal information. How to access Australian Government information, Privacy management framework: enabling compliance and encouraging good practice, Privacy impact assessments and security impact assessments, Guide to undertaking privacy impact assessments, De-identification Decision-Making Framework, Guide to Data Analytics and the Australian Privacy Principles. [10] 4.95 APP 1.4 contains a prescriptive list of information that an APP entity must include in its privacy policy,[11] as well as a list of other information that could be included, depending on the circumstances of the entity, to describe how the entity manages personal information.[12] Qantas Group declared at its recent investor day that it had made a significant investment in cyber security systems and capability.
It covers the occupational lifecycle from recruitment, ensuring that employees have optimal health, as well as any necessary accommodations and support. High risk Entity must, as a high priority, take steps to address mandatory requirements of Privacy legislation, Immediate management attention is required. This includes aviation safety, WHS, environment, security (including cyber security) and business resilience matters. In addition, Jetstar's head of cyber security Yvette Lejins started a broader Group role at Qantas this month as the head of cyber business On 2 July 2019, we became aware of a fraudulent website that looked like the Qantas Super login page and used a similar website address. Privacy complaints and compliance issues are handled by the corporate liaison team, who receive regular privacy training. Like many large organisations, we operate in an environment of ever-evolving cyber threats, where external attackers are always adopting more sophisticated techniques. 4.35 Additionally, QFF should regularly evaluate its governance mechanisms to ensure their continued effectiveness. These controls include: 4.72 Overall, QFF has established robust ICT and user access policies, procedures and practices governing the security of personal information. The Qantas Group continues to support key external initiatives under the Australian Government's Cyber Security Strategy, the voluntary ASX100 Cyber Health Check, and joint Commonwealth and private sector meetings, including the inaugural Australia-United States Cyber Security Dialogue to discuss ways to collaborate on better security outcomes.