Friday, 22 February 2008

Ignorance of the law...

In Australia, there is a view that financial systems require little along the lines of security and that SOX implemented far more. However, the "Tax file number guidelines 1992" as amended March 2004 (http://www.privacy.gov.au/act/tfn/).

This means that companies need to have controls that restrict access and in particular provide a defense against "all reasonably foreseeable risks to security". With standards being available from SANS and CIS, the obligations are clear. If your company is not protecting financial data, you are breaking the law. Ignorance is not a defense.

6. Storage, security and disposal of tax file number information

6.1 Tax file number recipients shall ensure:

(a) that tax file number information is protected, by such security safeguards as it is reasonable in the circumstances to take, to prevent loss, unauthorised access, use, modification or disclosure, and other misuse; and

Commissioner’s note: Tax file number recipients need to be aware that tax file number information handling procedures and safeguards should anticipate all reasonably foreseeable risks to security. Some examples of tax file number security are physical and logical barriers such as building security, locked filing cabinets, user identity checks and password controls for computer systems.

(b) that access to records that contain tax file number information is restricted, where practicable, to persons undertaking duties related to responsibilities arising under taxation, assistance agency or superannuation law which necessitate the use of tax file numbers.

Commissioner’s note: Tax file number recipients should limit, where practicable, the persons who are able to have access to tax file number information to those who require access in order to carry out responsibilities under taxation, assistance agency, or superannuation law. To ensure that access to tax file number information is restricted to those requiring access, tax file numbers should, where practicable, be separately and securely stored. This Guideline also recognises that tax file number recipients may not strictly be administering the relevant law but may still be handling tax file numbers in accordance with the law.

6.2 Tax file number recipients may dispose of tax file number information when it is no longer required by law nor administratively necessary to be retained. Any disposal of tax file number information shall be by appropriately secure means.
