4.54 All new projects require a security impact assessment (SIA), and staff have access to the relevant form on the Qantas Intranet. Legal also provides more tailored face-to-face privacy training to various QFF units on an ad hoc basis. QFF and the Qantas Group work to produce a co-ordinated response. However, they are only provided with de-identified data, and strong contractual protections are put in place against re-identification or use of data other than as stipulated. [8] It is the responsibility of individual business units within Qantas to keep abreast of the legislative requirements that relate to their core business functions. Group Finance Policy; 7. 5.1 The OAIC recommends that QFF develops and implements a Privacy Management Plan that sets out specific goals and objectives for its privacy management with consideration of the specific issues that apply to its operations. Group Business Resilience enables the Qantas Group to take a holistic and coordinated approach to crisis management, contingency planning and business continuity. When you're managing the travel needs of multiple people, we understand the size of the group can often change. 4.31 Compliance with APP 1.2 is fundamentally about good privacy governance. Privacy complaints and compliance issues are handled by the corporate liaison team, who receive regular privacy training. Marketing campaigns are sent to different member lists. Enjoy a choice of fares to match your customers' budget in Economy, Premium Economy, Business and First; with flexible conditions unique to group travel. Cyber Security Policy; 5. 
When we receive your email, we send an automatic email acknowledgment. By Darren Argyle, Group Chief Information Security Officer, Qantas Cybersecurity is moving from having purely technical relevance to increasingly societal relevance, affecting the way we live our lives and honour our obligations. Qantas plans to improve fuel efficiency by 1.5% annually and to reduce water consumption by 20% and electricity by 35% by 2020. In addition, Jetstar's head of cyber security Yvette Lejins started a broader Group role at Qantas this month as the head of 'cyber business protect', which covers the Jetstar Group, Qantas . 4.13 Qantas has target timeframes for response due dates, including for privacy complaints. Qantas Airways Limited ABN 16 009 661 901. Both QFF Legal and the CIO have veto power over any and all projects. We've overcome many obstacles in our long history and this is because we've quickly responded to changing environments and worked hard to produce the right outcome, helped by the resilience of our people and their commitment to the national carrier. 4.70 The OAIC considers QFF to have an adequate and effective privacy training regime and suggests that it regularly reviews its training to ensure that it remains effective and appropriate. The visibility gained from these assessments provides insight that helps guide high-level cybersecurity decisions, making them a valuable asset for organizations of all sizes. Past crises are often used in staff training. The GMC reports to the Board. We acknowledge the traditional custodians of Australia and their continuing connection to land, sea and community. It is the responsibility of New York State Office of Information Technology Services (ITS) to provide centralized IT services to the State and its governmental entities with the awareness that our citizens are reliant on those services. 
Remote access is restricted to a needs-only basis. Risk Management Policy; 9. Likely adverse regulatory impact, such as Commissioner Initiated Investigation (CII), enforceable undertakings, material fines, Likely ministerial involvement or censure (for agencies), Possible breach of relevant legislative obligations (for example, APP, TFN, Credit) or meets some (but not all) requirements of a specific obligation, Possible adverse or negative impact upon the handling of individuals' personal information, Possible violation of entity policies or procedures. 6.7 The OAIC conducted a risk-based assessment of QFF and focused on identifying privacy risks to the effective handling of personal information in accordance with privacy legislation. [3] See Qantas Annual Report 2016 at Annual Reports. Cyber security risk is, at the practical level, the responsibility of the QFF DISO. 4.22 QFF staff have a good awareness of privacy issues. 4.56 The findings of a SIA may determine whether or not a new project will go ahead. The OAIC recommended that QFF: 2.1 Loyalty programs are popular with consumers and businesses alike, with one Australian consumer research study reporting that 87 percent of Australians aged 18 and older were members of a loyalty program in 2017. 5.4 The OAIC recommends that QFF continues to build the profile of privacy across the Group by: 5.5 QFF will continue to support the expanded reach, effectiveness and reporting of the Qantas Group's new, dedicated Data Privacy team through the introduction of a network of privacy champions across all Group business units. This notice is located at the bottom of the QFF online registration form, just before members are asked to accept the terms and conditions and provide payment information. The Group is committed to raising awareness of our privacy compliance obligations and to manage our privacy risk by implementing a culture that considers privacy by design as a default position when handling personal information. 
