Information security is all about protecting important information, both in electronic and paper form, from unauthorised disclosure, modification and loss. This may include your customers’ personal information, employee information, business contracts, marketing strategies, credit card details, etc. We advise organisations on how to implement appropriate and cost-effective solutions to keep their valuable information secure.
The rapid growth of information technology and the Internet has afforded organisations huge increases in efficiency, but has also made information much easier to copy, modify or delete. Organisations are increasingly reliant on information to achieve their objectives. As such, they must ensure that their information remains accurate and confidential, and is available when needed.
An information security strategy will help you to identify the most important information within your organisation and the main risks to that information. This understanding will allow you to focus on the high risk areas and allocate resources where they will provide the most benefit.
Demonstrating effective management of information security can also provide reassurance to clients that they can trust you to keep their information secure.
To find out more, download our free whitepaper on the business case for information security.
No. Information security should encompass all forms of information, including paper documents. Most organisations have at least some reliance on paper documentation, so it’s important to consider the risks associated with this information too.
ISO, the International Organization for Standardization, is the world’s largest developer and publisher of International Standards. It is a network of the national standards institutes from 160 countries, with a Central Secretariat in Geneva, Switzerland, that coordinates the system. So far it has developed over 18,500 International Standards on a variety of subjects.
The standards are designed to facilitate trade, spread knowledge, and share technological advances and good management practices. ISO standards avoid having to reinvent the wheel. They distil the latest in expert knowledge and make it available to all.
Being certified to ISO standards shows that an organisation has reached an international standard of best practice in that particular field. This levels the playing field and allows for transparency when comparing organisations’ capabilities.
To find out more, call us in Melbourne today on 1300 977 774.
Privacy and Data Protection Act 2014
On the 12th of June 2014 new legislation was introduced into Parliament to strengthen the protection of individuals’ private information held by the Victorian public sector. The legislation was passed on the 19th of August 2014 and received Royal Assent on the 2nd of September 2014.
The Act merges the existing roles of Privacy Commissioner and the Commissioner for Law Enforcement Data Security (CLEDS) to create a single Commissioner for Privacy and Data Protection with responsibility for the oversight of the privacy and data protection regime in Victoria.
The key protective data security provisions in the Act concern development, by the new Commissioner for Privacy and Data Protection, of a Victorian Protective Data Security Framework (VPDSF) and Victorian Protective Data Security Standards (VPDSS). The Commissioner will also develop guidelines to assist Government agencies to develop security plans and help ensure changes to current processes are implemented smoothly.
A presentation recently released by the Office of the Victorian Privacy Commissioner indicates that the standards will reflect contemporary Australian and international security standards, such as the Commonwealth Government PSPF and the ISO 27000 range, but will be tailored to meet the needs of Victorian Government public sector organisations. The standards will promote a risk-based approach to support the practical implementation of security controls in a proportionate manner that supports (and does not inhibit) government business.
The Act states that, following the issue of the standards by the Commissioner, applicable Victorian public sector agencies and bodies must ensure that:
- a security risk profile assessment is undertaken; and
- a protective data security plan is developed that addresses the standards applicable to that agency or body; and
- the plan is reviewed if an agency’s circumstances change, or otherwise every two years.
How we can help
Contact us to find out how this new legislation could affect your agency.
We can help you conduct a security risk profile assessment and develop data security plans tailored to your agency’s unique requirements.
Blueprint Information Security is registered on the Victorian Government Ariba eServices Register.
Australian service providers are often asked to provide their clients with third party assurance of their information security. These requests may mention ISO 27001 certification or, usually if the client is US-based, SAS 70 or SOC reports. ISO 27001 is well recognised as the international standard for managing information security, but what are SAS 70 and SOC?
SAS 70 no longer exists as a current standard. It was replaced by SOC 1 in 2011. So if an organisation is asking for a SAS 70 report, what it should really be referring to is a SOC 1 report.
SOC 1, 2 and 3 are audit reports awarded to service providers demonstrating a defined level of security controls. SOC 1, 2 and 3 do not provide certification to any international standard. They are audits developed by the American Institute of Certified Public Accountants (AICPA) primarily to meet the needs of American companies. They have not been through the rigorous international review process common to international standards, and as such may disregard regional issues that tend not to exist in America. SOC 1, 2 and 3 audits can only be conducted by a Certified Public Accountant (CPA) registered with the American Institute of Certified Public Accountants.
There is an international equivalent to SOC 1 that may be more appropriate for Australian organisations. It is called ISAE 3402 and was developed by the International Federation of Accountants (IFAC). The SOC 1 assessment was actually developed from this standard, but differs from it slightly. However, the ISAE 3402 standard is not well known in the security industry, so many international organisations choose ISO 27001 certification instead.
SOC 1 is an audit report on controls related to the protection of financial statements. This report is only likely to be relevant to those service providers that offer financial reporting services. SOC 1 audits are performed against an American standard called SSAE 16.
SOC 2 is an audit report on controls related to one or more of the following areas: security, availability, processing integrity, confidentiality and privacy. The scope of the report varies depending on which of these attributes the service provider decides to include. SOC 2 audits are performed against American standards known as the Trust Services and AT 101.
SOC 1 and SOC 2 reports can be either Type 1 or Type 2. A Type 1 report is restricted to an assessment of how the security controls are designed. It does not include an assessment of how effectively the controls are operating. A Type 2 report includes an assessment of the design and operating effectiveness of the security controls.
SOC 2 reports are generally not provided to service providers’ clients because they may contain sensitive information about security controls. Instead, a service provider can obtain a higher-level compliance report called SOC 3, which does not contain sensitive information. The assessment for SOC 2 and SOC 3 is the same, but the report is different. The SOC 3 report can be provided to clients to demonstrate compliance without disclosing any sensitive information. SOC 3 reports must be performed as a Type 2 assessment.
More information on SOC 1, 2 and 3 reports can be found here:
To find out more, call an expert consultant in Melbourne today on 1300 977 774.