Module Application
- Does your organisation understand the legal and regulatory cybersecurity obligations they must comply with?
- Is your organisation required to comply with data risk assessment and management requirements and procedures?
- Does your organisation understand how to navigate and comply with fundamental legislative and compliance requirements that surround the cybersecurity framework in Australia, such as data privacy policies?
Module Scope
The AU CYBERSECURITY module provides information to organisations on how to comply with legal responsibilities when doing the following:
- Asset Management
- Business Environment
- Governance
- Risk Assessment
- Risk Management Strategy
- Supply Chain Risk Management
- Identity Management, Authentication and Access Control
- Awareness and Training
- Data Security
- Information Protection Processes
- Maintenance
- Protective Technologies
- Anomalies and Events
- Security Continuous Monitoring
- Detection Processes
- Response Planning
- Communication
- Mitigation
- Improvement of Response Activities
- Recovery Planning
- Recovery Communications
- Cybersecurity of Critical Infrastructure
Organisations, their employees, and authorised individuals are all expected to be familiar with the broad landscape of legal and regulatory obligations to which they are subject, as well as more specific obligations relevant to the particular sector in which they are operating. The AU CYBERSECURITY module should be subscribed to by every organisation who is involved with digital data. The aim of the module is to equip the subscriber with knowledge of their requirements under Australian cybersecurity laws and the relevant systems and processes that should be implemented to ensure an effective compliance management system within the organisation.
The specific questions and answers covered by the module are:
- How to implement an asset management process to defend the organisation’s data and digital processes from intruders
- How to collect and document a range of data that will serve as inputs to the organisation’s risk management process
- How to incorporate digital security into the organisation’s governance processes
- How to conduct a risk assessment process to determine digital security risks and to identify available responses
- How to establish a risk management strategy to govern the deployment of digital security controls
- How to address and manage cyber supply chain risks by performing risk assessments, designing contract provisions, conducting audits, and creating response and contingency plans
- How to implement authentication processes and security measures to control access to information systems
- How to provide digital security training activities to all personnel to equip them with the required knowledge and skills
- How to implement security measures to protect the confidentiality, integrity and availability of data, digital services and information systems
- How to establish the security policies, procedures and systems that are necessary to protect digital assets and information
- How to establish processes designed to ensure the security of information systems undergoing maintenance or repair
- How to deploy technological security measures and controls designed to protect stored data, network integrity and critical digital services
- How to detect network anomalies, identify the events causing the anomalies, assess the harm caused by anomalous events, and trigger incident response measures when appropriate
- How to monitor information system assets, network traffic and the activities of personnel to detect potential cybersecurity events
- How to implement processes to assist in detecting any potential cybersecurity events
- How to develop and execute effective response planning mechanisms
- How to conduct a thorough analysis of any incidents that occur and implement processes to prevent such incidents from occurring in the future
- How to prevent, mitigate and resolve any incidents that occur, and mitigate or document any new vulnerabilities
- How to ensure that the organisation’s response activities are improved by incorporating lessons from other detection and response activities
- How to ensure that the organisation’s recovery processes and procedures are executed and maintained so that all systems and assets affected by cybersecurity incidents are restored
- How to coordinate the organisation’s restoration activities with internal and external parties
- How to ensure that a related entity for a critical infrastructure asset meets its regulatory obligations in relation to reporting and complying with directions
The AU CYBERSECURITY module covers all an organisation’s obligations for protecting systems and data, including the application of the Privacy Act 1988 (Cth), and demonstrates practical assistance and guidance to ensure that these obligations are complied with through the implementation and maintenance of best practice processes throughout the organisation.
If the organisation fails to take all reasonable steps to secure digital information and systems, then it may result in the organisation becoming liable to compensate individuals and organisations that incur losses as a result of a security breach. Significant penalties can also be imposed if the organisation fails to meet the legislative obligations. Such penalties can include pecuniary penalties, enforcement actions, compliance, and compensation orders. The range of consequences that may be imposed on organisations is discussed in detail in this module.
The AU CYBERSECURITY module covers the role and responsibilities of an organisation. It does not cover the role or actions to be taken by consumers in the event of a breach of regulations or obligations by an organisation.
LexisNexis Regulatory Compliance is a legal obligations register and alerting solution that combines regulatory content with technology to empower you to take control of your compliance obligations.