
Student workbook

Security and Privacy


TAFE NSW would like to pay our respect and acknowledge Aboriginal and Torres Strait Islander Peoples as the
Traditional Custodians of the Land, Rivers and Sea. We acknowledge and pay our respect to Elders, past, present
and emerging of all Nations.

Version: 20201214

Date created: 23 November 2020

Date modified: 14 December 2021

For queries contact: Technology and Business Services

© TAFE NSW 2021


RTO Provider Number 90003 | CRICOS Provider Code: 00591E

This resource can be found in the TAFE NSW Learning Bank.

The content in this document is copyright © TAFE NSW 2021 and should not be reproduced without the permission of
TAFE NSW. Information contained in this document is correct at time of printing: 27 May 2024. For current
information please refer to our website or your teacher as appropriate.
Content
Getting started (p. 5)
  What will I learn by completing this workbook? (p. 6)
  Icon legends (p. 7)
Topic 1: Workplace Information (p. 8)
  Overview (p. 9)
  Activity 1.1: Gelos Enterprises security breach (p. 9)
  What is workplace information? (p. 10)
  Legislative framework (p. 11)
  Activity 1.2: Legislative Framework (p. 14)
  Workplace policies and procedures (p. 14)
  Industry standards (p. 17)
  Privacy and sensitive data (p. 18)
  Privacy legislation (p. 20)
  Notifiable Data Breaches scheme (NDB) (p. 22)
  Intellectual property (IP) (p. 24)
  Topic 1: Check your understanding (p. 28)
Topic 2: Working in an Organisation (p. 33)
  Overview (p. 35)
  Workplace policies and procedures (p. 35)
  Risk management policy (p. 40)
  Activity 2.1: Identify risks and infringements (p. 41)
  Code of ethics (p. 44)
  Compliance (p. 44)
  Data protection (p. 45)
  Activity 2.2: Data breach (p. 46)
  Ethics (p. 47)
  Activity 2.3: Reflection activity: Ethical decisions (p. 51)
  Improving and maintaining documentation (p. 52)
  Reporting (p. 53)
  Communication (p. 54)
  Activity 2.4: What sort of question should you ask? (p. 56)
  Activity 2.5: Active Listening (p. 57)
  Topic 2: Check your understanding (p. 58)
Topic 3: Managing Data (p. 68)
  Overview (p. 69)
  Data management (p. 69)

Document name: Cl_SecurityPrivacy_SW Page


Resource ID: Cl_SecurityPrivacy_TL_SW | Version: 20211214 © TAFE NSW 2021
  Managing data (p. 70)
  Classifying information (p. 72)
  Data privacy, security and ethics (p. 73)
  Activity 3.1: Securing backup data (p. 74)
  Privacy impact assessment (PIA) (p. 78)
  Organising and labelling data (p. 79)
  Data storage (p. 82)
  Storage Technologies (p. 83)
  Cloud storage (p. 87)
  Activity 3.2: Create a cloud backup storage account (p. 89)
  Distributed framework (p. 90)
  Data sharing, accuracy and preservation (p. 91)
  Activity 3.3: Verifying and maintaining data (p. 92)
  Data disposal (p. 93)
  Privacy principles (p. 94)
  Asset information register (p. 95)
  Threats to data (p. 98)
  Activity 3.4: Fraudulent email features explained (p. 98)
  Data security (p. 99)
  Activity 3.5: Password protect Microsoft Word document (p. 101)
  Topic 3: Check your understanding (p. 102)
Answers to check your understanding questions (p. 116)
  Topic 1 (p. 116)
  Topic 2 (p. 120)
  Topic 3 (p. 129)
Answers to practice activities (p. 142)
  Activity 1.1: Gelos Enterprises security breach (p. 142)
  Activity 1.2: Legislative framework (p. 142)
  Activity 2.1: Identify risks and infringements (p. 143)
  Activity 2.2: Data breach (p. 147)
  Activity 2.3: Reflection activity: Ethical decisions (p. 148)
  Activity 2.4: What sort of question should you ask? (p. 149)
  Activity 2.5: Active Listening (p. 151)
References (p. 152)
Image Attributions (p. 153)

Getting started

What will I learn by completing this workbook?
This workbook covers these units of competency:

• BSBXCS303 Securely manage personally identifiable information and workplace information
• ICTICT313 Identify IP, ethics and privacy policies in ICT environments

Successfully completing these units will give you the skills and knowledge required to:

• securely manage personally identifiable information (PII) and workplace information
• understand and use organisational IP, ethics, and privacy policy procedures
• identify non-compliance incidents and risks within an organisation
• apply information protection protocols
• respond to risks and breaches according to policies, procedures, and legislation
• use communication processes and procedures related to identifying IP, ethics, and privacy policies in ICT environments.

Alright, let’s get started!

Icon legends

Icon: Practice activity
Description: Learning activities help you to gain a clear understanding of the content in this resource. It is important for you to complete these activities, as they will enhance your learning. The activities will prepare you for assessments.

Icon: Collaboration
Description: You will have opportunities to collaborate with others during your study. This could involve group activities such as mini-projects or discussions that will enable you to explore and expand your understanding of the content.

Icon: Self-check
Description: An activity that allows you to check your learning progress. The self-check activity gives you the opportunity to identify areas of learning where you could improve. If you identify these, you could review the relevant content or activities.

Icon: Resources (required and suggested)
Description: Additional resources throughout this workbook, such as chapters from textbooks, online articles, videos, diagrams, and infographics. These are supplementary resources, which will enhance your learning experience and may help you complete the unit.

Icon: Assessment task
Description: At different stages throughout the workbook, after you have completed the readings and activities, you may be prompted to complete one or more of your assessment tasks.

Icon: Video
Description: Videos will give you a deeper insight into the content covered in this workbook. If you are working from a printed version, you will need to look these up using the URL (link to the video online) provided.

Topic 1: Workplace Information

Overview
The digital world allows your organisation to hold vast amounts of information. So, what is
essential, and where can you find it? With the growing cyber security threat, what are your
obligations to protect it from falling into the wrong hands?

In this lesson, you'll learn about information sources, where to find the information you
need and how to access it. You will be introduced to the laws and the legislative bodies that
govern digital data protection.

You will learn about:

• types of workplace information
• personal identifiable information (PII)
• the privacy policy and legislation
• intellectual property, including copyright, trademarks and infringement.

At the end of this topic, you will need to complete the ‘Check your learning’ quiz questions
to test your learning and understanding.

Practice activity

Activity 1.1: Gelos Enterprises security breach


Gelos Enterprises has fallen victim to a security breach. An employee was tricked into giving away personal information, a security mistake that exposed employee information such as names, addresses, phone numbers and dates of birth. The information leak led to several employees' credentials being accessed, which were then used to access the Gelos corporate network.

What could you have done to prevent this from happening?

What is workplace information?
Every workplace relies on exchanging information to carry out daily business. A workplace
will create, collect and use different types of information and documents specific to their
organisation.

Types of workplace information


The various types and quantities of information kept by an organisation will depend on the
business. It is important to become familiar with the kind of workplace information you will
be using. Managing and maintaining workplace documents in an organised manner is
essential.

Common types of workplace information can include:

Information type: Examples
Instructions: Manuals, images and diagrams
Messages: SMS, notes and call logs
Correspondence: Emails, shared calendar entries and client letters
Personal records: Employee details, contracts and annual leave
Account records: Financial records, invoices and statements from customers or suppliers
Marketing material: Flyers and invitations to promotional events
Workplace documents: Policies and procedures, WHS risk assessments and reports
Online information: Cyber security, electronic client database and asset details
Multimedia: Training and marketing videos

Table 1 Common types of workplace information

Storing Information
There are many ways to store information and every business will have a system that suits their needs.

• A small company might use a personalised filing system for paper documents and electronic files.
• A large organisation may use a centralised electronic system allowing worldwide access.
• General types of software can be used to record and manage information, for example Word, Excel or accounting programs.

Whichever storing option a company selects, using policies and procedures will ensure
consistency and ease of use.

Locating Information
To locate information, you need to know how to access it while considering your legal and job responsibilities.

• Records need to be organised, so they are easy to locate and identifiable by all personnel who need to access them.
• Know what you are looking for, as there may be multiple versions of a file or document. Version control is a means to identify the most current information.
• Store and collect the information according to the organisation's policies and procedures.
• Confidential files are often password-protected so that only authorised personnel can access them.

Legislative framework
Throughout your learning, you will be using the following terminology from the legislative
framework. It will be useful to familiarise yourself with these terms.

Figure 1: Legislative Framework Pyramid (© TAFE NSW 2021)

Acts
Acts are the broad framework that sets out the fundamental principles of the legislation. An
act also provides the duties, rights and obligations of all parties.

Regulations
Regulations are designed to support an act of law. They are the 'how to' and provide procedural and administrative guidelines to help us comply with the act.

Codes of Practice
Codes of Practice set out the minimum requirements on how to comply with the acts and
regulations.

Australian Standards
‘Australian Standards set out specifications and design procedures to ensure products and
services consistently perform safely, reliably, and the way they're intended to. There are two
types of standards, mandatory and voluntary.’
Source: Service NSW (Long URL: https://www.service.nsw.gov.au/transaction/comply-australian-standards)

'Standards on their own are voluntary. Standards become mandatory when referred to in
State and Commonwealth legislation.'
Source: Standards Australia, What is a Standard? (Long URL: https://www.standards.org.au/standards-development/what-is-standard).

Industry Standards or Guidance Materials


Policies and procedures provide guidelines to ensure compliance with relevant legislative
and industry standards.

Legal requirements
Organisations take a best practice approach in protecting and managing information. There
will be information that your organisation is required to keep by law. For example, financial
data and safety incidents will need to be kept for several years.

Being compliant with legal obligations can:

• increase the confidence and trust of various stakeholders
• provide certainty and security of data within the organisation.

Follow your organisation's procedures for filing and retrieving confidential information. The
security measures put in place by an organisation will vary according to organisational and
legal requirements.

The security measures may include:

• files are not to be taken off the premises without proper authorisation
• copies of files are not to be taken for any reason or without authorisation
• a password is required to access certain files
• specific files may only be viewed in a particular room
• some files by law may have restricted access; for example, some government records
• personal files must remain confidential.

Practice activity

Activity 1.2: Legislative Framework


Find one of the following documents from the legislative framework that relates to IT:

• an act
• a regulation
• a code
• a standard
• a policy
• a procedure.

After you have found your document, please complete the activities following.

1. Provide a link to the document.
2. Write one sentence on your understanding of what the document addresses.
3. State how you would use this information within your own workplace.

Workplace policies and procedures


What are Policies and Procedures?
Organisational policies and organisational procedures are two different types of documents
that guide employees and employers with detailed, comprehensive guidelines for
performing specific tasks.

Every organisation should have well-documented and comprehensive workplace policies and
procedures for dealing with, filing, and storing workplace information. These policies and
procedures may vary between organisations.

Figure 2: Policy Handbook (© Getty Images copied under licence)

Policies
A policy explains what needs to be done. It is a guiding principle relating to legislation,
standards, or the organisation's values.

Industry policy is a set of rules and principles that guide industry members and workers on
the organisation's mission, values and standards for behaviour and performance. A policy is
not necessarily legally binding but may be used to support a legal argument as to the
appropriate measures that apply in an organisation.

An organisation's policy will set out the organisation's position in relation to the subject of
the policy. It should reflect legislation, industry standards and specific values and operations
of the business.

Some examples of IT company policies include:

• help desk policy
• privacy policy
• intellectual property policy
• risk management policy
• data protection policy
• compliance policy.

Procedures
A procedure explains how it is done. It contains practical information and directions on how
work should be carried out to an acceptable standard.

An organisation's policy contains procedures that outline the steps and directions on how an
activity is carried out to an acceptable standard. The procedures need to consider relevant
legislation, standards and other policies that apply to the organisation. For example, an
electronic data backup procedure outlines how electronic data should be handled to protect
the information in a cyber-attack.

Some examples of procedures for an IT role include:

• IT maintenance procedure
• IT backup procedure
• information privacy procedure
• password protection procedure
• IT consultant conduct procedure
• software installation procedure
• password management procedure
• electronic data disposal procedure
• transmission of sensitive data procedure.

Practices
Practices are the actual methods used for performing tasks or processes within the organisation. They may be captured in a policy or procedure, but they are often communicated verbally by colleagues or during staff training rather than officially documented.

Industry standards
What are industry standards and why are they needed?
Industry standards intend to ensure that industry members conduct their business
operations, including providing services and products to an acceptable, safe and consistent
professional standard.

Several Australian and international standards are relevant to IT organisations and information security management, for example the industry standard AS/NZS ISO/IEC 27000 series. They are designed to aid companies in managing potential data security breaches and cyber-attacks.

In 2020, Standards Australia launched a task force of industry representatives tasked with
establishing baseline cyber security standards to improve the practice of cyber security
across Australian industries.

The article, Standards Australia to set cyber security standards (Long URL:
https://ia.acs.org.au/article/2020/standards-australia-to-set-cyber-security-standards.html),
is a great resource you can refer to that provides information on the cyber security industry
standards.

Codes of practice
Codes of practice provide detailed, clear information to help workplaces achieve their
responsibilities. They make understanding and implementing the act and regulations a more
straightforward process, offering suggestions for workplaces to follow.

Codes of practice do not replace the acts or regulations and are not mandatory. Instead,
they provide workplaces with a set of standards established by governing bodies equivalent
to the legal requirements.

Codes of practice are available online via the state or territory authority's website. For
example, visit the Information Technology Professionals Association (ITPA) Code of
Ethics (Long URL: https://www.itpa.org.au/code-of-ethics/) for specific information on the
code for ethics in a workplace.

Privacy and sensitive data
What is PII data?
Personally identifiable information (PII) is data explicitly relating to an individual. Privacy and sensitive data can be used by organisations to identify, locate or contact a person. It is also used to collect marketing data. Technology companies can track and misuse collected data. An example of PII abuse is the marketing data collected via social media apps, such as Facebook and Instagram, for the benefit of the advertisers rather than the social media account holder.

Everyone using IT needs to be aware of the security of their data and manage their privacy.
Use strong passwords that meet security or organisation standards when used at work and
change them regularly. Password protection will be discussed later in your learning.

Each person's information may contain sensitive data, which can be exposed if not securely
protected.

In Australia, the Privacy Act 1988 (Cth) (Long URL: https://www.legislation.gov.au/Details/C2014C00076) defines personal information as information or an opinion, whether true or not, about an individual whose identity is apparent or can reasonably be ascertained.

What is sensitive data?
Sensitive personally identifiable information (PII) can be classified as information that is difficult to locate from a public source, including information or opinions about an individual. Organisations that handle this sort of information must be vigilant to collect, store, use and disclose sensitive data appropriately and securely. Sensitive information often relates to an individual's ethnic origin, political opinion, religious beliefs, sexual orientation, criminal record, health, genetic and biometric data.

What is non-sensitive data?
Non-sensitive personally identifiable information (PII) includes any publicly available information. This can include gender, place, or date of birth. However, when combined with other information, it can become easy for others to identify an individual.

Who is responsible?
Safeguarding PII is a shared responsibility with the owner of the data and the organisation
that holds the PII. It is best practice for organisations to ensure data confidentiality, prevent
data leaks and breaches, protect data from being destroyed and secure all PII.

Figure 3: Personal Data (© Getty Images modified under licence)

Now that you know what PII is and who is responsible for protecting it, consider the following for protecting your PII.

Categorise all PII
Identify PII data and classify it into data that is not easily accessible (medical information, driver's licence) and data that is easy to access (date of birth, postcode). This will allow you to identify exactly which data needs a security strategy.

Conduct a risk assessment
Ask yourself: what are the risks to the company and the client if the information was leaked or lost?

Create access and privilege
Activate settings so you have control over who can see the data. This will help protect against data loss or alteration.

Use encryption
Protect access to data to avoid it falling into the wrong hands.

Storing PII
Avoid storing information that you no longer need.

Follow policies and procedures
Ensure you follow the organisation's policies and procedures.
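To make the sensitive/non-sensitive distinction and the "Categorise all PII" and "Conduct a risk assessment" steps above concrete, here is an added example in Python. It is not part of the TAFE NSW workbook: the field names, the sensitivity tiers and the eight employee records are all constructed for illustration. The code sorts a record's fields into tiers, then counts how many people share each combination of "non-sensitive" fields, which demonstrates the workbook's point that details which are public on their own (gender, postcode, date of birth) can single out an individual once combined.

```python
"""Added example (not from the TAFE NSW workbook): categorise PII fields and
measure the re-identification risk created by combining non-sensitive fields.
Field names, tiers and the employee records are constructed for illustration."""
from collections import Counter
from typing import Dict, Iterable, List, Sequence, Tuple

# Constructed field tiers, following the workbook's split between sensitive PII
# (hard to obtain from a public source) and non-sensitive PII (publicly available
# on its own). A real register would take these from the organisation's data
# classification policy rather than a hard-coded set.
SENSITIVE_FIELDS = {"medical_condition", "drivers_licence", "tax_file_number",
                    "ethnic_origin", "religious_belief", "criminal_record"}
NON_SENSITIVE_FIELDS = {"first_name", "gender", "postcode", "date_of_birth"}


def categorise(record: Dict[str, str]) -> Dict[str, List[str]]:
    """Sort a record's field names into sensitive, non-sensitive and unclassified.
    Unclassified fields are the ones to flag for review: a field must not be
    treated as non-sensitive just because nobody has labelled it yet."""
    tiers: Dict[str, List[str]] = {"sensitive": [], "non_sensitive": [], "unclassified": []}
    for field in record:
        if field in SENSITIVE_FIELDS:
            tiers["sensitive"].append(field)
        elif field in NON_SENSITIVE_FIELDS:
            tiers["non_sensitive"].append(field)
        else:
            tiers["unclassified"].append(field)
    return tiers


def group_sizes(records: Iterable[Dict[str, str]],
                quasi_ids: Sequence[str]) -> Dict[Tuple[str, ...], int]:
    """Count how many records share each combination of the chosen quasi-identifiers."""
    return dict(Counter(tuple(r[q] for q in quasi_ids) for r in records))


def unique_combinations(records, quasi_ids) -> List[Tuple[str, ...]]:
    """Combinations matching exactly one record: each field is 'non-sensitive'
    on its own, yet together they identify one person."""
    return [combo for combo, k in group_sizes(records, quasi_ids).items() if k == 1]


def smallest_group_size(records, quasi_ids) -> int:
    """The 'k' of k-anonymity: the smallest number of records sharing any one
    combination. k = 1 means at least one person is uniquely identifiable."""
    return min(group_sizes(records, quasi_ids).values())


# Constructed sample of eight employee records (no real people).
EMPLOYEES = [
    {"first_name": "Ava", "gender": "F", "postcode": "2000", "date_of_birth": "1990-03-14", "medical_condition": "asthma"},
    {"first_name": "Gia", "gender": "F", "postcode": "2000", "date_of_birth": "1988-05-09", "medical_condition": "none"},
    {"first_name": "Ben", "gender": "M", "postcode": "2000", "date_of_birth": "1985-07-02", "medical_condition": "none"},
    {"first_name": "Cal", "gender": "M", "postcode": "2000", "date_of_birth": "1985-07-02", "medical_condition": "diabetes"},
    {"first_name": "Dee", "gender": "F", "postcode": "2150", "date_of_birth": "1992-11-30", "medical_condition": "none"},
    {"first_name": "Fay", "gender": "F", "postcode": "2150", "date_of_birth": "1992-11-30", "medical_condition": "none"},
    {"first_name": "Eli", "gender": "M", "postcode": "2150", "date_of_birth": "1979-01-21", "medical_condition": "none"},
    {"first_name": "Hal", "gender": "M", "postcode": "2150", "date_of_birth": "1979-01-21", "medical_condition": "none"},
]

# Progressively larger sets of non-sensitive fields to test as quasi-identifiers.
QUASI_ID_SETS = (("postcode",),
                 ("gender", "postcode"),
                 ("gender", "postcode", "date_of_birth"))


def risk_report(records=EMPLOYEES) -> Dict[Tuple[str, ...], Tuple[int, int]]:
    """For each quasi-identifier set: (smallest group size, number of uniquely
    identified combinations). Shows how risk grows as fields are combined."""
    return {qids: (smallest_group_size(records, qids), len(unique_combinations(records, qids)))
            for qids in QUASI_ID_SETS}


if __name__ == "__main__":
    print("Tiers for first record:", categorise(EMPLOYEES[0]))
    for qids, (k, uniques) in risk_report().items():
        print(f"{'+'.join(qids):35s} smallest group k={k}, uniquely identified={uniques}")
```

Run as a script, the report shows postcode alone shared by four people in every case, gender plus postcode still shared by two, and gender plus postcode plus date of birth leaving two employees uniquely identifiable. That is the moment a supposedly non-sensitive export becomes a privacy risk, and it is why the categorisation step should consider fields in combination, not only one at a time.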

Privacy legislation
Privacy law regulates the way personal information is collected, how it is used, stored and handled. In Australia, privacy is acknowledged as a fundamental human right, and organisations and agencies must handle personal information following:

• The Privacy Act 1988 (Cth) (Long URL: https://www.legislation.gov.au/Details/C2014C00076).
• Notifiable Data Breaches scheme (NDB) (Long URL: https://www.oaic.gov.au/privacy/notifiable-data-breaches/about-the-notifiable-data-breaches-scheme/).

The Privacy Act 1988 (Cth)
The Privacy Act 1988 (Cth) (Long URL: https://www.legislation.gov.au/Details/C2014C00076) was introduced to promote and protect the privacy of individuals.

There are 13 Australian Privacy Principles (Long URL: https://www.oaic.gov.au/privacy/australian-privacy-principles/australian-privacy-principles-quick-reference/) which govern standards, rights and obligations around:

• the Collection of personal information (Long URL: https://www.oaic.gov.au/privacy/your-privacy-rights/your-personal-information/collection-of-personal-information/)
• the Use and disclosure of personal information (Long URL: https://www.oaic.gov.au/privacy/your-privacy-rights/your-personal-information/use-and-disclosure-of-personal-information/)
• What is personal information? (Long URL: https://www.oaic.gov.au/privacy/your-privacy-rights/your-personal-information/what-is-personal-information/)
• an organisation or agency's governance and accountability
• integrity
• how to Correct your personal information (Long URL: https://www.oaic.gov.au/privacy/your-privacy-rights/your-personal-information/correct-your-personal-information/)
• the rights of individuals to Access your personal information (Long URL: https://www.oaic.gov.au/privacy/your-privacy-rights/your-personal-information/access-your-personal-information/).

The Office of the Australian Information Commissioner (OAIC) site includes information on the Australian Privacy Principles (Long URL: https://www.oaic.gov.au/privacy/australian-privacy-principles/). A breach of an Australian Privacy Principle is an 'interference with an individual's privacy' and can lead to regulatory action and penalties.

Access the Australian Privacy Principles quick reference (Long URL: https://www.oaic.gov.au/privacy/australian-privacy-principles/australian-privacy-principles-quick-reference/) for more information.

Australian Privacy Principles

Notification of the collection of personal information


A business that collects personal information should take reasonable steps to ensure the
individual is aware that their personal information is collected.

Use or disclosure of personal information


A business can only use the personal information for the purpose that was disclosed to the
individual.

Direct marketing
A business is limited to use or disclose personal information in advertising and can only do so
if specified conditions are met.

Adoption, use or disclosure of government related identifiers
In limited circumstances, a business may use Australian passport numbers, tax file numbers
and individual healthcare numbers to identify an individual.

Quality of personal information


A business will take great care to accurately record personal information and ensure it
remains current and complete.

Access to personal information


A business provides access to personal information to authorised personnel and has the
obligation to provide access to the individual whose information is collected unless there is a
specific reason not to.

Collection of personal information


A business must continuously update an individual’s personal information and ensure the
information is not misleading.

Security of personal information


A business will have policies and procedures in place that prevents misuse, interference and
loss of personal information.

Now that you have learned about some of the Australian Privacy Principles, refer to
the Australian Privacy Principles quick reference (Long URL:
https://www.oaic.gov.au/privacy/australian-privacy-principles/australian-privacy-principles-
quick-reference/) and complete the following activity.

Notifiable Data Breaches scheme (NDB)


A data breach occurs when personal information is stolen or lost or is subject to
unauthorised access or disclosure.

Under the Privacy Act 1988 (Cth), the Notifiable Data Breaches scheme (Long URL: https://www.oaic.gov.au/privacy/notifiable-data-breaches/about-the-notifiable-data-breaches-scheme/) states that any person, organisation or agency must notify affected individuals and the OAIC when a data breach is likely to result in serious harm to an
individual whose personal information is involved. Not complying with the NDB can lead to
serious fines.

Examples of a data breach that can affect individuals or cause serious harm may include:

• data or records containing customers' personal information being lost or stolen
• a database containing personal information being hacked
• a cyber-attack resulting in personal information being disclosed
• personal information mistakenly provided to the wrong person
• identity theft
• financial loss through fraud
• a likely risk of physical harm from an abusive ex-partner
• serious psychological harm
• serious harm to an individual's reputation.

International data protection regulations

There are various international organisations and regulations that ensure that the Privacy Act is carried over when dealing with overseas companies, even if they don't have a physical presence in that country. This aids in safeguarding personal information when dealing with overseas companies. Australian companies need to comply with these regulations.

Most countries have their own data protection policies or regulations. Three examples of international data protection regulations and organisations are:

1. European Union (EU) General Data Protection Regulation (GDPR)
2. New Zealand Privacy Act 2020 (Long URL: https://www.privacy.org.nz/privacy-act-2020/privacy-act-2020/)
3. Organisation for Economic Co-operation and Development (OECD).

European Union (EU) General Data Protection Regulation (GDPR) provides data protection
requirements to businesses of any size that offer goods and services in the EU.

According to the Office of the Australian Information Commissioner (Long URL: https://www.oaic.gov.au/privacy/guidance-and-advice/australian-entities-and-the-eu-general-data-protection-regulation/), the GDPR is designed to harmonise the data protection laws across the EU. The Australian Privacy Act 1988 (Cth) and the EU GDPR share common requirements, including:

• implementing a privacy by design approach to compliance
• being able to demonstrate compliance with privacy principles and obligations
• adopting transparent information handling practices.

The New Zealand Privacy Act 2020 (Long URL: https://www.privacy.org.nz/privacy-act-2020/privacy-act-2020/) aligns with the Australian Privacy Act 1988 (Cth) and the GDPR, but there are some differences. For example, in NZ, businesses are legally required to notify the Privacy Commissioner when a data breach has occurred. In Australia, the obligations only apply when the breach is likely to result in serious harm.

The Organisation for Economic Co-operation and Development (OECD) is an international organisation that aims to foster better policies to stimulate economic progress and world trade. This is partly achieved by working with governments and policymakers to develop international standards. The 1980 OECD Privacy Guidelines were developed for the protection of personal data and recognise international privacy obligations on a global scale.

Phishing scams are attempts by criminal cyber operators who trick you into providing your
personal information, leading to identity theft or unauthorised access to your bank account.
Such scams are Notifiable Data Breaches.

Intellectual property (IP)


Intellectual property rights are valuable assets. Without the protection of ideas, businesses
and individuals would not fully benefit from their inventions and creative efforts.

An organisation with these types of assets will have policies and procedures to maintain and
protect its intellectual property.

Intellectual property (IP) refers to original creative thought. IP is often referred to as property of the mind because it results from applying someone's intellect to create something new or original. IP can exist in various forms, for example, an invention, brand name, book, film, trade secret or artistic design.

Common types of IP protection

Patents
A creator of a new device or process can apply for a patent. This will allow the creator to exploit their product for commercial purposes. A patent needs to be applied for, granted and registered under the Patents Act 1990 (Cth) (Long URL: https://www.legislation.gov.au/Details/C2019C00088); fees are payable depending on the type of application. An approved patent becomes a legally enforceable right.

For an application to be successful, a product must be new, useful, and innovative. When granted under the Patents Act 1990 (Cth), a patent will give exclusive commercial rights to the product (a monopoly). The Australian Government, IP Australia website includes information on patents (Long URL: https://www.ipaustralia.gov.au/patents).

Examples of patent breaches include:

• making or using an invention without permission from the patent holder
• importing or selling a patented invention.

Trademarks
A trademark is used to identify products or services from other business competitors. It is a
form of intellectual property that protects the product's identity by ensuring the mark has
not been used before.

Under the Trade Marks Act 1995 (Cth) (Long URL: https://www.legislation.gov.au/Series/C2004A04969) a registered trademark provides exclusive rights to use, license and sell the mark. This means that no one else in Australia can commercially use a trademark within the class of goods and services it's registered under.

Trademark registration is not compulsory. However, it is advisable because, without registration, it can be expensive and time-consuming to take legal action.

The Australian Government, IP Australia website includes information on trademarks (Long URL: https://www.ipaustralia.gov.au/trade-marks).

Examples of trademark breaches include:

• using a slogan, name, symbol, or logo similar to a slogan, name, symbol or logo used by another
• using a brand name in place of a generic name, attempting to pass off as an original.

Registered designs
Design rights protect the shape or appearance of manufactured goods. It applies to products
that have a physical shape and may be handmade or manufactured on a commercial scale.

The IP Australia website provides you with more information on designs, design rights and
the benefits of protecting designs. IP Australia website (Long URL:
https://www.ipaustralia.gov.au/trade-marks).

Copyright
When an idea or creative concept is documented on paper or electronically, it is automatically protected by copyright in Australia under the Copyright Act 1968 (Cth) (Long URL: https://www.legislation.gov.au/Details/C2017C00180). Works such as books, films, music, sound recordings, newspapers, magazines, artwork, the source code of software, computer programs, manuals and guides are protected by copyright.

Depending on the material, the copyright for literary, dramatic, musical, and artistic works generally lasts 70 years from the author's death or 70 years from the year of first publication after the author's death.

There is no registration system for copyright in Australia. Copyright rights are automatic and do not require any registration.

The copyright owner has exclusive rights to:

• reproduce the work, for example, a book
• perform the work, for example, a song or play.

An owner of a copyright can sell or licence their rights or grant permission to use their work.

Copyright can be identified by the symbol ©. For example, the front page of a book authored by Hannah Smith may carry '© Hannah Smith 2020'. A copyright notice is not essential to gain copyright but can help remind people that the work is protected.

Examples of copyright breaches include:

• installing software on more than one computer system without a proper licence
• using program source code taken from an external party in breach of the copyright rights of that party.

Circuit layout
Circuit layout rights protect the appearance (design and layout) of an electronic circuit.
These rights are automatic and do not require registration.

An example of a circuit layout breach includes:

• copying and using an externally developed and owned circuit layout in your own organisation (for example, in a computer chip) without obtaining approval or a licence from that party.

Trade secrets
Trade secrets can best be described as confidential information belonging to an organisation and kept 'secret' by the employees of that organisation. Employees leaving the organisation are a common source of 'leaking' trade secrets. A breach of trade secrets can be pursued in court, but it can be challenging to establish and may therefore not be pursued.

Trade secrets are not registered with IP offices. Examples of trade secrets include the recipe for Coca-Cola and the formula for WD-40. The employees at these companies must sign a Non-Disclosure Agreement (NDA) preventing them from sharing these recipes. If an employee shares a trade secret after signing an NDA, it is a breach of contract, and the company can take legal action to recover its losses.

Intellectual property (IP) legislation and policy

Intellectual Property (IP) legislation

In Australia, the government body that administers rights and legislation relating to intellectual property (IP) is IP Australia (Long URL: https://www.ipaustralia.gov.au/).

Under the Intellectual Property Laws Amendment Act 2015 (Cth) (Long URL:
https://www.legislation.gov.au/Details/C2015A00008) owners are granted certain exclusive
rights such as the ability to publish to various markets, licence the manufacture and
distribution of inventions, and sue in case of unlawful or deceptive copying.

Each type of IP protection has its own set of legislation. Business, company and domain
names are not IP rights and don't necessarily give exclusive rights of ownership.

Information about IP legislation can be accessed on the following sites:

• IP legislation (Long URL: https://www.ipaustralia.gov.au/about-us/legislation/ip-legislation)
• Australian Copyright Council (Long URL: https://www.copyright.org.au/about_us).

It is important to note that Indigenous Cultural and Intellectual Property (ICIP) rights exist
to protect the heritage and culture of Indigenous People, providing guidance where the law
falls short.

Organisations must ensure that there is compliance with intellectual property laws and
organisational policy relating to IP. This requires that employees do not breach the IP of
others outside the organisation and that their IP is protected from the wrongful actions of its
own employees or external parties.

Intellectual Property (IP) policy


Intellectual Property (IP) policy in an organisation is maintained to ensure that IP is managed
appropriately and that all the staff understand and comply with the requirements within the
organisation.

The policy sets guidelines for employees and stakeholders regarding the legal requirements
around the usage of IP and making sure they are not infringing the IP owned by the
company. The policy also ensures that employees do the right thing in maintaining
confidentiality issues, ownership of IP and conflicts of interest.

Topic 1: Check your understanding

1. For each description in the table below, determine whether it is a policy or a procedure.

Description | Policy | Procedure
Staff login access | |
Outline of executive orders | |
Steps to achieving tasks | |
Outline of staff functions and responsibilities | |
Legal obligations | |
Storing and archiving methods | |

Refer to OAIC (Long URL: https://www.oaic.gov.au/privacy/your-privacy-rights/your-personal-information/what-is-personal-information/) to answer questions 2 to 4.

2. Referring to the OAIC, which three of the following types of data are considered personal information?

Type of data (select the correct answer/s):

• Data that cannot be used on its own to trace or identify a person
• Employee record information
• Internet Protocol (IP) address
• Person's name
• Anonymous data
• Generalised data, for example age range 20-40

3. Referring to the OAIC, which three of the following types of data are considered sensitive information?

Type of data (select the correct answer/s):

• Political affiliation
• Religion
• Client name
• Criminal record
• Client address

4. Read the statement below and indicate if 'true/false'.

Statement | True/False
There is a difference between personal and sensitive information |

5. A business has policies and procedures in place to protect the personal information of their clients, staff, and business relations. What Australian Privacy Principle does this relate to?

Policy or procedure (select the correct answer/s):

• Collection of solicited personal information
• Dealing with unsolicited personal information
• Anonymity and pseudonymity
• Open and transparent management of personal information

6. A business provides the option to individuals to use email addresses which do not disclose the person's actual name and/or allows people to comment on forums using an unidentifiable 'user name'. What Australian Privacy Principle does this relate to?

Policy or procedure (select the correct answer/s):

• Anonymity and pseudonymity
• Collection of solicited personal information
• Open and transparent management of personal information
• Dealing with unsolicited personal information

7. A business may gather personal information (with consent) where it is reasonably necessary for the business to function. What Australian Privacy Principle does this relate to?

Policy or procedure (select the correct answer/s):

• Anonymity and pseudonymity
• Collection of solicited personal information
• Open and transparent management of personal information
• Dealing with unsolicited personal information

8. A business may collect information from a promotional flyer that has been sent to them by another business and applies the Australian Privacy Principle that outlines how to deal with this information. What Australian Privacy Principle does this relate to?

Policy or procedure (select the correct answer/s):

• Anonymity and pseudonymity
• Collection of solicited personal information
• Open and transparent management of personal information
• Dealing with unsolicited personal information

9. Read the following scenarios and indicate if 'scam' or 'legitimate'.

Scenario | Scam | Legitimate
You receive a text message from +61 444 444 444 advising that there is a report of a missing person and you should contact 000 if sighted. | |
You receive a text message from an unknown sender to your mobile phone. The message informs you that a parcel needs to be delivered to you and they require you to provide them with your address. | |
A Facebook request from an unknown person asking to befriend you. | |
An IT company contacts you, offering you free software. | |
You receive an email from your bank asking you to provide them with your PIN number. | |
You receive an email from a company, addressing you with Mr or Mrs, informing you that they have updated their login credentials policy. They are asking you to confirm your account by logging in via a provided link. | |
You receive an email from eBay advising you have new messages. The email contains a link to the eBay website with instructions on how to log into My eBay. | |
You receive a phone call from the Australian Federal Police (AFP) informing you that suspicious activity has been observed regarding your bank account, and they request personal details such as a Medicare number. | |

You will need to access the Gelos Intellectual Property Policy (pdf) (Long URL:
https://share.tafensw.edu.au/share/items/5f1cec7b-1d03-446a-85b7-edb42692c34e/0/?
attachment.uuid=1ab93cf6-0eed-498a-95a5-585a22042d54) to answer the following
question.

10. Read the following statements and indicate if 'true/false'.

Statements | True/False
All employees, including contractors and consultants, are responsible for properly identifying, attributing, and preserving IP owned by Gelos Enterprises. |
Employees who have confidential information from a former employer can now share the information with their current employers as they do not work with their former employer anymore. |
Employees can freely disclose Gelos Enterprises' proprietary or confidential information to third parties with whom Gelos is doing business, such as suppliers, licensees, or consultants without any legal or formal agreement. |

Topic 2: Working in an Organisation

Overview
Understanding how businesses and organisations use and rely on policies and procedures
and how they comply with the legislation is an important part of your role as an ICT
employee.

In this lesson, you will learn:

• what a security policy is and why it is important
• the purpose and intention of the organisation's IP, procedures, ethics and privacy policies
• organisational risk assessment and identification processes
• codes and standards relating to IT
• the roles and responsibilities of employees in IT
• how to identify and understand different ethical theories and approaches.

At the end of this topic, you will need to complete the ‘Check your learning’ quiz questions
to test your learning and understanding.

What would you do?

What would you do if you were asked for your password?

Refer to the video What is your password? (Long URL: https://youtu.be/opRMrEfAIiI) (YouTube, 02:50 min). This frightening but funny video shows just how easy it is to get sensitive information from a person just by asking.

Workplace policies and procedures


In Topic 1: Workplace information, you learned that workplace policies and procedures are
essential to all organisations. They define the mission and values of a business whilst setting
clear guidelines, standards, and instructions for employees.

Term | What it explains | Definition
Policy | Why | A policy provides an explanation and clarifies the task.
Procedure | How | A procedure provides steps on how to complete the task.
Standard Operating Procedure (SOP) | What | A SOP provides the detailed steps you need to take to complete the task.

Benefits of policies and procedures

Well-developed policies and procedures can provide the business with the following benefits:

• clear employee standards of behaviour and performance
• standardised rules and guidelines for decision-making practices
• consistent and precise guidelines involving employee interactions
• calculated methods for dealing with complaints and misunderstandings
• protection from breaches of employment legislation, such as equal opportunity laws.

Policies and procedures relating to IT


Let’s explore some of the policies you are likely to find in an IT workplace that are relevant to
privacy and security.

Security policy
A good security policy directs the implementation of appropriate security controls that safeguard enterprise resources from hostile attacks and effectively reduce the risk they pose.

The CIA triad represents Confidentiality, Integrity and Availability, which underpin
information security. This concept is discussed in more detail in Topic 3.

Figure 4: CIA Triad (© Getty Images modified under licence)

Confidentiality

Preserving authorised restrictions on access and disclosure, including protecting personal privacy and proprietary information.

Availability

Ensuring timely, secure, and reliable access to information.

Integrity

Maintaining data integrity by guarding against improper modification or destruction.

Intellectual property policy

The intent of the Intellectual property (IP) policy is to provide a high level of ethical and legal standards in the maintenance, protection, and development of IP and in respecting IP owned by the organisation, employees or third parties.

Types of intellectual property policy:

• Patent: Any new technology or invention developed by the company should be considered for patent application.
• Copyright: Copyright may include source code for software or software documentation developed by the company.
• Trademarks: Any company brand names, logos, and designs should be registered under trademark laws or design registration laws as applicable.
• Circuit layouts or designs: Circuit layouts or designs may include computer chip designs. Regular checks should be made so that competitors with similar products are not infringing on the company's proprietary IP in its circuit layouts.
• Trade secrets: Employees must not disclose proprietary or confidential information to third parties with whom an organisation is doing business, for example, suppliers, licensees, or consultants, except as specifically needed for the third party to perform the services or task requested.

Privacy policy
A privacy policy outlines how an organisation must handle all personal information. What is a privacy policy? (OAIC) states what must be included in an organisation's privacy policy, such as:

• their name and contact details
• what kind of personal information they collect and store
• how they collect personal information, where it is stored and the reasons why they need to collect personal information
• how they'll use and disclose personal information
• how you can access your personal information, or ask for a correction
• how to lodge a complaint if you think your information has been mishandled, and how they'll handle your complaint
• if they are likely to disclose your information outside Australia and, if practical, which countries they are likely to disclose the information to.

For more information, please refer to What is a privacy policy? (OAIC) (Long URL: https://www.oaic.gov.au/privacy/your-privacy-rights/what-is-a-privacy-policy/).

Copyright policy
A copyright policy outlines how employees are to handle and use copyrighted material.

Copyright is a form of intellectual property. If we create something, copyright means that we are the only ones who have the right to make a digital copy, publish it or distribute it. So, copyright is the exclusive right to make and dispose of copies of your book, film, image, song or 3D model.

In Australia, copyright is automatic and free on anything you create. It is governed by the Copyright Act 1968 (Cth).

Copyright, design rights, moral rights, trademarks, and patents are all intellectual property
rights.

Personally identifiable information policy

This policy intends to ensure all personally identifiable information (PII) data (sensitive data) has its confidentiality protected when accessed, handled, or managed within the organisation. The policy is designed for the organisation to address its obligations under the Privacy Act 1988 (Cth).

The EU's General Data Protection Regulation defines personal data as any information related to a person that can be used to directly or indirectly identify them.

Information types classified as personally identifiable information (PII) are listed below:

• an identification number
• online identifiers (including an IP address)
• location data
• name
• physical attributes
• health information
• economic, cultural, or social identity of a person.

Figure 5: Personally identifiable information types (© Getty Images modified under licence)

Data protection policy

A data protection policy (DPP) aims to protect a company's data and establish company-wide data protection rules. This document would be available to all employees, especially those that handle or process consumer data, so that everyone in the company understands the importance of data protection and security.

An added benefit of a well-maintained DPP is that it can demonstrate the business's commitment to privacy and data protection.

Risk management policy

The purpose of a risk management policy is to protect staff and the organisation's assets; for example, it may include a security policy to protect the company knowledge base and financial data. The policy outlines the management of risk to the business and can include:

• risk identification
• risk analysis
• risk controls
• risk financing and claims management.

Risk assessment
As a Gelos ICT employee, you will need to know how to conduct a risk assessment and how
to classify and communicate risks to stakeholders.

The video The power of a cyber risk assessment (Long URL: https://youtu.be/h38Uyu3jXX0)
(YouTube, 2:35 min) provides an overview of a cyber risk assessment and how it can be used
to understand and resolve an organisation's vulnerabilities.

Practice activity

Activity 2.1: Identify risks and infringements


Review the scenario and complete the activity to check your understanding of risks and
infringements.

Scenario

Your manager, Madison Mathews, has asked you to perform a clean-up of your work PC to
remove unwanted files, temporary files and internet cache.

While undertaking this clean-up, you came across a file named Staff2019.docx.

When you opened the file, you discovered that it contained the employment records of multiple staff members, including the employees':

• names
• addresses
• bank account details
• pay rates
• other personal information.

Use these Gelos policies to complete this activity when prompted.

Data Protection Policy (pdf) (Long URL: https://share.tafensw.edu.au/share/items/5f1cec7b-1d03-446a-85b7-edb42692c34e/0/?attachment.uuid=825c6959-8447-4007-8839-2d9b69dbde74)

ICT Risk Management Policy (pdf) (Long URL: https://share.tafensw.edu.au/share/items/5f1cec7b-1d03-446a-85b7-edb42692c34e/0/?attachment.uuid=d03451a2-9997-461e-89e9-ef2e283fcd1f)

1. This scenario was a non-compliance incident. What type of risk was this?

Select the correct answer/s:

• Copyright issue
• File corruption risk
• Plagiarism
• Non-secure storage of personally identifiable information
• Risk to data from natural disaster
• File naming convention breach

2. What are the risks to Gelos Enterprises as a result of this incident? Select 3 correct answers.

Select the correct answer/s:

• Breach of trust from the staff members
• Loss of employees
• A plagiarising breach
• Breach of confidentiality and privacy laws
• No impact to the organisation's time management
• Loss of professional reputation if news is leaked to media

3. Which part of the Gelos Data Protection Policy (pdf) confirms that an infringement has
occurred?

Gelos Data Protection Policy (pdf) (Long URL: http://share.tafensw.edu.au/share/items/5f1cec7b-1d03-446a-85b7-edb42692c34e/0/?attachment.uuid=825c6959-8447-4007-8839-2d9b69dbde74).

Copy and paste the part of the policy that you believe has been breached.

• (Approximately 50 to 60 words)

4. Identify and name one principle in the ITPA Code of Ethics that has been breached.

ITPA Code of Ethics (Long URL: https://www.itpa.org.au/code-of-ethics/)

• Copy and paste the principle in the policy that you believe has been breached.

• (Approximately 30 to 50 words)

5. Review the Gelos Data Protection Policy (pdf) and make two recommendations for
procedures that will improve and maintain the current practices.

Gelos Data Protection Policy (pdf) (Long URL: http://share.tafensw.edu.au/share/items/5f1cec7b-1d03-446a-85b7-edb42692c34e/0/?attachment.uuid=825c6959-8447-4007-8839-2d9b69dbde74).

• (At least two in total – between 20 to 40 words per recommendation).

6. Locate and use the risk identification and rating process used at Gelos and rate the level of risk to the company in this scenario. Include your justification why this would be the appropriate level.

• (Approximately 40 words)

Note that there are enforceable codes under some legislation, such as the Privacy Act 1988 (Cth) and the Australian Privacy Principles (Long URL: https://www.oaic.gov.au/privacy/australian-privacy-principles) (APP). This requires that organisations to which the APP applies must have a privacy policy (which can be considered a code) that is publicly available and contains information about how the organisation handles privacy data.

Code of ethics
A code of ethics sets the guidelines accepted by an organisation to help professionals
conduct business with integrity, honesty and professionalism.

The code of ethics also guides complex challenges, such as behaviour and the expected
conduct of employees. A breach of this code is grounds for termination.

An IT organisation might have its own code of ethics or conduct, or require that its
employees comply with industry or professional codes, for example, the ACS Code of
Professional Conduct (pdf) (Long URL: https://www.acs.org.au/content/dam/acs/acs-documents/ACS%20Code-of-Professional-Conduct_v2.1.pdf) or the suggestions from The
Association for Today's IT Professionals (Long URL: https://www.itpa.org.au/).

Compliance
How can an organisation comply with the rules, regulations, and laws?

To maintain integrity, confidentiality and availability of information and data, organisations
need to provide:

 appropriate technical and organisational measures
 controls to secure personal data
 a robust information security system.

Steps to ensure compliance

A compliance policy outlines the requirements needed to comply with rules, regulations, and
laws.

Compliance involves:

 reviewing work practices
 keeping up to date with current legislation relevant to the changing IT cyber security environment
 implementing monitoring processes, for example, holding regular spot checks to work out if the procedures are implemented to the standard set by the organisation
 undertaking risk analysis.

Data protection
There are many industry standards to maintain and control data privacy and security.

Some security measures are:

 appropriate access control
 password policies
 guidelines on physical security
 guidelines on data storage, transfer, and disposal
 guidelines on backup
 appropriate data encryption
 appropriate guidelines on the use of cloud and installed software
 guidelines on the use of antivirus software.

Security measures
The following Gelos policies and procedures provide the guidelines for protecting
confidentiality and maintaining their networks and data.

 Data Protection Policy (pdf) (Long URL: https://share.tafensw.edu.au/share/items/5f1cec7b-1d03-446a-85b7-edb42692c34e/0/?attachment.uuid=825c6959-8447-4007-8839-2d9b69dbde74)
 Privacy Policy (pdf) (Long URL: https://share.tafensw.edu.au/share/items/5f1cec7b-1d03-446a-85b7-edb42692c34e/0/?attachment.uuid=df50b7f8-f190-4a3c-aad0-83297b3c395d)
 Intellectual Property Policy (pdf) (Long URL: https://share.tafensw.edu.au/share/items/5f1cec7b-1d03-446a-85b7-edb42692c34e/0/?attachment.uuid=1ab93cf6-0eed-498a-95a5-585a22042d54)
 User Account Policy (pdf) (Long URL: https://share.tafensw.edu.au/share/items/5f1cec7b-1d03-446a-85b7-edb42692c34e/0/?attachment.uuid=e21baa89-9e37-4d32-b9d5-5a7291602493)
 ICT Disposal and Storage Procedure (pdf) (Long URL: https://share.tafensw.edu.au/share/items/5f1cec7b-1d03-446a-85b7-edb42692c34e/0/?attachment.uuid=02f82864-f184-410d-851c-b26d5a12e6b8)
 Records and Information Management (ICT) Procedure (pdf) (Long URL: https://share.tafensw.edu.au/share/items/5f1cec7b-1d03-446a-85b7-edb42692c34e/0/?attachment.uuid=5a225cb2-b9c3-47b3-82f1-10aff2c72d2e)
 ICT Maintenance Procedure (pdf) (Long URL: https://share.tafensw.edu.au/share/items/5f1cec7b-1d03-446a-85b7-edb42692c34e/0/?attachment.uuid=477e0f19-cea0-40ec-9696-db894dbb45d3).

Infringement of intellectual property

Organisations must ensure compliance with intellectual property (IP) laws and organisational
policy relating to IP.

This requires that employees do not breach the IP of others outside the organisation, and
that the organisation's own IP is protected from the wrongful actions of its employees or of
external parties.

Practice activity

Activity 2.2: Data breach

Scenario 1

Study the following scenario and identify where data protection has been neglected.

An ICT trainee works at the customer desk at Gelos Enterprises. A person walks in requesting
access to their paper file. The trainee asks for the person’s name, retrieves the file and hands
it to the client. The client thanks the trainee and leaves the premises.

The trainee sends a message to the supervisor saying that the file has been handed to the
client.

The supervisor is angry with the trainee and says that their actions may have caused security
and confidentiality breaches.

What steps could the trainee have taken to avoid security and confidentiality breaches?

Scenario 2

Study the following scenario and identify where data protection has been neglected.

Company X is a travel agency and uses password protection for its databases. The databases
contain credit card details, passport information and personal addresses.

The PPI password protection procedure states that each new client file should be password
protected, using the client name and the year the file was created, for example,
ClientName_2021, as the encryption passphrase.

What is wrong with this procedure?
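The following is an added example, not part of the workbook or of any Company X procedure: a policy check that refuses a file passphrase which can be rebuilt from the file's own metadata (client name, creation year), which is the weakness in the procedure described in Scenario 2. The function name, the minimum length and the sample inputs are this example's own assumptions.

```python
"""Added example (not from the TAFE workbook): reject passphrases derivable from the
protected file's own metadata.  Anyone who knows whose file it is and roughly when it
was created can reconstruct ClientName_2021 without any guessing effort."""
import re

MIN_LENGTH = 14  # assumed minimum; a real policy sets its own figure


def _normalise(text: str) -> str:
    """Lower-case and drop everything except letters and digits, so that
    'Client Name', 'client-name' and 'ClientName' compare equal."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def check_file_passphrase(passphrase: str, client_name: str, created_year: int) -> list[str]:
    """Return the list of policy violations; an empty list means the passphrase passes.

    client_name and created_year are the file's own metadata.  A passphrase that can be
    rebuilt from them gives no protection against anyone who knows whose file it is.
    """
    problems: list[str] = []
    norm_pw = _normalise(passphrase)

    if len(passphrase) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    # Any word of the client name (3+ letters), whatever its case or punctuation,
    # appearing in the passphrase counts as derived from the metadata.
    for word in re.findall(r"[A-Za-z]{3,}", client_name):
        if word.lower() in norm_pw:
            problems.append(f"contains part of the client name ('{word}')")
            break

    # The creation year is predictable; so is any other four-digit year.
    if str(created_year) in passphrase:
        problems.append(f"contains the file's creation year ({created_year})")
    elif re.search(r"(?:19|20)\d{2}", passphrase):
        problems.append("contains a four-digit year")

    # Character-class mix: upper, lower, digit and symbol must all appear.
    classes = {
        "an upper-case letter": r"[A-Z]",
        "a lower-case letter": r"[a-z]",
        "a digit": r"\d",
        "a symbol": r"[^A-Za-z0-9]",
    }
    for label, pattern in classes.items():
        if not re.search(pattern, passphrase):
            problems.append(f"lacks {label}")

    return problems


if __name__ == "__main__":
    # Constructed sample data, not a real client record.
    for candidate in ("ClientName_2021", "v7!Bramble-kite-Ocean-92"):
        verdict = check_file_passphrase(candidate, "Client Name", 2021)
        print(candidate, "->", verdict or "acceptable")
```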

Ethics
In your role as an ICT professional, there are expectations around your conduct. Consider the
following questions:

 What can you do if you see or hear something that you think isn't right?
 How do you know what proper conduct is in the workplace?

What is ethics?
A simple definition of ethics is ‘beliefs regarding right and wrong’. Behaving ethically or with
integrity refers to behaviour that conforms to generally accepted social norms.

A person acting with integrity acts in ways that are consistent with their code of principles. A
straightforward approach to acting ethically is to extend to all persons the same respect and
consideration that you desire from others.

Ethics is where we question, discover, and protect our morals, principles and purpose. Ethics
are what makes us human.

The Ethics Centre (2018) defines values, principles, and purpose.

Table 1 Ethics Centre definitions

Term Definition
Values Tell us what's good. They're the things we strive for, desire and seek to protect.
Principles Tell us what's right. Outlining how we may or may not achieve our values.
Purpose Gives life to your values and principles – your reason for being.

The video What is Ethics? (Long URL: https://youtu.be/u399XmkjeXo) (YouTube, 4:54 min)
provides an overview of the meaning of ethics and offers a good example of right vs right.

Ethical theories
Ethical theories are frameworks for resolving the dilemmas we face when we are trying to
answer ethical questions. For example, should we focus on the nature of actions (what we
ought to do) or focus on the consequences?

There are a number of ethical theories and approaches, such as deontology, virtue ethics
and the consequentialist approach.

Deontology
The theory of deontology looks at the relationship between duty and the morality of human
actions.

Deontology ethics looks at what people do, not at what the consequences of their actions
are. For example, making false promises is wrong. You should not make a promise if you
don't intend to keep it.

The video Deontology | Ethics Defined (Long URL: https://youtu.be/wWZi-8Wji7M)
(YouTube, 1:57 min) provides a clear explanation of this theory with simple examples that
are easy to follow.

This theory judges the morality of an action based on adherence to a rule or set of rules. The
theory uses clear universal moral laws that distinguish right from wrong, like don't
lie or don't steal.

This theory is quite easy to apply due to this clarity as it requires people to follow the given
clear morals and laws when performing their duties. The theory's approach is to follow
natural intuition regarding what is or is not ethical.

Virtue ethics theory

This theory concentrates on ethical thinking towards our morals and virtuous character.

It is a character-based approach to morality, identifying positive actions, for example,
courage, wisdom and loyalty.

It assumes that practicing the virtues will make you acquire them. For example, by practicing
honesty, a person develops a moral character. This theory doesn't focus on the rules or the
consequences.

The video Virtue Ethics | Ethics Defined (Long URL: https://youtu.be/NMblKpkKYao)
(YouTube, 1:43 min) provides you with a simple explanation.

Consequentialist approach
This theory considers what steps to take by evaluating the negative or positive consequences
of taking a specific action. For example, lying is bad, but if a lie saves a person's life, then the
action taken is the right one according to this theory.

Consequentialism is often criticised because it may be hard or even impossible to predict
action outcomes with certainty. It may sometimes lead to taking some objectionable
decisions for possible good outcomes.

The video Consequentialism | Ethics Defined (Long URL: https://youtu.be/51DZteag74A)
(YouTube, 1:48 min) provides more details on the consequentialist approach.

Ethics codes in the IT industry

In the business environment, ethics are guidelines, sometimes based on laws, adopted by
companies to promote fair and moral dealings.

Ethics affects individual responsibilities and actions for each employee. These codes ensure
that a level of trust can exist between all stakeholders.

With the increase in developments in information technology, issues such as cyber security
and safety bring their own set of moral questions.

For example:

 Is hacking of computers immoral?
 Is it immoral to copy software without authorisation for personal use?
 What are my moral responsibilities when operating a computer in a work environment?

It's important that ICT professionals have an understanding of the values and ethics of the
organisation and the obligation to meet both employer and client expectations of ethical
conduct.

While there is no one piece of legislation that outlines the ethical requirements of a business
in Australia, there are references to ethical conduct in a wide variety of legislation that
applies to the ICT industry.

Code of ethics
A code of ethics can also be called a code of conduct, ethics statement or similar.

The following two associations have codes of ethics published by industry bodies. You may
be aware of other organisations that produce standards and codes for their members.

Australian Computer Society (ACS)

Australian Computer Society (ACS) is a leading association for ICT professionals in Australia.

Its Governance documents and guides page (Long URL: https://www.acs.org.au/governance/rules-and-regulations.html) lists its code of ethics, rules and code of professional conduct.

Information Technology Professionals Association (ITPA)

Information Technology Professionals Association (ITPA) has a Code of Ethics (Long URL:
https://www.itpa.org.au/code-of-ethics/) and requires that members of the association
maintain a high standard of conduct within their professional lives.

Ethical issues
Managing ethics in the workplace involves identifying and prioritising values to inform
behaviours and attitudes in the workplace.

For this reason, it's important to be able to differentiate between a range of ethical issues.

Practice activity

Activity 2.3: Reflection activity: Ethical decisions

Consider what you would do in each of the following situations.

Which section of the ITPA Code of Ethics could apply?

Scenario 1

You are asked to join an exciting new project; however, you don’t fully believe you have the
required training.

You really want to participate in the project as it will enhance your career. What should you
do?

Scenario 2

You are working for a large financial organisation, where the integrity of customer
information is paramount.

You suspect your best buddy may be accessing customer account details. He is recently
married, and if he loses his job, it may ruin his career. What should you do?

Scenario 3

You are working with your boss on a large proposal to install computer software for a large
retail business.

You are aware that this software solution is not fully costed, and there is a possibility of a
cost overrun. The installation is important for the business.

What should you do?

Improving and maintaining documentation
Improving and maintaining policies and procedures is the process of document
management. A typical organisation has many policies; therefore, a sound management
system is crucial.

All employees have a responsibility in helping to maintain workplace documentation.

The following steps are a guide to the continuous improvement process.

Reviewing
Getting staff feedback on the policies and procedures and discussing what works and what
doesn't is an excellent way to review. A control administrator should oversee the entire life
cycle for all policies, including the drafting and reviewing stages. Policies and procedures
must be viewed as an ongoing process requiring careful attention, time, and resources.

Locating and training

Inform users on how to get access to the policies quickly and efficiently, for example,
through a central repository. Every organisation must provide training to inform employees
of their responsibilities when following the organisation's policies and procedures.

Tracking and updating

Policies can quickly become outdated due to laws changing, technology advancements and
sloppy work habits. Outdated policies and procedures are a liability. Policies should be
reviewed every year to ensure that they stay current with the industry.

Repeat
Things change and require regular attention. Policy management is not a one-time effort.
Once you have completed the policy life cycle, go back and start again.

Visit Policies, procedures and processes (Long URL: https://business.gov.au/risk-management/risk-assessment-and-planning/policies-procedures-and-processes) on the
Australian Government Business website for tips on implementing better policies and
procedures in an organisation.

Reporting
One necessary type of communication is reporting to your line managers. This
communication includes reporting infringements, discrepancies, and issues. All kinds of
breaches must be reported according to your workplace policies and procedures. Reporting
is an essential step in improving safety and preventing further violations from happening.

By combining the reporting and investigation of security incidents, workplaces can put
preventative processes in place and develop safer work practices.

Accurately reporting all details of an incident is vital to effective investigation and to prevent
future infringements. You must report to your supervisor immediately, as this ensures that
the incident is fresh in your mind and the information is more accurate.

You can report in several ways:

 a verbal report to your supervisor
 completing a report form
 raising the issue at a staff meeting.

Communication
Let's explore some key communication skills. Along the way consider the scenarios
presented and how you would respond to the situation.

What is effective questioning?

Effective questioning is about asking the right questions to get the information you need or
to respond to a particular situation.

How you ask a question depends on the situation, who you are asking and what you want to
find out. There are many types of questions.

Have you heard of the following types of questions?

Closed questions
Closed questions only invite a quick response such as ‘yes’ or ‘no’ or simple facts.

For example: "Was the meeting helpful?" or "What colour should I use on this surface, red or
green?"

Open questions
Open questions invite a longer response and can’t be answered by a simple ‘yes’ or ‘no’.

For example, you realise your manager is very busy with some new tasks. You could offer
help by asking: "How can I help?"

Clarifying questions
Clarifying questions are used to elicit more detail from the other person or clarification of
what was said. They usually gain more factual detail.

For example, you could ask "You said you agree with this response, didn't you?" or "You told
me you go to the library every day, but what library are you referring to?"

Probing questions
These are similar to clarifying questions, and some clarifying questions are also probing
questions.

Probing questions are deliberately open questions to explore more detail about something
and can include asking for personal opinions.

For example, you could ask: "Why do you think that happened?" or "What does this remind
you of?"

Leading questions
These lead the other person to the answer you want. They are not always seen as desirable.

For example, if a real estate agent wants a client to buy one of their new apartments but the
client hasn't confirmed they are interested, the agent could ask a leading question like:
"When would you like to sign the contract?"

Rhetorical questions
These are questions you don’t expect an answer to.

For example, you might be just blowing off steam when you say: “How can anyone put up
with this?”

Remember
LinkedIn Learning videos will open in a new tab within your browser. You can
access the full video by logging in with your TAFE NSW username and password.
You can access a transcript of the video on the transcript tab within LinkedIn
Learning. When you’re finished, simply close the tab and return to your course.

Ask good questions

Learn more about ‘good’ questions in the video Ask good questions (Long URL:
https://www.linkedin.com/learning/negotiating-your-leadership-success/ask-good-questions?resume=false&u=57684225) (LinkedIn Learning, 3:55min) which explores more
about asking open questions.

Practice activity

Activity 2.4: What sort of question should you ask?

Think about the following situations and decide:

 which question types you should use?
 what questions you could ask?

Scenario 1

You have been asked to prepare a report for your supervisor on the existing customer
database you have been updating.

However, you can’t decide if you should provide a verbal or written report.

What question could you ask your supervisor to confirm the correct reporting procedure
they are expecting?

Scenario 2

You met with a client to find out more details about their security requirements and asked
the following questions.

1. Can you walk me through your security requirements needed for your business?
2. So, you want something that is easy to use?
3. When do you want it by?

What question types did you use?

What is active listening?

Active listening means being fully concentrated on what is being said rather than just
passively ‘hearing’ what the other person is saying.

The video Active listening (Long URL: https://www.linkedin.com/learning/navigating-complexity-in-your-organization/active-listening?resume=false&u=57684225) (LinkedIn
Learning, 1:29min) explores active listening techniques.

Practice activity

Activity 2.5: Active Listening

Are they exercising active listening?

Check the scenarios, think about the questions and check the feedback.

Scenario 1

One of the ICT support staff at Gelos Enterprises is having a conversation with a new client to
clarify some aspects of the security brief. During the conversation, they feel their mobile
phone vibrate and check it for messages.

Is the Gelos employee demonstrating active listening skills?

Scenario 2

Your supervisor is very empathetic. Whenever you need to clarify something, they stop what
they are doing. Their body language tells you they are really interested.

Is the supervisor being person-centred?

Topic 2: Check your understanding

Use the following scenario to answer questions 1 to 6.

You are working as an ICT Trainee for Gelos Enterprises; therefore, it is important you
become familiar with the organisation's policies and procedures and current practices.

You will need to access these documents to answer the following questions:

 Privacy Policy (pdf) (Long URL: https://share.tafensw.edu.au/share/items/5f1cec7b-1d03-446a-85b7-edb42692c34e/0/?attachment.uuid=df50b7f8-f190-4a3c-aad0-83297b3c395d)
 Intellectual Property Policy (pdf) (Long URL: https://share.tafensw.edu.au/share/items/5f1cec7b-1d03-446a-85b7-edb42692c34e/0/?attachment.uuid=1ab93cf6-0eed-498a-95a5-585a22042d54)
 Data Protection Policy (pdf) (Long URL: https://share.tafensw.edu.au/share/items/5f1cec7b-1d03-446a-85b7-edb42692c34e/0/?attachment.uuid=825c6959-8447-4007-8839-2d9b69dbde74)
 ICT Maintenance Procedure (pdf) (Long URL: https://share.tafensw.edu.au/share/items/5f1cec7b-1d03-446a-85b7-edb42692c34e/0/?attachment.uuid=477e0f19-cea0-40ec-9696-db894dbb45d3).

1. A staff member of Gelos has created a new logo for a product the company will soon be
marketing. Identify which policy document you can use to obtain more information.

Gelos Policy Document Select the correct answer/s

Data Protection Policy

Intellectual Protection Policy

Privacy Policy

Ethics Policy

2. A client has asked to see the personal information that Gelos currently holds on them.
Identify which Gelos policy document you can use to obtain more information.

Options Select the correct answer/s

Data Protection Policy

Intellectual Protection Policy

Privacy Policy

Ethics Policy

3. Identify which Gelos policy document you can use to obtain more information on storage
of paper-based records such as client contracts and employee agreements.

Options Select the correct answer/s

Data Protection Policy

Intellectual Protection Policy

Privacy Policy

Ethics Policy

4. Identify which Gelos policy document you can use to obtain more information on correct
filing procedures for employee payroll data which includes bank account details.

Options Select the correct answer/s

Data Protection Policy

Intellectual Protection Policy

Privacy Policy

Ethics Policy

5. Gelos has created a new type of circuit board layout and needs to ensure no other
company can steal or use their ideas. Identify which Gelos policy document you can use
to obtain more information.

Options Select the correct answer/s

Data Protection Policy

Intellectual Protection Policy

Privacy Policy

Ethics Policy

6. Identify which Gelos policy document you can use to obtain more information on details
of the format for a new password, for example, number of characters, use of capitals,
numbers and symbols.

Options Select the correct answer/s

Data Protection Policy

Intellectual Protection Policy

Privacy Policy

Ethics Policy

Use the following scenario to answer questions 7 to 10.

The CEO of Gelos Enterprises, Catherine Dunn, has asked all Gelos ICT employees to read the
new security policy statement. Review the policy statement to answer the following
questions.

Gelos policy statement:

It is the corporate policy at Gelos Enterprises to perform an ID check at reception before


allowing anyone entry into the premises. If an ID is not available, the security staff will turn
the person away.

Those without proper identification are not permitted entry to the Gelos premises.

7. Which parties are responsible for enforcing the policy? Select all that apply.

Options Select the correct answer/s

The reception desk staff

The security department

The CEO, Catherine

The policy maker, Karen

8. What controls would be most appropriate to assist the security and reception staff to
enforce the policy? Select all that apply.

Options Select the correct answer/s

CCTV cameras

Gelos executives

The HR department

Security guards

9. You have noticed that security has been allowing people to enter the premises without
ID. Who are you going to report this to? Select all that apply.

Options Select the correct answer/s

The HR department

The CEO, Catherine

The security department

Your immediate supervisor

10. Which one of the following is the preferred timeframe for reporting a breach?

Options Select the correct answer/s

Within 1 hour

Immediately

Within 12 hours

On the day of the breach

Refer to the following to answer questions 11 to 15.

The video Copyright infringement in computer code (Long URL: https://youtu.be/ppo3gSfiRyg) (YouTube, 3:47 min) explains what constitutes a breach of
computer code copyright and summarises what is protected by copyright law.

After reviewing the video, answer the following questions to check your understanding.

11. Read the statement below and indicate if ‘true/false’.

Statements True/False
If you copy the source-code from other applications, it would be a non-
compliant incident.

12. Which policy would copying the source-code from other applications breach?

Options Select the correct answer/s
Intellectual property

Privacy policy

Data protection policy

Personally identifiable information policy

13. Which two ethical principles would be a breach according to the Information Technology
Professional Association (ITPA) Code?

Options Select the correct answer/s
Privacy

Honesty

Communication

Education

14. If a breach happens, what are the risks?

Options Select the correct answer/s
An infringement or legal claim

Organisation’s reputation is damaged

No changes will be made to the organisation

15. Read the statements below and indicate ‘true/false’.

Statements True/False
Staff training should be carried out regularly to avoid this type of breach occurring.
Ethical guidelines should be discussed with staff and management to avoid this type of breach occurring.

16. Consider the following statements and identify whether these are true or false.

Tip

Refer to the Copyright Act 1968 (Cth) (Long URL: https://www.legislation.gov.au/Details/C2017C00180) to check your responses.

Statements True/False
You can never copy someone else’s sound recording
There are certain circumstances in which a computer program can be
copied
Artistic work is protected by copyright even when the work is not
considered beautiful
The Copyright Act 1968 (Cth) controls the copyright in Australia to protect
all original works of authorship.

17. Match the descriptions to the relevant ethical theory / approach.

Ethical theories/approach: A. Deontology theory; B. Virtue ethics theory; C. Consequentialist approach

Description Select Letter
 concentrates on ethical thinking towards our morals and what it would mean to our character. For example, by practicing honesty, a person develops a loyal and moral character
 looks at what people do, not at what the consequences of their actions are. For example, making false promises is wrong. You should not make a promise if you don’t intend to keep it
 considers what steps to take by evaluating the negative or positive consequences of taking a specific action. For example, lying is bad, but if a lie saves a person’s life, then the action taken is the right approach according to this theory.

For each of the scenarios in questions 18 to 20, access the ITPA Code of Ethics (Long URL:
https://www.itpa.org.au/code-of-ethics/) to identify at least one relevant code of ethics that
has been breached.

18. Your manager has asked your colleague to email your work team informing them of
important changes to the Data Management Policy.

You notice that one person has not been included in the email.

This is a deliberate omission because they felt that the person missing from the email list
was not up to the task.

Which of the following ITPA codes of ethics have been breached? Select all that apply.

ITPA Codes Select the correct answer/s

Copyright

IP

Honesty

Co-operation

Education

Fair treatment

Communication

19. You are responsible for birthday celebrations at your workplace. You access the staff
database to note a colleague's date of birth.

During the celebration, you announce to the team how old the colleague is.

Which one of the following ITPA codes of ethics has been breached?

ITPA Codes Select the correct answer/s

Copyright

Education

Co-operation

Privacy

20. It is your responsibility to check system performances at the end of each day. You are
running out of time and decide to come in early the next morning and do it then.

Which one of the following ITPA codes of ethics has been breached?

ITPA Codes Select the correct answer/s

Copyright

System integrity

Fair treatment

Co-operation

21. For each of the situations detailed below, identify the ethical issue it relates to.

Ethical issues: A. Conflict of interest; B. Security; C. Reliability; D. Value for money; E. Proprietary rights; F. Confidentiality

Situation Select Letter
 Due to a system failure, a faulty backup drive was discovered and lost data can’t be restored.
 A small business is sold an expensive database system designed for large organisations.
 A contractor includes a circuit design developed for a previous employer in his new product.
 A sensitive report is dropped into a website folder, making it accessible to search engines.
 IT support staff loudly discuss their organisation’s network security problem on a crowded train.
 You are a consultant asked by two rival businesses to provide them with quotes for the same tender.

Topic 3: Managing Data
Overview
In your ICT workplace, part of your role is to handle large amounts of personally identifiable
information (PII) and workplace information. Knowing how to manage this data securely is
essential.

In this lesson, you will learn about:

 classifying the various types of information in the workplace
 the kinds of data storage technologies and retrieval processes available
 access control protocols and the privacy impact assessment (PIA)
 threats and attacks involving malfunctioning infrastructure.

At the end of this topic, you will need to complete the ‘Check your learning’ quiz questions
to test your learning and understanding.

Data management
Data management is storing, organising, and managing data created and collected by an
organisation. This process involves ensuring that the data is accurate and available whilst
being accessible with appropriate protection controls.

Good data management practice requires:

 secure and reliable systems for data storage, transmission, and backup
 compliance with data protection laws, for example, Australian Privacy Principles
 procedures and guidelines as to how data is managed to avoid errors
 ensuring that data is input in the required format
 labelling of data.

Data management plan


Good data management consists of planning and organising each stage of handling data.
The Data Management Life Cycle (Long URL: https://data.nsw.gov.au/IDMF/data-
management-and-practice/data-management-life-cycle) summarises the life cycle of data
management plans in a government organisation. This life cycle can also apply to
commercial organisations.

The data management life cycle consists of six stages:

1. Create, capture and collect: Collect and collate data


2. Organise and store: Store data securely
3. Use and analyse: Access data
4. Share: Share secure data
5. Reuse and maintain: Data maintenance (accurate, up to date and comprehensive)
6. Archive or destroy: Delete and destroy redundant data

Figure 6: Data management life cycle (© TAFE NSW 2021)

Managing data
There are eight basic steps that explain how an organisation can manage its data during the
life cycle.

Table 2 Data Management Steps

Step: Description

1. Creating and collecting data: The organisation will create, receive, and collect data during
its usual business operations and will usually have a substantial amount of stored data.

2. Data classification and labelling: It is necessary to ensure that the appropriate types of
information are accessible to authorised personnel and that confidential data is secure.

3. Data privacy, security, and ethics: Using and analysing data, for example identifying IP and
identifying sensitive data such as personally identifiable information (PII).

4. Data storage: An organisation must organise and store data. The data will need to be stored
so that it is accessible and retrievable.

5. Data sharing: Share data with appropriate personnel and external parties in a secure
manner if required, for example using encryption.

6. Accuracy: Data sets may be required; check data is cleaned and accurate, back up data and
ensure a secure data environment.

7. Data preservation: Reuse and maintain the data.

8. Data disposal: Archiving, destroying and de-identifying data when it is no longer required.

Important: Throughout the whole data management process, it must be ensured
that data is protected against loss or corruption due to malfunctioning
infrastructure or cyber attacks.

Figure 7: Collecting data (© Getty Images modified under licence)

Collecting data
Methods to collect data will vary in different organisations; however, the overall data
collection process remains the same.

Things you need to consider before you begin collecting data:

 Why are you collecting the data?


 What type of data are you going to manage?
 What methods and procedures are you going to use to collect, store and handle the
data?
Organisations may use structured steps based on multiple related policies and procedures,
or the data may be collected guided by the project's goal. During the data handling process,
an organisation must ensure that the data is accurate. This may involve revising the data
collection procedures and systems to improve accuracy, integrity, and relevance.

Classifying information
All data must be organised, classified, sorted, and stored logically, which will help make it
easier to find.

Data classification will also:

 enable compliance with relevant privacy laws, for example, the Australian Privacy
Principles
 assist in protecting the company's confidential, proprietary information, such as
certain IP assets, for example trade secrets, inventions, source code and
confidential financial information.

Standard categories of data classification have been developed and will depend on
organisational requirements.

Refer to the Office of the Victorian Information Commissioner (Long URL:


https://ovic.vic.gov.au/resource/sample-information-asset-register-iar-template/) for an
example of a comprehensive asset information register.

Public information
This is data that the organisation can share with the public. This information does not need
encryption or specific protection, and there is negligible or no risk in disclosure.

For example, an organisation will have publicly available information such as its privacy
policy, published financial accounts and product marketing material.

Internal
This is data that is not intended for public disclosure but has low security requirements. For
example, an organisational chart or standard product sales policy.

Unauthorised disclosure of this data is not intended to be made, but it will not cause
significant damage to the organisation and will not breach confidentiality requirements
under relevant laws.

Confidential information
Unauthorised access to this data could pose a moderate to serious risk to the organisation
and may negatively affect it.

For example, data about a new product being developed, internal financial results and
budgeting information.

Restricted
This is the most sensitive data. If unauthorised access is gained it can place the organisation
at substantial financial, regulatory, and reputational risk. This may result in the organisation
breaching legislative requirements.

For example, leaking personally identifiable information (PII) such as protected health
information or credit card numbers.

Data privacy, security and ethics


It is essential to follow the organisation's requirements when handling confidential
information.

Organisations must comply with privacy and security laws, and with their ethical obligations,
when sharing data inside and outside the organisation.

Practice activity

Activity 3.1: Securing backup data


In this activity, you will encrypt a USB drive. In your skills assessment, you will also be
required to encrypt a USB. You may use the encrypted drive created here for that
assessment. Be sure to record your password – you will need it later!

Scenario

You have been asked to back up some of the personally identifiable information (PII) currently
stored on your local hard drive and place it on a USB drive.

As part of the Gelos Enterprises Data Protection Policy, you are required to encrypt any USB
drive used for storing confidential data.

Follow these steps:

Encrypt a USB in Windows 10


1. Plug the USB drive into your PC.
2. Open File Explorer (Windows key + E).
3. Click the USB drive (left hand side of screen).
4. On the top menu bar, click on Manage.
5. When the ribbon appears, click on the BitLocker icon and select Turn on BitLocker.

Note: You can also right-click the USB drive you want to encrypt and select Turn on
BitLocker.

Figure 8: Turn on BitLocker

6. Wait while BitLocker initialises.


7. Select the box to Use a password to unlock the drive.
8. Type in a password you can remember in the Enter your password box and do it
again in the Re-enter your password box. Write down the password so you don’t
forget it!
9. The next screen asks: How do you want to back up your recovery key? This key
allows you to access the USB drive if you lose the password. Click Save to a file –
name the file appropriately and save it to somewhere you can find it again!

Figure 9: BitLocker Drive Encryption #1

Figure 10: BitLocker Drive Encryption #2

10. Select how much of your USB drive you’d like encrypted. Here, you have two options
– select the entire drive or the used space only. Choose Encrypt entire drive.
11. Choose which encryption mode to use. We want this USB to be usable on a number of
different computers, so select Compatible mode. (Compatible mode uses AES-CBC and can
be read by older versions of Windows; New encryption mode uses XTS-AES and is intended
for fixed drives on Windows 10 version 1511 or later.)
12. Click Start Encrypting when ready. How long the encryption takes will depend on the
size of your USB drive, the amount of data you have stored on it, and the system
specs of your machine.

Figure 11: BitLocker Drive Encryption #3

Figure 12: BitLocker Drive Encryption #4

Check your encryption using the password


1. Open File Explorer (Windows key + E).
2. Click on the USB drive.
3. In the BitLocker message box, enter the password you created earlier.
4. Click Unlock.
5. You should now have full access to the drive.

Figure 13: Check BitLocker encryption using password

Check your encryption using the recovery key


1. Open the recovery key file you saved earlier.
2. Select and copy the Recovery Key.
3. Open the File explorer (Windows key + E).
4. Click on the USB drive – the BitLocker message box appears.
5. On the BitLocker message box, click More Options.
6. Click on Enter recovery key.
7. Paste the recovery key into the BitLocker encryption key box.
8. Click Unlock.
9. You should now have full access to the drive.

Figure 14: Check BitLocker encryption using recovery key
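The same procedure as steps 1 to 12 above, together with both unlock checks, can be driven from PowerShell instead of File Explorer. This is an added example, not part of the workbook or of the Gelos Enterprises policy. It assumes the USB drive is mounted as E: and that the recovery key is written to C:\Users\Public\Documents\BitLocker-RecoveryKey-USB.txt; change both to suit your machine, and run it from an elevated (Run as administrator) PowerShell session.

```powershell
# Added example (not part of the TAFE NSW workbook): BitLocker To Go from PowerShell.
# Assumptions: USB drive is E:, recovery key file path below. Requires elevation.
#Requires -RunAsAdministrator
$Drive   = 'E:'
$KeyFile = 'C:\Users\Public\Documents\BitLocker-RecoveryKey-USB.txt'

# 1. Prompt for the unlock password so it is never stored in the script or history.
$Password = Read-Host -Prompt "Password to unlock $Drive" -AsSecureString

# 2. Encrypt the entire drive (no -UsedSpaceOnly) with a password protector.
#    Aes256 is "Compatible mode" (AES-CBC); XtsAes256 is "New encryption mode",
#    which older Windows versions cannot read, so avoid it on a portable drive.
Enable-BitLocker -MountPoint $Drive `
                 -EncryptionMethod Aes256 `
                 -PasswordProtector `
                 -Password $Password

# 3. Add a recovery password protector (the 48-digit recovery key) and save it.
#    Keep this file somewhere other than the USB drive it unlocks.
Add-BitLockerKeyProtector -MountPoint $Drive -RecoveryPasswordProtector | Out-Null
$Recovery = (Get-BitLockerVolume -MountPoint $Drive).KeyProtector |
            Where-Object KeyProtectorType -eq 'RecoveryPassword'
$Recovery.RecoveryPassword | Set-Content -Path $KeyFile

# 4. Wait for encryption to finish, then show the result.
do {
    $Vol = Get-BitLockerVolume -MountPoint $Drive
    Write-Progress -Activity "Encrypting $Drive" `
                   -Status "$($Vol.EncryptionPercentage)%" `
                   -PercentComplete $Vol.EncryptionPercentage
    Start-Sleep -Seconds 5
} while ($Vol.VolumeStatus -eq 'EncryptionInProgress')
$Vol | Select-Object MountPoint, VolumeStatus, EncryptionMethod, ProtectionStatus

# 5. Check both unlock paths, as in "Check your encryption" above.
Lock-BitLocker   -MountPoint $Drive -ForceDismount
Unlock-BitLocker -MountPoint $Drive -Password $Password                     # password
Lock-BitLocker   -MountPoint $Drive -ForceDismount
Unlock-BitLocker -MountPoint $Drive -RecoveryPassword (Get-Content $KeyFile) # recovery key
```

After step 4, ProtectionStatus should read On and VolumeStatus FullyEncrypted; if either unlock in step 5 fails, the drive has not been protected the way the policy requires, and that is the moment to find out, not when the password is forgotten.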

Privacy impact assessment (PIA)


What privacy risks could arise from a new project?

A privacy impact assessment (PIA) will help identify these risks.

The PIA sets out recommendations on:

 managing the risks
 minimising the risks
 eliminating or reducing the impact of the risks.

A privacy impact assessment (PIA) is a vital part of an organisation's overall risk
management and planning processes and supports compliance with the Australian Privacy
Principles.

As described by the Office of the Australian Information Commissioner (OAIC) (Long URL:
https://www.oaic.gov.au/privacy/guidance-and-advice/guide-to-undertaking-privacy-
impact-assessments/), undertaking a PIA can assist organisations to:

 describe how personal information flows in a project


 analyse the possible impacts on individuals' privacy
 identify and recommend options for avoiding, minimising or reducing negative
privacy impacts

 build privacy considerations into the design of a project
 achieve the project's goals while minimising the negative and enhancing the positive
privacy impacts.

Organising and labelling data


Organisations have security systems in place to protect varying levels of sensitive
information.

For example:

 personally identifiable information (PII) will be protected under the organisational


policy and subject to the Privacy Act 1988 (Cth)
 confidential company information such as specific IP, software source code, inventions
that have not been patented, or trade secrets
 other organisational data that has restricted access within the organisation and when
communicating externally.

A category label is then associated with that data in the IT system.

Security policies describe how data carrying each label must be handled in terms of the three
principles of information security, the CIA triad. Let's look at these principles in more detail.

Figure 15: CIA Triad (© Getty Images modified under licence)

Confidentiality – Unauthorised disclosure


Confidentiality is about providing access to information only to authorised individuals,
groups, systems and processes.

An important aspect of ensuring confidentiality is data classification. This assists in


determining who has access to the data and what levels of controls can be put in place to
ensure confidentiality.

For example, think about your payroll information at work. You would expect that certain
authorised employees, such as a payroll officer, would need to view or modify your payroll
information but no one else. As an employee, you would not want other employees to view
your pay details. This is because you expect your details to be confidential.

Integrity - unauthorised changes


Integrity is about maintaining the accuracy and reliability of information and systems and
preventing any unauthorised modification. The system's hardware, application software and
network must work together to maintain and process data correctly and store it without any
unexpected alteration. The systems and network should be protected from any outside
interference or contamination. This is to ensure that attackers, or mistakes by users, do not
compromise the integrity of systems or data.

If you look at your bank statement you would expect that it only contains details of the
transactions that you have made. You would not want it to include any additional
transactions, and you expect the balance to be correct. You need to trust that your bank has
maintained the integrity of your banking details.

Availability - reliable and timely access for authorised users


Availability protection ensures reliable and timely access to data and resources only to
authorised individuals. The system's hardware, application software and network should
function in a predictable manner at an acceptable level of performance. The system should
also be able to recover from disruptions securely and quickly, so productivity is not
negatively affected. Protection mechanisms must be in place to protect against inside and
outside threats that could affect the availability and productivity of the system.

As an example, think about online systems and the internet. We all count on these online
systems in many areas of our modern life. We need them for shopping, banking, gaming,
education and many other areas. When these systems, such as an online banking system, are
not available, this causes disruption and inconvenience. We rely on the availability of online
systems.

The benefits of labelling are to:

 control access to sensitive information
 restrict access by unauthorised personnel.

Labelling also means an organisation does not have to secure all data on the IT system as if it
were sensitive, since some data is not, for example product marketing material.

The IT system and network can then check a label to make security-related decisions, such as
access control and routing.

For example, does it:

 need to be encrypted
 require password protection?
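The checks just described, in code. This is an added example written for this page, not code from the workbook or from any classification product. The four labels are the ones defined under "Classifying information" above; the clearance names, the handling rules (what must be encrypted, what needs a password, what may leave the organisation) and the sample file names are assumptions for illustration, not Gelos Enterprises policy.

```powershell
# Added example (not part of the TAFE NSW workbook). Labels are from the text;
# clearance levels, handling rules and sample files are assumed for illustration.

# Ordered from least to most sensitive; a label's rank is its index.
$Labels = @('Public', 'Internal', 'Confidential', 'Restricted')

function Get-LabelRank([string] $Label) {
    $rank = [array]::IndexOf($Labels, $Label)
    if ($rank -lt 0) { throw "Unknown label '$Label': unlabelled data must be classified first." }
    return $rank
}

function Test-LabelAccess {
    # $true when a subject cleared to $Clearance may read data labelled $Label.
    # Rule: no read-up. A subject may read at or below their own clearance.
    param([string] $Label, [string] $Clearance)
    return (Get-LabelRank $Label) -le (Get-LabelRank $Clearance)
}

function Get-HandlingRequirements {
    # Answers the questions in the text for one item: encrypt? password-protect?
    # and, for external destinations, may it leave the organisation at all?
    param([string] $Label, [ValidateSet('Internal', 'External')] [string] $Destination)
    $rank = Get-LabelRank $Label
    [pscustomobject]@{
        Label           = $Label
        Destination     = $Destination
        Encrypt         = $rank -ge 2    # Confidential and Restricted (assumed rule)
        PasswordProtect = $rank -ge 1    # everything except Public (assumed rule)
        Permitted       = -not ($Label -eq 'Restricted' -and $Destination -eq 'External')
    }
}

# Constructed sample: four files with labels, checked for an 'Internal'-cleared user
# who wants to send them to an external party.
$Files = @(
    @{ Name = 'marketing-brochure.pdf'; Label = 'Public' },
    @{ Name = 'org-chart.xlsx';         Label = 'Internal' },
    @{ Name = 'q3-budget.xlsx';         Label = 'Confidential' },
    @{ Name = 'payroll-export.csv';     Label = 'Restricted' }
)
foreach ($f in $Files) {
    $canRead = Test-LabelAccess -Label $f.Label -Clearance 'Internal'
    $req     = Get-HandlingRequirements -Label $f.Label -Destination 'External'
    '{0,-24} {1,-13} readable={2,-5} encrypt={3,-5} externalOK={4}' -f `
        $f.Name, $f.Label, $canRead, $req.Encrypt, $req.Permitted
}
```

The point of the rank comparison rather than a per-label lookup is that adding a fifth label, or a new clearance level, changes one list rather than every rule. The unknown-label case deliberately throws: data with no label is the usual way sensitive material escapes a labelling scheme, so the check refuses to guess.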

The NSW Government website has an excellent example of Information classification,


labelling and handling guidelines (Long URL:
https://www.digital.nsw.gov.au/policy/managing-data-information/information-
classification-labelling-and-handling-guidelines).

You can also refer to The Open Group Security Program Group (pdf) (Long URL:
http://www.opengroup.org/security/meetings/apr98/labeldoc.pdf) for an insight into their
information security labelling system.

Data storage
The large amounts of information generated and collected by an organisation raise several
challenges in managing the storage of data.

Data risks associated with data storage include:

 physical risks in relation to the physical location of the data storage infrastructure or
devices
 cyber security threats that exist against networks, servers and cloud infrastructure.

A storage device is computer hardware that stores data temporarily or permanently. The
device can be external or internal to a computer, server, or other system.

On-site data storage involves servers run by the organisation or in a private data centre
facility. A copy of the data held on a device separate from the primary storage is a backup,
and the device is backup storage. The physical devices or materials that hold data are known
as storage media.

It is generally good practice to keep data in three places, known as the 3-2-1 backup rule.

Figure 16: 321 Backup rule (© Getty Images modified under licence)

 Keep at least three copies of your data. For example, the working copy on the network,
a copy on an external hard drive or in-house backup server, and a copy in external cloud
storage.
 Keep the copies on at least two different types of storage media, for example network
storage plus an external hard drive or a backup server in house.
 Keep one copy off site, for example in external cloud storage.

This data storage system helps protect the organisation from data loss, degradation, or
corruption due to hardware failure, destruction, theft, or malware infection, for example,
ransomware.
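A backup that has never been checked is a hope, not a control. The following added example (not part of the workbook) makes two extra copies of a folder and then verifies every file in each copy against a SHA-256 hash of the original, so the 3-2-1 set is known to be good before it is relied on. The paths are assumptions: D:\Data is the primary copy, E:\Backup\Data a second medium such as the BitLocker-protected USB from Activity 3.1, and \\nas01\backup\Data a share at another site.

```powershell
# Added example (not part of the TAFE NSW workbook). Paths are assumed for illustration.
$Source  = 'D:\Data'
$Targets = @('E:\Backup\Data', '\\nas01\backup\Data')

function Get-TreeHashes {
    # Map of relative path -> SHA-256 hash for every file under $Root.
    param([string] $Root)
    $map  = @{}
    $base = $Root.TrimEnd('\')
    Get-ChildItem -Path $Root -File -Recurse | ForEach-Object {
        $rel = $_.FullName.Substring($base.Length).TrimStart('\')
        $map[$rel] = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
    }
    return $map
}

function Test-BackupCopy {
    # Returns the files that are missing or differ in the copy; an empty list means verified.
    param([hashtable] $SourceHashes, [string] $Target)
    $copy = Get-TreeHashes -Root $Target
    $bad  = @()
    foreach ($rel in $SourceHashes.Keys) {
        if (-not $copy.ContainsKey($rel))        { $bad += "MISSING  $rel"; continue }
        if ($copy[$rel] -ne $SourceHashes[$rel]) { $bad += "MISMATCH $rel" }
    }
    return ,$bad
}

# Hash the source once, before copying, so each copy is compared to the same baseline.
$expected = Get-TreeHashes -Root $Source

foreach ($t in $Targets) {
    # /MIR mirrors the tree and DELETES anything in the target that is not in the source,
    # so a wrong $t can destroy data: check the path before running. /R and /W limit
    # retries on a flaky share; /NP /NFL /NDL keep the log short.
    robocopy $Source $t /MIR /R:2 /W:5 /NP /NFL /NDL | Out-Null

    $problems = Test-BackupCopy -SourceHashes $expected -Target $t
    if ($problems.Count -eq 0) {
        "$t : verified $($expected.Count) files"
    } else {
        "$t : FAILED ($($problems.Count) problems)"
        $problems
    }
}
```

Hashing rather than comparing sizes or timestamps is what catches a copy that was silently truncated or corrupted in transit. It does not, on its own, protect against ransomware that encrypts the source before the backup runs: the copy will verify perfectly against an already-damaged original, which is why the off-site copy should be one the production network cannot overwrite.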

Hybrid clouds allow data and apps to move between two cloud areas or a private and public
cloud. A hybrid cloud allows an organisation to address business requirements or regulatory
compliance issues by maintaining some control without giving third-party data centres
access to all the organisation's data.

Storage Technologies
Digital data storage media can include:

 magnetic storage devices
 optical storage devices
 flash memory devices
 online or cloud storage.

Random Access Memory, or RAM, is the primary storage of a computer. When working on a
file on your computer, it will temporarily store data in your RAM. RAM is a volatile memory
and cannot hold onto information once the system is turned off.

Storage media
Storage media refers to a component within a computing system or a device that can receive
and store information.

The two main types of storage media used are:

Hard-disk drives (HDDs)


Also known as a hard drive, HD or HDDs can be installed on almost every desktop or laptop
computer. It stores operating system files, software programs and user documents, such as
photographs, text files, videos, and audio.

Solid-state drives (SSDs)


SSDs use flash memory to store data. They are widely used in laptops, desktop computers and
servers.

SSD vs HDD
SSDs have a faster read and write speed. They have a noiseless operation, greater reliability,
and lower power consumption but are usually more costly.

HDDs have been the usual form of secondary storage for a long time, but SSDs are quickly
overtaking HDD as the preferred technology. Some organisations use SSDs for high-
performing workloads and HDDs for the rest. Other organisations have storage systems that
incorporate both HDDs and SSDs.

Both HDD and SSD devices are also used as external drives.

Both are forms of non-volatile storage that keep data when the power is removed, unlike
random-access memory (RAM).

Figure 17: Tape Storage (© Getty Images copied under licence)

Tape storage
Tape storage is sometimes used for backup and archiving purposes. However, it is slower
and less reliable than other storage media.

Optical storage
Compact discs (CDs), DVDs and Blu-ray discs are forms of optical storage technology that use
lasers to read and write data.

DVDs have much greater storage capacity than compact disks. These devices can be used as
storage devices, not only for music and videos.

Flash drives
Also known as a thumb drive, memory stick, jump drive or USB stick. It is a flash-memory
data-storage device that incorporates an integrated USB interface.

Flash memory is generally more efficient and reliable than optical media, being smaller,
faster, and possessing much greater storage capacity.

Other types of storage technology are SD cards and floppy disks.

Cloud storage
Cloud storage is another storage technology. It involves accessing storage services over a
network from a collection of remote servers.

It is not surprising that people store their personal information on various storage devices
such as their mobile phones, USB drives, laptops, and external drives. Larger organisations
use external devices to implement their backup.

All personal information stored must be protected. You can use various protection strategies
to make sure that your personal information is protected from hackers. Organisations deploy
sophisticated data encryption and pervasive security to protect their sensitive data.

When using portable devices to store such sensitive information, follow these tips to protect
your device.

 Encrypt your external device and protect it with a password (for example, turn on
BitLocker for your USB drive as in Activity 3.1). A password on its own, without encryption,
does not protect the data if the drive is lost or the storage chip is read directly.
 Make sure to use complex, strong passwords that are not easy to guess by hackers. It
is also important to make sure that you are not using the same password to access a
lot of systems and devices because that makes your devices and systems more
vulnerable.
 Use other forms of access like fingerprints to protect the data on the devices.
 When you are copying or accessing the data using the password beware of shoulder
surfers. (Shoulder surfers are people who take advantage to look over your keypad
when you are typing the pin/passwords.)
 Avoid using any public device or laptop (including even your friend's computer) to
access your data. You may not be aware of the security status of the new device, and
your data may be vulnerable.

A virtual private network (VPN) encrypts data while it travels between devices over a network
or the internet. It protects data in transit only; data stored on the device still needs its own
protection, such as the drive encryption described above.

Emerging trends
Visit Storage 101: Modern Storage Technologies (Long URL:
https://www.red-gate.com/simple-talk/sql/database-administration/storage-101-modern-
storage-technologies/)for a discussion of emerging trends in data storage, such as virtual
SANs, intelligent storage, computational storage and storage-class memory.

Cloud storage
Cloud storage stores data on remote servers which can be accessed from the internet. The
data is managed, maintained, and backed up remotely by the cloud service provider, for
which the users generally pay a service fee.

Examples of cloud service providers are Google Drive, Microsoft OneDrive, Microsoft Azure,
Amazon Web Services and Dropbox. YouTube and similar platforms are also cloud storages
but are not used by organisations to store their data in the same way as a commercial cloud
service provider.

If your primary system is breached and the data is lost or corrupted, you can retrieve it from
the cloud and restore your network data, reducing downtime. Cloud storage uses data
centres with large numbers of servers that physically store the data and make it available to
users via the internet. Users can remotely upload and store data and retrieve it whenever
required.

Let's explore some advantages and disadvantages of cloud storage and some considerations
when deciding to use a cloud service provider.

Advantages of cloud storage:


 enables backup of data and easy retrieval
 allows sharing and collaboration for a group of people via shared storage
 easily accessible remotely in any location, including by mobile devices
 lowers costs as it reduces maintenance of hardware and software capacities
 cost of service is usually scalable by usage and has a flexible service model for
payment
 storage capacity is not limited and can be increased as necessary
 advanced data security features.

Disadvantages of cloud storage:


 dependent on internet connectivity
 moving from one cloud to another may be difficult due to different platforms and
infrastructure
 users have limited control of the function and execution of services as the
infrastructure is owned and controlled by the cloud service provider
 security: although cloud services provide advanced security protection, the customer
does not directly control the provider's security measures for the sensitive data it holds in
the cloud, and remains responsible for what it uploads and who it grants access to. This is
particularly important when the customer has obligations under privacy laws or when other
sensitive company data is sent to the cloud.

Using a cloud service provider


There are several issues to be considered in an organisation deciding to use a cloud service
provider.

Any organisation holding confidential data will be obliged to maintain the security of that
data to ensure the organisation does not breach obligations under relevant privacy
legislation in relation to personally identifiable information (PII) that it holds.

Key questions to be addressed by the organisation in relation to privacy concerns are


contained in the fact sheet issued by the Australian Government Cloud computing and
privacy: Small business factsheet.

Cloud computing and privacy: Small business factsheet (pdf) (Long URL:
https://www.communications.gov.au/sites/default/files/small-business-privacy-
factsheet.pdf)

Consider the following questions you might ask a cloud storage provider.

Where will my data be stored?


Different countries have different laws that may allow access to stored data for law
enforcement and national security purposes.

Do you offer encryption services?


Some cloud providers offer encryption services to give customers an additional level of
protection for their stored data.

Under what circumstances will data be disclosed to third parties?


If you are uncomfortable with proposed disclosure arrangements, particularly where your
express consent is not required, you may wish to choose a different provider.

Visit The Risks and Benefits of Cloud Storage in 2021 (Long URL:
https://www.cloudwards.net/the-risks-and-benefits-of-cloud-storage/) to learn more
information about the advantages and disadvantages of cloud storage.

Practice activity

Activity 3.2: Create a cloud backup storage account
In this activity you will create a Google Drive cloud storage account.
Note that in your assessment, you will be required to copy files to cloud storage and you
may use the drive account you are creating here for that assessment task.

1. Access Google Drive

In this activity, you will visit the Google Drive website to create a Google account and access
Google Drive (cloud drive).

If you already have a Google account, then you can access your Google Drive using the link
and proceed with the activity steps.

Getting started with Google Drive (Long URL:


https://edu.gcfglobal.org/en/googledriveanddocs/getting-started-with-google-drive/1/)

2. Access Google apps

After you have created and logged into your Google Account, access your Google Drive using
the icon for Google Drive which will be available from the Google apps menu.

Figure 18: Google apps menu (© TAFE NSW)

3. Add one document to Google Drive

Once you have opened your Google Drive, do the following:

 Create a new folder named ITSecurityPrivacy
 Add one document of your choice to this folder.

Congratulations! You have now stored an important document on cloud storage.

Try the same activity with another cloud storage service of your choice, for example Microsoft
OneDrive or Dropbox.

Distributed framework
A distributed storage system supports data storage and retrieval among several computers
or storage devices. It will split data across multiple servers and often across more than one
data centre but will behave as one storage system.

Each physical server is called a node and can be located in the same region or different
countries (a distributed data store).

Because data is copied (in whole or part) across several servers in a storage network, if a
single server fails the data remains available from the other nodes.

Algorithms are used to determine the optimum distribution across the nodes.

Platforms such as Amazon S3, Google Cloud and Microsoft Azure offer distributed
service models.

The distributed data system is a cluster of storage units with a mechanism for data
synchronisation and coordination between clustered nodes.

The table following explains the advantages of a distributed data system over the centralised
model.

Table 3 Advantages of a distributed data system over the centralised model

Advantage: Description

Scalability: Add more storage space by adding more storage nodes to scale up.
Redundancy: Can store more than one copy of the same data for high availability and backup.
Cost: Less expensive to store large volumes of data.
Performance: Distributed data offers better performance than a single server in some cases,
such as storing data closer to its customers.

However, the complexity introduced by distributed systems may diminish their reliability in
some areas.

The video What is a distributed system? (Long URL: https://youtu.be/7VbL89mKK3M)


(YouTube, 9:04 min) provides a brief introduction to this type of system.

Data sharing, accuracy and preservation


Let's explore best practices for data sharing, maintaining data accuracy and
data preservation.

Data sharing
Sometimes organisations share data with other organisations to improve various aspects of a
policy, a process or further analysis. While there are always some concerns about sharing
data freely outside the organisation, proper risk management can be weighed against the
potential benefits of sharing the data.

Governing bodies support best practice in data sharing by managing the associated risk
effectively. A balanced approach weighs a range of risk-management controls and treatments
against the benefits gained by sharing the data, rather than flatly reducing the level of
detail in the data.

Refer to the Australian government Best Practice Guide to Applying Data Sharing Principles
(pdf) (Long URL: https://www.datacommissioner.gov.au/sites/default/files/2019-08/data-
sharing-principles-best-practice-guide-15-mar-2019.pdf) for more information.

Data Sharing Principles


The 5 Data Sharing Principles are:

1. Projects: Data is shared for an appropriate purpose that delivers a public benefit.
2. People: The user has the appropriate authority to access the data.
3. Settings: The environment in which the data is shared minimises the risk of
unauthorised use or disclosure.
4. Data: Appropriate and proportionate protections are applied to the data.
5. Output: The output from the data sharing arrangement is appropriately safeguarded
before any further sharing or release.

Practice activity

Activity 3.3: Verifying and maintaining data


In your role as a Gelos ICT trainee, your manager asked you to contact eight of the company
suppliers via email to send quotations for new equipment.

When you sent the emails, you received a delivery failure notice for two of them. The
purchasing team confirmed that the suppliers are still active in the system, so you decided to
call them.

When you called, you found that their email addresses were wrong in the Gelos system. You
collected the correct email addresses as below from the three suppliers.

Table 4 Supplier email addresses

Supplier name | Updated email information
Anders Computing | marie.anders@anders.com.au
Eastern Connection PCs | annedevon@optus.net.com.au
Holz Software Company | Michael.holz@holzsoftware.com.au

Open the Gelos Enterprises Suppliers 2021 (docx) (Long URL:
https://share.tafensw.edu.au/share/items/99f57124-5ce3-4308-890b-cce98c750c92/0/?attachment.uuid=1a221162-fa25-4a38-b67c-d816d00121c3)
file and update the email addresses with the correct information.

Data disposal
Whether an organisation creates, collects, transfers, or stores data, they all have one
problem.

What are they going to do with the data once they no longer need to keep it?

Organisations will generally have a policy and procedure for record retention and
destruction. The policy may indicate that certain records are to be held for only a certain
length of time. For example, tax records in Australia are usually only required to be kept for
five years from when you lodged the tax return.

Destroy and de-identify data


What is the difference between data disposal and destroying or de-identifying it?

Data disposal
Data disposal includes disposing of all data from your computer or device by putting it in the
trash or by simply deleting the files from the computer. Disposing of data this way means
that the data can still be accessed and therefore can be used by others with malicious intent.

De-identifying data
To de-identify data is to destroy the information by wiping the device clean of data. This
form of data disposal is a secure way to ensure there is no access to or the ability to access
that information.

Simply deleting data is not enough to make it unrecoverable.

Depending on the type of personal information involved, the organisation may have specific
obligations under law or a court-tribunal order to retain, destroy, or de-identify personal
information.

Destruction according to data type


There are various methods for destruction according to the type of media.

Specialised software may be required for digital records or, for physical destruction, the
organisation may engage a company that specialises in the physical destruction of hardware
components to ensure the information is irrecoverable.

For paper documents, a shredder or a shredding company can be used. Audits and
verifications are made to ensure that the policies and guidelines for destruction are carried
out.

Privacy principles
Under Australian Privacy Principles Chapter 11: APP 11 – Security of personal
information (Long URL: https://www.oaic.gov.au/privacy/australian-privacy-principles-
guidelines/chapter-11-app-11-security-of-personal-information/), where an APP entity holds
personal information that it no longer needs for a purpose permitted under the APPs, it
must take reasonable steps to destroy or de-identify that personal information.

Personal information is de-identified under s6 of the Privacy Act 1988 (Cth) 'if the
information is no longer about an identifiable individual or an individual who is reasonably
identifiable'. Personal information is destroyed.

The steps taken to destroy personal information will depend on whether the personal
information is held in hard copy or electronic form.
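The distinction drawn in the Data disposal and Privacy principles passages above, as an added example (not TAFE NSW or OAIC code): a plain delete only drops the directory entry, so destroying a file means overwriting its bytes first, while de-identifying a record means removing the direct identifiers and generalising what remains so it is no longer about a reasonably identifiable individual. The attendee record, its field names and the list of direct identifiers are constructed for the example.

```python
"""Constructed example: delete vs destroy a file, and de-identify a record.
Not TAFE NSW or OAIC code; field names and sample data are assumptions."""
from __future__ import annotations

import os
import tempfile
from datetime import date

# Fields that identify a person directly. A de-identified copy must not keep any.
DIRECT_IDENTIFIERS = {"name", "email", "phone", "address", "date_of_birth",
                      "bank_account", "tax_file_number"}


def age_band(dob_iso: str, on_iso: str, width: int = 10) -> str:
    """Generalise an exact date of birth (ISO format) to a coarse band such as '30-39'."""
    dob, on = date.fromisoformat(dob_iso), date.fromisoformat(on_iso)
    age = on.year - dob.year - ((on.month, on.day) < (dob.month, dob.day))
    low = age - age % width
    return f"{low}-{low + width - 1}"


def has_direct_identifiers(record: dict) -> bool:
    return any(k in record for k in DIRECT_IDENTIFIERS)


def deidentify(record: dict, on_iso: str) -> dict:
    """Return a copy that is no longer about a reasonably identifiable individual:
    direct identifiers are dropped and the date of birth becomes an age band."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    if "date_of_birth" in record:
        out["age_band"] = age_band(record["date_of_birth"], on_iso)
    return out


def securely_destroy(path: str, passes: int = 1) -> bool:
    """Overwrite the file's bytes with random data, flush to disk, then unlink.
    A plain os.remove() only drops the directory entry; the bytes stay in the
    freed blocks until something else overwrites them. Returns True once gone."""
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for _ in range(passes):
            fh.seek(0)
            fh.write(os.urandom(size))
            fh.flush()
            os.fsync(fh.fileno())
    os.remove(path)
    return not os.path.exists(path)


def demo() -> tuple[bool, bool, bool]:
    """(original has identifiers, de-identified copy has identifiers, file destroyed)"""
    attendee = {                      # constructed 2017 conference attendee record
        "name": "Jane Citizen", "email": "jane.citizen@example.com",
        "date_of_birth": "1985-06-12", "company": "Example Pty Ltd",
        "position": "Analyst", "bank_account": "000-000 00000000",
    }
    safe = deidentify(attendee, on_iso="2021-12-14")
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as fh:
        fh.write(repr(attendee).encode())
    return has_direct_identifiers(attendee), has_direct_identifiers(safe), securely_destroy(path)
```

Overwriting in place is only reliable on media that write back to the same physical location; on SSDs with wear levelling, and on journaling or copy-on-write file systems, old copies of the bytes can remain, which is why the workbook points to specialised software or physical destruction of the hardware for records that must be irrecoverable.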

The Guide to securing personal information (Long URL:
https://www.oaic.gov.au/privacy/guidance-and-advice/guide-to-securing-personal-information/)
from the Office of the Australian Information Commissioner provides a clear graphic of the
five processes that need to be considered when collecting and protecting personal
information throughout its life cycle.

Figure 19: The information life cycle (© Getty Images modified under license)

1. Consider whether it is actually necessary to collect and hold personal information in
order to carry out your functions or activities.
2. Plan how personal information will be handled by embedding privacy protections
into the design of information handling practices.
3. Assess the risks associated with the collection of the personal information due to a
new act, practice, change to an existing project or as part of business as usual.
4. Take appropriate steps and put into place strategies to protect personal information
that you hold.
5. Destroy or de-identify the personal information when it is no longer needed.

Asset information register


An asset information register is used to record and manage information assets. It enables
the identification and management of the risks related to different information assets. It also
identifies the implementation of any controls used to reduce the risks associated with the
assets, such as identifying assets where access is limited to authorised personnel only.

Suppose the organisation does not fully understand the types of information it holds and the
purpose for which it is stored. In that case, it will be difficult to protect it from external
attacks or internal lapses in maintaining secure protection of data.

The information register ensures that proper security controls are applied to a particular
set of stored data based on its sensitivity and business value.

If it is uncertain whether an asset may contain PII, the company policy is to treat the asset
as PII to avoid any potential breach of privacy laws.

Information assets

Personal identifiable information


Personal identifiable information (PII) is information or an opinion about an identified
individual, or about an individual who can be identified from the data or from a number of
sources of data. It includes personal information such as a person's name, address, phone
number, date of birth, age, bank details and medical records. It can also include bank
account or credit card details, user IDs, passwords and lists of employees. For example, an
email address that contains the individual's name would be enough to identify the
individual.

Sensitive company data


Sensitive company data is any confidential company information that the company does not
wish to be made public without its agreement: for example, internal financial information,
customer databases, trade secrets and intellectual property (except publicly accessible
information such as a trademark). Sensitive company data includes PII.

Where the term sensitive data or sensitive information is used, the word sensitive may be
used in two separate contexts: under privacy laws and under company information.

Under the Privacy Act 1988 (Cth) sensitive personal information is a subset of personal
identifiable information (PII) that has a specific meaning and includes health information
about an individual. For example, where customer information collected by a company
includes health information, this sensitive information has a higher level of protection under
the Privacy Act 1988 (Cth) than other PII.

However, the term sensitive is also used more broadly in relation to company information
where that data is highly confidential to the company. For example, trade secrets, company
developed software IP and internal company cyber intrusion reports.

Security and restrictions

Access control
Access control is about protecting company data or asset access, such as by restricting
access to specified named individuals or specified job roles or specific authorised company
personnel. For physical assets it involves restricting physical access.

Usual options to select from include:

 not accessible
 physical access restricted
 authorised persons only
 no restriction.

Confidentiality
Confidentiality rating is about preventing unauthorised access to sensitive information
without limiting the persons who require access to it.

Ratings include high, medium, low and not confidential.

High
Strictly confidential, required to be highly secure, disclosure would severely impact business.

Medium
Confidential but disclosure would have medium impact.

Low
Low security, loss of confidentiality would not materially impact business.

Not confidential
Information made publicly available.

Level of security
Add any relevant comments regarding the asset and the level of security.
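A minimal asset information register that records the access control option and confidentiality rating described above and answers an access request for a named user, as an added example that is not TAFE NSW code. The sample assets are modelled on the Gelos examples in the check-your-understanding questions; the user names, the "uncertain PII" handling and the rule that PII can never be left with no restriction are assumptions based on the company policy stated above.

```python
"""Constructed example of an asset information register with access control and
confidentiality ratings. Not TAFE NSW code; assets and user names are made up."""
from __future__ import annotations

from dataclasses import dataclass, field

ACCESS_OPTIONS = {"not accessible", "physical access restricted",
                  "authorised persons only", "no restriction"}
CONFIDENTIALITY = {"high": 3, "medium": 2, "low": 1, "not confidential": 0}


@dataclass
class Asset:
    name: str
    contains_pii: bool | None        # None means "uncertain"
    confidentiality: str
    access: str
    authorised: set[str] = field(default_factory=set)   # users for "authorised persons only"
    comments: str = ""                                  # the "level of security" notes

    def __post_init__(self) -> None:
        if self.access not in ACCESS_OPTIONS:
            raise ValueError(f"unknown access option: {self.access}")
        if self.confidentiality not in CONFIDENTIALITY:
            raise ValueError(f"unknown confidentiality rating: {self.confidentiality}")
        # Company policy from the text: when unsure, treat the asset as PII.
        if self.contains_pii is None:
            self.contains_pii = True
            self.comments += " Treated as PII (uncertain)."
        # Assumed rule: PII is never registered with no restriction.
        if self.contains_pii and self.access == "no restriction":
            raise ValueError(f"{self.name}: PII cannot be 'no restriction'")


class AssetRegister:
    def __init__(self) -> None:
        self.assets: dict[str, Asset] = {}

    def add(self, asset: Asset) -> None:
        self.assets[asset.name] = asset

    def can_access(self, asset_name: str, user: str) -> bool:
        """Authorisation decision for an already authenticated user."""
        asset = self.assets[asset_name]
        if asset.access == "no restriction":
            return True
        if asset.access == "authorised persons only":
            return user in asset.authorised
        return False   # "not accessible" and physical restrictions are handled elsewhere

    def high_risk(self) -> list[str]:
        """Assets a review should look at first: anything holding PII or rated high."""
        return sorted(a.name for a in self.assets.values()
                      if a.contains_pii or CONFIDENTIALITY[a.confidentiality] >= 3)


def build_register() -> AssetRegister:
    """Constructed register entries modelled on the Gelos examples."""
    reg = AssetRegister()
    reg.add(Asset("Promotional brochures (electronic)", False, "not confidential",
                  "no restriction"))
    reg.add(Asset("Sales staff payment records (electronic)", True, "high",
                  "authorised persons only", {"payroll.officer"}))
    reg.add(Asset("Login software product (2021)", False, "high",
                  "authorised persons only", {"dev.lead"}))
    reg.add(Asset("Archived survey export", None, "medium",
                  "authorised persons only", {"ict.trainee"}))
    return reg
```

The register separates the two decisions the text describes: what rating and access option an asset carries (recorded once, when it is registered) and whether a particular person may open it (evaluated on every request). Keeping the "uncertain" case explicit lets the register apply the company's treat-as-PII policy automatically instead of relying on whoever fills in the form.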

Threats to data
A threat is typically any malicious attack that tries to access an organisation's data
unlawfully; a malfunction, by contrast, is infrastructure that is failing rather than being
attacked. Malware is a term used for all malicious software installed on the host computer.

The following video on Malware: Difference Between Computer Viruses, Worms and Trojans
(Long URL: https://youtu.be/n8mbzU0X2nQ) (YouTube, 2:46 min) explains what you need to
know about malware. After reviewing the video, answer the questions in the activity that
follows.

Practice activity

Activity 3.4: Fraudulent email features explained

Let's look at each of these elements and what would indicate that the following email could
be a fraud.

From: MSTeam-Outlook mailto: no-reply@office365protectionservices.com.au
Sent: 11 May 2021 12:30 am
To: Fred Bloggs Fred.Bloggs@yourcompany.com
Subject: Account verification – Urgent attention required

This email is from a trusted sender.

We're having problems with your Office365 account: Fred.Bloggs@yourcompany.com
on our system, fetures will be turn off.
To resolve this problem , you need to log onto this portal to verify your account.

SIGNON TO MICROSOFT OFFICE365 ACCOUNT PORTAL

If this is not done within 24 hours your account will be suspended.

Microsoft Office 365 Corporation
One-Microsoft Way Redmond
WA, 98052
Alrights Reserved | Acceptable Use Policy | Privacy Notice

Elements indicating that this email is fraudulent include:

 fake sender email address and domain
 email send time is not in normal business hours (this could still be OK if it is an
automated message)
 sense of urgency in the action you must take
 fake trusted email source message
 threats
 fake portal name
 fake email signature
 no logos or icons
 spelling errors.
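The indicator list above turned into a rule-based check run over a captured message, as an added example that is not part of the workbook. The fraudulent message is the activity's sample re-typed as a string; the benign message, the trusted sender domains, the business-hours window and the urgency, threat and misspelling word lists are assumptions. Logo and signature checks need the rendered message rather than its text, so they are left out.

```python
"""Constructed example: flag the text-visible fraud indicators in an email.
Not TAFE NSW code; domain and word lists are assumptions for the example."""
from __future__ import annotations

import re
from datetime import datetime

TRUSTED_SENDER_DOMAINS = {"microsoft.com", "yourcompany.com"}   # assumed
BUSINESS_HOURS = range(8, 18)                                    # assumed 8 am to 6 pm
URGENCY_WORDS = {"urgent", "immediately", "immediate", "within 24 hours", "within 48 hours"}
THREAT_WORDS = {"suspended", "will be closed", "turn off", "deleted"}
KNOWN_MISSPELLINGS = {"fetures", "alrights"}   # stand-in for a spell checker

FRAUD_EMAIL = """\
From: MSTeam-Outlook mailto: no-reply@office365protectionservices.com.au
Sent: 11 May 2021 12:30 am
To: Fred Bloggs Fred.Bloggs@yourcompany.com
Subject: Account verification – Urgent attention required

This email is from a trusted sender.

We're having problems with your Office365 account: Fred.Bloggs@yourcompany.com
on our system, fetures will be turn off.
To resolve this problem , you need to log onto this portal to verify your account.

SIGNON TO MICROSOFT OFFICE365 ACCOUNT PORTAL

If this is not done within 24 hours your account will be suspended.

Microsoft Office 365 Corporation
One-Microsoft Way Redmond
WA, 98052
Alrights Reserved | Acceptable Use Policy | Privacy Notice
"""

BENIGN_EMAIL = """\
From: ICT Service Desk servicedesk@yourcompany.com
Sent: 11 May 2021 10:15 am
To: Fred Bloggs Fred.Bloggs@yourcompany.com
Subject: May ICT newsletter

Hi Fred,

The May ICT newsletter is now on the intranet. No action is needed.

Regards,
ICT Service Desk
"""


def parse(raw: str) -> tuple[dict[str, str], str]:
    """Split a captured message into lower-cased header names and the body text."""
    head, _, body = raw.partition("\n\n")
    headers = {}
    for line in head.splitlines():
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def fraud_indicators(raw: str) -> list[str]:
    """Return the indicators from the list above that the message triggers."""
    headers, body = parse(raw)
    text = body.lower()
    subject = headers.get("subject", "").lower()
    found: list[str] = []

    sender = re.search(r"[\w.+-]+@([\w.-]+)", headers.get("from", ""))
    if sender and sender.group(1).lower() not in TRUSTED_SENDER_DOMAINS:
        found.append("sender domain not trusted")

    try:
        when = datetime.strptime(headers.get("sent", ""), "%d %B %Y %I:%M %p")
        if when.hour not in BUSINESS_HOURS:
            found.append("sent outside business hours")
    except ValueError:
        found.append("unparseable send time")

    if any(w in text or w in subject for w in URGENCY_WORDS):
        found.append("sense of urgency")
    if any(w in text for w in THREAT_WORDS):
        found.append("threat of consequences")
    if "trusted sender" in text:
        found.append("self-declared trusted source")
    if re.search(r"\b(signon|sign on|log on|log onto|verify)\b.*\b(portal|account)\b", text):
        found.append("request to log on to a portal")
    if any(w in text for w in KNOWN_MISSPELLINGS):
        found.append("spelling errors")
    return found
```

No single indicator is conclusive (the text itself notes that an out-of-hours send time can be fine for automated mail), so a mail filter would score these rather than block on any one of them; the value of the list is that the fraudulent sample trips all seven while the ordinary service-desk notice trips none.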

Data security
Access control
Access control is the key component of data security.

Who should get access to your organisation's data and how?

What factors decide when access to certain information is denied, even to users who hold
the privilege to access it?

To effectively protect data in an organisation, an access control policy must be in place that
addresses the above questions.

Access control is a method that guarantees the user's authentication and makes sure that
they have the appropriate access to the organisational data. Access control consists of two
main components.

Authentication
Authentication is a process or action which confirms that users are who they claim to be.

Authorisation
Authorisation determines whether the user should be allowed to access the data that they
are trying to access. Where most organisations heavily rely on cloud services, the Internet of
Things, artificial intelligence and machine learning, it becomes important that users are
authenticated and authorised before getting hold of an organisation's data.

Identity and access management protocols are specifically designed to protect the
authentication information as it travels through the networks or between servers.

Several identity access management (IAM) protocols support stronger IAM policies that help
secure the data and its integrity.

Some common examples of IAM protocols are:

 Lightweight Directory Access Protocol (LDAP)
 Security Assertion Markup Language (SAML)
 OpenID
 OAuth
 Kerberos
 Remote Authentication Dial-In User Service (RADIUS)
 Diameter
 System for Cross-domain Identity Management (SCIM)
 Terminal Access Controller Access Control System (TACACS)
 BlockChain.

By using a virtual private network (VPN), your online identity can be concealed from public
internet connections, because the VPN creates a private network over them.

VPNs can be installed on various machines to create an encrypted tunnel between the
computer and the network. This will ensure that all the user's web traffic and their IP
address are hidden from their internet service providers, therefore helping to keep the data
secured during the communication.

Password protection
Password protection is another way to secure the identity of users in the system and
provides an extra layer of protection. This can be done by the use of sophisticated password
manager apps.

Here are some common tips to keeping your passwords protected:

 use long and complex passwords (ideally, the password should be 16 characters or
more)
 change the passwords frequently
 avoid using the same password
 keep your passwords unique to avoid easy guesses
 make use of special characters and digits in a complex combination that is hard to
predict
 most importantly, making use of password manager apps, for example, 1Password
and LastPass.

Password protection can also be used to protect confidential documents at your
workplace. For example, you can password protect Microsoft Word or Microsoft
Excel spreadsheets before copying them on network drives or sending them via
emails.
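The password tips above applied in code, as an added example that is not TAFE NSW code or any password manager's API: a new password is checked for length, character mix and re-use against the user's history, and only a salted PBKDF2-HMAC-SHA256 hash is ever stored, so re-use can be detected without keeping the old passwords themselves. The minimum length follows the tip above; the three-class mix rule, the iteration count and the sample passwords are assumptions.

```python
"""Constructed example: password policy checks plus salted PBKDF2 storage.
Not TAFE NSW code; policy thresholds and sample passwords are assumptions."""
from __future__ import annotations

import hashlib
import hmac
import os
import string

MIN_LENGTH = 16          # from the tip above
PBKDF2_ROUNDS = 200_000  # assumed work factor

# A stored credential is (salt, digest); the plaintext is never kept.
Stored = tuple[bytes, bytes]


def hash_password(password: str) -> Stored:
    """Salted PBKDF2-HMAC-SHA256 of the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


def password_problems(candidate: str, history: list[Stored]) -> list[str]:
    """Return the tips the candidate breaks; an empty list means it is acceptable."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = [
        any(c.islower() for c in candidate),
        any(c.isupper() for c in candidate),
        any(c.isdigit() for c in candidate),
        any(c in string.punctuation for c in candidate),
    ]
    if sum(classes) < 3:   # assumed rule: at least three of the four classes
        problems.append("needs a mix of letters, digits and special characters")
    # "avoid using the same password": compare against every stored hash.
    if any(verify_password(candidate, salt, digest) for salt, digest in history):
        problems.append("already used before")
    return problems


def rotate_password(history: list[Stored], new_password: str) -> list[str]:
    """Apply the checks; on success append the new hash to the user's history."""
    problems = password_problems(new_password, history)
    if not problems:
        history.append(hash_password(new_password))
    return problems
```

Verifying a candidate against each stored hash costs one PBKDF2 computation per entry, which is deliberate: the same work factor that slows a history check slows anyone who obtains the stored hashes.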

Encryption
Encryption is the process of turning your data into code.

Encryption is commonly used to protect the data on top of password protection. This
process changes the original plaintext into what is called ciphertext with a secret code. This
is applied before sending it over the internet, such as sending via emails.

This means that while the data travels over any channel it is encoded. To read it, the
recipient needs the key that decrypts it, which makes the data far less vulnerable in transit.
This reduces the risk of theft, destruction or tampering and is standard practice in the IT
industry.

Practice activity

Activity 3.5: Password protect Microsoft Word document

The following steps can be used to protect a Microsoft Word document with a password.

Try this activity to protect a document you would like to practice with.

1. Go to File > Info > Protect Document > Encrypt with Password.
2. Type a password, then type it again to confirm it.
3. Save the file to make sure the password takes effect.

Explore whether you can also protect a Microsoft Excel spreadsheet file in the same way.

Topic 3: Check your understanding


Use the following scenario to answer questions 1 to 6:

In your role as an ICT trainee, you have been asked to conduct a privacy impact assessment
(PIA) on the data used for the 2017 Gelos IT conference.

This data includes a list of attendees and their:

 names
 addresses
 company
 position in the company
 bank payment details.

At the time, the attendees were asked to complete a paper-based form. The data was then
collated and entered into a database. The paper-based documents were sent to be
destroyed (burnt or shredded), but the database file still remains.

As this conference was so long ago, this data is no longer needed. Complete the PIA
questions to identify the information held and the plan of action.

Assess your responses against the related Australian Privacy Principles Chapter 11: APP 11
— Security of personal information (Long URL: https://www.oaic.gov.au/privacy/australian-
privacy-principles-guidelines/chapter-11-app-11-security-of-personal-information/ ) (if
applicable).

1. Read the following questions and indicate ‘Yes’ or ‘No’.

Questions (Yes/No):
 Does the data involve personal information?
 Is all the personal information collected necessary for the project? (APP3.1-3.2)
 Is the personal information accurate, complete and up to date? (APP10)
 Are there security measures in place to protect personal information collected and used
for the project? (APP11)

2. Where will the personal information be stored? (APP11)

Applications (select the correct answer/s):
 Local storage
 Cloud storage
 Local and cloud storage

3. Who will have access to the personal information? (APP12)

Applications (select the correct answer/s):
 Authorised personnel
 General public
 All staff
 Only you

4. Read the following questions and indicate ‘Yes’ or ‘No’.

Questions (Yes/No):
 Will personal information be shared outside of your organisation? (APP6)
 Is there a document available to the public or stakeholders that sets out your company’s
policies for the management of personal information? (APP1.3-1.5)

5. How will personal paper-based information be destroyed when it is no longer required?
(APP11)

Applications (select the correct answer/s):
 Process such as burning or shredding
 Send paper documents to recycling
 Garbage disposal for paper copies

6. How will personal electronic information be destroyed when it is no longer required?
(APP11)

Applications (select the correct answer/s):
 De-identify information beyond use
 Archive files to remote storage
 Delete the data files

7. What are two benefits of using the 3-2-1 backup rule?

Applications (select the correct answer/s):
 Doing backups guarantee that data will never be at risk of corruption
 3-2-1 rule is a benefit as it backs up files from largest to smallest, therefore saving
time
 Prevents data loss in the event of human error
 To ensure data is secure in the event of a fire, earthquake, tornado, flood or other
natural disaster

8. Which two of the following can be cyber security threats to network servers?

Applications (select the correct answer/s):
 Natural disasters
 Unauthorised access
 Hacking and phishing
 Human error

9. Which two of the following are external storage devices?

Applications (select the correct answer/s):
 USB drive
 Cloud storage
 Computer hard drive
 Compressed data file

Use the following scenario to answer questions 10 to 14:

In your role as an ICT trainee for Gelos Enterprises, you have been asked to complete an
asset information register for the information held by the ICT department.

Complete the questions to select the appropriate responses for each type of asset
information listed in the asset information register.

10. Match the asset information with the asset type.

Asset types:
A. Electronic – Public information
B. Electronic – Employee details
C. Paper or hard copy records
D. IP – Invention, patent or circuit layout

Asset information (select letter):
 Publicly available advertising brochures and promotional materials (electronic).
 Sales staff payment records including full name, address, contact details, salary rates,
tax file details, banking details (electronic).
 Product information including price lists, catalogues, brochures and information
(electronic).
 A software product developed by Gelos in 2021 for securely logging in to a database
system using generated passwords.
 Promotional videos publicly available (electronic).
 Paper-based employee records archived and stored off-site (includes personal details,
salary rates, tax file details, banking details, home address and contact details).

11. Which of the following asset information details contain Personally Identifiable
Information (PII) under privacy laws?

Asset information details (select the correct answer/s):
 Paper-based employee records archived and stored off-site (includes personal details,
salary rates, tax file details, banking details, home address and contact details).
 Promotional videos publicly available (electronic).
 Product information including price lists, catalogues, brochures and information
(electronic).
 Sales staff payment records including full name, address, contact details, salary rates,
tax file details, banking details (electronic).
 A software product developed by Gelos in 2021 for securely logging in to a database
system using generated passwords.
 Publicly available advertising brochures and promotional materials (electronic).

12. Which of the following asset information details contain sensitive company data?

Asset information details (select the correct answer/s):
 Paper-based employee records archived and stored off-site (includes personal details,
salary rates, tax file details, banking details, home address and contact details).
 Promotional videos publicly available (electronic).
 Product information including price lists, catalogues, brochures and information
(electronic).
 Sales staff payment records including full name, address, contact details, salary rates,
tax file details, banking details (electronic).
 A software product developed by Gelos in 2021 for securely logging in to a database
system using generated passwords.
 Publicly available advertising brochures and promotional materials (electronic).

13. Match the asset information with the required access control.

Asset information (select No restriction or Authorised persons only):
 Publicly available advertising brochures and promotional materials (electronic).
 Sales staff payment records including full name, address, contact details, salary rates,
tax file details, banking details (electronic).
 Product information including price lists, catalogues, brochures and information
(electronic).
 A software product developed by Gelos in 2021 for securely logging in to a database
system using generated passwords.
 Promotional videos publicly available (electronic).
 Paper-based employee records archived and stored off-site (includes personal details,
salary rates, tax file details, banking details, home address and contact details).

14. Match the asset information with the level of confidentiality.

Asset information (select Not confidential or High):
 Publicly available advertising brochures and promotional materials (electronic).
 Sales staff payment records including full name, address, contact details, salary rates,
tax file details, banking details (electronic).
 Product information including price lists, catalogues, brochures and information
(electronic).
 A software product developed by Gelos in 2021 for securely logging in to a database
system using generated passwords.
 Promotional videos publicly available (electronic).
 Paper-based employee records archived and stored off-site (includes personal details,
salary rates, tax file details, banking details, home address and contact details).

Answer questions 15 to 20 to check your knowledge of common types of security threats.

15. Match the type of malware to the description.

Type of malware:
A. A trojan
B. A worm
C. Ransomware
D. Spyware

Description (select letter):
 can replicate itself
 is software that looks legitimate
 logs keystrokes to steal your passwords
 holds your computer hostage

16. Scenario: Suspicious email

You have received this email in your personal Gmail account inbox.

From: RealGmail@Gmailxyz.co.tz
Reply to: mailto:GmailVerification@Gmailxyz.co.tz
Subject: Your Gmail account requires your immediate action

Dear Google email User,

Starting next week, we will be deleting all inactive email accounts to free up space
for new users. If you want to continue using your email account, you are required
to send the following information immediately. If we do not receive this
information from you within 48 hours, your email account will be closed.
Name (first and last):
Email Login:
Password:
Date of birth:
Alternate email:

Thank you for your immediate attention.

What type of cyber security threat is this? Select all that apply.

Options (select the correct answer/s):
 Phishing
 Social engineering
 Malware

17. Scenario: Suspicious SMS

You receive the following SMS:

Mary-Jane wishes to wish you a merry Christmas.
To see your electronic greeting card, click on the following link https://bitly.com/2KXjhLP.

What type of cyber security threat is this? Select all that apply.

Options (select the correct answer/s):
 Phishing
 Social engineering
 Malware

18. Scenario: Suspicious request for information

You find a website offering a free subscription to an IT magazine. You just have to answer a
few questions to activate the subscription. Among the questions are requests for your full
name, month of birth, year of birth and mother's maiden name.

What type of cyber security threat is this? Select all that apply.

Options (select the correct answer/s):
 Phishing
 Social engineering
 Malware

19. Scenario: Suspicious social media activity

You receive the following message on social media from a friend-of-a-friend:

There are poor sick orphan children in Thailand that desperately need your help. You can
make a real difference to their lives. Please send money to PoorSickOrphans. You are real
friend. [image thumbs up] 'thumbs up'

What type of cyber security threat is this? Select all that apply.

Options (select the correct answer/s):
 Phishing
 Social engineering
 Malware

20. Scenario: Identify the features of a fraudulent email

Review the following copy of a fraudulent email.

From: MSTeam-Outlook mailto: no-reply@office365protectionservices.com.au
Sent: 11 May 2021 12:30 am
To: Fred Bloggs Fred.Bloggs@yourcompany.com
Subject: Account verification – Urgent attention required

This email is from a trusted sender.

We're having problems with your Office365 account:
Fred.Bloggs@yourcompany.com on our system, fetures will be turn off.
To resolve this problem , you need to log onto this portal to verify your account.

SIGNON TO MICROSOFT OFFICE365 ACCOUNT PORTAL

If this is not done within 24 hours your account will be suspended.

Microsoft Office 365 Corporation
One-Microsoft Way Redmond
WA, 98052
Alrights Reserved | Acceptable Use Policy | Privacy Notice

Can you pick the elements of the email that indicate that this is a fraud?

How could you tell that this may be a fraudulent email? Select all areas of concern.

Options (select the correct answer/s):
 Source and contact information
 Appearance
 Personal information
 Attachments
 Links
 Content
 Social engineering
 Inclusion of suspicious on-line websites or programs

Review the following scenarios on malfunctions, threats and risks to answer questions 21
to 24.

Scenario 1

You have been asked by your employer to scan your computer for malware.

Upon running the scan, the protection history page states that at 3:19pm on the 23/9/2021
a severe threat has been found by Windows Defender Antivirus and action is needed.

Note: The Protection history page notifies of any threats that have been found by
Windows Defender Antivirus. In this instance the threat has been deemed
as Severe and needs you to make a decision on what action should be taken.

Figure 20: Protection history notification (© TAFE NSW)

21. Once the scan has completed and you are notified that the threat is severe, what are the
next two steps you will take?

Steps (select the correct answer/s):
 Complete a backup of the data
 Remove the virus
 Turn off the computer and unplug from the network
 Write a report to your supervisor

22. What are three pieces of information you need to include in your report to your
supervisor?

Options (select the correct answer/s):
 The type of antivirus software installed
 The time of the threat
 The age of the computer
 The date of the threat
 The threat is classified as severe and action should be taken

Scenario 2

As you are logging into an application on your computer, you receive a fatal error.

Fatal error!
Application Path: C:\Program Files (x86)\Rockwell Software\RSLogix5000\ENU\
v20\Bin\RS5000.Exe
Elapsed execution time: 7 seconds

Version: V20.01.00 (Release)


Source File: unknown
Line Number: -1
Function/Method: unknown
OS Version: Unrecognized OS 64-bit (- Build 9200)
Thread Id: 00002bf0 (11248)

Error 0xc0000005 (-1073741819)

EXCEPTION_ACCESS_VIOLATION - An "access violation" exception was generated.

Press OK to terminate this application.

Figure 21: Fatal error (© TAFE NSW)

23. What type of malware is this? Select all that apply.

Malware | Select the correct answer/s
Virus threat |
Ransomware |
Malfunction |
Phishing |

24. What are some warning signs to look out for that may indicate a malware problem?
Select all that apply.

Warning signs | Select the correct answer/s
Sluggish performance |
Software bugs |
Unusual pop-up dialogue boxes |
Unexpected crashes |

Answers to check your understanding questions

Topic 1:

1. For each description in the table below, determine whether it is a policy or procedure.

Description Policy Procedure
Staff login access X
Outline of executive orders X
Steps to achieving tasks X
Outline of staff functions and responsibilities X
Legal obligations X
Storing and archiving methods X

Refer to OAIC (Long URL: https://www.oaic.gov.au/privacy/your-privacy-rights/your-personal-information/what-is-personal-information/) to answer questions 2 to 4.

2. Referring to the OAIC, which three of the following data is considered personal
information?

Type of data | Select the correct answer/s
Data that cannot be used on its own to trace or identify a person |
Employee record information | X
Internal protocol (IP) address | X
Person's name | X
Anonymous data |
Generalised data, for example age range 20-40 |

3. Referring to the OAIC, which three of the following data is considered sensitive
information?

Type of data | Select the correct answer/s
Political affiliation | X
Religion | X
Client name |
Criminal record | X
Client address |

4. Read the statement below and indicate if 'true/false'.

Statement | True/False
There is a difference between personal and sensitive information | True

5. A business has policies and procedures in place to protect the personal information of
their clients, staff, and business relations. What Australian Privacy Principle does this
relate to?

Policy or procedure | Select the correct answer/s
Collection of solicited personal information |
Dealing with unsolicited personal information |
Anonymity and pseudonymity |
Open and transparent management of personal information | X

6. A business provides the option to individuals to use email addresses which do not
disclose the person’s actual name and/or allows people to comment on forums using an
unidentifiable ‘user name’. What Australian Privacy Principle does this relate to?

Policy or procedure | Select the correct answer/s
Anonymity and pseudonymity | X
Collection of solicited personal information |
Open and transparent management of personal information |
Dealing with unsolicited personal information |

7. A business may gather personal information (with consent) where it is reasonably necessary for the business to function. What Australian Privacy Principle does this relate to?

Policy or procedure | Select the correct answer/s
Anonymity and pseudonymity |
Collection of solicited personal information | X
Open and transparent management of personal information |
Dealing with unsolicited personal information |

8. A business may collect information from a promotional flyer that has been sent to them
by another business and applies the Australian Privacy Principle that outlines how to deal
with this information. What Australian Privacy Principle does this relate to?

Policy or procedure | Select the correct answer/s
Anonymity and pseudonymity |
Collection of solicited personal information |
Open and transparent management of personal information |
Dealing with unsolicited personal information | X

9. Read the following scenarios and indicate if ‘scam’ or ‘legitimate’.

Scenario Scam Legitimate
You receive a text message from +61 444 444 444 advising that there is a report of a missing person and you should contact 000 if sighted. X
You receive a text message from an unknown sender to your mobile phone. The message informs you that a parcel needs to be delivered to you and they require you to provide them with your address. X
A Facebook request from an unknown person asking to befriend you. X
An IT company contacts you, offering you free software. X
You receive an email from your bank asking you to provide them with your PIN number. X
You receive an email from a company, addressing you with Mr or Mrs, informing you that they have updated their login credentials policy. They are asking you to confirm your account by logging in via a provided link. X
You receive an email from eBay advising you have new messages. The email contains a link to the eBay website with instructions on how to log into My eBay. X
You receive a phone call from the Australian Federal Police (AFP) informing you that suspicious activity has been observed regarding your bank account, and they request personal details such as a Medicare number. X

You will need to access the Gelos Intellectual Property Policy (pdf) (Long URL: https://share.tafensw.edu.au/share/items/5f1cec7b-1d03-446a-85b7-edb42692c34e/0/?attachment.uuid=1ab93cf6-0eed-498a-95a5-585a22042d54) to answer the following question.

10. Read the following statements and indicate if ‘true/false’.

Statements | True/False
All employees, including contractors and consultants, are responsible for properly identifying, attributing, and preserving IP owned by Gelos Enterprises. | True
Employees who have confidential information from a former employer can now share the information with their current employers as they do not work with their former employer anymore. | False
Employees can freely disclose Gelos Enterprises' proprietary or confidential information to third parties with whom Gelos is doing business, such as suppliers, licensees, or consultants without any legal or formal agreement. | False

Topic 2:
1. A staff member of Gelos has created a new logo for a product the company will soon be
marketing. Identify which policy document you can use to obtain more information.

Options | Select the correct answer/s
Data Protection Policy |
Intellectual Protection Policy | X
Privacy Policy |
Ethics Policy |

2. A client has asked to see the personal information that Gelos currently holds on them.
Identify which Gelos policy document you can use to obtain more information.

Options | Select the correct answer/s
Data Protection Policy |
Intellectual Protection Policy |
Privacy Policy | X
Ethics Policy |

3. Identify which Gelos policy document you can use to obtain more information on storage
of paper-based records such as client contracts and employee agreements.

Options | Select the correct answer/s
Data Protection Policy | X
Intellectual Protection Policy |
Privacy Policy |
Ethics Policy |

4. Identify which Gelos policy document you can use to obtain more information on correct
filing procedures for employee payroll data which includes bank account details.

Options | Select the correct answer/s
Data Protection Policy |
Intellectual Protection Policy |
Privacy Policy | X
Ethics Policy |

5. Gelos has created a new type of circuit board layout and needs to ensure no other
company can steal or use their ideas. Identify which Gelos policy document you can use
to obtain more information.

Options | Select the correct answer/s
Data Protection Policy |
Intellectual Protection Policy | X
Privacy Policy |
Ethics Policy |

6. Identify which Gelos policy document you can use to obtain more information on details
of the format for a new password, for example, number of characters, use of capitals,
numbers and symbols.

Options | Select the correct answer/s
Data Protection Policy | X
Intellectual Protection Policy |
Privacy Policy |
Ethics Policy |

The CEO of Gelos Enterprises, Catherine Dunn, has asked all Gelos ICT employees to read the new security policy statement. Review the policy statement to answer the following questions.

Gelos policy statement:

It is the corporate policy at Gelos Enterprises to perform an ID check at reception before allowing anyone entry into the premises. If an ID is not available, the security staff will turn the person away.

Those without proper identification are not permitted entry to the Gelos premises.

7. Which parties are responsible for enforcing the policy? Select all that apply.

Options | Select the correct answer/s
The reception desk staff | X
The security department | X
The CEO, Catherine |
The policy maker, Karen |

8. What controls would be most appropriate to assist the security and reception staff to
enforce the policy? Select all that apply.

Options | Select the correct answer/s
CCTV cameras | X
Gelos executives |
The HR department |
Security guards | X

9. You have noticed that security has been allowing people to enter the premises without
ID. Who are you going to report this to? Select all that apply.

Options | Select the correct answer/s
The HR department |
The CEO, Catherine | X
The security department |
Your immediate supervisor | X

10. Which one of the following is the preferred time frame for reporting a breach?

Options | Select the correct answer/s
Within 1 hour |
Immediately | X
Within 12 hours |
On the day of the breach |

11. Read the statement below and indicate if ‘true/false’.

Statements | True/False
If you copy the source-code from other applications, it would be a non-compliant incident. | True

12. Which policy would copying the source-code from other applications breach?

Options | Select the correct answer/s
Intellectual property | X
Privacy policy |
Data protection policy |
Personally identifiable information policy |

13. Which two ethical principles would be a breach according to the Information Technology Professional Association (ITPA) Code?

Options | Select the correct answer/s
Privacy | X
Honesty | X
Communication |
Education |

14. If a breach happens, what are the risks?

Options | Select the correct answer/s
An infringement or legal claim | X
Organisation's reputation is damaged | X
No changes will be made to the organisation |

15. Read the statements below and indicate ‘true/false’.

Statements | True/False
Staff training should be carried out regularly to avoid this type of breach occurring. | True
Ethical guidelines should be discussed with staff and management to avoid this type of breach occurring. | True

16. Consider the following statements and identify whether these are true or false.

Tip

Refer to the Copyright Act 1968 (Cth) (Long URL: https://www.legislation.gov.au/Details/C2017C00180) to check your responses.

Statements | True/False
You can never copy someone else's sound recording | False
There are certain circumstances in which a computer program can be copied | True
Artistic work is protected by copyright even when the work is not considered beautiful | True
The Copyright Act 1968 (Cth) controls the copyright in Australia to protect all original works of authorship. | True

17. Match the descriptions to the relevant ethical theory / approach.

Ethical theories/approach: D. Deontology theory; E. Virtue ethics theory; F. Consequentialist approach

Description | Select letter
concentrates on ethical thinking towards our morals and what it would mean to our character. For example, by practicing honesty, a person develops a loyal and moral character | B
looks at what people do, not at what the consequences of their actions are. For example, making false promises is wrong. You should not make a promise if you don't intend to keep it | A
considers what steps to take by evaluating the negative or positive consequences of taking a specific action. For example, lying is bad, but if a lie saves a person's life, then the action taken is the right approach according to this theory. | C

18. Your manager has asked your colleague to email your work team informing them of
important changes to the Data Management Policy.

You notice that one person has not been included in the email.

This is a deliberate omission because they felt that the person missing from the email list
was not up to the task.

Which of the following ITPA codes of ethics have been breached? Select all that apply.

ITPA codes | Select the correct answer/s
Copyright |
IP |
Honesty | X
Co-operation | X
Education | X
Fair treatment | X
Communication | X

19. You are responsible for birthday celebrations at your workplace. You access the staff
database to note a colleague's date of birth.

During the celebration, you announce to the team how old the colleague is.

Which one of the following ITPA codes of ethics have been breached?

ITPA codes | Select the correct answer/s
Copyright |
Education |
Co-operation |
Privacy | X

20. It is your responsibility to check system performances at the end of each day. You are
running out of time and decide to come in early the next morning and do it then.

Which one of the following ITPA codes of ethics have been breached?

ITPA codes | Select the correct answer/s
Copyright |
System integrity | X
Fair treatment |
Co-operation |

21. For each of the situations detailed below, identify the ethical issue it relates to.

Ethical issues: G. Conflict of interest; H. Security; I. Reliability; J. Value for money; K. Proprietary rights; L. Confidentiality

Situation | Select letter
Due to a system failure, a faulty backup drive was discovered and lost data can't be restored. | C
A small business is sold an expensive database system designed for large organisations. | D
A contractor includes a circuit design developed for a previous employer in his new product. | E
A sensitive report is dropped into a website folder, making it accessible to search engines. | B
IT support staff loudly discuss their organisation's network security problem on a crowded train. | F
You are a consultant asked by two rival businesses to provide them with quotes for the same tender. | A

Topic 3:
1. Read the following questions and indicate if 'Yes/No'.

Questions Yes No
Does the data involve personal information? X
Is all the personal information collected necessary for the project? (APP3.1-3.2) X
Is the personal information accurate, complete and up to date? (APP10) X
Are there security measures in place to protect personal information collected and used for the project? (APP11) X

2. Where will the personal information be stored? (APP11)

Applications | Select the correct answer/s
Local storage |
Cloud storage | X
Local and cloud storage |

3. Who will have access to the personal information? (APP12)

Applications | Select the correct answer/s
Authorised personnel | X
General public |
All staff |
Only you |

4. Read the following questions and indicate if ‘Yes/No’.

Questions Yes No
Personal information will be shared outside of your organisation? (APP6) X
Is there a document available to the public or stakeholders that sets out your company's policies for the management of personal information? (APP1.3-1.5) X

5. Will personal paper-based information be destroyed when it is no longer required? (APP11)

Applications | Select the correct answer/s
Process such as burning or shredding |
Send paper documents to recycling | X
Garbage disposal for paper copies |

6. How will personal electronic information be destroyed when it is no longer required? (APP11)

Applications | Select the correct answer/s
De-identify information beyond use | X
Archive files to remote storage |
Delete the data files |

7. What are two benefits of using the 3-2-1 backup rule?

Applications | Select the correct answer/s
Doing backups guarantees that data will never be at risk of corruption |
3-2-1 rule is a benefit as it backs up files from largest to smallest, therefore saving time |
Prevents data loss in the event of human error | X
To ensure data is secure in the event of a fire, earthquake, tornado, flood or other natural disaster | X

8. Which two of the following can be cyber security threats to network servers?

Applications | Select the correct answer/s
Natural disasters |
Unauthorised access | X
Hacking and phishing | X
Human error |

9. Which two of the following are external storage devices?

Applications | Select the correct answer/s
USB drive | X
Cloud storage | X
Computer hard drive |
Compressed data file |

In your role as an ICT trainee for Gelos Enterprises, you have been asked to complete an
asset information register for the information held by the ICT department.

Complete the questions to select the appropriate responses for each type of asset
information listed in the asset information register.

10. Match the asset information with the asset type.

Asset types: E. Electronic - Public information; F. Electronic - Employee details; G. Paper or hard copy records; H. IP - Invention, patent or circuit layout

Asset information | Select letter
Publicly available advertising brochures and promotional materials (electronic). | A
Sales staff payment records including full name, address, contact details, salary rates, tax file details, banking details (electronic). | B
Product information including price lists, catalogues, brochures and information (electronic). | A
A software product developed by Gelos in 2021 for securely logging in to a database system using generated passwords. | D
Promotional videos publicly available (electronic). | A
Paper-based employee records archived and stored off-site (includes personal details, salary rates, tax file details, banking details, home address and contact details). | C

11. Which of the following asset information details contain Personally Identifiable
Information (PII) under privacy laws?

Asset information details | Select the correct answer/s
Paper-based employee records archived and stored off-site (includes personal details, salary rates, tax file details, banking details, home address and contact details). | X
Promotional videos publicly available (electronic). |
Product information including price lists, catalogues, brochures and information (electronic). |
Sales staff payment records including full name, address, contact details, salary rates, tax file details, banking details (electronic). | X
A software product developed by Gelos in 2021 for securely logging in to a database system using generated passwords. |
Publicly available advertising brochures and promotional materials (electronic). |

12. Which of the following asset information details contain sensitive company data?

Asset information details | Select the correct answer/s
Paper-based employee records archived and stored off-site (includes personal details, salary rates, tax file details, banking details, home address and contact details). | X
Promotional videos publicly available (electronic). |
Product information including price lists, catalogues, brochures and information (electronic). |
Sales staff payment records including full name, address, contact details, salary rates, tax file details, banking details (electronic). | X
A software product developed by Gelos in 2021 for securely logging in to a database system using generated passwords. | X
Publicly available advertising brochures and promotional materials (electronic). |

13. Match the asset information with the required access control.

Asset information No restriction Authorised persons only
Publicly available advertising brochures and promotional materials (electronic). X
Sales staff payment records including full name, address, contact details, salary rates, tax file details, banking details (electronic). X
Product information including price lists, catalogues, brochures and information (electronic). X
A software product developed by Gelos in 2021 for securely logging in to a database system using generated passwords. X
Promotional videos publicly available (electronic). X
Paper-based employee records archived and stored off-site (includes personal details, salary rates, tax file details, banking details, home address and contact details). X

14. Match the asset information with the level of confidentiality.

Asset information Not confidential High
Publicly available advertising brochures and promotional materials (electronic). X
Sales staff payment records including full name, address, contact details, salary rates, tax file details, banking details (electronic). X
Product information including price lists, catalogues, brochures and information (electronic). X
A software product developed by Gelos in 2021 for securely logging in to a database system using generated passwords. X
Promotional videos publicly available (electronic). X
Paper-based employee records archived and stored off-site (includes personal details, salary rates, tax file details, banking details, home address and contact details). X

15. Match the descriptions with the type of malware.

Description | Select letter | Type of malware
can replicate itself | B | A. A trojan
is software that looks legitimate | A | B. A worm
logs keystrokes to steal your passwords | D | C. Ransomware
holds your computer hostage | C | D. Spyware

16. Scenario: Suspicious email

You have received this email in your personal Gmail account inbox.

From: RealGmail@Gmailxyz.co.tz
Reply to: mailto:GmailVerification@Gmailxyz.co.tz
Subject: Your Gmail account requires your immediate action

Dear Google email User,

Starting next week, we will be deleting all inactive email accounts to free up space for new users. If you want to continue using your email account, you are required to send the following information immediately. If we do not receive this information from you within 48 hours, your email account will be closed.

Name (first and last):
Email Login:
Password:
Date of birth:
Alternate email:

Thank you for your immediate attention.

What type of cyber security threat is this? Select all that apply.

Options | Select the correct answer/s
Phishing | X
Social engineering | X
Malware |

17. Scenario: Suspicious SMS

You receive the following SMS:

Mary-Jane wishes to wish you a merry Christmas. To see your electronic greeting card, click on the following link https://bitly.com/2KXjhLP.

What type of cyber security threat is this? Select all that apply.

Options | Select the correct answer/s
Phishing |
Social engineering | X
Malware | X

18. Scenario: Suspicious request for information

You find a website offering a free subscription to an IT magazine. You just have to answer a few questions to activate the subscription. Among the questions are requests for your full name, month of birth, year of birth and mother's maiden name.

What type of cyber security threat is this? Select all that apply.

Options | Select the correct answer/s
Phishing | X
Social engineering |
Malware | X

19. Scenario: Suspicious social media activity

You receive the following message on social media from a friend-of-a-friend:

There are poor sick orphan children in Thailand that desperately need your help. You can make a real difference to their lives. Please send money to PoorSickOrphans. You are real friend. [image: thumbs up]

What type of cyber security threat is this? Select all that apply.

Options | Select the correct answer/s
Phishing |
Social engineering | X
Malware |

20. Scenario: Identify the features of a fraudulent email

Review the following copy of a fraudulent email.

Can you pick the elements of the email that indicate that this is a fraud?

From: MSTeam-Outlook mailto: no-reply@office365protectionservices.com.au
Sent: 11 May 2021 12:30 am
To: Fred Bloggs Fred.Bloggs@yourcompany.com
Subject: Account verification – Urgent attention required

This email is from a trusted sender.

We're having problems with your Office365 account: Fred.Bloggs@yourcompany.com
on our system, fetures will be turn off.
To resolve this problem , you need to log onto this portal to verify your account.
SIGNON TO MICROSOFT OFFICE365 ACCOUNT PORTAL
If this is not done within 24 hours your account will be suspended.

Microsoft Office 365 Corporation
One-Microsoft Way Redmond
WA, 98052
Alrights Reserved | Acceptable Use Policy | Privacy Notice

How could you tell that this may be a fraudulent email? Select all areas of concern.

Options | Select the correct answer/s
Source and contact information | X
Appearance | X
Personal information | X
Attachments |
Links |
Content | X
Social engineering | X
Inclusion of suspicious on-line websites or programs |

Scenario 1

You have been asked by your employer to scan your computer for malware.

Upon running the scan, the protection history page states that at 3:19pm on the 23/9/2021 a severe threat has been found by Windows Defender Antivirus and action is needed.

Note: The Protection history page notifies of any threats that have been found by Windows Defender Antivirus. In this instance the threat has been deemed as Severe and needs you to make a decision on what action should be taken.

21. Once the scan has completed and you are notified that the threat is severe, what are the
next two steps you will take?

Options | Select the correct answer/s
Complete a backup of the data |
Remove the virus | X
Turn off the computer and unplug from the network |
Write a report to your supervisor | X

22. What are three pieces of information you need to include in your report to your supervisor?

Options | Select the correct answer/s
The type of antivirus software installed |
The time of the threat | X
The age of the computer |
The date of the threat | X
The threat is classified as severe and action should be taken | X

Scenario 2

As you are logging into an application on your computer, you receive a fatal error.

Fatal error!
Application Path: C:\Program Files (x86)\Rockwell Software\RSLogix5000\ENU\v20\Bin\RS5000.Exe
Elapsed execution time: 7 seconds

Version: V20.01.00 (Release)

Source File: unknown
Line Number: -1
Function/Method: unknown
OS Version: Unrecognized OS 64-bit (- Build 9200)
Thread Id: 00002bf0 (11248)

Error 0xc0000005 (-1073741819)

EXCEPTION_ACCESS_VIOLATION - An "access violation" exception was generated.

Press OK to terminate this application.

23. What type of malware is this? Select all that apply.

Malware | Select the correct answer/s
Virus threat | X
Ransomware |
Malfunction | X
Phishing |

24. What are some warning signs to look out for that may indicate a malware problem?
Select all that apply.

Warning signs | Select the correct answer/s
Sluggish performance | X
Software bugs |
Unusual pop-up dialogue boxes | X
Unexpected crashes | X

Answers to practice activities

Activity 1.1: Gelos Enterprises security breach
What would you do if you were in the following situation to prevent this scenario from
coming true?

Gelos Enterprises fell victim to a security breach. An employee was tricked into making security mistakes by giving away personal information. This security breach exposed employee information such as names, addresses, phone numbers and dates of birth. The information leak led to several employees' credentials being accessed, which were then used to access the Gelos corporate network.

One of the best ways to prevent unauthorised account access is to change passwords. Continually changing passwords could prevent ongoing data loss. When paired with systems to detect malware, this is a simple and effective way to fight data intrusion.

Activity 1.2: Legislative framework

Find one of the following documents from the legislative framework that relates to IT:

• an act
• a regulation
• a code
• a standard
• a policy
• a procedure.

After you have found your document, please complete the following activities.

1. Provide a link to the document.
2. Write one sentence on your understanding of what the document addresses.
3. State how you would use this information within your own workplace.

Example Response

Note: in this example response, different documents have been used for questions 1 and 2, and for question 3.

1. Gelos Enterprises ICT Disposal and Storage Procedure (pdf) (Long URL:
https://share.tafensw.edu.au/share/items/5f1cec7b-1d03-446a-85b7-edb42692c34e/0/?attachment.uuid=02f82864-f184-410d-851c-b26d5a12e6b8).

2. The document outlines how to remove and store ICT components, including software
and hardware.

3. I could use the Gelos Enterprises Privacy Policy (pdf) (Long URL:
https://share.tafensw.edu.au/share/items/5f1cec7b-1d03-446a-85b7-edb42692c34e/0/?attachment.uuid=df50b7f8-f190-4a3c-aad0-83297b3c395d)
to ensure I collect, use, maintain and disclose information in an appropriate manner.

Activity 2.1: Identify risks and infringements


1. This scenario was a non-compliance incident. What type of risk was this?

Select the correct answer/s:

[ ] Copyright issue
[ ] File corruption risk
[ ] Plagiarism
[X] Non-secure storage of personally identifiable information
[ ] Risk to data from natural disaster
[ ] File naming convention breach

2. What are the risks to Gelos Enterprises as a result of this incident? Select 3 correct
answers.

Select the correct answer/s:

[X] Breach of trust from the staff members
[ ] Loss of employees
[ ] A plagiarising breach
[X] Breach of confidentiality and privacy laws
[ ] No impact to the organisation’s time management
[X] Loss of professional reputation if news is leaked to media

3. Which part of the Gelos Data Protection Policy (pdf) (Long URL:
http://share.tafensw.edu.au/share/items/5f1cec7b-1d03-446a-85b7-edb42692c34e/0/?attachment.uuid=825c6959-8447-4007-8839-2d9b69dbde74)
confirms that an infringement has occurred?

• Copy and paste the part of the policy that you believe has been breached.
• (Approximately 50 to 60 words)

The part of the policy that has been breached may include:

2.1 Personally Identifiable Information


Personally identifiable information (PII) (as outlined in the Privacy Act 1988) is information or
an opinion about an identified individual. This includes personal information such as a
person’s name, address, phone number, date of birth, age, bank details, medical records,
including but not limited to bank account or credit card details, user ids, passwords, list of
employees.

or

3. Access Control
Access control is about protecting company data or asset access by restricting access to
specified named individuals, job roles, or authorised company personnel. For digital assets, it
involves the use of passwords and/or two-stage authentication. For physical assets, it
involves restricting physical access.

4. Identify and name one principle in the ITPA Code of Ethics that has been breached.

ITPA Code of Ethics (Long URL: https://www.itpa.org.au/code-of-ethics/)

• Copy and paste the principle in the policy that you believe has been breached.
• (Approximately 30 to 50 words)

Privacy
I will access private information on computer systems only when it is necessary in the course
of my duties. I will maintain the confidentiality of any information to which I may have
access. I acknowledge statutory laws governing data privacy such as the Australian Privacy
Principles
or
System Integrity
I will strive to ensure the integrity of the systems I have responsibility for, using all
appropriate means -- such as regularly maintaining software and hardware; analysing system
performance and activity; and, as far as possible, preventing unauthorised use or access.

5. Review the Gelos Data Protection Policy (pdf) and make two recommendations for
procedures that will improve and maintain the current practices.

Gelos Data Protection Policy (pdf) (Long URL:
http://share.tafensw.edu.au/share/items/5f1cec7b-1d03-446a-85b7-edb42692c34e/0/?attachment.uuid=825c6959-8447-4007-8839-2d9b69dbde74)

• (At least two in total – between 20 and 40 words per recommendation).

Restricting access
Access control is about protecting company data or asset access by restricting access to
specified named individuals, job roles, or authorised company personnel. For digital assets, it
involves the use of passwords and/or two-stage authentication. For physical assets, it
involves restricting physical access.
Encryption of the sensitive data
Encryption with a secret key is used to make data indecipherable unless decryption of the
dataset using the assigned key is carried out.
Encryption and partitioning are also used to protect personal identifiers.

6. Locate and use the risk identification and rating process used at Gelos and rate the level
of risk to the company in this scenario. Include your justification why this would be the
appropriate level.

 (Approximately 40 words)

Policy
The policy is Gelos ICT Risk Management Policy (pdf) (Long URL:
http://share.tafensw.edu.au/share/items/5f1cec7b-1d03-446a-85b7-edb42692c34e/0/?
attachment.uuid=d03451a2-9997-461e-89e9-ef2e283fcd1f).
Risk level
Risk level is high.
Justification
The data is sensitive and the likelihood is possible, making it a high-level risk.
The data is accessible only by staff using that particular computer, meaning it is not likely,
but is certainly possible.

Activity 2.2: Data breach
Scenario 1

Study the following scenario and identify where data protection has been neglected.

An ICT trainee works at the customer desk at Gelos Enterprises. A person walks in requesting
access to their paper file. The trainee asks for the person’s name, retrieves the file and hands
it to the client. The client thanks the trainee and leaves the premises.

The trainee sends a message to the supervisor saying that the file has been handed to the
client.

The supervisor is angry with the trainee and says that their actions may have caused security
and confidentiality breaches.

What steps could the trainee have taken to avoid security and confidentiality breaches?

The trainee should have asked the client for proper identification. An unauthorised person
may have collected the file, and private information may have been shared with the wrong party.

The trainee should have confirmed with the supervisor that the file may be handed over.
Although most of the file may have belonged to the client, there may be outstanding bills
preventing the file from being returned to the client.

Copies must be kept.

The file must be checked before returning to the client as notes made by the authorised
person working on the file do not belong to the client and should be removed.

Scenario 2

Study the following scenario and identify where data protection has been neglected.

Company X is a travel agency and uses password data protection for their databases.
Databases contain forms of credit card details, passport information and personal addresses.

The PII password protection procedure states that each new client file should be password
protected, using the client name and the year the file was created, for example
ClientName_2021, as the password.

What is wrong with this procedure?

The procedure should require a stronger password, including a mixture of symbols,
numbers, lower-case and capital letters.
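As an added example (not part of the workbook), the check below applies the mixture rule from the answer above to a file password and also flags the predictable pattern in the scenario's procedure, a client name plus a year, which can pass a plain character-mix check and still be easy to guess. The function names, the minimum length and the sample values are constructed for this example.

```python
import re

# Constructed sample values for this example (not from the workbook): the weak
# procedure in the scenario derives each client file password from the client's
# name and the year the file was created, e.g. ClientName_2021.


def weak_procedure_password(client_name: str, year_created: int) -> str:
    """Reproduce the scenario's procedure so its output can be checked."""
    return f"{client_name}_{year_created}"


def password_problems(password: str, client_name: str, min_length: int = 12) -> list:
    """Return the reasons a file password fails a stronger policy.

    An empty list means the password passes every check. The minimum length
    of 12 is an assumed policy value, not one stated in the workbook.
    """
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    # The workbook's answer asks for a mixture of symbols, numbers,
    # lower-case and capital letters.
    if not re.search(r"[a-z]", password):
        problems.append("no lower-case letter")
    if not re.search(r"[A-Z]", password):
        problems.append("no capital letter")
    if not re.search(r"[0-9]", password):
        problems.append("no number")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no symbol")
    # Predictability checks: the client's name and a year are details an
    # outsider can often look up, so a password built from them is weak even
    # when it contains every character class.
    if client_name and client_name.lower() in password.lower():
        problems.append("contains the client's name")
    if re.search(r"(?<!\d)(19\d{2}|20\d{2})(?!\d)", password):
        problems.append("contains a year")
    return problems


if __name__ == "__main__":
    weak = weak_procedure_password("ClientName", 2021)
    # The procedure's password has every character class but is still flagged.
    print(weak, "->", password_problems(weak, "ClientName"))
    # A randomly generated value (constructed here) passes every check.
    print("k7!Rv#Qp2m$Wz9", "->", password_problems("k7!Rv#Qp2m$Wz9", "ClientName"))
```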

Activity 2.3: Reflection activity: Ethical decisions
Consider what you would do in each of the following situations.

Which section of the ITPA Code of Ethics could apply?

Scenario 1

You are asked to join an exciting new project; however, you don’t fully believe you have the
required training.

You really want to participate in the project as it will enhance your career.
What should you do?

The honesty section of the ITPA Code of Ethics would apply in this situation.

Scenario 2

You are working for a large financial organisation, where the integrity of customer
information is paramount.

You suspect your best buddy may be accessing customer account details. He is recently
married, and if he loses his job, it may ruin his career. What should you do?

The privacy section of the ITPA Code of Ethics would apply in this situation.

Scenario 3

You are working with your boss on a large proposal to install computer software for a large
retail business.

You are aware that this software solution is not fully costed, and there is a possibility of a
cost overrun. The installation is important for the business. What should you do?

The communication section of the ITPA Code of Ethics would apply in this situation.

Activity 2.4: What sort of question should you ask?
Think about the following situations and decide:

• which question types you should use?
• what questions you could ask?

Scenario 1

You have been asked to prepare a report for your supervisor on the existing customer
database you have been updating.

However, you can’t decide if you should provide a verbal or written report.

What question could you ask your supervisor to confirm the correct reporting procedure
they are expecting?

As you are looking for a specific answer, you would ask a closed question. For example, you
could ask ‘Which reporting procedure would you prefer, written or verbal?’

Scenario 2

You met with a client to find out more details about their security requirements and asked
the following questions.

1. Can you walk me through your security requirements needed for your business?
2. So, you want something that is easy to use?
3. When do you want it by?

What question types did you use?

Question 1: This is an open question. It invites the client to approach this in their own way.
Question 2: You could say this is a closed question as the client can answer just ‘yes’ or ‘no’.
However, its main function is to confirm or clarify information. So, this is also a clarifying
question.
Question 3: This is a closed question. It asks for a simple timeframe.

Activity 2.5: Active Listening


Are they exercising active listening?

Check the scenarios, think about the questions and check the feedback.

Scenario 1

One of the ICT support staff at Gelos Enterprises is having a conversation with a new client to
clarify some aspects of the security brief. During the conversation, they feel their mobile
phone vibrate and check it for messages.

Is the Gelos employee demonstrating active listening skills?

No. The Gelos employee is not fully concentrating on what the client is saying and is letting
the mobile phone distract them from the conversation.

Scenario 2

Your supervisor is very empathetic. Whenever you need to clarify something, they stop what
they are doing. Their body language tells you they are really interested.

Is the supervisor being person-centred?

Yes, they are taking the time to be fully present and focus on you.

Image Attributions

Title | Page | Creator | Licence | Modified/By
----- | ---- | ------- | ------- | -----------
Cover image | 1 | Katherina Gloth | © Unsplash copied under licence | N/A
Getting started | 5 | Jud Mackrill | © Unsplash copied under licence | N/A
Topic 1 | 8 | ThisisEngineering RAEng | © Unsplash copied under licence | N/A
Topic 2 | 33 | Scott Graham | © Unsplash copied under licence | N/A
Topic 3 | 68 | Markus Spiske | © Unsplash copied under licence | N/A
Figure 1: Legislative Framework Pyramid | 12 | TAFE NSW | © TAFE NSW 2021 | N/A
Figure 2: Policy Handbook | 15 | Yin Yang | © Getty Images copied under licence | N/A
Figure 3: Personal Data | 19 | vchal | © Getty Images modified under licence | TAFE NSW
Figure 4: CIA Triad | 36 | ilyaliren (Getty image 854995940, Getty image 1289025554, Getty image 1306100120) | © Getty Images modified under licence | TAFE NSW
Figure 5: Personally identifiable information types | 39 | fonikum, elenabs (Getty image 1276626711, Getty image 1227600817, Getty image 1132112674) | © Getty Images modified under licence | TAFE NSW
Figure 6: Data management life cycle | 70 | TAFE NSW | © TAFE NSW 2021 | N/A
Figure 7: Collecting data | 71 | kadirkaba | © Getty Images modified under licence | TAFE NSW
Figure 8: Turn on BitLocker | 74 | TAFE NSW | © TAFE NSW 2021 | N/A
Figure 9: BitLocker Drive Encryption #1 | 75 | TAFE NSW | © TAFE NSW 2021 | N/A
Figure 10: BitLocker Drive Encryption #2 | 75 | TAFE NSW | © TAFE NSW 2021 | N/A
Figure 11: BitLocker Drive Encryption #3 | 76 | TAFE NSW | © TAFE NSW 2021 | N/A
Figure 12: BitLocker Drive Encryption #4 | 76 | TAFE NSW | © TAFE NSW 2021 | N/A
Figure 13: Check BitLocker encryption using password | 77 | TAFE NSW | © TAFE NSW 2021 | N/A
Figure 14: Check BitLocker encryption using recovery key | 77 | TAFE NSW | © TAFE NSW 2021 | N/A
Figure 15: CIA Triad | 79 | ilyaliren | © Getty Images modified under licence | TAFE NSW
Figure 16: 321 Backup rule | 82 | kadirkaba | © Getty Images modified under licence | TAFE NSW
Figure 17: Tape Storage | 84 | HinelineDesign | © Getty Images copied under licence | N/A
Figure 18: Google apps menu | 89 | TAFE NSW | © TAFE NSW 2021 | N/A
Figure 19: The information life cycle | 94 | theseamuss | © Getty Images modified under licence | TAFE NSW
Figure 20: Protection history notification | 112 | TAFE NSW | © TAFE NSW 2021 | N/A
Figure 21: Fatal error | 113 | TAFE NSW | © TAFE NSW 2021 | N/A
