Reasonable Security Institute

What is Reasonable Security?


https://www.dhirubhai.net/groups/14136111/


In light of the recent Optus data breach, questions have been raised on whether Optus took reasonable steps to protect its customers' personal and identity information. The OAIC has issued an updated statement (https://www.oaic.gov.au/updates/news-and-media/oaic-updated-statement-on-optus-data-breach) reiterating the privacy protection obligation of the data holder under APP 11:

“... When that information is no longer required, they must take reasonable steps to destroy or de-identify the personal information they hold. Collecting and storing unnecessary information breaches privacy and creates risk ..."

But how should an organisation determine when "information is no longer required"? And who in the organisation is routinely responsible for reviewing when information has passed its use-by date?

Damien Manuel, chairperson of the Australian Information Security Association (AISA), also called for minimisation in data retention:

“... In the past, everybody used to think ‘the more data I have, the better off I am’ because you might get some insights, and even monetise that data in some way or give better customer service ... We should be thinking of the more data you have, the higher your risk. The message should be: only collect the data that you need for the purpose that you need ...”

Please see my analysis in my LinkedIn post here:

But the question remains: what is Reasonable?

Reasonableness is defined by community consensus

I am pleased to announce the formation of the Reasonable Security Institute (https://www.dhirubhai.net/groups/14136111/) with fellow foundation members: Branko Ninkovic, EJ WISE, Dr Fabian Horton and Josh Lyon. The Institute is a community of communities where participation is on an individual basis. The Institute does not represent, and is not beholden to, any particular institution or standard. It is a safe, non-judgmental place to exchange ideas on the notion of Reasonable Security. It is NOT a platform for developing standards or endorsing any particular point of view. It is free for anyone to join the Institute and share their views. The Institute is an Incorporated Association registered with Fair Trading NSW (INC22000921). The principles of the Institute are:

  1. Reasonableness is defined by community consensus
  2. Community consensus, under the Australian democracy, is tested under the legal system such as the Australian Corporation Law S180
  3. Reasonable Security is where the “Security Capabilities Commensurate with the Threats” (a quote from paragraph 13 under APRA CPS 234)

  4. A standards-based cyber risk quantification (aka Open Group FAIR) is a tool for measuring the Reasonableness of a Security Program given a defined context of Community Expectation

The Institute encourages a diversity of views and practises inclusivity. It is a town square for exchanging ideas and encouraging discussion to shape community consensus. It mirrors the political process in our society, but without the influence of any dominant political parties or philosophies. It aims to draw a line in the sand that reflects the shift in community sentiment. As a recovering IT security auditor, I appreciate the value and importance of keeping a finger on the pulse of community sentiment and not living in the ivory tower of compliance. Compliance is still a necessary safeguard but should not overrule risk management prerogatives.

I look forward to you joining the Reasonable Security Institute.