Whether travelling for business or leisure, we understand that every group has unique travel needs; and that's why we offer a range of benefits available exclusively to group travellers to help make your customers' journey a seamless one. The policy is dated to reflect when it was last reviewed. 4.53 Formal PIAs are generally only undertaken for major projects. To report security or privacy issues affecting The Emirates Group products or web servers, you can contact security@emirates.com. It operates through five segments: Qantas Domestic, Qantas International, Jetstar Group, Qantas Loyalty, and Corporate. (Rob Finlayson) The Qantas Group has updated its flight cancellation policy, as it gears up for The Qantas Group is constantly improving its cyber capabilities as part of its overall data and privacy protection. 4.33 A network of privacy champions across business units within the Qantas Group, including a dedicated QFF privacy champion, would help to identify and communicate privacy risks, as well as good privacy practices, across the Group. 4.23 QFF Legal has primary responsibility for advising QFF on privacy compliance matters. QANTAS ANNUAL REVIEW 2017 18 Cyber Security The Qantas Group is constantly improving its cyber and data privacy capabilities. 4.93 QFF uses the Qantas Group-wide privacy policy, also referred to as the Group privacy statement. The time taken to resolve complaints depends on their complexity. The team selecting those aircraft has made sure we consider safety in our preparations; thinking about technology available to improve information pilots receive, to improve data the aircraft measures, aircraft performance, and to ensure that people using the aircraft (cabin crew stowing luggage, or ground crew loading bags) have a safer experience. Contract Engagement, Review and Execution Policy; 4. Qantas Frequent Flyer uses targeted marketing communications (primarily by email) to promote products and offers which may be of interest to members. 
Incident notifications may come from a variety of channels. However, it is a difficult decision for Australia-based Qantas Group is set to order 12 Airbus A350-1000 planes and 40 narrowbody jets to improve services for passengers. Where privacy complaints are received outside of this process (including by phone or by mail), a file/record is created in the complaints handling system. The aviation industry continues to face complex threats from individuals and organisations globally. Additionally, the DISO sends a monthly cyber update email to QFF staff to reiterate the importance of good privacy practices and current threats. The OAIC also suggests, due to the varied and complex nature of such assessments, that QFF regularly revisit and re-evaluate their privacy assessment mechanisms. The company's policy is in the consultation stage, and no direction yet has been made. 4.17 The OAIC noted that one of the documents contained outdated references to the NPPs that was based on an older OAIC document that was updated in 2014. (1) This Policy: Defines Victoria University's high-level information security requirements based on the ISO 27001:2013 standard, NIST Cybersecurity Framework and other industry best practices, enabling the University to minimize information security risk and efficiently respond to incidents. A data breach will trigger a crisis response, the extent of which depends on the nature and severity of the breach. ICT protections, such as firewalls for segregated zones, malware detection software, whitelisting, application patching, encryption of data in transit and regular penetration testing. Here's why. Qantas EpiQure,[5] Qantas Money, etc). Protection from these attacks and the We ensure the safety and welfare of our people, the protection of our reputation and the maintenance of critical services. 
This role reports into the Head of Group Cyber Security Centre (GCSC), providing a group-wide service of cyber security operational incident response, containment and support. 3.1 QFF was established in 1987, and had over 11.4 million members in June 2016. The main factor in the cost variance was cybersecurity policies and how well they were implemented. The safety and wellbeing of our customers and people is our highest priority. Read about our approach to risk management. The OAIC also notes that Qantas Group intends to create a network of privacy champions, co-ordinated through the Group Privacy Officer. Members are required to undergo a telephone identity check and staff follow a security procedure and checklist to guide them through the process. the policies and procedures of QFF were reasonable in the circumstances to ensure that personal information is managed in an open and transparent manner (APP 1). The Qantas Group's FY21 performance for Total Recordable Injury Frequency Rate and Lost Work Case Frequency Rate both improved compared to the prior year. 4.7 A Qantas Group policy registry is kept by the Company Secretariat for all Qantas Group policies. 4.16 The OAIC noted a strong awareness of privacy and information security issues through its review of relevant QFF policy and procedure documents and interviews with staff. All relevant materials have been updated and the Qantas Group continues to manage both the data privacy and data security risks in a coordinated way. The cyber safety of Qantas Frequent Flyers is a priority for us. Code of Conduct and Ethics; 2. Business Resilience Policy; 3. These emails are provided on an opt-out basis, so members can change or cancel the different types of marketing materials that they receive from QFF. 
