PDF Operating Responsibly and Transparently - Qantas There is ongoing investment to improve the resources, processes and technology that will support the Group to effectively address the volumes of personal information that we manage, and to meet both intensifying regulatory requirements and individuals' rising expectations regarding fair, ethical and responsible data use. Additionally, the OAIC noted that the notice is labelled 'important information', which does not indicate what the notice is, or its purpose. Cyber fraud techniques evolve into confidence trick arms race. Australia's largest domestic and international airline, Qantas, needed a holistic security solution that would not only protect remote workers, but also support its secure access service edge (SASE) initiative. However, based on practices at the time of the assessment, there is a medium risk that privacy issues from the various business units will not be communicated effectively through the existing channels. These include the Qantas privacy statement (APP 1 privacy policy) and risk management policies, which are discussed separately later in this report. Defines Victoria University's high-level information security requirements based on the ISO 27001:2013 standard, NIST Cybersecurity Framework and other industry best practices, enabling the University to minimize information security risk and efficiently respond to incidents. We've overcome many obstacles in our long history and this is because we've quickly responded to changing environments and worked hard to produce the right outcome, helped by the resilience of our people and their commitment to the national carrier. 4.55 If the project uses or is likely to use personal information, QFF Legal will also consult with the project owner and any relevant staff. There are fewer than ten users with administrative access privileges, and these accounts are also logged, as are any data changes in the data warehouse.
When a member's accumulated Status Credits reach a designated level, their membership tier level increases (for example from Silver to Gold) and they can receive additional membership benefits, including earning higher rates of Qantas Points. Whether travelling for business or leisure, we understand that every group has unique travel needs; and that's why we offer a range of benefits available exclusively to group travellers to help make your customers' journey a seamless one. Qantas in late 2016 began the hunt for a CISO to oversee four Sydney-based reporting teams, leading security strategy across cyber strategy, cyber risk and resilience, security architecture and security operations. In order to provide greater transparency for customers, the OAIC suggests that the policy clearly identify this information as 'sensitive information'. All activity is fully logged and audited. fieldwork, which included interviewing key members of staff and reviewing further documentation, at the QFF offices in Mascot on 25 May and 1 June 2017. Security impact assessments explain and compare the value of the project in conjunction with any associated security risks, including privacy risks. 4.78 As stated above, QFF holds all personal information in data warehouses, with highly restricted access. These risk management processes allow an entity to identify, assess, treat and monitor privacy risks related to its activities. We are continually working to expand employee awareness of evolving data security risks, including through no-notice simulations and structured training. Qantas will operate Airbus A350-1000s flights from Australia to other international cities. The most important thing is clarity. This commitment to security extends to our executives.
Manager, Qantas Group Cyber Security Centre @ Qantas Manager of Cyber Security Operations and Services @ Qantas Director of Security Services @ Accesshq Principal Security Consultant - Wealth @ Anz Principal Security Consultant @ Redcore Pty LTD Executive Manager and General Manager, Es Service Security @ Commonwealth Bank Head of Security Assurance Services @ Westpac However, the OAIC suggests that QFF continues to regularly review its use of personal information in its marketing and data analytics activities to ensure its processes and policies remain effective and appropriate. In addition, QFF's information security controls should continue to be regularly reviewed and revisited in order to meet constantly evolving ICT risks related to personal information. The DISO may also determine that a more comprehensive security review or a formal PIA is needed. provide and operate competitions, promotions and events, distribute newsletters and other communications either directly or through a third party, facilitate participation in Qantas and program partner loyalty programs, conduct marketing activities for Qantas or third party products and services (the collection notice states that this is one of the primary purposes of QFF), conduct market and other research to improve Qantas products, services and marketing activities. The Head of Human Resources is required to sign-off on the completion of all required training in a report to the QFF CEO. Cybersecurity 'gaps' exposed by hacks, paper says - as it happened 4.57 New projects may also be subject to meetings known as 'shark tanks'. Cyber risk ratings influence business activity from the loading dock to the board room. Underpinning the policies and procedures should be strong leadership from senior management, with governance arrangements that support effective privacy practices. Qantas Group's policies and business practices over the next 12 months.
