Firearms Information Security
The Shooting Industry Foundation of Australia (SIFA) recognises that:
- The underlying policy objective of firearms regulation in Australia is to ensure public safety and to facilitate the safe and responsible possession, carriage, use, registration, storage, and transfer of firearms.
- All Australian Governments recognise the importance of keeping sensitive information secure, and mandate best practice information security standards for their agencies (e.g. the ISM, link below).
- Those arrangements typically require the Accountable Authority to establish, maintain and keep under review effective systems for risk management, internal control and assurance (including by means of audits) appropriate for that agency.
- The targeted theft of firearms from licensed firearm owners by criminals is often cited as a significant source of illegal firearms in the illicit / black market.
- Poor information security gives criminals a valuable source of intelligence that enables targeted thefts to occur and jeopardises the personal safety of firearms owners.
- There are numerous critical audits and examples of Australian firearm regulators breaching their information security obligations and being responsible for data spills of sensitive personal information.
- Information security is not limited to audit logs on firearm registry databases but extends to such things as paper-based forms, printouts of confidential information (as used during safe storage inspections), outsourced print and post of permits to acquire, and the unencrypted emailing of spreadsheets when exchanging information between the regulator and regulated entities (e.g. firearms dealers).
- As the custodians of sensitive private information, firearms regulators must be compelled by their Minister to be fully compliant with current best practice information security practices.
- Cyber security arrangements for firearm regulators must be assessed annually (independently of their sponsoring agency) and an attestation of compliance published by the auditor.
- There must be mandatory disclosure of all cyber security incidents relating to the regulation of firearms, or when hard copy information is lost or becomes uncontrolled.
- Where a cyber-attack or data spill occurs, the responsible agency must bear the full burden of mitigating all public and personal safety consequences arising from that incident, including, where appropriate, compensation such as upgraded physical security arrangements for all victims of the attack / spill.