4.47 QFF maintains a cyber incident register, which includes data breaches and online fraud. Complex privacy queries and requests are also referred to Group Legal in the same manner as complaints. Qantas and its related bodies corporate are referred to as Qantas Group in this report. As the Security Technology Controller, you will be accountable for day-to-day operational activities across the physical security team including access, surveillance and alarm monitoring services with a focus on Qantas Group ASIC program compliance. Like many large organisations, we operate in an environment of ever-evolving cyber threat, where external attackers are always adopting new and more sophisticated techniques. The Group Policies apply to Qantas Group entities and employees in line with the Group's Corporate Governance Framework. Section 1 - Summary. This means that the policy may be too complex for some readers, who are younger or who have a lower literacy level, to understand, and this could affect some QFF members. This includes the development and implementation of a privacy management plan (PMP). All projects require sign-off by Legal and staff are encouraged to approach them early in the process. develops and implements a privacy management plan that considers privacy goals and targets, and how to meet them. 4.10 Whilst all QFF personal information is stored in Australia, QFF uses several offshore customer service centres. Australia's largest domestic and international airline, Qantas, needed a holistic security solution that would not only protect remote workers, but also support its secure access service edge (SASE) initiative. "For Qantas, doing business responsibly isn't just the right thing to do, it's also the smart thing to do." The three principles that guide us are: operating with integrity (through our safety, people, community and environment strategies). 
TPG Telecom announced on Tuesday it has picked up a five-year deal to handle fixed and mobile voice services for Qantas. 4.18 Good privacy management requires the development and implementation of robust and effective internal policies, practices, procedures and systems that ensure the handling of personal information is in line with QFF's privacy obligations. The Prime Minister's $230 million Cyber Security Strategy The Australian Crime Commission estimates the annual cost of cyber crime to His appointment as Qantas group CISO was part of a significant revamp of the cyber security function at the airline. 4.64 Privacy training is compulsory for all staff with access to personal information, which includes Qantas call-centre staff, reservations staff and the entirety of QFF. QFF advised that this trial was being expanded and QFF would eventually roll out multi-factor authentication to all members. 4.63 Staff are required to undertake a thirty-minute online privacy training course, which summarises the law and includes a series of randomly generated test questions. Safe growth: The Qantas Group has announced orders for a range of new aircraft. There are multiple safeguards to prevent and detect this activity and on several occasions over the years we have worked closely with law enforcement to apprehend those involved. 4.46 The QFF cyber security incident response plan is updated at least annually. This involves the project owners explaining to an executive panel, including the Group CEO and CFO, the risks of the project, including privacy and data risks, and justifying the need to accept those risks, as well as presenting mitigation strategies. Over the past year, the return of domestic and international travel as borders reopened required a similar program of work to return our aircraft to the skies, including a focus on training for crew and support employees. 
QFF also has contractual rights to audit the third party and the QFF information they hold throughout the course of the relationship. 6.6 For more information about privacy risk ratings, refer to the OAIC's Risk based assessments privacy risk guidance in Appendix A. 1.1 This report outlines the findings of an assessment of the Qantas Frequent Flyer (QFF) program undertaken by the Office of the Australian Information Commissioner (OAIC). We are continually working to expand employee awareness of evolving data security risks, including through no-notice simulations and structured training. The Head of Human Resources is required to sign-off on the completion of all required training in a report to the QFF CEO. 4.88 Additionally, given the amount of personal information that QFF handles and the extent of its use in marketing and data analytics projects (whether in identified or de-identified forms), the OAIC also suggests that QFF continue to monitor and assess the risks of these projects as they progress, including any risk surrounding re-identification or the creation of new data sets. A select team within QFF have sole access to QFF member information (e.g. I have a proven track record of leadership and performance in a range of strategic cyber security, risk, compliance and finance roles while working in the UK, Canada, India and Australia. At the time, the airline said its new cyber security chief would identify and lead programs to "monitor the emergence of new threats and vulnerabilities, assess business impacts, and drive rapid responses to cyber security events." Our company cyber security policy outlines our guidelines and provisions for preserving the security of our data and technology infrastructure. 
For example, the QFF cyber security strategy includes a breakdown of cyber risk, which utilises the QRAG to assess cyber risks and consider their mitigation strategies. As an airline, safety is core to all that we do. Australian businesses of any size may need to comply if they have an establishment in the EU, if they offer goods and services in the EU, or if they monitor the behaviour of individuals in the EU. Your use of these systems may be monitored and investigated to ensure compliance with the law and Qantas Policies. 4.15 The majority of corrections to personal information are completed by members themselves using the self-service facilities online; however, corrections may also be processed by telephone via an interactive voice system (where the member keys in their PIN) or manually via the QFF Service Centre (QFFSC) staff. This is an internal control or risk management issue that may lead to the following effects, Low risk Entity could, as a lower priority than for high and medium risks, take steps to better address compliance with requirements of Privacy legislation. All activity is fully logged and audited. Access to QFF data requires specific authorisation. The Qantas Group's FY21 performance for Total Recordable Injury Frequency Rate improved compared to the prior year, while our Lost Work Case Frequency Rate was slightly higher. As part of the membership to the program, the entity operating the loyalty program can collect data about members and their purchasing activities. If a privacy complaint must be escalated, the corporate liaison manager reports the complaint to the Customer Care Manager who then reports it to Group Legal. Cyberspace and its underlying infrastructure are vulnerable to a wide range of risks stemming from both physical and cyber threats and hazards. Was lucky enough to work for the Qantas Group for almost 5 years. The Qantas Loyalty segment specializes in customer loyalty recognition programs. 
