A leader in Gartner's Magic Quadrant for security awareness

TECHSERT is the Asia-Pacific specialist in information and cyber security compliance and awareness training for your staff, so your company or organisation can better meet:

  • The expectations of its clients about how it handles their personal information;
  • Its legal and ethical obligations to securely manage data and personal information; and
  • Its own security needs in terms of protecting confidential business information and being able to use its business systems without external interference.

TECHSERT has partnered with Inspired eLearning to make a world-class training package available to governments, corporations and organisations across the Asia-Pacific region. Inspired eLearning is a recognized leader in the industry. In addition to winning numerous awards, they have been recently named an industry leader by the world's foremost information technology research and advisory company - Gartner.

Business systems have undergone a revolution over the last 30 to 40 years thanks to rapid advances in business technology, including computer systems, paperless information storage options, connection to the worldwide web and electronic communication options such as email.

This has created significant efficiencies and new opportunities for most businesses.

However, unless some care is taken, it has also created new opportunities for criminals and others who might want to do your business or organisation harm.

In the last few years cybercrime has been growing at such a rate that it is now an issue all governments, companies or organisations should constantly be monitoring and managing. A workplace culture of cyber security awareness is now as essential as a culture of physical security and safety.

And you and your staff are increasingly being targeted as an entry point into your computer/information technology systems. As technical security gets stronger, your people are being targeted as a way around the firewalls, filters and technical perimeters.

Like your physical front door: you can have the strongest locks or grille doors in the world, but if you or one of your staff is tricked into opening the door or security grille to someone with criminal intent, those locks and grilles are useless.

APEC economies act on privacy and data security

Across the Asia Pacific governments are acting to protect their citizens against:

  • Privacy breaches;
  • Poor public-sector and private-sector security practices, involving their personal information; and
  • The improper use of their personal information.

Companies and organisations in the Asia Pacific are also acting to protect their reputations, intellectual property and their clients from cyber criminals and data breaches.

Effective staff training is a vital part of that process.

Here are three major examples from the region. For more examples from other economies, see the country entries below.

Australia

Introductory training that helps employees become aware of, detect and respond effectively to ICT risks on their workstations and ICT devices, reinforced with regular short updates, is essential for all employees and contractors.

Please note: This is an example only of recent ICT security requirements in this nation. At the time of viewing this specific information might be superseded.

China

The National People's Congress (NPC) revised the Consumer Protection Act on October 25, 2013, and the revision took effect on March 15, 2014 (the "Act"). In response (in part) to the growth of online shopping, business operators now face heavier obligations to protect consumers' personal information, including obligations to (i) inform consumers of the purpose, method and scope of the collection of their personal information and obtain their consent before collection; (ii) publish internal business rules on the collection and use of consumers' personal information; and (iii) take precautions to protect consumers' personal information and not disclose, sell or provide that information to third parties.

Japan

Japan's Act on the Protection of Personal Information expects that:

  • A business operator handling personal information shall take necessary and proper measures for the prevention of leakage, loss, or damage, and for other security control of the personal data.
  • When a business operator handling personal information has an employee or trustee handling personal information, it must exercise appropriate supervision over the employee or trustee to ensure the security and control of the information.

South Korea

Article 29 (Duty of Safeguards)

The personal information processor shall take such technical, managerial and physical measures as internal management plan and preservation of log-on records, etc. necessary to ensure the safety as specified by the Presidential Decree so that personal information may not be lost, stolen, leaked, altered or damaged.

Article 31 (Designation of Privacy Officer)

  1. The personal information processor shall designate the privacy officer who comprehensively takes charge of the personal information processing.
  2. The privacy officer shall carry out the job in the following subparagraphs:
    • To establish and implement the data protection plan
    • To make regular surveys of the actual state and practices of personal information processing, and to improve shortcomings;
    • To treat grievances and remedial compensation in relation to personal information processing;
    • To set up the internal control system to prevent the leak, or abuse and misuse, of personal information;
    • To prepare and implement the data protection education program;
    • To protect, and control and manage the personal information files; and
    • Other functions for the appropriate processing of personal information as stated by the Presidential Decree.

