CI SecurityPrivacy TL SW
Version: 20201214
The content in this document is copyright © TAFE NSW 2021 and should not be reproduced without the permission of
TAFE NSW. Information contained in this document is correct at time of printing: 27 May 2024. For current
information please refer to our website or your teacher as appropriate.
Content
Getting started 5
What will I learn by completing this workbook? 6
Icon legends 7
Topic 1: Workplace Information 8
Overview 9
Activity 1.1: Gelos Enterprises security breach 9
What is workplace information? 10
Legislative framework 11
Activity 1.2: Legislative Framework 14
Workplace policies and procedures 14
Industry standards 17
Privacy and sensitive data 18
Privacy legislation 20
Notifiable Data Breaches scheme (NDB) 22
Intellectual property (IP) 24
Topic 1: Check your understanding 28
Topic 2: Working in an Organisation 33
Overview 35
Workplace policies and procedures 35
Risk management policy 40
Activity 2.1: Identify risks and infringements 41
Code of ethics 44
Compliance 44
Data protection 45
Activity 2.2: Data breach 46
Ethics 47
Activity 2.3: Reflection activity: Ethical decisions 51
Improving and maintaining documentation 52
Reporting 53
Communication 54
Activity 2.4: What sort of question should you ask? 56
Activity 2.5: Active Listening 57
Topic 2: Check your understanding 58
Topic 3: Managing Data 68
Overview 69
Data management 69
Successfully completing this unit will give you the skills and knowledge required to:
Practice activity
Collaboration
Self-check
Assessment task
Video
Videos will give you a deeper insight into the content covered in
this workbook. If you are working from a printed version, you will
need to look these up using the URL (link to the video online)
provided.
In this lesson, you'll learn about information sources, where to find the information you
need and how to access it. You will be introduced to the laws and the legislative bodies that
govern digital data protection.
At the end of this topic, you will need to complete the ‘Check your learning’ quiz questions
to test your learning and understanding.
Practice activity
Workplace documents: policies and procedures, WHS risk assessments and reports
A small company might use a personalised filing system for paper documents and
electronic files.
A large organisation may use a centralised electronic system allowing worldwide
access.
General types of software can be used to record and manage information, for
example Word, Excel or accounting programs.
Whichever storing option a company selects, using policies and procedures will ensure
consistency and ease of use.
Locating Information
To locate information, you need to know how to access it while considering your legal and
job responsibilities.
Records need to be organised, so they are easy to locate and identifiable by all
personnel who need to access them.
Know what you are looking for, as there may be multiple versions of a file or
document. Version control is a means to identify the most current information.
Store and collect the information according to the organisation's policies and
procedures.
Confidential files are often password-protected so that only authorised personnel can
access them.
Legislative framework
Throughout your learning, you will be using the following terminology from the legislative
framework. It will be useful to familiarise yourself with these terms.
Acts
Acts are the broad framework that sets out the fundamental principles of the legislation. An
act also provides the duties, rights and obligations of all parties.
Regulations
Regulations are designed to support an act of law. They are the how to and provide
procedural and administrative guidelines to help us comply with the act.
Codes of Practice
Codes of Practice set out the minimum requirements on how to comply with the acts and
regulations.
Australian Standards
‘Australian Standards set out specifications and design procedures to ensure products and
services consistently perform safely, reliably, and the way they're intended to. There are two
types of standards, mandatory and voluntary.’
Source: Service NSW (Long URL: https://www.service.nsw.gov.au/transaction/comply-australian-standards)
Legal requirements
Organisations take a best practice approach in protecting and managing information. There
will be information that your organisation is required to keep by law. For example, financial
data and safety incidents will need to be kept for several years.
Follow your organisation's procedures for filing and retrieving confidential information. The
security measures put in place by an organisation will vary according to organisational and
legal requirements.
files are not to be taken off the premises without proper authorisation
copies of files are not to be taken for any reason or without authorisation
a password is required to access certain files
specific files may only be viewed in a particular room
some files by law may have restricted access; for example, some government records
personal files must remain confidential.
an act
a regulation
a code
a standard
a policy
a procedure.
After you have found your document, please complete the activities following.
Policies
A policy explains what needs to be done. It is a guiding principle relating to legislation,
standards, or the organisation's values.
Industry policy is a set of rules and principles that guide industry members and workers on
the organisation's mission, values and standards for behaviour and performance. A policy is
not necessarily legally binding but may be used to support a legal argument as to the
appropriate measures that apply in an organisation.
An organisation's policy will set out the organisation's position in relation to the subject of
the policy. It should reflect legislation, industry standards and specific values and operations
of the business.
Procedures
A procedure explains how it is done. It contains practical information and directions on how
work should be carried out to an acceptable standard.
An organisation's policy contains procedures that outline the steps and directions on how an
activity is carried out to an acceptable standard. The procedures need to consider relevant
legislation, standards and other policies that apply to the organisation. For example, an
electronic data backup procedure outlines how electronic data should be handled to protect
the information in a cyber-attack.
IT maintenance procedure
IT backup procedure
information privacy procedure
password protection procedure
IT consultant conduct procedure
software installation procedure
password management procedure
electronic data disposal procedure
transmission of sensitive data procedure.
Practices
Practices are the actual methods used to perform tasks or processes within the organisation.
They are sometimes captured in a policy or procedure, but are often communicated verbally
by colleagues or during staff training and not officially documented.
In 2020, Standards Australia launched a task force of industry representatives tasked with
establishing baseline cyber security standards to improve the practice of cyber security
across Australian industries.
The article, Standards Australia to set cyber security standards (Long URL:
https://ia.acs.org.au/article/2020/standards-australia-to-set-cyber-security-standards.html),
is a great resource you can refer to that provides information on the cyber security industry
standards.
Codes of practice
Codes of practice provide detailed, clear information to help workplaces achieve their
responsibilities. They make understanding and implementing the act and regulations a more
straightforward process, offering suggestions for workplaces to follow.
Codes of practice do not replace the acts or regulations and are not mandatory. Instead,
they provide workplaces with a set of standards established by governing bodies equivalent
to the legal requirements.
Codes of practice are available online via the state or territory authority's website. For
example, visit the Information Technology Professionals Association (ITPA) Code of
Ethics (Long URL: https://www.itpa.org.au/code-of-ethics/) for specific information on the
code for ethics in a workplace.
Everyone using IT needs to be aware of the security of their data and manage their privacy.
Use strong passwords that meet security or organisation standards when used at work and
change them regularly. Password protection will be discussed later in your learning.
Each person's information may contain sensitive data, which can be exposed if not securely
protected.
Now that you know what PII is and who is responsible for protecting it, consider the following
measures for protecting your PII.
Storing PII
Avoid storing information that you no longer need.
Privacy legislation
Privacy law regulates the way personal information is collected, how it is used, stored and
handled. In Australia, privacy is acknowledged as a fundamental human right, and
organisations and agencies must handle personal information following:
The Office of the Australian Information Commissioner (OAIC) site includes information on
the Australian Privacy Principles (Long URL: https://www.oaic.gov.au/privacy/australian-privacy-principles/).
A breach of an Australian Privacy Principle is an 'interference with an individual's privacy'
and can lead to regulatory action and penalties.
Direct marketing
A business is limited to use or disclose personal information in advertising and can only do so
if specified conditions are met.
Now that you have learned about some of the Australian Privacy Principles, refer to
the Australian Privacy Principles quick reference (Long URL:
https://www.oaic.gov.au/privacy/australian-privacy-principles/australian-privacy-principles-quick-reference/)
and complete the following activity.
Under the Privacy Act 1988 (Cth), the Notifiable Data Breaches scheme (Long URL:
https://www.oaic.gov.au/privacy/notifiable-data-breaches/about-the-notifiable-data-breaches-scheme/)
states that any person, organisation or agency must notify affected individuals and the OAIC
when a data breach is likely to result in serious harm to an
Examples of a data breach that can affect individuals or cause serious harm may include:
Most countries have their own data protection policies or regulations. Three examples of
organisations that are required to adhere to the international data protection regulations
are:
European Union (EU) General Data Protection Regulation (GDPR) provides data protection
requirements to businesses of any size that offer goods and services in the EU.
The New Zealand Privacy Act 2020 (Long URL: https://www.privacy.org.nz/privacy-act-2020/privacy-act-2020/)
aligns with the Australian Privacy Act 1988 (Cth) and the GDPR, but there are some
differences. For example, in NZ, businesses are legally required to notify the Privacy
Commissioner when a data breach has occurred. In Australia, the obligations will apply when
the breach is likely to result in serious harm.
Phishing scams are attempts by cyber criminals to trick you into providing your personal
information, leading to identity theft or unauthorised access to your bank account.
Such scams are Notifiable Data Breaches.
An organisation with these types of assets will have policies and procedures to maintain and
protect its intellectual property.
Patents
A creator of a new device or process can apply for a patent. This will allow the creator to
exploit their product for commercial purposes. A patent needs to be applied for, granted and
registered under Patents Act 1990 (Cth) (Long URL:
For an application to be successful, a product must be new, useful, and innovative. When
granted under the Patents Act 1990 (Cth), a patent will give exclusive commercial rights to
the product (a monopoly). The Australian Government's IP Australia website (Long URL:
https://www.ipaustralia.gov.au/patents) includes information on patents.
Trademarks
A trademark is used to identify products or services from other business competitors. It is a
form of intellectual property that protects the product's identity by ensuring the mark has
not been used before.
using a slogan, name, symbol, or logo similar to a slogan, name, symbol or logo used
by another
using a brand name in place of a generic name, attempting to pass off as an original.
Registered designs
Design rights protect the shape or appearance of manufactured goods. It applies to products
that have a physical shape and may be handmade or manufactured on a commercial scale.
Copyright
When an idea or creative concept is documented on paper or electronically, it is
automatically protected by copyright in Australia under the Copyright Act 1968 (Cth) (Long
URL: https://www.legislation.gov.au/Details/C2017C00180). Works such as books, films,
music, sound recordings, newspapers, magazines, artwork, the source code of software,
computer programs, manuals and guides are protected by copyright.
Depending on the material, the copyright for literary, dramatic, musical, and artistic works
generally lasts 70 years from the author's death or 70 years from the year of first publication
after the author's death.
There is no registration system for copyright in Australia. Copyright rights are automatic and
do not require any registration.
An owner of a copyright can sell or licence their rights or grant permission to use their work.
Copyright can be identified by the symbol ©. For example, the front page of a book
authored by Hannah Smith might carry the notice ‘© Hannah Smith 2020’. A copyright notice
is not essential to gain copyright but can help remind people that the work is protected.
installing software on more than one computer system without a proper licence
using the program source code taken from an external party in breach of the
copyright rights of that party.
Circuit layout
Circuit layout rights protect the appearance (design and layout) of an electronic circuit.
These rights are automatic and do not require registration.
Trade secrets
Trade secrets can best be described as confidential information belonging to an organisation
and kept ‘secret’ by the employees of that organisation. Employees leaving the organisation
are a common source of ‘leaked’ trade secrets. A breach of trade secrets can be pursued in
court, but it can be challenging to establish and may therefore not be pursued.
Trade secrets are not registered with IP offices. Examples of trade secrets include the recipe
for Coca-Cola and the formula for WD-40. The employees at these companies must sign a
Non-Disclosure Agreement (NDA) preventing them from sharing these recipes. If an
employee shares a trade secret after signing an NDA, it is a breach of contract, and the
company can take legal action to recover their losses.
Under the Intellectual Property Laws Amendment Act 2015 (Cth) (Long URL:
https://www.legislation.gov.au/Details/C2015A00008) owners are granted certain exclusive
rights such as the ability to publish to various markets, licence the manufacture and
distribution of inventions, and sue in case of unlawful or deceptive copying.
Each type of IP protection has its own set of legislation. Business, company and domain
names are not IP rights and don't necessarily give exclusive rights of ownership.
It is important to note that Indigenous Cultural and Intellectual Property (ICIP) rights exist
to protect the heritage and culture of Indigenous People, providing guidance where the law
falls short.
The policy sets guidelines for employees and stakeholders regarding the legal requirements
around the usage of IP and making sure they are not infringing the IP owned by the
company. The policy also ensures that employees do the right thing in maintaining
confidentiality issues, ownership of IP and conflicts of interest.
2. Referring to the OAIC, which three of the following types of data are considered personal
information?
Type of data                Select the correct answer/s
Person’s name
Anonymous data
3. Referring to the OAIC, which three of the following types of data are considered sensitive
information?
Type of data                Select the correct answer/s
Political affiliation
Religion
Client name
Criminal record
Client address
5. A business has policies and procedures in place to protect the personal information of
their clients, staff, and business relations. What Australian Privacy Principle does this
relate to?
Policy or procedure         Select the correct answer/s
6. A business provides the option to individuals to use email addresses which do not
disclose the person’s actual name and/or allows people to comment on forums using an
unidentifiable ‘user name’. What Australian Privacy Principle does this relate to?
Policy or procedure         Select the correct answer/s
8. A business may collect information from a promotional flyer that has been sent to them
by another business and applies the Australian Privacy Principle that outlines how to deal
with this information. What Australian Privacy Principle does this relate to?
Policy or procedure         Select the correct answer/s
You will need to access the Gelos Intellectual Property Policy (pdf) (Long URL:
https://share.tafensw.edu.au/share/items/5f1cec7b-1d03-446a-85b7-edb42692c34e/0/?
attachment.uuid=1ab93cf6-0eed-498a-95a5-585a22042d54) to answer the following
question.
Statements                                                                    True/False
All employees, including contractors and consultants, are responsible for properly identifying, attributing, and preserving IP owned by Gelos Enterprises.
Employees who have confidential information from a former employer can now share the information with their current employers as they do not work with their former employer anymore.
Employees can freely disclose Gelos Enterprises’ proprietary or confidential information to third parties with whom Gelos is doing business, such as suppliers, licensees, or consultants without any legal or formal agreement.
At the end of this topic, you will need to complete the ‘Check your learning’ quiz questions
to test your learning and understanding.
Security policy
A good security policy will greatly benefit from implementing appropriate security controls
to safeguard enterprise resources from unfriendly attacks and effectively reduce the risk
posed.
The CIA triad represents Confidentiality, Integrity and Availability, which underpin
information security. This concept is discussed in more detail in Topic 3.
Confidentiality
Availability
Integrity
Privacy policy
A privacy policy outlines how an organisation must handle all personal information. What is
a privacy policy? (OAIC) states what must be included in an organisation’s privacy policy,
such as:
For more information, please refer to What is a privacy policy? (OAIC) (Long URL:
https://www.oaic.gov.au/privacy/your-privacy-rights/what-is-a-privacy-policy/)
Copyright policy
A copyright policy outlines how employees are to handle and use copyrighted material.
Copyright, design rights, moral rights, trademarks, and patents are all intellectual property
rights.
The EU’s General Data Protection Regulation (GDPR) defines personal data as any information
related to a person that can be used to directly or indirectly identify them, for example:
an identification number
online identifiers (including an IP address)
location data
name
physical attributes
health information
economic, cultural, or social identity of a person.
risk identification
risk analysis
risk controls
risk financing and claims management.
The video The power of a cyber risk assessment (Long URL: https://youtu.be/h38Uyu3jXX0)
(YouTube, 2:35 min) provides an overview of a cyber risk assessment and how it can be used
to understand and resolve an organisation's vulnerabilities.
Practice activity
Scenario
Your manager, Madison Mathews, has asked you to perform a clean-up of your work PC to
remove unwanted files, temporary files and internet cache.
While undertaking this clean-up, you came across a file named Staff2019.docx.
When you opened the file, you discovered that it contained the employment records of
multiple staff members, including the employees’:
names
addresses
bank account details
pay rates
other personal information.
1. This scenario was a non-compliance incident. What type of risk was this?
                            Select the correct answer/s
Copyright issue
Plagiarism
2. What are the risks to Gelos Enterprises as a result of this incident? Select 3 correct
answers.
                            Select the correct answer/s
Loss of employees
A plagiarising breach
Copy and paste the part of the policy that you believe has been breached.
(Approximately 50 to 60 words)
4. Identify and name one principle in the ITPA Code of Ethics that has been breached.
Copy and paste the principle in the policy that you believe has been breached.
(Approximately 30 to 50 words)
5. Review the Gelos Data Protection Policy (pdf) and make two recommendations for
procedures that will improve and maintain the current practices.
and use the risk identification and rating process used at Gelos and rate the level of risk
to the company in this scenario. Include your justification why this would be the
appropriate level.
(Approximately 40 words)
Code of ethics
A code of ethics sets the guidelines accepted by an organisation to help professionals
conduct business with integrity, honesty and professionalism.
The code of ethics also guides complex challenges, such as behaviour and the expected
conduct of employees. A breach of this code is grounds for termination.
An IT organisation might have its own code of ethics or conduct, or require that its
employees comply with industry or professional codes, for example, the ACS Code of
Professional Conduct (pdf) (Long URL: https://www.acs.org.au/content/dam/acs/acs-documents/ACS%20Code-of-Professional-Conduct_v2.1.pdf)
or the suggestions from The Association for Today's IT Professionals (Long URL:
https://www.itpa.org.au/).
Compliance
How can an organisation comply with the rules, regulations, and laws?
Compliance involves:
Data protection
There are many industry standards to maintain and control data privacy and security.
This requires that employees do not breach the IP of others outside the organisation. IP is
protected from the wrongful actions of its employees or of external parties.
Study the following scenario and identify where data protection has been neglected.
An ICT trainee works at the customer desk at Gelos Enterprises. A person walks in requesting
access to their paper file. The trainee asks for the person’s name, retrieves the file and hands
it to the client. The client thanks the trainee and leaves the premises.
The trainee sends a message to the supervisor saying that the file has been handed to the
client.
The supervisor is angry with the trainee and says that their actions may have caused security
and confidentiality breaches.
What steps could the trainee have taken to avoid security and confidentiality breaches?
Scenario 2
Study the following scenario and identify where data protection has been neglected.
Company X is a travel agency and uses password data protection for their databases.
Databases contain forms of credit card details, passport information and personal addresses.
The PPI password protection procedure states that each new client file should be password
protected, using the client name and the year they have been created, for example,
ClientName_2021, as the encryption.
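The weakness in Company X's procedure is that the file password is derived from information an attacker can guess (the client's name and a year). The following is an added example for this workbook, not part of the TAFE NSW material and not Company X's actual procedure: a small audit script that flags passwords built from the client name plus a year, and shows the corrected practice of generating an unpredictable secret with Python's `secrets` module. The client names and passwords in it are constructed sample data.

```python
import re
import secrets


def _normalise(text: str) -> str:
    """Lower-case and keep only letters and digits, so that 'Jane Smith',
    'janesmith' and 'Jane_Smith' all compare equal."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def is_predictable_password(password: str, client_name: str) -> bool:
    """Return True when the password is the client's name (or one word of it),
    optionally with a 4-digit year (19xx/20xx) in front of or after it.
    This is exactly the 'ClientName_2021' pattern from the scenario."""
    pw = _normalise(password)
    # Strip a leading or trailing year before comparing with the name.
    stripped = re.sub(r"^(19|20)\d{2}|(19|20)\d{2}$", "", pw)
    full_name = _normalise(client_name)
    name_words = [_normalise(w) for w in client_name.split()]
    candidates = [full_name] + [w for w in name_words if len(w) >= 3]
    return stripped in candidates


def generate_file_secret(nbytes: int = 24) -> str:
    """Corrected practice: an unpredictable, per-file secret from the OS CSPRNG.
    24 random bytes give a 32-character URL-safe string; store it in a password
    manager or vault rather than deriving it from client data."""
    return secrets.token_urlsafe(nbytes)


def audit_client_files(files: dict[str, str]) -> list[str]:
    """Return the (sorted) client names whose file password is predictable."""
    return sorted(
        name for name, password in files.items()
        if is_predictable_password(password, name)
    )


# Constructed sample records (hypothetical clients and passwords), following the
# weak procedure for the first three and the corrected one for the last.
SAMPLE_CLIENT_FILES = {
    "Jane Smith": "JaneSmith_2021",
    "Acme Travel": "acme-travel2020",
    "Liu Wei": "liuwei",
    "Pat Jones": generate_file_secret(),
}


if __name__ == "__main__":
    for client in audit_client_files(SAMPLE_CLIENT_FILES):
        print(f"predictable password for client file: {client}")
    print("replacement secret:", generate_file_secret())
```

Running the script lists Jane Smith, Acme Travel and Liu Wei as files protected by a guessable password; Pat Jones, whose file uses a generated secret, is not flagged. The same check can be run over an export of the client file register before a procedure like Company X's is signed off.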
What can you do if you see or hear something that you think isn't right?
How do you know what proper conduct is in the workplace?
What is ethics?
A simple definition of ethics is ‘beliefs regarding right and wrong’. Behaving ethically or with
integrity refers to a behaviour that conforms to generally accepted social forms.
A person acting with integrity acts in ways that are consistent with their code of principles. A
straightforward approach to acting ethically is to extend to all persons the same respect and
consideration that you desire from others.
Ethics is where we question, discover, and protect our morals, principles and purpose. Ethics
are what makes us human.
Term        Definition
Values      Tell us what's good. They're the things we strive for, desire and seek to protect.
Principles  Tell us what's right. Outlining how we may or may not achieve our values.
Purpose     Gives life to your values and principles – your reason for being.
The video What is Ethics? (Long URL: https://youtu.be/u399XmkjeXo) (YouTube, 4:54 min)
provides an overview of the meaning of ethics and offers a good example of right vs right.
There are a number of ethical theories and approaches, such as deontology, virtue ethics
and the consequentialist approach.
Deontology
The theory of deontology looks at the relationship between duty and the morality of human
actions.
Deontology ethics looks at what people do, not at what the consequences of their actions
are. For example, making false promises is wrong. You should not make a promise if you
don't intend to keep it.
This theory judges the morality of an action based on adherence to a rule or set of rules. The
theory uses clear universal moral laws that distinguish right from wrong, like don't
lie or don't steal.
This theory is quite easy to apply due to this clarity as it requires people to follow the given
clear morals and laws when performing their duties. The theory's approach is to follow
natural intuition regarding what is or is not ethical.
Consequentialist approach
This theory considers what steps to take by evaluating the negative or positive consequences
of taking a specific action. For example, lying is bad, but if a lie saves a person's life, then the
action taken is the right one according to this theory.
Ethics affects individual responsibilities and actions for each employee. These codes ensure
that a level of trust can exist between all stakeholders.
With the increase in developments in information technology, issues such as cyber security
and safety bring their own set of moral questions.
For example:
It's important that ICT professionals have an understanding of the values and ethics of the
organisation and the obligation to meet both employer and client expectations of ethical
conduct.
Code of ethics
A code of ethics can also be called a code of conduct, ethics statement or similar.
The following two associations have codes of ethics published by industry bodies. You may
be aware of other organisations that produce standards and codes for their members.
Ethical issues
Managing ethics in the workplace involves identifying and prioritising values to inform
behaviours and attitudes in the workplace.
For this reason, it's important to be able to differentiate between a range of ethical issues.
Practice activity
Scenario 1
You are asked to join an exciting new project; however, you don’t fully believe you have the
required training.
You really want to participate in the project as it will enhance your career. What should you
do?
Scenario 2
You are working for a large financial organisation, where the integrity of customer
information is paramount.
You suspect your best buddy may be accessing customer account details. He is recently
married, and if he loses his job, it may ruin his career. What should you do?
Scenario 3
You are working with your boss on a large proposal to install computer software for a large
retail business.
You are aware that this software solution is not fully costed, and there is a possibility of a
cost overrun. The installation is important for the business.
Reviewing
Getting staff feedback on the policies and procedures and discussing what works and what
doesn't is an excellent way to review. A control administrator should oversee the entire life
cycle for all policies, including the drafting and reviewing stages. Policies and procedures
must be viewed as an ongoing process requiring careful attention, time, and resources.
Repeat
Things change and require regular attention. Policy management is not a one-time effort.
Once you have completed the policy life cycle, go back and start again.
By combining the reporting and investigation of security incidents, workplaces can put
preventative processes in place and develop safer work practices.
Accurately reporting all details of an incident is vital to effective investigation and to prevent
future infringements. You must report to your supervisor immediately, as this ensures that
the incident is fresh in your mind and the information is more accurate.
Communication
Let's explore some key communication skills. Along the way consider the scenarios
presented and how you would respond to the situation.
How you ask a question depends on the situation, who you are asking and what you want to
find out. There are many types of questions.
Closed questions
Closed questions only invite a quick response such as ‘yes’ or ‘no’ or simple facts.
For example: "Was the meeting helpful?" or "What colour should I use in this surface, red or
green?"
For example, you realise your manager is very busy with some new tasks. You could offer
help by asking: "How can I help?"
Clarifying questions
Clarifying questions are used to elicit more detail from the other person or clarification of
what was said. They usually gain more factual detail.
For example, you could ask "You said you agree with this response, didn't you?" or "You told
me you go to the library every day, but what library are you referring to?"
Probing questions
Probing questions are similar to clarifying questions, and some clarifying questions can be
probing. Probing questions are deliberately open questions that explore more detail about
something and can include asking for personal opinions.
For example, you could ask: "Why do you think that happened?" or "What does this remind
you of?"
Leading questions
These lead the other person to the answer you want. They are not always seen as desirable.
For example, if a real estate agent wants a client to buy one of their new apartments but the
client hasn't confirmed they are interested, the agent could ask a leading question like:
"When would you like to sign the contract?"
Rhetorical questions
These are questions you don’t expect an answer to.
For example, you might be just blowing off steam when you say: “How can anyone put up
with this?”
Practice activity
Scenario 1
You have been asked to prepare a report for your supervisor on the existing customer
database you have been updating.
However, you can’t decide if you should provide a verbal or written report.
What question could you ask your supervisor to confirm the correct reporting procedure
they are expecting?
Scenario 2
1. Can you walk me through your security requirements needed for your business?
2. So, you want something that is easy to use?
3. When do you want it by?
Practice activity
Check the scenarios, think about the questions and check the feedback.
Scenario 1
One of the ICT support staff at Gelos Enterprises is having a conversation with a new client to
clarify some aspects of the security brief. During the conversation, they feel their mobile
phone vibrate and check it for messages.
Your supervisor is very empathetic. Whenever you need to clarify something, they stop what
they are doing. Their body language tells you they are really interested.
You are working as an ICT Trainee for Gelos Enterprises; therefore, it is important you
become familiar with the organisation's policies and procedures and current practices.
You will need to access these documents to answer the following questions:
Privacy Policy
Ethics Policy
1. A staff member of Gelos has created a new logo for a product the company will soon be
marketing. Identify which policy document you can use to obtain more information.
2. A client has asked to see the personal information that Gelos currently holds on them.
Identify which Gelos policy document you can use to obtain more information.
Options: select the correct answer/s
Privacy Policy
Ethics Policy
3. Identify which Gelos policy document you can use to obtain more information on storage
of paper-based records such as client contracts and employee agreements.
Options: select the correct answer/s
Privacy Policy
Ethics Policy
4. Identify which Gelos policy document you can use to obtain more information on correct
filing procedures for employee payroll data which includes bank account details.
Privacy Policy
Ethics Policy
5. Gelos has created a new type of circuit board layout and needs to ensure no other
company can steal or use their ideas. Identify which Gelos policy document you can use
to obtain more information.
Options: select the correct answer/s
Privacy Policy
Ethics Policy
6. Identify which Gelos policy document you can use to obtain more information on details
of the format for a new password, for example, number of characters, use of capitals,
numbers and symbols.
Options: select the correct answer/s
Privacy Policy
Ethics Policy
The CEO of Gelos Enterprises, Catherine Dunn, has asked all Gelos ICT employees to read the
new security policy statement. Review the policy statement to answer the following
questions.
Those without proper identification are not permitted entry to the Gelos premises.
7. Which parties are responsible for enforcing the policy? Select all that apply.
Options: select the correct answer/s
8. What controls would be most appropriate to assist the security and reception staff to
enforce the policy? Select all that apply.
CCTV cameras
Gelos executives
The HR department
Security guards
9. You have noticed that security has been allowing people to enter the premises without
ID. Who are you going to report this to? Select all that apply.
Options: select the correct answer/s
The HR department
10. Which one of the following is the preferred timeframe for reporting a breach?
Options: select the correct answer/s
Within 1 hour
Immediately
Within 12 hours
After reviewing the video, answer the following questions to check your understanding.
Statements True/False
If you copy the source-code from other applications, it would be a non-compliant incident.
12. Which policy would copying the source-code from other applications breach?
Options: select the correct answer/s
Intellectual property
Privacy policy
13. Which two ethical principles would be a breach according to the Information Technology
Professional Association (ITPA) Code?
Options: select the correct answer/s
Privacy
Honesty
Communication
Education
Options: select the correct answer/s
An infringement or legal claim
Statements True/False
Staff training should be carried out regularly to avoid this type of breach
occurring.
Ethical guidelines should be discussed with staff and management to avoid
this type of breach occurring
16. Consider the following statements and identify whether these are true or false.
Tip
Statements True/False
You can never copy someone else’s sound recording
There are certain circumstances in which a computer program can be
copied
Artistic work is protected by copyright even when the work is not
considered beautiful
The Copyright Act 1968 (Cth) controls the copyright in Australia to protect
all original works of authorship.
Options: A. Deontology theory; B. Virtue ethics theory; C. Consequentialist approach
Description to match: concentrates on ethical thinking towards our morals and what it would
mean to our character.
For each of the scenarios in questions 18 to 20, access the ITPA Code of Ethics (Long URL:
https://www.itpa.org.au/code-of-ethics/) to identify at least one relevant code of ethics that
has been breached.
18. Your manager has asked your colleague to email your work team informing them of
important changes to the Data Management Policy.
You notice that one person has not been included in the email.
This is a deliberate omission because they felt that the person missing from the email list
was not up to the task.
Which of the following ITPA codes of ethics have been breached? Select all that apply.
ITPA Codes: select the correct answer/s
Copyright
IP
Honesty
Co-operation
Education
Fair treatment
Communication
19. You are responsible for birthday celebrations at your workplace. You access the staff
database to note a colleague's date of birth.
During the celebration, you announce to the team how old the colleague is.
Which one of the following ITPA codes of ethics have been breached?
ITPA Codes: select the correct answer/s
Copyright
Education
Co-operation
Privacy
20. It is your responsibility to check system performances at the end of each day. You are
running out of time and decide to come in early the next morning and do it then.
Which one of the following ITPA codes of ethics have been breached?
Copyright
System integrity
Fair treatment
Co-operation
21. For each of the situations detailed below, identify the ethical issue it relates to.
At the end of this topic, you will need to complete the ‘Check your learning’ quiz questions
to test your learning and understanding.
Data management
Data management is storing, organising, and managing data created and collected by an
organisation. This process involves ensuring that the data is accurate and available whilst
being accessible with appropriate protection controls.
secure and reliable systems for data storage, transmission, and backup
compliance with data protection laws, for example, Australian Privacy Principles
procedures and guidelines as to how data is managed to avoid errors
ensuring that data is input in the required format
labelling of data.
Managing data
There are eight basic steps that explain how an organisation can manage its data during the
life cycle.
Step: Description
1. Creating and collecting data: The organisation will create, receive, and collect data during
its usual business operations and will usually have a substantial amount of stored data.
2. Data: It is necessary to ensure that the appropriate types of information are
Collecting data
Methods to collect data will vary in different organisations; however, the overall data
collection process remains the same.
enable compliance with relevant privacy laws, for example, the Australian Privacy
Principles
assist in protecting the company's confidential, proprietary information, such as
certain IP assets, for example, trade secrets, inventions, source codes and
confidential financial information.
Standard categories of data classification have been developed and will depend on
organisational requirements.
Public information
This is data that the organisation can share with the public. This information does not need
encryption or specific protection, and there is negligible or no risk in disclosure.
For example, an organisation will have publicly available information such as its privacy
policy, published financial accounts and product marketing material.
Internal
This is data that is not intended for public disclosure but has low security requirements. For
example, an organisational chart or standard product sales policy.
Unauthorised disclosure of this data is not intended to be made, but it will not cause
significant damage to the organisation and will not breach confidentiality requirements
under relevant laws.
Confidential information
Unauthorised access to this data may pose a moderate to serious risk to the organisation and
may negatively affect it.
Restricted
This is the most sensitive data. If unauthorised access is gained it can place the organisation
at substantial financial, regulatory, and reputational risk. This may result in the organisation
breaching legislative requirements.
For example, leaking personally identifiable information (PII) such as protected health
information or credit card numbers.
Organisations must comply with the privacy, security and ethical laws when sharing data
inside and outside the organisation.
Practice activity
Scenario
You have been asked to back up some of the PII information currently stored on your local
hard drive and place it on a USB drive.
As part of the Gelos Enterprises Data Protection Policy, you are required to encrypt any USB
drive used for storing confidential data.
Note: You can also right-click the USB drive you want to encrypt and select Turn on
BitLocker.
10. Select how much of your USB drive you’d like encrypted. Here, you have two options
– select the entire drive or the used space only. Choose Encrypt entire drive.
11. Choose which encryption mode to use – we want this USB to be able to be used on a
number of different computers, so select Compatible Mode.
12. Click Start Encrypting when ready. How long the encryption takes will depend on the
size of your USB drive, the amount of data you have stored on it, and the system
specs of your machine.
A privacy impact assessment (PIA) is vital in protecting privacy. Under the Australian
Privacy Principles it forms part of an organisation's overall risk management and planning processes.
For example:
Security policies can be labelled with the following information security categories. Let's look
at the principles of information security in more detail.
For example, think about your payroll information at work. You would expect that certain
authorised employees, such as a payroll officer, would need to view or modify your payroll
information but no one else. As an employee, you would not want other employees to view
your pay details. This is because you expect your details to be confidential.
As an example, think about online systems and the internet. We all count on these online
systems in many areas of our modern life. We need them for shopping, banking, gaming,
education and many other areas. When these systems, such as an online banking system, are
not available, this can cause us disruption and inconvenience. We rely on the availability of
online systems.
Organisations must avoid having to secure all data on the IT system as sensitive data, as
some data may not be sensitive, for example, product marketing material.
The IT system and network can then check a label to make security-related decisions, such as
access control and routing.
need to be encrypted
require password protection?
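The paragraphs above describe labelling data so that systems can make security decisions from the label. The following is an added example, not code from the workbook or from Gelos Enterprises: it takes the four classification categories described earlier, raises a record's label to Restricted when its content contains PII (a Luhn-valid payment card number or a health-information keyword), and reports the handling controls the label implies. The handling rules, the detector keywords and the sample records are constructed assumptions for illustration.

```python
"""Label-driven handling decisions for classified data.

Added example: the four labels follow the categories described above; the
handling rules, PII detectors and sample records are constructed for
illustration and are not Gelos Enterprises policy.
"""
import re

# Least to most sensitive. The position in this list gives the label its rank.
LEVELS = ["Public", "Internal", "Confidential", "Restricted"]

# Constructed handling rules implied by each label.
HANDLING = {
    "Public":       {"encrypt_at_rest": False, "password_protect": False, "share_external": True},
    "Internal":     {"encrypt_at_rest": False, "password_protect": True,  "share_external": False},
    "Confidential": {"encrypt_at_rest": True,  "password_protect": True,  "share_external": False},
    "Restricted":   {"encrypt_at_rest": True,  "password_protect": True,  "share_external": False},
}

# 13 to 19 digits, optionally separated by spaces or hyphens (card-number shape).
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Constructed keyword list standing in for a real health-information detector.
HEALTH_TERMS = ("diagnosis", "medicare", "prescription", "medical record")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def detect_pii(text: str) -> list:
    """Return the kinds of PII found in free text (constructed detectors)."""
    found = []
    for match in CARD_RE.finditer(text):
        if luhn_valid(re.sub(r"[ -]", "", match.group())):
            found.append("payment_card")
            break
    lowered = text.lower()
    if any(term in lowered for term in HEALTH_TERMS):
        found.append("health_information")
    return found


def effective_label(declared: str, text: str) -> str:
    """The declared label, raised to Restricted when the content contains PII."""
    if declared not in HANDLING:
        raise ValueError(f"unknown label: {declared}")
    if detect_pii(text):
        return "Restricted"
    return declared


def handling_for(label: str) -> dict:
    """Controls the label implies: encryption, password protection, external sharing."""
    return dict(HANDLING[label])


if __name__ == "__main__":
    # Constructed records: a declared label plus the text being stored.
    samples = [
        ("Public", "Product brochure: our new router launches in May."),
        ("Internal", "Customer paid with card 4111 1111 1111 1111 on 3 May."),
        ("Internal", "Invoice number 1234 5678 9012 3456 is overdue."),
    ]
    for declared, text in samples:
        label = effective_label(declared, text)
        print(f"{declared:>12} -> {label:>12}: {handling_for(label)}")
```

The Luhn check matters: the invoice number in the third sample has the shape of a card number but fails the checksum, so it stays Internal, while the card number in the second sample forces the record to Restricted and therefore to encryption and no external sharing.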
Data storage
The large amounts of information generated and collected by an organisation raise several
challenges in managing the storage of data.
physical risks in relation to the physical location of the data storage infrastructure or
devices
cyber security threats that exist against networks, servers and cloud infrastructure.
A storage device can be computer hardware that stores data temporarily or permanently.
The device can be external or internal to a computer, server, or other systems.
On-site data storage involves servers run by the organisation or in a private data centre
facility. A storage device external to the primary storage is used for backing up and is known
as backup storage. Storage devices are also known as storage media.
It is generally good practice to store data in three locations, known as the 3-2-1 backup rule.
Create at least three copies of your data. For example, store data on the network,
store data on an external hard drive or a backup server in-house, and store data on
an external cloud storage.
Store the copies on two different storage media. For example, storing data on an
external hard drive or back-up server in house.
Store one copy on offsite storage. For example, storing data on external cloud
storage.
This data storage system helps protect the organisation from data loss, degradation, or
corruption due to hardware failure, destruction, theft, or malware infection, for example,
ransomware.
Hybrid clouds allow data and apps to move between two cloud areas or a private and public
cloud. A hybrid cloud allows an organisation to address business requirements or regulatory
compliance issues by maintaining some control without giving third-party data centres
access to all the organisation's data.
Storage Technologies
Digital data storage media can include:
Random Access Memory, or RAM, is the primary storage of a computer. When working on a
file on your computer, it will temporarily store data in your RAM. RAM is a volatile memory
and cannot hold onto information once the system is turned off.
Storage media
Storage media refers to a component within a computing system or a device that can receive
and store information.
SSD vs HDD
SSDs have a faster read and write speed. They have a noiseless operation, greater reliability,
and lower power consumption but are usually more costly.
HDDs have been the usual form of secondary storage for a long time, but SSDs are quickly
overtaking HDD as the preferred technology. Some organisations use SSDs for high-
performing workloads and HDDs for the rest. Other organisations have storage systems that
incorporate both HDDs and SSDs.
Both HDD and SSD devices are also used as external drives.
Both are forms of non-volatile storage that can keep data even if the power gives out, unlike
traditional random-access memory (RAM).
Tape storage
Tape storage is sometimes used for backup and archiving purposes. However, it is slower
and less reliable than other storage media.
Optical storage
Compact Disks (CDs) and DVDs (including Blu-Ray disks) are forms of optical storage
technology that use lasers and lights to read and write data.
DVDs have much greater storage capacity than compact disks. These devices can be used as
storage devices, not only for music and videos.
Flash drives
Also known as a thumb drive, memory stick, jump drive or USB stick. It is a flash-memory
data-storage device that incorporates an integrated USB interface.
Flash memory is generally more efficient and reliable than optical media, being smaller,
faster, and possessing much greater storage capacity.
It is not surprising that people store their personal information on various storage devices
such as their mobile phones, USB drives, laptops, and external drives. Larger organisations
use external devices to implement their backup.
All personal information stored must be protected. You can use various protection strategies
to make sure that your personal information is protected from hackers. Organisations deploy
sophisticated data encryption and pervasive security to protect their sensitive data.
When using portable devices to store such sensitive information, follow these tips to protect
your device.
Password protect your external device (for example, encrypt your USB drive).
Make sure to use complex, strong passwords that are not easy to guess by hackers. It
is also important to make sure that you are not using the same password to access a
lot of systems and devices because that makes your devices and systems more
vulnerable.
Use other forms of access like fingerprints to protect the data on the devices.
When you are copying or accessing the data using the password beware of shoulder
surfers. (Shoulder surfers are people who take advantage to look over your keypad
when you are typing the pin/passwords.)
Avoid using any public device or laptop (including even your friend's computer) to
access your data. You may not be aware of the security status of the new device, and
your data may be vulnerable.
A virtual private network (VPN) can ensure the data is protected when passing information
from one device to another via networks or the internet.
Emerging trends
Visit Storage 101: Modern Storage Technologies (Long URL:
https://www.red-gate.com/simple-talk/sql/database-administration/storage-101-modern-
storage-technologies/) for a discussion of emerging trends in data storage, such as virtual
SANs, intelligent storage, computational storage and storage-class memory.
Examples of cloud service providers are Google Drive, Microsoft OneDrive, Microsoft Azure,
Amazon Web Services and Dropbox. YouTube and similar platforms are also forms of cloud
storage but are not used by organisations to store their data in the same way as a commercial
cloud service provider.
If your primary system is breached and the data is lost or corrupted, you can retrieve it from
the cloud and restore your network data, reducing downtime. Cloud storage uses data
centres with considerable computer servers that physically store the data and make it
available online to users via the internet. Users can remotely upload and store data and
retrieve the data whenever required.
Let's explore some advantages and disadvantages of cloud storage and some considerations
when deciding to use a cloud service provider.
Any organisation holding confidential data will be obliged to maintain the security of that
data to ensure the organisation does not breach obligations under relevant privacy
legislation in relation to personally identifiable information (PII) that it holds.
Cloud computing and privacy: Small business factsheet (pdf) (Long URL:
https://www.communications.gov.au/sites/default/files/small-business-privacy-
factsheet.pdf)
Consider the following questions you might ask a cloud storage provider.
Practice activity
In this activity, you will visit the Google Drive website to create a Google account and access
Google Drive (cloud drive).
If you already have a Google account, then you can access your Google Drive using the link
and proceed with the activity steps.
After you have created and logged into your Google Account, access your Google Drive using
the icon for Google Drive which will be available from the Google apps menu.
Try the same activity with one more cloud storage service of your choice. Some examples to
look at would be Microsoft OneDrive and Dropbox.
Distributed framework
A distributed storage system supports data storage and retrieval among several computers
or storage devices. It will split data across multiple servers and often across more than one
data centre but will behave as one storage system.
Each physical server is called a node and can be located in the same region or different
countries (a distributed data store).
Because data is copied (in whole or part) across several servers in a storage network, if a
single server is down, all the data is backed up and distributed across other nodes.
Platforms such as Amazon S3, Google Cloud and Microsoft Azure offer distributed
service models.
A distributed data system is a cluster of storage units with a mechanism for data
synchronisation and coordination between clustered nodes.
The table following explains the advantages of a distributed data system over the centralised
model.
Advantage: Description
Scalability: Add more storage space by adding more storage nodes to scale up.
Redundancy: Can store more than one copy of the same data for high availability and backup.
Cost: Less expensive to store large volumes of data.
Performance: Distributed data offers better performance than a single server in some cases,
such as storing data closer to its customers.
However, the complexity introduced by distributed systems may diminish their reliability in
some areas.
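The redundancy claim above (a single server can go down and the data is still available) is easiest to see in a tiny replicated store. The following is an added example, not code from the workbook or from any of the platforms named above: each key is placed on two of three nodes using rendezvous hashing, a node can be marked as failed, and reads fall through to whichever replica is still up. Node names, the replication factor and the placement scheme are constructed assumptions.

```python
"""A tiny replicated key-value store showing why distributed storage survives a node failure.

Added example: node names, the replication factor and the placement scheme
(rendezvous hashing) are constructed for illustration, not a real product's design.
"""
import hashlib


class DistributedStore:
    def __init__(self, nodes, replicas=2):
        if replicas > len(nodes):
            raise ValueError("cannot keep more replicas than nodes")
        self.nodes = list(nodes)
        self.replicas = replicas
        self.data = {n: {} for n in self.nodes}   # per-node storage
        self.down = set()                         # nodes currently unreachable

    def placement(self, key):
        """Nodes that hold `key`: the `replicas` highest-scoring nodes under rendezvous hashing.

        Deterministic, so every node agrees on where a key lives without a central index.
        """
        def score(node):
            return hashlib.sha256(f"{node}|{key}".encode()).hexdigest()
        return sorted(self.nodes, key=score, reverse=True)[: self.replicas]

    def put(self, key, value) -> int:
        """Write to every replica that is up; return how many copies were written."""
        written = 0
        for node in self.placement(key):
            if node not in self.down:
                self.data[node][key] = value
                written += 1
        if written == 0:
            raise RuntimeError("no replica available for write")
        return written

    def get(self, key):
        """Read from the first replica that is up and holds the key."""
        for node in self.placement(key):
            if node not in self.down and key in self.data[node]:
                return self.data[node][key]
        raise KeyError(key)

    def available_copies(self, key) -> int:
        return sum(1 for n in self.placement(key)
                   if n not in self.down and key in self.data[n])

    def fail_node(self, node):
        self.down.add(node)

    def recover_node(self, node):
        """Bring a node back and re-sync the keys it should hold from the other replicas."""
        self.down.discard(node)
        for other in self.nodes:
            if other == node or other in self.down:
                continue
            for key, value in self.data[other].items():
                if node in self.placement(key) and key not in self.data[node]:
                    self.data[node][key] = value


if __name__ == "__main__":
    store = DistributedStore(["syd-1", "syd-2", "mel-1"], replicas=2)
    for i in range(5):                       # constructed records
        store.put(f"record-{i}", f"payload {i}")
    store.fail_node("syd-1")                 # one node goes down ...
    print([store.get(f"record-{i}") for i in range(5)])   # ... every record still readable
    print([store.available_copies(f"record-{i}") for i in range(5)])
```

With two replicas the store tolerates exactly one failed node; the complexity the paragraph above warns about shows up in recover_node, which must re-sync the copies written while the node was down.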
Data sharing
Sometimes organisations share data with other organisations to improve various aspects of a
policy, a process or further analysis. While there are always some concerns about sharing
Governing bodies support best practices in data sharing by effectively managing the risk
associated with data sharing. A more balanced approach in data sharing could be achieved
by balancing between a range of risk-management controls and treatments and the benefits
gained by sharing the data rather than flatly reducing the level of details from the data.
Refer to the Australian government Best Practice Guide to Applying Data Sharing Principles
(pdf) (Long URL: https://www.datacommissioner.gov.au/sites/default/files/2019-08/data-
sharing-principles-best-practice-guide-15-mar-2019.pdf) for more information.
1. Projects: Data is shared for an appropriate purpose that delivers a public benefit.
2. People: The user has the appropriate authority to access the data.
3. Settings: The environment in which the data is shared minimises the risk of
unauthorised use or disclosure.
4. Data: Appropriate and proportionate protections are applied to the data.
5. Output: The output from the data sharing arrangement is appropriately safeguarded
before any further sharing or release.
Practice activity
When you sent the emails, you received a delivery failure notice for two of them. The
purchasing team confirmed that the suppliers are still active in the system, so you decided to
call them.
When you called, you found that their email addresses were wrong in the Gelos system. You
collected the correct email addresses as below from the three suppliers.
Data disposal
Whether an organisation creates, collects, transfers, or stores data, they all have one
problem.
What are they going to do with the data once they no longer need to keep it?
Organisations will generally have a policy and procedure for record retention and
destruction. The policy may indicate that certain records are to be held for only a certain
length of time. For example, tax records in Australia are usually only required to be kept for
five years from when you lodged the tax return.
Data disposal
Data disposal includes disposing of all data from your computer or device by putting it in the
trash or by simply deleting the files from the computer. Disposing of data this way means
that the data can still be accessed and therefore can be used by others with malicious intent.
De-identifying data
To de-identify data is to destroy the information by wiping the device clean of data. This
form of data disposal is a secure way to ensure there is no access to or the ability to access
that information.
Depending on the type of personal information involved, the organisation may have specific
obligations under law or a court-tribunal order to retain, destroy, or de-identify personal
information.
Specialised software may be required for digital records or, for physical destruction, the
organisation may engage a company that specialises in the physical destruction of hardware
components to ensure the information is irrecoverable.
For paper documents, a shredder or a shredding company can be used. Audits and
verifications are made to ensure that the policies and guidelines for destruction are carried
out.
Privacy principles
Under Australian Privacy Principles Chapter 11: APP 11 – Security of personal
information (Long URL: https://www.oaic.gov.au/privacy/australian-privacy-principles-
guidelines/chapter-11-app-11-security-of-personal-information/) where the APP entity holds
personal information that it no longer needs for a purpose that is permitted under the APPs,
it must ensure that it takes reasonable steps to destroy or de-identify the personal
information.
Personal information is de-identified under s6 of the Privacy Act 1988 (Cth) 'if the
information is no longer about an identifiable individual or an individual who is reasonably
identifiable'. Personal information is destroyed.
The steps taken to destroy personal information will depend on whether the personal
information is held in hard copy or electronic form.
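The definition above turns on whether the information is still "about an identifiable individual". The following is an added example, not from the workbook, of de-identifying electronic records: direct identifiers are dropped, a date of birth is collapsed to an age band, a postcode is cut to its region prefix, and a final pass checks that free-text fields do not still contain an email address or phone number. The field names, the identifier list and the sample record are constructed assumptions, not the Privacy Act's own list and not Gelos policy.

```python
"""De-identify personal records before retention or sharing.

Added example: field names, the direct-identifier list and the sample record
are constructed; they are not the Privacy Act's list and not Gelos policy.
"""
import re

# Fields that directly identify a person and are removed outright.
DIRECT_IDENTIFIERS = {"name", "email", "phone", "address", "tfn", "bank_account"}

# Upper bound (exclusive) and label for each band; ages of 65 and over fall through.
AGE_BANDS = [(18, "under 18"), (25, "18-24"), (35, "25-34"), (45, "35-44"),
             (55, "45-54"), (65, "55-64")]

EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")
# Australian-style mobile/landline shapes, e.g. "0412 345 678" (constructed pattern).
PHONE_RE = re.compile(r"(?<!\d)(?:\+?61|0)\d[\d ]{7,10}\d(?!\d)")


def age_band(dob_iso: str, reference_year: int) -> str:
    """Collapse a date of birth (YYYY-MM-DD) to a band, using year arithmetic only."""
    age = reference_year - int(dob_iso[:4])
    for upper, label in AGE_BANDS:
        if age < upper:
            return label
    return "65+"


def de_identify(record: dict, reference_year: int) -> dict:
    """Return a copy of the record with identifiers removed or generalised."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            continue                                  # drop direct identifiers
        if field == "dob":
            out["age_band"] = age_band(value, reference_year)
        elif field == "postcode":
            out["postcode_prefix"] = str(value)[:2]   # region only
        else:
            out[field] = value
    return out


def residual_identifiers(record: dict) -> list:
    """Fields that still identify someone: known identifier fields, or values that look like one."""
    hits = []
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            hits.append(field)
        elif isinstance(value, str) and (EMAIL_RE.search(value) or PHONE_RE.search(value)):
            hits.append(field)
    return hits


if __name__ == "__main__":
    # Constructed attendee record of the kind described in the PIA activity below.
    attendee = {
        "name": "Jane Citizen", "email": "jane@example.com", "dob": "1985-03-09",
        "postcode": "2000", "position": "Engineer", "notes": "call 0412 345 678 to confirm",
    }
    cleaned = de_identify(attendee, reference_year=2024)
    print(cleaned)
    print("still identifying:", residual_identifiers(cleaned))   # the free-text notes field
```

The last check is the practical lesson: structured identifier columns are easy to drop, but a phone number pasted into a notes field survives the transform, so the record is not de-identified until that field is cleaned as well.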
Suppose the organisation does not fully understand the types of information it holds and the
purpose for which it is stored. In that case, it will be difficult to protect it from external
attacks or internal lapses in maintaining secure protection of data.
An information register ensures that proper security controls are applied to a particular set of
stored data based on its sensitivity and business value.
Information assets
Where the term sensitive data or sensitive information is used, the word sensitive may be
used in two separate contexts: under privacy laws and under company information.
Under the Privacy Act 1988 (Cth) sensitive personal information is a subset of personal
identifiable information (PII) that has a specific meaning and includes health information
about an individual. For example, where customer information collected by a company
includes health information, this sensitive information has a higher level of protection under
the Privacy Act 1988 (Cth) than other PII.
However, the term sensitive is also used more broadly in relation to company information
where that data is highly confidential to the company. For example, trade secrets, company
developed software IP and internal company cyber intrusion reports.
Access control
Access control is about protecting company data or asset access, such as by restricting
access to specified named individuals or specified job roles or specific authorised company
personnel. For physical assets it involves restricting physical access.
not accessible
physical access restricted
authorised persons only
no restriction.
Confidentiality
Confidentiality rating is about preventing unauthorised access to sensitive information
without limiting the persons who require access to it.
High
Strictly confidential, required to be highly secure, disclosure would severely impact business.
Medium
Confidential but disclosure would have medium impact.
Low
Low security, loss of confidentiality would not materially impact business.
Not confidential
Information made publicly available.
Level of security
Add any relevant comments regarding the asset and the level of security.
The following video on Malware: Difference Between Computer Viruses, Worms and Trojans
(Long URL: https://youtu.be/n8mbzU0X2nQ) (YouTube, 2:46 min) explains what you need to
know about malware. After reviewing the video, answer the questions in the activity that
follows.
Practice activity
Data security
Access control
Access control is the key component of data security.
What factors decide the denial of access to certain information to users who do have the
privilege to access it?
To effectively protect data in an organisation, an access control policy must be in place that
addresses the above questions.
Access control is a method that verifies the user's identity and makes sure that they have
only the appropriate access to the organisational data. Access control consists of two main
components.
Authentication
Authentication is a process or action which confirms that users are who they claim to be.
Authorisation
Authorisation determines whether the user should be allowed to access the data that they
are trying to access. Where most organisations heavily rely on cloud services, the Internet of
Identity and access management protocols are specifically designed to protect the
authentication information as it travels through the networks or between servers.
Several identity access management (IAM) protocols support stronger IAM policies that help
secure the data and its integrity.
By using a virtual private network (VPN), your online identity can be concealed from public
internet connections, because the VPN creates a private network over them.
VPNs can be installed on various machines to create an encrypted tunnel between the
computer and the network. This will ensure that all the user's web traffic and their IP
address are hidden from their internet service providers, therefore helping to keep the data
secured during the communication.
Password protection
Password protection is another way to secure the identity of users in the system and
provides an extra layer of protection. This can be done by the use of sophisticated password
manager apps.
use long and complex passwords (ideally, the password should be 16 characters or
more)
make use of special characters and digits in a complex combination that is hard to
predict
most importantly, make use of password manager apps, for example, 1Password and
LastPass.
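The two components of access control described above, authentication and authorisation, together with the password rules just listed, can be shown in one small piece of code. The following is an added example, not code from the workbook: passwords are stored only as salted PBKDF2 digests and compared in constant time, roles map to permissions, and a policy check enforces the 16-character minimum with digits and special characters. The user names, roles, permission names and iteration count are constructed assumptions.

```python
"""Authentication, authorisation and a password policy check.

Added example: user names, roles, permissions and the iteration count are
constructed; the 16-character minimum follows the guidance above.
"""
import hashlib
import hmac
import os
import string

PBKDF2_ITERATIONS = 200_000       # constructed value; tune to your hardware

# Constructed role-to-permission map used for authorisation.
ROLE_PERMISSIONS = {
    "payroll_officer": {"payroll:read", "payroll:write"},
    "employee": {"payslip:read"},
}


def meets_policy(password: str) -> list:
    """Return the policy rules the password fails; an empty list means it passes."""
    failures = []
    if len(password) < 16:
        failures.append("shorter than 16 characters")
    if not any(c.isdigit() for c in password):
        failures.append("no digit")
    if not any(c in string.punctuation for c in password):
        failures.append("no special character")
    if not any(c.isupper() for c in password) or not any(c.islower() for c in password):
        failures.append("no mix of upper and lower case")
    return failures


def hash_password(password: str, salt: bytes = None) -> tuple:
    """Salted PBKDF2-HMAC-SHA256; the stored record is (salt, digest), never the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def make_user(password: str, roles) -> dict:
    failures = meets_policy(password)
    if failures:
        raise ValueError("password does not meet policy: " + ", ".join(failures))
    salt, digest = hash_password(password)
    return {"salt": salt, "digest": digest, "roles": tuple(roles)}


def authenticate(users: dict, username: str, password: str) -> bool:
    """Confirm the user is who they claim to be (constant-time digest comparison)."""
    record = users.get(username)
    if record is None:
        hash_password(password, b"\x00" * 16)   # same cost as a real check, so timing does not reveal valid names
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, record["digest"])


def authorise(users: dict, username: str, permission: str) -> bool:
    """Decide whether an authenticated user may perform the requested action."""
    roles = users.get(username, {}).get("roles", ())
    return any(permission in ROLE_PERMISSIONS.get(role, set()) for role in roles)


def access(users: dict, username: str, password: str, permission: str) -> str:
    """Authentication first, then authorisation; both must pass."""
    if not authenticate(users, username, password):
        return "denied: authentication failed"
    if not authorise(users, username, permission):
        return "denied: not authorised"
    return "granted"


if __name__ == "__main__":
    # Constructed user store: the payroll officer and an ordinary employee.
    users = {
        "pat": make_user("Correct-Horse-Battery-9", ["payroll_officer"]),
        "sam": make_user("Staple-Gun-Lemonade-42!", ["employee"]),
    }
    print(access(users, "pat", "Correct-Horse-Battery-9", "payroll:read"))   # granted
    print(access(users, "sam", "Staple-Gun-Lemonade-42!", "payroll:read"))   # authenticated, not authorised
    print(access(users, "pat", "wrong-password", "payroll:read"))            # authentication failed
```

Note that the employee in the example is authenticated successfully but still denied: that is the distinction between the two components, and it is why the payroll example earlier in this topic works.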
Encryption
Encryption is the process of turning your data into code.
Encryption is commonly used to protect data on top of password protection. The process
changes the original plaintext into what is called ciphertext using a secret key. It is applied
before the data is sent over the internet, for example by email.
This means that while the data is in transit over any channel, it is encoded. To read it, the
recipient needs the key that decrypts it, which makes the data less vulnerable. This reduces
the risk of theft, destruction or tampering and is standard practice in the IT industry.
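To see plaintext, ciphertext and the key in action, here is an added example that is not from the workbook. It uses only Python's standard library, so it builds a teaching construction rather than a production cipher: the password is stretched into two keys, an encryption key drives an HMAC-SHA256 keystream that is XORed with the plaintext, and a separate authentication key produces a tag so that tampering or a wrong key is detected before anything is decrypted. The message, password and iteration count are constructed; real systems should use a vetted authenticated cipher such as AES-GCM from a maintained cryptography library.

```python
"""Authenticated encryption illustrated with the standard library only.

Added example: a teaching construction (HMAC-SHA256 as a keystream generator
plus an HMAC tag over the ciphertext), not a production cipher. Use a vetted
AEAD such as AES-GCM in real systems. Message and password are constructed.
"""
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000   # constructed value


def derive_keys(password: str, salt: bytes) -> tuple:
    """Two independent keys from one password: one to encrypt, one to authenticate."""
    master = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS, dklen=64)
    return master[:32], master[32:]


def keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Pseudo-random bytes: HMAC(enc_key, nonce || counter) for counter = 0, 1, 2, ..."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return out[:length]


def encrypt(password: str, plaintext: bytes) -> bytes:
    """Return salt || nonce || ciphertext || tag. A fresh nonce per message keeps keystreams distinct."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(password, salt)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, "sha256").digest()
    return salt + nonce + ciphertext + tag


def decrypt(password: str, blob: bytes) -> bytes:
    """Verify the tag first (encrypt-then-MAC), then reverse the XOR."""
    if len(blob) < 64:
        raise ValueError("message too short")
    salt, nonce, ciphertext, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = derive_keys(password, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, "sha256").digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong key or message tampered with")
    return bytes(c ^ k for c, k in zip(ciphertext, keystream(enc_key, nonce, len(ciphertext))))


if __name__ == "__main__":
    message = b"Payroll run for May attached."        # constructed plaintext
    blob = encrypt("Correct-Horse-Battery-9", message)
    print(blob.hex()[:64], "...")                       # unreadable without the key
    print(decrypt("Correct-Horse-Battery-9", blob))     # original plaintext
    try:
        decrypt("wrong-password", blob)
    except ValueError as err:
        print("rejected:", err)
```

The order in decrypt is the point worth remembering: the tag is checked before any decryption happens, so a modified ciphertext is rejected rather than producing garbage that downstream code might act on.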
Practice activity
Try this activity to protect a document you would like to practice with.
1. Go to File > Info > Protect Document > Encrypt with Password.
In your role as an ICT trainee, you have been asked to conduct a privacy impact assessment
(PIA) on the data used for the 2017 Gelos IT conference.
names
addresses
company
position in the company
bank payment details.
At the time, the attendees were asked to complete a paper-based form. The data was then
collated and entered into a database. The paper-based documents were sent to be
destroyed (burnt or shredded), but the database file still remains.
As this conference was so long ago, this data is no longer needed. Complete the PIA
questions to identify the information held and the plan of action.
Assess your responses against the related Australian Privacy Principles Chapter 11: APP 11
— Security of personal information (Long URL:
https://www.oaic.gov.au/privacy/australian-privacy-principles-guidelines/chapter-11-app-11-security-of-personal-information/ )
(if applicable).
Questions  Yes  No
Applications  Select the correct answer/s
Local storage
Cloud storage
Applications  Select the correct answer/s
Authorised personnel
General public
All staff
Only you
Questions  Yes  No
Applications  Select the correct answer/s
Applications  Select the correct answer/s
Applications  Select the correct answer/s
8. Which two of the following can be cyber security threats to network servers?
Applications  Select the correct answer/s
Natural disasters
Unauthorised access
Human error
USB drive
Cloud storage
In your role as an ICT trainee for Gelos Enterprises, you have been asked to complete an
asset information register for the information held by the ICT department.
Complete the questions to select the appropriate responses for each type of asset
information listed in the asset information register.
11. Which of the following asset information details contain Personally Identifiable
Information (PII) under privacy laws?
Asset information details  Select the correct answer/s
Paper-based employee records archived and stored off-site (includes
personal details, salary rates, tax file details, banking details, home
address and contact details).
Promotional videos publicly available (electronic).
12. Which of the following asset information details contain sensitive company data?
Asset information details  Select the correct answer/s
Paper-based employee records archived and stored off-site (includes
personal details, salary rates, tax file details, banking details, home
address and contact details).
Promotional videos publicly available (electronic).
13. Match the asset information with the required access control.
You have received this email in your personal Gmail account inbox.
What type of cyber security threat is this? Select all that apply.
Options  Select the correct answer/s
Phishing
Social engineering
Malware
What type of cyber security threat is this? Select all that apply.
Options  Select the correct answer/s
Phishing
Social engineering
Malware
You find a website offering a free subscription to an IT magazine. You just have to answer a
few questions to activate the subscription. Among the questions are requests for your full
name, month of birth, year of birth and mother's maiden name.
What type of cyber security threat is this? Select all that apply.
Options  Select the correct answer/s
Phishing
Social engineering
Malware
There are poor sick orphan children in Thailand that desperately need your help. You can
make a real difference to their lives. Please send money to PoorSickOrphans. You are real
friend. [image: thumbs up]
What type of cyber security threat is this? Select all that apply.
Options  Select the correct answer/s
Phishing
Social engineering
Malware
Can you pick the elements of the email that indicate that this is a fraud?
How could you tell that this may be a fraudulent email? Select all areas of concern.
Appearance
Personal information
Attachments
Links
Content
Social engineering
Review the following scenarios on malfunctions, threats and risks to answer questions 21
to 24.
Scenario 1
You have been asked by your employer to scan your computer for malware.
Upon running the scan, the protection history page states that at 3:19pm on 23/9/2021
a severe threat was found by Windows Defender Antivirus and action is needed.
21. Once the scan has completed and you are notified that the threat is severe, what are the
next two steps you will take?
Steps  Select the correct answer/s
22. What are three pieces of information you need to include in your report to your
supervisor?
Options  Select the correct answer/s
Scenario 2
As you are logging into an application on your computer, you receive a fatal error.
Virus threat
Ransomware
Malfunction
Phishing
24. What are some warning signs to look out for that may indicate a malware problem?
Select all that apply.
Warning Signs  Select the correct answer/s
Sluggish performance
Software bugs
Unexpected crashes
2. Referring to the OAIC, which three of the following types of data are considered personal
information?
Type of data  Select the correct answer/s
Person’s name X
Anonymous data
Type of data  Select the correct answer/s
Political affiliation X
Religion X
Client name
Criminal record X
Client address
5. A business has policies and procedures in place to protect the personal information of
their clients, staff, and business relations. What Australian Privacy Principle does this
relate to?
Policy or procedure  Select the correct answer/s
6. A business provides the option to individuals to use email addresses which do not
disclose the person’s actual name and/or allows people to comment on forums using an
unidentifiable ‘user name’. What Australian Privacy Principle does this relate to?
Policy or procedure  Select the correct answer/s
8. A business may collect information from a promotional flyer that has been sent to them
by another business and applies the Australian Privacy Principle that outlines how to deal
with this information. What Australian Privacy Principle does this relate to?
Policy or procedure  Select the correct answer/s
You will need to access the Gelos Intellectual Property Policy (pdf) (Long URL:
https://share.tafensw.edu.au/share/items/5f1cec7b-1d03-446a-85b7-edb42692c34e/0/?
attachment.uuid=1ab93cf6-0eed-498a-95a5-585a22042d54) to answer the following
question.
Statements  True/False
All employees, including contractors and consultants, are responsible for properly
identifying, attributing, and preserving IP owned by Gelos Enterprises.  True
Employees who have confidential information from a former employer can now share the
information with their current employers as they do not work with their former employer
anymore.  False
Employees can freely disclose Gelos Enterprises’ proprietary or confidential information to
third parties with whom Gelos is doing business, such as suppliers, licensees, or consultants
without any legal or formal agreement.  False
Topic 2:
1. A staff member of Gelos has created a new logo for a product the company will soon be
marketing. Identify which policy document you can use to obtain more information.
Options  Select the correct answer/s
Privacy Policy
Ethics Policy
2. A client has asked to see the personal information that Gelos currently holds on them.
Identify which Gelos policy document you can use to obtain more information.
Options  Select the correct answer/s
Privacy Policy X
Ethics Policy
3. Identify which Gelos policy document you can use to obtain more information on storage
of paper-based records such as client contracts and employee agreements.
Options  Select the correct answer/s
Privacy Policy
Ethics Policy
4. Identify which Gelos policy document you can use to obtain more information on correct
filing procedures for employee payroll data which includes bank account details.
Options  Select the correct answer/s
Privacy Policy X
Ethics Policy
Options  Select the correct answer/s
Privacy Policy
Ethics Policy
6. Identify which Gelos policy document you can use to obtain more information on details
of the format for a new password, for example, number of characters, use of capitals,
numbers and symbols.
Options  Select the correct answer/s
Privacy Policy
Ethics Policy
The CEO of Gelos Enterprises, Catherine Dunn, has asked all Gelos ICT employees to read the
new security policy statement. Review the policy statement to answer the following
questions.
Those without proper identification are not permitted entry to the Gelos premises.
7. Which parties are responsible for enforcing the policy? Select all that apply.
Options  Select the correct answer/s
8. What controls would be most appropriate to assist the security and reception staff to
enforce the policy? Select all that apply.
Options  Select the correct answer/s
CCTV cameras X
Gelos executives
The HR department
Security guards X
9. You have noticed that security has been allowing people to enter the premises without
ID. Who are you going to report this to? Select all that apply.
The HR department
10. Which one of the following is the preferred time frame for reporting a breach?
Options  Select the correct answer/s
Within 1 hour
Immediately X
Within 12 hours
Statements  True/False
If you copy the source-code from other applications, it would be a non-compliant
incident.  True
12. Which policy would copying the source-code from other applications breach?
Options  Select the correct answer/s
Intellectual property X
Privacy policy
13. Which two ethical principles would be breached according to the Information Technology
Professional Association (ITPA) Code?
Options  Select the correct answer/s
Privacy X
Honesty X
Communication
Education
Options  Select the correct answer/s
Statements True/False
Staff training should be carried out regularly to avoid this type of breach True
16. Consider the following statements and identify whether these are true or false.
Tip
Statements  True/False
You can never copy someone else’s sound recording  False
There are certain circumstances in which a computer program can be copied  True
Artistic work is protected by copyright even when the work is not considered beautiful  True
The Copyright Act 1968 (Cth) controls the copyright in Australia to protect all original
works of authorship.  True
18. Your manager has asked your colleague to email your work team informing them of
important changes to the Data Management Policy.
You notice that one person has not been included in the email.
This is a deliberate omission because they felt that the person missing from the email list
was not up to the task.
Which of the following ITPA codes of ethics have been breached? Select all that apply.
ITPA codes  Select the correct answer/s
Copyright
IP
Honesty X
Co-operation X
Education X
Fair treatment X
Communication X
19. You are responsible for birthday celebrations at your workplace. You access the staff
database to note a colleague's date of birth.
During the celebration, you announce to the team how old the colleague is.
Which one of the following ITPA codes of ethics has been breached?
Copyright
Education
Co-operation
Privacy X
20. It is your responsibility to check system performances at the end of each day. You are
running out of time and decide to come in early the next morning and do it then.
Which one of the following ITPA codes of ethics has been breached?
ITPA codes  Select the correct answer/s
Copyright
System integrity X
Fair treatment
Co-operation
21. For each of the situations detailed below, identify the ethical issue it relates to.
Topic 3:
1. Read the following questions and indicate ‘Yes’ or ‘No’.
Yes  No
Local storage
Cloud storage X
Applications  Select the correct answer/s
Authorised personnel X
General public
All staff
Only you
Questions Yes No
Applications  Select the correct answer/s
Applications  Select the correct answer/s
8. Which two of the following can be cyber security threats to network servers?
Natural disasters
Unauthorised access X
Human error
USB drive X
Cloud storage X
In your role as an ICT trainee for Gelos Enterprises, you have been asked to complete an
asset information register for the information held by the ICT department.
Complete the questions to select the appropriate responses for each type of asset
information listed in the asset information register.
11. Which of the following asset information details contain Personally Identifiable
Information (PII) under privacy laws?
Asset information details  Select the correct answer/s
Paper-based employee records archived and stored off-site (includes
personal details, salary rates, tax file details, banking details, home X
address and contact details).
Promotional videos publicly available (electronic).
12. Which of the following asset information details contain sensitive company data?
Asset information details  Select the correct answer/s
Paper-based employee records archived and stored off-site (includes
personal details, salary rates, tax file details, banking details, home X
address and contact details).
Promotional videos publicly available (electronic).
13. Match the asset information with the required access control.
15. M
What type of cyber security threat is this? Select all that apply.
Options  Select the correct answer/s
Phishing X
Social engineering X
Malware
What type of cyber security threat is this? Select all that apply.
Options  Select the correct answer/s
Phishing
Social engineering X
Malware X
What type of cyber security threat is this? Select all that apply.
Options  Select the correct answer/s
Phishing X
Social engineering
Malware X
There are poor sick orphan children in Thailand that desperately need your help. You can
make a real difference to their lives. Please send money to PoorSickOrphans. You are real
friend. [image: thumbs up]
What type of cyber security threat is this? Select all that apply.
Options  Select the correct answer/s
Phishing
Social engineering X
Malware
Can you pick the elements of the email that indicate that this is a fraud?
How could you tell that this may be a fraudulent email? Select all areas of concern.
Options  Select the correct answer/s
Appearance X
Personal information X
Attachments
Links
Content X
Social engineering X
Scenario 1
You have been asked by your employer to scan your computer for malware.
Upon running the scan, the protection history page states that at 3:19pm on 23/9/2021
a severe threat was found by Windows Defender Antivirus and action is needed.
21. Once the scan has completed and you are notified that the threat is severe, what are the
next two steps you will take?
Options  Select the correct answer/s
Write a report to your supervisor  X
22. What are three pieces of information you need to include in your report to your
supervisor?
Options  Select the correct answer/s
The type of antivirus software installed
The time of the threat  X
The age of the computer
Scenario 2
As you are logging into an application on your computer, you receive a fatal error.
[Figure 21: Fatal error dialog. Version: V20.01.00 (Release); Source File: unknown; Line
Number: -1; Function/Method: unknown; OS Version: Unrecognized OS 64-bit (- Build 9200);
Thread Id: 00002bf0 (11248); Error 0xc0000005 (-1073741819); EXCEPTION_ACCESS_VIOLATION -
An "access violation" exception was generated. Press OK to terminate this application.]
Malware  Select the correct answer/s
Virus threat X
Ransomware
Malfunction X
Phishing
24. What are some warning signs to look out for that may indicate a malware problem?
Select all that apply.
Sluggish performance X
Software bugs
Unexpected crashes X
One of the best ways to prevent unauthorised account access is to change passwords.
Regularly changing passwords could prevent ongoing data loss. When paired with systems that
detect malware, this is a simple and effective way to fight data intrusion.
an act
a regulation
a code
a standard
a policy
a procedure.
After you have found your document, please complete the activities following.
Example Response
Note: in this example response, different documents have been used for question 1 and 2,
and question 3.
2. The document outlines how to remove and store ICT components, including software
and hardware.
3. I could use the Gelos Enterprises Privacy Policy (pdf) (Long URL:
https://share.tafensw.edu.au/share/items/5f1cec7b-1d03-446a-85b7-
edb42692c34e/0/?attachment.uuid=df50b7f8-f190-4a3c-aad0-83297b3c395d) to
ensure I collect, use, maintain and disclose information in an appropriate manner.
Options  Select the correct answer/s
Copyright issue
Plagiarism
2. What are the risks to Gelos Enterprises as a result of this incident? Select 3 correct
answers.
Loss of employees
A plagiarising breach
3. Which part of the Gelos Data Protection Policy (pdf) confirms that an infringement has
occurred?
Copy and paste the part of the policy that you believe has been breached.
(Approximately 50 to 60 words)
The part of the policy that has been breached may include:
or
3. Access Control
Access control is about protecting company data or asset access by restricting access to
specified named individuals, job roles, or authorised company personnel. For digital assets, it
involves the use of passwords and/or two-stage authentication. For physical assets, it
involves restricting physical access.
4. Identify and name one principle in the ITPA Code of Ethics that has been breached.
Copy and paste the principle in the policy that you believe has been breached.
(Approximately 30 to 50 words)
Privacy
I will access private information on computer systems only when it is necessary in the course
of my duties. I will maintain the confidentiality of any information to which I may have
access. I acknowledge statutory laws governing data privacy such as the Australian Privacy
Principles
or
System Integrity
I will strive to ensure the integrity of the systems I have responsibility for, using all
appropriate means -- such as regularly maintaining software and hardware; analysing system
performance and activity; and, as far as possible, preventing unauthorised use or access.
5. Review the Gelos Data Protection Policy (pdf) and make two recommendations for
procedures that will improve and maintain the current practices.
Restricting access
Access control is about protecting company data or asset access by restricting access to
specified named individuals, job roles, or authorised company personnel. For digital assets, it
involves the use of passwords and/or two-stage authentication. For physical assets, it
involves restricting physical access.
Encryption of the sensitive data
Encryption with a secret key is used to make data indecipherable unless decryption of the
dataset using the assigned key is carried out.
Encryption and partitioning are also used to protect personal identifiers.
6. Locate and use the risk identification and rating process used at Gelos and rate the level
of risk to the company in this scenario. Include your justification why this would be the
appropriate level.
(Approximately 40 words)
Policy
The policy is Gelos ICT Risk Management Policy (pdf) (Long URL:
http://share.tafensw.edu.au/share/items/5f1cec7b-1d03-446a-85b7-edb42692c34e/0/?
attachment.uuid=d03451a2-9997-461e-89e9-ef2e283fcd1f).
Risk level
Risk level is high.
Justification
The data is sensitive and the likelihood is possible, making it a high level risk.
The data is accessible only by staff using that particular computer, meaning it is not likely,
but is certainly possible.
Study the following scenario and identify where data protection has been neglected.
An ICT trainee works at the customer desk at Gelos Enterprises. A person walks in requesting
access to their paper file. The trainee asks for the person’s name, retrieves the file and hands
it to the client. The client thanks the trainee and leaves the premises.
The trainee sends a message to the supervisor saying that the file has been handed to the
client.
The supervisor is angry with the trainee and says that their actions may have caused security
and confidentiality breaches.
What steps could the trainee have taken to avoid security and confidentiality breaches?
The trainee should have asked the client for proper identification. An unauthorised person
may have collected it and private information may have been shared to the wrong party.
The trainee should have confirmed with the supervisor that the file may be handed over.
Although most of the file may have belonged to the client, there may be outstanding bills
preventing the file to be returned to the client.
The file must be checked before returning to the client as notes made by the authorised
person working on the file do not belong to the client and should be removed.
Scenario 2
Study the following scenario and identify where data protection has been neglected.
The PPI password protection procedure states that each new client file should be password
protected, using the client name and the year the file was created, for example,
ClientName_2021, as the encryption password.
Scenario 1
You are asked to join an exciting new project; however, you don’t fully believe you have the
required training.
You really want to participate in the project as it will enhance your career.
What should you do?
The honesty section of the ITPA Code of Ethics would apply in this situation.
Scenario 2
You are working for a large financial organisation, where the integrity of customer
information is paramount.
The privacy section of the ITPA Code of Ethics would apply in this situation.
Scenario 3
You are working with your boss on a large proposal to install computer software for a large
retail business.
You are aware that this software solution is not fully costed, and there is a possibility of a
cost overrun. The installation is important for the business. What should you do?
The communication section of the ITPA Code of Ethics would apply in this situation.
Scenario 1
You have been asked to prepare a report for your supervisor on the existing customer
database you have been updating.
However, you can’t decide if you should provide a verbal or written report.
What question could you ask your supervisor to confirm the correct reporting procedure
they are expecting?
Scenario 2
You met with a client to find out more details about their security requirements and asked
the following questions.
1. Can you walk me through your security requirements needed for your business?
2. So, you want something that is easy to use?
3. When do you want it by?
Question 1: This is an open question. It invites the client to approach this in their own way.
Question 2: You could say this is a closed question as the client can answer just ‘yes’ or ‘no’.
However, its main function is to confirm or clarify information. So, this is also a clarifying
question.
Question 3: This is a closed question. It asks for a simple timeframe.
Check the scenarios, think about the questions and check the feedback.
Scenario 1
One of the ICT support staff at Gelos Enterprises is having a conversation with a new client to
clarify some aspects of the security brief. During the conversation, they feel their mobile
phone vibrate and check it for messages.
Scenario 2
Your supervisor is very empathetic. Whenever you need to clarify something, they stop what
they are doing. Their body language tells you they are really interested.
Yes, they are taking the time to be fully present and focus on you.
Image attributions
Getty image 1276626711, Getty image 1227600817, Getty image 1132112674: licence
Figure 18: Google apps menu, p. 89, TAFE NSW, © TAFE NSW 2021, N/A
Figure 20: Protection history notification, p. 112, TAFE NSW, © TAFE NSW 2021, N/A
Figure 21: Fatal error, p. 113, TAFE NSW, © TAFE NSW 2021, N/A