CECV follows a formal cyber security incident response process that is put into action whenever a cyber incident is raised. Cyber security incidents must be reported to the CECV service desk.
A cyber security incident describes an adverse event where there is a breach of a system’s security policy that requires corrective action. A cyber security incident is potentially a serious event given it can compromise the confidentiality, integrity, and availability of ICON.
Examples of cyber security incidents which could affect ICON include but are not limited to:
A Distributed Denial of Service (DDoS) attack on an ICON system which has impacted the service availability by increasing traffic to the point of making it inaccessible or unusable;
Compromise or disclosure of commercially sensitive or personally identifiable information;
Compromise of network account credentials;
Unauthorised use of ICON;
Ransomware or malware infection of a single machine or segment of the network.
The Notifiable Data Breach Scheme (NDBS) came into effect on 22 February 2018. Details about the NDBS and school obligations were published in COMS and are available on CEVN at https://cevn.cecv.catholic.edu.au/Melb/Document-File/School-Improvement/ICT-Advice/CECV-Notifiable-Data-Breach-Scheme.
The following guide on when to report a data breach is extracted from the Office of the Australian Information Commissioner (OAIC) website located at https://www.oaic.gov.au/privacy/notifiable-data-breaches/.
An eligible data breach occurs when:
there is unauthorised access to or unauthorised disclosure of personal information, or a loss of personal information, that an organisation or agency holds,
this is likely to result in serious harm to one or more individuals, and
the organisation or agency hasn’t been able to prevent the likely risk of serious harm with remedial action.