Question

In the rules in Schedule 2 Part 2, section 2.2, table entry 3 refers to "email filtering and blocking methods that block emails with CDR data in text and attachments."

We will restrict and control access to a dedicated ADR environment containing CDR data. We are considering how we may extend the use of the enterprise tool we use for DLP (Data Loss Prevention).

However we are unsure how to apply the Rules clause quoted above. There are legitimate reasons for including, in emails, words that are also used in CDR data. We do not see a way that we could build rules based on email contents.  A word may be have the context of CDR data, but it may not.

What was intended by this clause and what is expected? We would welcome any guidance. Is this item mandatory, recommended, or merely illustrative of the type of activity that may be considered?

Answer

The intention of this control is to ensure that data remains managed securely in the CDR data environment.

While the steps and controls in Schedule 2 are the minimum requirements that an entity must meet in order to satisfy the information security obligations, we understand that commercial tools available would not be able to block emails with all types of CDR data in text and attachments. However, we would expect a solution to be in place for high risk/sensitive data types, as well as appropriate compensating controls. For example, processes are expected to be in place to limit the risk of inappropriate or unauthorised access to CDR Data.