South Korea Personal Information and Security Act, 2014

Hong Kong

Data Protection Principle 4 - security of personal data

All practicable steps shall be taken to ensure that personal data (including data in a form in which access to or processing of the data is not practicable) held by a data user are protected against unauthorized or accidental access, processing, erasure or other use having particular regard to -

  1. the kind of data and the harm that could result if any of those things should occur;
  2. the physical location where the data are stored;
  3. any security measures incorporated (whether by automated means or otherwise) into any equipment in which the data are stored;
  4. any measures taken for ensuring the integrity, prudence and competence of persons having access to the data, and
  5. any measures taken for ensuring the secure transmission of the data.

Data Protection Principles in the Hong Kong Personal Data (Privacy) Ordinance - from the Privacy Commissioner’s perspective (2nd Edition)

Thailand

With such rapid growth in IT availability and usage, an inevitable burden is placed on the organisation's ability to protect and maintain its IT security. This situation requires the organisation to exercise control and management in order to eliminate threats and risks, or, at minimum, reduce them to acceptable levels.

In the context of IT security, threats and risks can be evaluated from several points of view. For example, they can be classified as internal vs. external depending on the source of the threat and risk factors. Internal threats can occur due to a lack of personnel capacity concerning technology administration or improper use, lack of experience, skills and knowledge, individual omission, lack of understanding of the importance of IT security, lack of proper training, lack of clear policy or direction at the organisation level resulting in possible conflicting implementation, or lack of appropriate tools.

External threats, however, occur due to external factors such as attacks from malicious users, natural disasters, failure of service providers, and vulnerabilities in software used in organisations. Although such threats are often beyond local control and difficult to foresee, they can be mitigated through proper risk management strategies.

In order to manage such threats and risks effectively, an organisation can apply the international standard ISO/IEC 27002, which consists of 11 domains:

(1) Security Policy
(2) Organisation of Information Security
(3) Asset Management
(4) Human Resource Security
(5) Physical and Environmental Security
(6) Communications and Operations Management
(7) Access Control
(8) Information System Acquisition, Development and Maintenance
(9) Information Security Incident Management
(10) Business Continuity Management
(11) Compliance

Thailand Computer Emergency Response Team (ThaiCERT), 2012 annual report.

Vietnam

Article 21

Collection, processing and use of personal information in the network environment

  1. Organisations and individuals that collect, process and use personal information of other people have the following responsibilities:
    c. To take necessary managerial and technical measures to ensure that personal information shall not be lost, stolen, disclosed, modified or destroyed.

Article 42

Policies on development of information technology human resources

  1. The State shall adopt policies to expand the scale and raise the quality of training of information technology human resources.
  2. The State's priority and key programs and projects on information technology application and development must have contents on training of information technology human resources.

Article 60

Protection of information infrastructure

  1. Organisations and individuals shall guarantee the safety of the information infrastructure under their management; submit to the management, inspection and examination by competent state agencies and meet those agencies' requirements on ensuring information infrastructure safety and information security.

Article 72

Assurance of information safety and confidentiality

  1. Organisations' and individuals' lawful personal information which is exchanged, transmitted or stored in the network environment shall be kept confidential in accordance with law.

Vietnam Ministry of Justice, Law on information technology (No. 67/2006/QH11)

Taiwan

Article 5

The rights and interests of the Party should be respected in collecting, processing or using personal information and the information should be handled in accordance with the principle of bona fide. It should not go beyond the purpose of collection and should be reasonable and fair.

Article 18

The government agency which keeps personal information files should assign personnel(s) on security and maintenance of those files to prevent them from being stolen, altered, damaged, destroyed or disclosed.

Article 27

The non-government agency which keeps personal information files should adopt proper security measures to prevent them from being stolen, altered, damaged, destroyed or disclosed.

Taiwan Ministry of Justice, Personal Information Protection Act

Philippines

SEC. 2. Declaration of Policy. - It is the policy of the State to protect the fundamental human right of privacy, of communication while ensuring free flow of information to promote innovation and growth. The State recognizes the vital role of information and communications technology in nation-building and its inherent obligation to ensure that personal information in information and communications systems in the government and in the private sector are secured and protected.

SEC. 20. Security of Personal Information.

