Question
The CDR Rules state that the CDR data environment means ‘the information technology systems used for, and processes that relate to, the management of CDR data’.
Whereas the ‘CDR - Supplementary accreditation guidelines information security’ states that the boundaries of the CDR data environment ‘involves identifying the people, processes, technology and infrastructure that manages, secures, stores or otherwise interacts with CDR data,…may include infrastructure owned by, and management provided by, an outsourced service provider or third party’. The guidelines further state that an accredited person can limit the size of its CDR data environment through segregation of the environment from other systems.
Schedule 2 Part 2 of the CDR Rules has a number of controls for end-user devices. If an end-user device is not directly connecting to the CDR data environment but instead a virtual desktop is being presented on the end-user device, e.g. AWS Amazon WorkSpaces, which is presenting CDR data, is the end-user device in scope for the CDR data environment and the Schedule 2 Part 2 controls?
Answer
One of the control objectives relating to end user devices is taking steps to secure network and systems within the CDR data environment.
Relevant considerations for whether the end-user device may be in scope for the CDR Data Environment may include:
- whether CDR data being presented can be removed from the virtual desktop
- to what extent CDR data can be seen/viewed/used via the virtual desktop environment.
If the end user device is in scope for the CDR data environment the Schedule 2 controls will apply.
We note that Schedule 2, clause 1.2 of the CDR Rules defines the 'CDR data environment' as 'the information technology systems used for, and processes that relate to, the management of CDR data.' It is CDR participants' responsibility to comply with the CDR Rules, including the Schedule 2 information security requirements. We encourage ADR applicants to obtain their own advice on whether specific scenarios and business/operating structures are compliant with CDR obligations. This may include an assessment of whether particular end user devices are captured within the definition of the CDR data environment.
The ACCC has updated its Supplementary Accreditation Guidelines on Information Security, and the OAIC has recently updated its Privacy Safeguard 12 Guidance. These guidance pieces provide further guidance on meeting CDR obligations.