Requirements for Protecting the Endpoint in Australia: Understanding the Law

By: Arieanna Schweber | 4/6/2016

Safeguarding endpoint devices poses enormous challenges for organizations: the volume and variety of devices in use by employees, the lack of control over end-user behaviour, and the growing number of risks introduced on the endpoint. Not only is the endpoint contributing to a growing attack surface, but regular daily activities on endpoint devices are putting data at risk in a variety of ways.

In recognition of the growing threat the endpoint poses to data security, many laws and security standards are being revised to include requirements for endpoint security. We recently put together a whitepaper that examines Australia’s endpoint security posture, looking at the requirements under Australian privacy law for data protections on the endpoint and the penalties for non-compliance. With Australian organizations rating themselves as lagging in mobility business strategies, particularly in mitigating mistakes by employees, these requirements place a great deal of pressure on Australian organizations to step up in mitigating the risks of the endpoint.

Australia’s Privacy Act regulates the handling of personal information about individuals. The March 2014 revision of the Privacy Act introduced 13 Australian Privacy Principles (APPs) to regulate the handling of personal information, together with stronger powers to enforce penalties against non-compliant organizations. In particular, APP 11 (Security of Personal Information) requires that organizations “take such steps as are reasonable in the circumstances to protect the information: (a) from misuse, interference and loss; and (b) from unauthorized access, modification or disclosure.”

As with many laws and frameworks, the exact “reasonable steps” are left vague, because they depend on the circumstances of each organization (size, resources and business model), the amount and sensitivity of the information held, and the specific risks identified during ongoing risk assessments. The Guide to Securing Personal Information lists the steps and strategies for securing information, which include reviews of governance, culture and training; internal practices, procedures and systems; ICT security; access security; third-party providers and cloud use; data breaches; physical security; destruction and de-identification; and standards. In our own whitepaper, we lay out the specific requirements pertaining to endpoint security, which include standards on the policies and measures to prevent loss, damage or theft of devices, as well as measures to manage the risks of using these devices.

Persistence technology by Absolute helps organizations meet the key requirements pertaining to endpoint security that derive from the updated Privacy Act and its associated guidance. We help mitigate the risk of a data breach from missing devices, and help organizations implement risk management and governance strategies for the use of devices, including automated alerts if changes occur on a device (such as anomalous device behaviour, disabled encryption or an SCCM malfunction).

To learn more, download our whitepaper, Complying with Australian Privacy Law: Protecting Privacy with Endpoint Security.