  1. The personal information controller must implement reasonable and appropriate organisational, physical and technical measures intended for the protection of personal information against any accidental or unlawful destruction, alteration and disclosure, as well as against any other unlawful processing.
  2. The personal information controller shall implement reasonable and appropriate measures to protect personal information against natural dangers such as accidental loss or destruction, and human dangers such as unlawful access, fraudulent misuse, unlawful destruction, alteration and contamination.
  3. The determination of the appropriate level of security under this section must take into account the nature of the personal information to be protected, the risks represented by the processing, the size of the organisation and complexity of its operations, current data privacy best practices and the cost of security implementation. Subject to guidelines as the Commission may issue from time to time, the measures implemented must include:
    • Safeguards to protect its computer network against accidental, unlawful or unauthorized usage or interference with or hindering of their functioning or availability;
    • A security policy with respect to the processing of personal information;
    • A process for identifying and accessing reasonably foreseeable vulnerabilities in its computer networks, and for taking preventive, corrective and mitigating action against security incidents that can lead to a security breach;
    • Regular monitoring for security breaches and a process for taking preventive, corrective and mitigating action against security incidents that can lead to a security breach.

Philippines Data Privacy Act of 2012, excerpts from Chapters I & V

India

Reasonable Security Practices and Procedures

(1) A body corporate or a person on its behalf shall be considered to have complied with reasonable security practices and procedures, if they have implemented such security practices and standards and have a comprehensive documented information security programme and information security policies that contain managerial, technical, operational and physical security control measures that are commensurate with the information assets being protected with the nature of business. In the event of an information security breach, the body corporate or a person on its behalf shall be required to demonstrate, as and when called upon to do so by the agency mandated under the law, that they have implemented security control measures as per their documented information security programme and information security policies.

(2) The International Standard IS/ISO/IEC 27001 on "Information Technology - Security Techniques - Information Security Management System - Requirements" is one such standard referred to in sub-rule (1).

(3) Any industry association or an entity formed by such an association, whose members are self-regulating by following other than IS/ISO/IEC codes of best practices for data protection as per sub-rule (1), shall get its codes of best practices duly approved and notified by the Central Government for effective implementation.

(4) The body corporate or a person on its behalf who have implemented either IS/ISO/IEC 27001 standard or the codes of best practices for data protection as approved and notified under sub-rule (3) shall be deemed to have complied with reasonable security practices and procedures provided that such standard or the codes of best practices have been certified or audited on a regular basis by entities through independent auditor, duly approved by the Central Government. The audit of reasonable security practices and procedures shall be carried out by an auditor at least once a year or as and when the body corporate or a person on its behalf undertake significant upgradation of its process and computer resource.

Government of India, Ministry of Communications and Information Technology - Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011.

Malaysia

(1) A data user shall, when processing personal data, take practical steps to protect the personal data from any loss, misuse, modification, unauthorized or accidental access or disclosure, alteration or destruction by having regard -

  (a) to the nature of the personal data and the harm that would result from such loss, misuse, modification, unauthorized or accidental access or disclosure, alteration or destruction;
  (b) to the place or location where the personal data is stored;
  (c) to any security measures incorporated into any equipment in which the personal data is stored;
  (d) to the measures taken for ensuring the reliability, integrity and competence of personnel having access to the personal data; and
  (e) to the measures taken for ensuring the secure transfer of the personal data.

(2) Where processing of personal data is carried out by a data processor on behalf of the data user, the data user shall, for the purpose of protecting the personal data from any loss, misuse, modification, unauthorized or accidental access or disclosure, alteration or destruction, ensure that the data processor -

  (a) provides sufficient guarantees in respect of the technical and organisational security measures governing the processing to be carried out; and
  (b) takes reasonable steps to ensure compliance with those measures;

Government of Malaysia - Laws of Malaysia, Act 709, Personal Data Protection Act 2010.

Singapore

The Protection Obligation

17.1. Section 24 of the PDPA (Personal Data Protection Act) requires an organisation to make reasonable security arrangements to protect personal data in its possession or under its control in order to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks. This obligation of organisations to protect personal data is referred to in these Guidelines as the Protection Obligation.

Examples of administrative measures an organisation may use to protect personal data:

  • Requiring employees to be bound by confidentiality obligations in their employment agreements;
  • Implementing robust policies and procedures (with disciplinary consequences for breaches) regarding confidentiality obligations;
  • Conducting regular training sessions for staff to impart good practices in handling personal data and strengthen awareness of threats to security of personal data; and
  • Ensuring that only the appropriate amount of personal data is held, as holding excessive data will also increase the efforts required to protect personal data.