"With great support from agencies, we have achieved a lot in a short space of time to make sure that we are addressing the increasing risks to our systems and information," Milosavljevic wrote in a blog entry published in December. She said that those achievements included establishing Cyber Security Senior Officers Group, writing a new Cyber Security Qantas is on firmer ground, having determined the majority of employees support its move. 4.73 The OAIC particularly welcomes the use of multi-factor authentication and encourages QFF to continue its expansion. These recommendations are set out in Part 5 of this report. 4.100 The OAIC reviewed QFF's online notice relating to the collection of information from individuals against the requirements of APP 5 in order to ensure its compliance. clear knowledge of information assets held and a range of ICT security measures in place to safeguard these. 4.99 APP 5 requires APP entities that collect personal information about an individual to take reasonable steps either to notify the individual of certain matters (listed in APP 5.2) or to ensure the individual is aware of those matters. We take active, quality measures to help you keep safe online and we also encourage our members to do what's possible to protect their account and personal information. 3.4 Registration involves collecting a variety of personal information from individuals, including: 3.5 Following registration, members receive a membership number, confirmation email, and a membership pack including a QFF card. QFF requires two-factor authentication for making changes to member accounts. The legal team confirms any material advice given as part of these hallway discussions via email. These are the Qantas Group Policies: 1. 
5.6 Prior to the OAIC assessment in May/June 2017, the Qantas Group was already expanding its cyber security governance processes and materials to include increased focus on privacy. Security impact assessments explain and compare the value of the project in conjunction with any associated security risks, including privacy risks. The OAIC was informed that all new marketing and data analytics projects are subject to a robust in-house vetting process that involves an assessment of both cyber security and privacy risks. Immigration, customs, border security and other regulatory authorities; Other companies within Qantas and companies in the Jetstar Group; and; Your share broker when you purchase shares in Qantas Airways Limited. While membership of the GCSC includes representatives from Legal/Privacy, and a reference to the Privacy Commissioner, the objectives and responsibilities of the Committee outlined in the charter document focus on cyber risks and do not specifically call out privacy issues. Darren Argyle (CISM, CISSP) is an accomplished executive with close to 20 years international cyber risk and security experience. 4.8 Policies are also reviewed when major legislative changes occur, such as the significant amendments to the Privacy Act that commenced in 2014. This commitment to security extends to our executives. 4.51 The Qantas crisis management plan and its various supporting documents serve as a data breach response plan. Our Wellbeing program is designed to foster an environment that supports, enables and motivates our people to live healthier, happier and more productive lives. See the quantity and duration of malware infections, along with other factors that influence the overall assessment of an organization's IP Reputation. 
Due to the investments made in resilience, the capability continues to be strengthened through the successful integration of external stakeholders ensuring the Group continues to possess a sophisticated holistic response and recovery system. Our approach covers three main areas: operational safety, people safety and operational security. Once a SIA is formally underway, its progress is generally informal and collaborative, and may involve the project owner, the DISO, Legal, and any other relevant business units. At the time of the assessment, the staff on the GCSC were raising privacy issues. The Group is keenly aware of the risk posed by trusted insiders: people who seek to use privileged access provided in the context for doing their jobs to facilitate illegal activities, such as transporting illicit substances. collaborative privacy and security risk assessment processes, a culture that promotes privacy awareness, regular mandatory privacy training for all staff that is supported by ongoing privacy awareness initiatives, comprehensive and tested risk management and crisis management processes, including a data breach response process. The observations and information contained in this report reflect the circumstances as at the date of the assessment (June 2017). Our safety, health and security activities are supported by comprehensive governance processes that help us monitor and manage performance and risks. Last month, a group of 24 Qantas workers filed legal action against Qantas in the Federal Court, arguing that the airline's mandatory COVID-19 Across the Qantas Group, we collect, share, use, store and process personal information in accordance with an ever-changing and increasingly complex landscape of both international and domestic laws and regulations. However, the OAIC notes that it is heavily dependent on key staff involved and is not recorded unless it forms part of the SIA or includes written advice from Legal.