Department of Police and Emergency Management Information Security

Department of Police and Emergency Management

Information Security

Overview

• DPEM Framework

• Governance and Information Security

• Information Security Classification in Recordkeeping systems

DPEM Framework

• Information Security Policy Manual
• Acceptable Use Reference Guide

DPEM Framework

• Information Security Manual
• A suite of twenty-one policies
• Acceptable Use Reference Guide

Framework elements, their purpose and content, and the role responsible for approval:

Policies
Information security policies are the high level mandatory rules that state why information security is important and define the objectives and strategies for protecting the confidentiality, integrity and availability of C&IT resources.
Approved by: Secretary/Commissioner

Guidelines
Guidelines contain detailed security requirements and criteria for meeting information security policy objectives and strategies.
Approved by: Deputy Commissioner

Technical Standards
Technical Standards contain detailed security requirements and criteria for meeting guidelines and policy objectives. Technical Standards may incorporate information security checklists.
Approved by: Director Corporate Services or relevant Commander

Procedures
Procedures explain in detail how the security requirements are to be implemented in specific business areas.
Approved by: Managers and Officers in Charge

Implementation Plan

• Acceptable Use Reference Guide informs the implementation plan in DPEM
• Gap analysis matching policies to the Tasmanian Government Information Security Manual

The governance policy identifies responsibilities for

Tasmanian Government Information Security Policy

Agencies MUST apply this policy in accordance with the Policy Principles. The Policy is mandatory and is to be applied across the following seven areas.

Schedule for Implementation of DPEM Information Security Policies

For each area: the Tasmanian Government policy requirement, the corresponding DPEM policy and Acceptable Use Reference Guidelines chapter, and the implementation schedule (completed and outstanding items, in the order the schedule lists them).

1. Information security governance

Tasmanian Government policy: The Head of each agency MUST convene an Information Security Committee composed of senior management, or assign the role to an existing senior management committee. This Committee is responsible for ensuring the Policy is applied.

DPEM policy / Acceptable Use Reference Guidelines: Chapter 1 - Information Security Governance and Management

Schedule: November 2012, endorsed by ISC; policy endorsed; Information Security Advisor endorsed; information security roles approved; Communication Plan; oversee routine information security inspections and reviews (assigned to Management Review)

2. Risk Management

Tasmanian Government policy: Each agency MUST conduct regular information security risk assessments and implement appropriate risk management strategies that are proportionate to the level of identified risk.

DPEM policy / Acceptable Use Reference Guidelines: Chapter 21 - Information Security Risk Management

Schedule: February 2013, endorsed by ISC; policy forwarded to COP for approval, May 2013; risk assessments to be conducted on information systems and business processes

Implementation Plan

This will ensure:
• compliance with the Tasmanian Government Information Security Manual
• that personnel have a basic understanding of their responsibilities

Information Security Governance

The Information Security Governance policy and guidelines define information security roles and responsibilities within the Department of Police and Emergency Management.

Information Security Classification

• Identify:
  – Information assets
  – Business Systems Owner and Custodian for each system
  – Classify each system

System by system (system, function, Business Systems Owner, Custodian, classification):

Controlled Items Register (CIRS): Configuration Management; Owner: Manager, CITS; Custodian: Manager, Application Support; Classification: Unclassified

Records Information Management (TRIM): Records Management; Owner: Deputy Director, Corporate Services; Custodian: Manager, Records Information Services; Classification: Highly Protected

Forensics Register: Forensics Register System; Owner: Commander, Operations Support; Custodian: OIC Forensic Services; Classification: Protected or In-Confidence

Phototrac: Photo Management; Owner: Commander, Operations Support; Custodian: OIC Forensic Services; Classification: In-Confidence

Ready Reference for Information Security Classification

Information Used in the Department of Police and Emergency Management

Public Information
Information authorised for unlimited public access, such as department websites. The integrity of public domain information must be ensured before its release.
Examples: Publications, Annual Reports, Community Alerts

Non-public Information

Unclassified Information
Information that is not in the public domain, but does not need to be classified.
Examples: procedure manuals, departmental memos to general staff, policy documents

Security Classified Information

Non-National:
• HIGHLY PROTECTED: Witness/VIP Protection, IDM
• PROTECTED (& CABINET-IN-CONFIDENCE): Investigation/prosecution files
• X-IN-CONFIDENCE: Personnel files, tender evaluations, complaints and allegations

National*: TOP SECRET, SECRET, CONFIDENTIAL, PROTECTED

*National Security Classified Information based on the Commonwealth Protective Security Policy Framework (PSPF). The Counter Terrorism Unit has been assigned responsibility for National security information handled and processed within DPEM.

Impact Assessment Matrix

Severity runs from lowest to highest across three bands: Insignificant to Minor, Moderate to Major, Extreme. Each impact type below lists its descriptors from lowest to highest severity.

Provision of business operation and services:
• Little to no degradation of the capability (i.e. efficiency or effectiveness) of the department to perform one or more of its functions
• Loss of operational systems or reduced ability for the department to perform one or more of its functions lasting between 1 to 7 days
• Inability of the department to perform one or more of its major functions where top-level management or ministerial intervention would be required
• Inability to operate and deliver essential departmental operational functions and services where the delivery is significantly compromised for a significant time period greater than 7 days

Personnel damage:
• Little to no impact on individuals, though some minor injuries may be present
• Low to serious levels of injuries or illness to individuals
• Major loss of life and serious levels of life-threatening injuries or illness to many individuals

Financial:
• Minor financial impost to DPEM of between 2% and 5% of the monthly agency budget, or impost to individuals of up to $2,000
• Significant to major financial impost to DPEM of between 5% and 10% of the monthly agency budget, or impost to individuals of between $2,000 and $20,000
• Major financial impost to DPEM in excess of 10% of the monthly agency budget, or major impost to individuals in excess of $20,000

Public image and confidence:
• Little to no impact on community confidence in the department's ability to deliver essential services
• Community confidence lowered in the department's ability to perform one or some of its functions, where a measure of damage control may be required
• Extreme publicity causing embarrassment to the department or government, resulting in a serious loss of public confidence

Security:
• Compromise of security classified resource/s classified at the levels of IN-CONFIDENCE or RESTRICTED, and/or compromise of unclassified resources
• Compromise of security classified resource/s classified at the levels of PROTECTED or CONFIDENTIAL
• Compromise of security classified resources classified at the levels of HIGHLY PROTECTED or SECRET

Security classification to consider, from lowest to highest severity band:
• PUBLIC or UNCLASSIFIED
• X-IN-CONFIDENCE or PROTECTED
• HIGHLY PROTECTED

Information Security Classification Policy and Guidelines

• Applies to all DPEM information, paper-based and electronic, and includes information held in databases
• Observes the “need-to-know” principle
• Includes procedures for manual handling, disclosure and circulation of information, and guidelines for courier services
• Classification criteria and examples of information in each information security category

Information Security Classification

• In practice the default classification will be UNCLASSIFIED
• UNCLASSIFIED documents / records will be labeled as such to indicate that they have been security classified
• Records classes identified in the disposal schedule provide a framework for setting security classification

Information Security in Recordkeeping Systems

• Physical Records: security classification will be applied at file level and all documents will inherit this classification
• Electronic Records: information security classification may be applied at file or document level

Information Security in Recordkeeping Systems

• Default information security classification will also be applied for certain domains:
  – HR documents: staff in confidence
  – Procurement: commercial-in-confidence
• Other areas may routinely produce information with a Law enforcement-in-confidence or Public classification

Responsibility for setting classification

• Records staff will apply the appropriate information security classification when creating a file in TRIM, and all documents / records will inherit the information security classification from the file
• End users will be required to select an information security classification when registering a document in recordkeeping systems other than TRIM
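The matrix above and the file-level inheritance rule in TRIM can be expressed as a small decision model. The code below is an added example written for this page, not DPEM's own tooling; the thresholds and "Consider for" row come from the matrix, while taking the worst impact type as the deciding one, and the names TrimFile and TrimDocument, are assumptions of the example.

```python
# Added example (not from the DPEM presentation): the Impact Assessment Matrix's
# thresholds and "Consider for" row, plus the TRIM rule that a document inherits its
# file's classification. Letting the worst impact type decide is this example's assumption.
from dataclasses import dataclass

IMPACT_TYPES = ("operations", "personnel", "financial", "public_image", "security")
# "Consider for" row, indexed by severity band: Insignificant to Minor, Moderate to Major, Extreme.
CONSIDER_FOR = ("PUBLIC or UNCLASSIFIED", "X-IN-CONFIDENCE or PROTECTED", "HIGHLY PROTECTED")
# Security row of the matrix: band for a compromise of a resource at each level.
SECURITY_BAND = {"UNCLASSIFIED": 0, "IN-CONFIDENCE": 0, "RESTRICTED": 0,
                 "PROTECTED": 1, "CONFIDENTIAL": 1, "HIGHLY PROTECTED": 2, "SECRET": 2}

def financial_band(pct_monthly_budget=0.0, individual_impost=0.0):
    """Financial row: DPEM impost 2-5% / 5-10% / over 10% of the monthly budget,
    or impost to individuals up to $2,000 / $2,000-$20,000 / over $20,000."""
    if pct_monthly_budget > 10 or individual_impost > 20_000:
        return 2
    if pct_monthly_budget > 5 or individual_impost > 2_000:
        return 1
    return 0  # below the matrix's lowest threshold still lands in the lowest band

def security_band(compromised_level):
    band = SECURITY_BAND.get(compromised_level.strip().upper())  # Security row lookup
    if band is None:
        raise ValueError(f"unknown classification level: {compromised_level!r}")
    return band

def recommended_classification(bands):
    """bands maps impact type -> band index 0..2; the worst band governs (assumption)."""
    unknown = set(bands) - set(IMPACT_TYPES)
    if unknown:
        raise ValueError(f"unknown impact type(s): {sorted(unknown)}")
    worst = max(bands.values(), default=0)
    if not 0 <= worst < len(CONSIDER_FOR):
        raise ValueError(f"band index out of range: {worst}")
    return CONSIDER_FOR[worst]

@dataclass
class TrimFile:
    title: str
    classification: str

@dataclass
class TrimDocument:
    title: str
    file: TrimFile
    @property
    def classification(self):
        # Security on a document is inherited from the file it is assigned to.
        return self.file.classification
```

Assessors score each impact type against the matrix, feed the band indices to recommended_classification, and the returned "Consider for" value is the starting point for the file's classification, which every document assigned to that file then inherits.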

 

Protective Marking System

In TRIM: a TRIM Word add-in has been trialled. It automatically populates templates with TRIM metadata, and the security classification is automatically populated onto documents when they are assigned to a file in TRIM.

Security on documents is inherited from the file, hence the importance of completing the TRIM audit.

Other Systems

• Develop procedures for marking information/documents generated from or in other systems
• Include a reporting template with the protective marking system labels on all system developments and enhancements in future
• Label documents from legacy systems manually, e.g. with stamps for all Protected and Highly Protected information; conduct a risk assessment

Handling Standards for Manual Transmission

In-Confidence, Protected, Highly Protected

• Develop detailed procedures/checklists for records staff for the management of mail and physical documents
• These procedures should also apply to files that are being sent to other agencies, e.g. the courts or the DPP
• Procedures for the physical receipt of Security Classified Information should also be developed

Receiving Security Classified Information

• Ensure the document or package was transmitted in accordance with the manual handling standards
• Report any signs of tampering
• Sign and return the receipt accompanying the documents/file to the originator, or
• Receipt in the relevant system by changing the assignee or intended destination

Acceptable Use Guidelines

Prioritise policies for implementation:
• Governance Policy
• Risk Management
• Information Security Classification
• Physical Security
• Incident Management
• What is the minimum level that will meet the mandatory requirements?
• Document and mitigate risks

So Far …
• DPEM Information security policies developed
• Established the DPEM Information Security Committee
• Information Security Review completed and risks documented
• Gap analysis completed
• Policies prioritised for implementation
• Business Systems Owner and Custodians Register (Asset Register) collated
• Audit of TRIM objects underway
• Trialled Word add-in for the protective marking system
• Awareness raising presentations with staff underway

Issues

• Generally information security is not embedded in work practices
• Classification level and access review required
• Nationally classified information
• Over-classification
• Audit trails for classified documents / files

Angela Males
Department of Police and Emergency Management
Telephone: 6230 2218
Email: [email protected]