Singapore Personal Data Protection Commission 2015.

Brunei

Brunei is still developing privacy and data protection laws. Watch this space for updates in the future.

Indonesia

Article 18

  1. The Electronic System Operator shall provide an audit trail record of all activities of the Electronic System Operation.
  2. Audit trail record as intended in paragraph (1) is used for purposes of monitoring, enforcement, dispute resolution, verification, testing, and other checking.

Article 20

  1. Electronic System Operator shall have and perform the procedures and structure for securing the Electronic Systems in avoiding disruption, failure, and loss.
  2. Electronic System Operator shall provide a security system that includes procedures and systems to prevent and solve the threats and attacks that cause disruption, failure, and loss.
  3. In the event of a failure or serious disruption of the Electronic System caused by the actions of another party, the Electronic System Operator shall secure the data and report immediately, at the first opportunity, to law enforcement officers or the relevant Sector Supervisory and Regulatory Agency.
  4. Further provisions on the security system as intended in paragraph (2) are governed by Ministerial Regulation.

Article 22

  1. Electronic System Operator shall maintain the confidentiality, integrity, authenticity, accessibility, availability, and traceability of the Electronic Information and/or Electronic Document in accordance with the provisions of the regulation.
  2. Where the Electronic Systems Operation is intended for Electronic Information and/or Electronic Documents that are transferable, the Electronic Information and/or Electronic Document must be unique and describe its acquisition and ownership.

Article 24

  1. The Electronic System Operator shall provide training on the Electronic Systems to Users.
  2. The training referred to in paragraph (1) shall cover at least the rights, obligations and responsibilities of all parties involved, and the procedures for filing a complaint.

Article 27

Electronic System Operator is obligated to protect its users and the public from harm caused by its operation of Electronic Systems.

Article 28

  1. Each person who works in the Electronic Systems Operation must secure and protect structure and infrastructures of Electronic Systems or information transmitted through the Electronic System.
  2. Electronic System Operator shall provide, teach, and train personnel in charge and responsible on the security and protection of structure and infrastructure of Electronic Systems.

Regulation of the Government of the Republic of Indonesia Number 82 of 2012: Concerning electronic system and transaction operation, excerpts from Part Seven, Security of Electronic System Operation

New Zealand

Privacy Principle 5: Storage and security of personal information

An agency that holds personal information shall ensure -

  1. that the information is protected, by such security safeguards as it is reasonable in the circumstances to take, against -
    • loss; and
    • access, use, modification, or disclosure, except with the authority of the agency that holds the information; and
    • other misuse; and
  2. that if it is necessary for the information to be given to a person in connection with the provision of a service to the agency, everything reasonably within the power of the agency is done to prevent unauthorised use or unauthorised disclosure of the information.

How does the Privacy Act apply to my business?

Secure storage and disposal of personal information

Make sure that you hold and use personal information in a safe and secure way, and that you dispose of it securely when you have finished with it. Security includes having good policies and training your staff to handle information properly.

New Zealand Office of the Privacy Commissioner, October 2015

TECHSERT offers high-quality, engaging and affordable staff information and cyber security training courses and services, which can help you manage this growing risk to your information and cyber security.

Please note: The specific information highlighted for each country is an example of recent ICT security requirements only; at the time of viewing it may have been superseded. It is provided simply to illustrate the growing response of governments across the Asia-Pacific region to the rapidly growing incidence of cyber crime, and to the growing risk of costly and embarrassing fallout from information and data breaches within public and private sector entities.

As the risks grow, what can your business or organisation do to be more cyber secure and aware?
  • Understand information and cyber security and that it is a serious and growing risk to your business
  • Have your IT systems, including staff behavior, independently tested
  • Have your systems independently re-tested on a regular basis
  • Establish policies to guide and govern the use of your networks
  • Educate your team/staff to be more aware of the problem and risks
  • Contact TECHSERT about its comprehensive staff information and cyber security training program

For more information (and a free training trial), contact TECHSERT.

Nearly 1 in 5 Australian businesses will suffer a serious data breach due to cyber crime and inadequate cyber security in the next 24 months.
