There is no place for flamboyant, gut-feeling decisions when it comes to information systems security, according to Peter Whythes, acting manager of the Attorney General's department policy and services branch.
Speaking at the Security 2002 conference in Sydney last week, Whythes said IT professionals need to make security part of their organisation's culture, not simply leave responsibility to a few staff.
"A lot of the national information infrastructure is owned and operated by the private sector, and protection of this information, particularly in the telecommunications, banking, finance, energy, transport, defence and utilities industries, is essential," he said.
Citing the recently released OECD guidelines which focus on the responsibility, risk assessment, security design, implementation and security of existing information systems, Whythes said any organisation in contact with Federal Government information must be able to protect it to a Federal Government standard.
Also speaking at the conference Deputy Federal Privacy Commissioner Timothy Pilgrim pointed to the damaging impact of the Telstra 'glitch' in which silent numbers were mistakenly published.
Pilgrim said security also needs to be tight around Web sites, giving the example of an Australian bank's Web site that a hacker attacked, downloading 70,0000 bank account numbers.
"We also looked at a site earlier this year that had 10,000 credit card numbers stolen from its Web site. We investigated and people were arrested and charged. At the end of the day, it may be a rogue employee and the law deals with them. But we investigated at a corporate angle and looked to see if their systems were properly designed and if they had best practice screening on staff and IT systems. If we had found these things were not in place, it would have been the organisation's fault -- a breach [by] the organisation," Pilgrim said.
To prevent such breaches, Pilgrim said organisations need to check all IT systems including databases and human resource systems are secure.
Another security problem on the rise, Pilgrim said, is identity fraud - the misuse of people's bank account numbers and tax file numbers.
He cited biometrics, private key infrastructure (PKI), smart cards, privacy enhancing technology (PET) and privacy intrusive technology (PIT) as protective resources.