[LINK] [PRIVACY] Re: Super fund security breach lands good Samaritan in hot water

Roger Clarke Roger.Clarke at xamax.com.au
Thu Oct 20 20:44:08 AEDT 2011

At 18:30 +1100 20/10/11, Jan Whitaker wrote:
>Super bad: First State set police on man who showed them how 770,000
accounts could be ripped off
>Claims First State Super flaw ignored for 'years'
>Asher Moses
>October 20, 2011 - 12:09PM

It's great stuff.  Security people indulge in theatre all the time. 
They have to allow other people to play the melodrama game too.

But here's the key messages about regulation:

>The superannuation industry is regulated by the Australian 
>Prudential Regulation Authority.  ... APRA's oversight of the 
>industry extends to ensuring firms adequately manage IT risks.

>[1] A spokesman for APRA said he could not comment on the matter 
>because ''a secrecy provision in the APRA Act prevents us from'' 
>commenting on the institutions that it regulates.

Not 'name and shame', but 'smother the bother'.

>[2] A ''prudential practice guide'' on the management of security 
>risk in information technology by superannuation firms (PDF) is 
>published on APRA's website.
>''Controls, commensurate with the sensitivity and criticality of the 
>data/information involved, would normally be implemented where 
>sensitive data/information is at risk of leakage,'' the guidelines 
>around access controls state.

Not requirements, not standards, not commitments, not anything really.

The same old public servant waffle that pervades the Privacy Act and 
every other piece of pseudo-regulatory instrument in the country.

Roger Clarke                                 http://www.rogerclarke.com/
Xamax Consultancy Pty Ltd      78 Sidaway St, Chapman ACT 2611 AUSTRALIA
                    Tel: +61 2 6288 1472, and 6288 6916
mailto:Roger.Clarke at xamax.com.au                http://www.xamax.com.au/

Visiting Professor in the Cyberspace Law & Policy Centre      Uni of NSW
Visiting Professor in Computer Science    Australian National University

More information about the Link mailing list