GS1 Australia Security Statement


Last Revised: June 2024

The purpose of this security statement is to provide a comprehensive overview of GS1 Australia's cybersecurity framework and practices. As an organisation, we recognise the critical importance of effective cybersecurity measures in today's digital landscape.

GS1 Australia’s information security program is designed with safeguards to prevent the unauthorised use or disclosure of customer data. We have developed a robust cyber security framework which encompasses a variety of policies designed to manage risks and ensure secure operations.

GS1 Australia has been independently assessed against the NIST Cyber Security Framework (CSF) for Cyber Security Maturity and is within the industry benchmark for our maturity as an organisation. Developed by the National Institute of Standards and Technology (NIST), this framework is globally recognised and designed to help organisations manage and enhance their cybersecurity posture. Continuous improvement across all NIST cyber security functions is part of the ongoing GS1 Australia cyber security strategy.

This security statement outlines GS1 Australia’s strategies and practices, demonstrating our dedication to ensuring a secure and resilient operational environment.

Asset Management

Our Asset Management strategy includes protocols for the identification, classification, and management of both physical and digital assets. Through patch management and other security measures, we ensure assets are securely maintained and protected from unauthorised access or compromise.

Human Resource Security

Recognising employees as both valuable assets and potential security risks, we implement controls including thorough background checks, continuous security training, and access control aligned with individual job responsibilities. Our processes for handling departures and changes in employee status are controlled to prevent unauthorised access to sensitive information.

Security Training and Awareness

Regular training and awareness programs are conducted to keep staff informed about the latest cybersecurity threats and best practices. These initiatives are crucial in cultivating a pervasive security culture throughout the organisation.

Data Security and Protection

A detailed data protection strategy is employed that encompasses encryption, stringent access controls, and periodic audits. This ensures the confidentiality, integrity, and availability of our data, with sensitive information safeguarded against unauthorised access, disclosure, or destruction.

Application Security Posture

Application testing is critical in identifying and remedying vulnerabilities that could potentially be exploited by attackers. Through rigorous security reviews and both automated and manual testing of threat scenarios, we strive to detect and mitigate threats, simulating attack techniques commonly used by malicious entities. Our application security measures, tested by accredited partners, are aligned with the Open Web Application Security Project (OWASP) industry standard, focusing on the most prevalent, severe, and impactful security risks.

Cloud and Data Centre Security

Utilising Microsoft Azure and Google Web Services, we leverage enhanced security features of these cloud providers. Their comprehensive physical controls, data privacy assurances, and continuous audits, backed by certifications that include SOC 2, ISO 27001, FedRAMP, and PCI DSS, enhance the security of our cloud-based infrastructure.

Information Systems Acquisition, Development, and Maintenance

GS1 Australia integrates cybersecurity throughout the lifecycle of our information systems. From acquisition through to development and maintenance, security best practices including third-party vendor security reviews and security event monitoring are embedded to mitigate risks and enhance system resilience against cyber threats.

Change Management

Our change management process aims to carefully evaluate and manage risks that IT system changes might cause. We review, test, and monitor each change rigorously to handle possible security effects.

Information Security Incident Management

We have a well-established incident management framework that includes a Data Breach Policy and plan, which enables quick identification of, response to, and recovery from security incidents. This framework is designed to minimise incident impacts, optimise recovery and ensure thorough investigations to prevent future occurrences.

Commitment

GS1 Australia is dedicated to robust cybersecurity practices and continues to stay alert and proactive in the face of ever-evolving threats. By adopting the GS1 Australia Cybersecurity Framework, GS1 Australia and its trusted partners observe a wide array of cybersecurity measures to protect the organisation and its members against a spectrum of cybersecurity risks and challenges.


Tavita Maanaima

Chief Information Officer, GS1 Australia