More on Disclosure Laws in Australia….
This recent story from Computerworld: Australia’s data privacy landscape called into question, provides a further good insight into proposed data disclosure laws being introduced into Australia.
Yes, as you know, I think this is a good thing. See previous posts.
But, let's not kid ourselves and think a law like this on its own is going to quickly make big changes. It has been stated many times that this law in the US has improved Information Security practices greatly, but how is this being measured? A few major news stories do not mean that better practices have been deployed across the board. All it highlights is that now, when someone is openly compromised, they have to lay the cards on the table.
The biggest problem in this respect that we see is that most companies would not know if they have been compromised. I hate to keep referring to TJX but they are a classic case study. How long had the compromise been going on for before it was detected? From our experience, the problem is far more widespread than most people believe.
Unless any such law is supported by strong supporting laws around Information Security practices and controls, the 3 monkeys approach will remain the leading Information Security practice in existence! i.e., we know nothing, therefore we have nothing to disclose.
In which case, bet your house that even if the law comes into existence, you won't see too many "disclosures". And, based upon that, business will continue to think that the IT Security industry just hypes the risk to make and keep themselves in business.
Standards like PCI DSS drive better Information Security practices but even combined with disclosure laws, still don’t fully get around the 3 monkeys approach. Just throwing it out there, but maybe something along the lines of:
Standard x.x: In the event of a major / critical vulnerability being detected on an Internet facing system, the organisation must undertake an investigation to determine whether the vulnerability has been compromised and to what extent.