Staff are encouraged to clarify the member's exact needs before proceeding with an access request. Remote access is restricted to a needs-only basis. Qantas suffered a 30 percent turnover in its technology personnel as the airline battles staff loss, in the wake of repeated Covid-19 lockdowns. Qantas Legal developed this privacy training. Further detail on this approach is provided in Chapter 7 of the OAIC's Guide to privacy regulatory action. Where privacy complaints are received outside of this process (including by phone or by mail), a file/record is created in the complaints handling system. Section 1 - Summary. Qantas Group declared at its recent investor day that it had made a significant investment in cyber security systems and capability. The Qantas Domestic, Qantas International, and Jetstar Group segments offer passenger flying, air cargo, and express freight services. Privacy complaints and compliance issues are handled by the corporate liaison team, who receive regular privacy training. 4.81 Program partners are tested for security, IT, and compliance requirements before QFF will agree to a partnership. Safety | Qantas US Renewed security awareness training for all employees and contractors, Renewed freight security training for all freight employees and contractors, Enhancing the relationship between the Group and Australian Federal Police (AFP) Air Security Officers, Collaborating with overseas regulators and airport authorities to enable the resumption of international operations, Participating in the government's review of the Australian security regulatory framework. Assessment undertaken: May–June 2017 Draft report issued: 9/10/2018 Final report issued: 30/6/2019. The GCSC also monitors, reviews and enhances the compliance of all cyber risk management systems, policies and procedures, protocols and controls with all relevant laws and regulations.
4.49 QFF liaises with internal and Group staff, external stakeholders and regulators (such as the OAIC) as needed throughout the process. strong corporate governance transparency in reporting. January 24, 2017 by AJ Kumar Security policy Security policy is the statement of responsible decision makers about the protection mechanism of a company's crucial physical and information assets. [1] These programs reward individuals for their purchases and engagement via points, credit and other benefits. Project managers are reminded periodically to undertake SIAs for all new initiatives. Our governance | Qantas AU 3.1 QFF was established in 1987, and had over 11.4 million members in June 2016. November 3, 2021. Qantas has ordered 20 Airbus A321XLRs and 20 A220-300s narrow jets. Frequent fliers warned on data breach | Information Age | ACS clear knowledge of information assets held and a range of ICT security measures in place to safeguard these. Risk assessments are conducted on relevant third party suppliers and we work with them to address any material risks identified. The Cyber Cooperation Program and Singapore's Ministry of Transport has partnered with the Association of Asia-Pacific Airlines, Qantas Group and EY to support the Aviation Cyber Resilience Project, a series of workshops aimed at building cyber capacity in the aviation industry throughout the Asia-Pacific. Australian businesses of any size may need to comply if they have an establishment in the EU, if they offer goods and services in the EU, or if they monitor the behaviour of individuals in the EU. The Group Policies apply to Qantas Group entities and employees in line with the Group's Corporate Governance Framework.
contact details (postal address, mobile number and email address), APP 1.2 implementing practices, procedures and systems, ensure that the entity complies with the APPs; and. This is an internal control or risk management issue, the solution to which may lead to improvement in the quality and/or efficiency of the entity or process being assessed. highlights the QFF/Woolworths relationship. The DISO assesses the security implications of the project and considers mitigation strategies for cyber security risks. 4.66 As a part of Qantas' financial and corporate governance reporting requirements, the Group Audit Team regularly checks the QFF training logs, which are managed by the Qantas Human Resources Department. 4.18 Good privacy management requires the development and implementation of robust and effective internal policies, practices, procedures and systems that ensure the handling of personal information is in line with QFF's privacy obligations. 4.47 QFF maintains a cyber incident register, which includes data breaches and online fraud. For many enterprise organizations, administering risk assessments is the first step in building an effective cyber threat management system. If so, it was expected that a nominated senior member of Legal would serve this role. Qantas Airways Limited ABN 16 009 661 901. Specifically, the assessment examined whether: 6.4 Where the OAIC identified privacy risks and considered those risks to be high or medium risks, according to OAIC guidance, the OAIC made recommendations to QFF about how to address those risks. 5.4 The OAIC recommends that QFF continues to build the profile of privacy across the Group by: 5.5 QFF will continue to support the expanded reach, effectiveness and reporting of the Qantas Group's new, dedicated Data Privacy team through the introduction of a network of privacy champions across all Group business units.