
OCIO/S4.2 Government standard on cyber security

Prepared by: Office of the Chief Information Officer

Version: 3.0.1

Date: 15 November 2012

ISMF Standard 138

Privacy and Confidentiality


ISMF Standard 138

GOVERNMENT STANDARD ON CYBER SECURITY

OCIO/S4.2 Privacy and Confidentiality

Confidentiality: Public
Version: 3.0.1
Status: Final

Audience: SA Government Agencies; Suppliers to SA Government
Compliance: Mandatory
Creator: Office of the Chief Information Officer
Mandate/Authority: Security and Risk Steering Committee
Original Authorisation Date: September 1996
Last Updated and Approved: 15 November 2012
Issued: 15 November 2012
Expiry Date: Not Applicable
Primary Contact: Security and Risk Assurance, Office of the Chief Information Officer, Tel: +61 (8) 8463 4003

Coverage: The South Australian public authorities required to adhere to this standard are defined in OCIO/F4.1 Government framework on cyber security – Information Security Management Framework [ISMF].

This standard is intended for use by South Australian Government agencies and suppliers to Government whose contractual obligations require them to comply with this document. Reliance upon this policy or standard by any other person is entirely at their own risk and the Crown in the right of South Australia disclaims all responsibility or liability to the extent permissible by law for any such reliance.

To attribute this material, cite the Office of the Chief Information Officer, Government of South Australia, ISMF Standard 138.

This work is licensed under a Creative Commons Attribution 3.0 Australia Licence

Copyright © South Australian Government, 2012. Disclaimer

Privacy and Confidentiality

OCIO/S4.2 version 3.0.1 Page 2 of 10


DOCUMENT TERMINOLOGY AND CONVENTIONS

The terms that are used in this document are to be interpreted as described in Internet Engineering Task Force (IETF) RFC 2119 entitled “Key words for use in RFCs to Indicate Requirement Levels”¹. The RFC 2119 definitions are summarised in the table below.

Term – Description

MUST – This word, or the terms "REQUIRED" or "SHALL", means that the definition is an absolute requirement of the specification.

MUST NOT – This phrase, or the phrase "SHALL NOT", means that the definition is an absolute prohibition of the specification.

SHOULD – This word, or the adjective "RECOMMENDED", means that there may exist valid reasons in particular circumstances to ignore a particular item, but the full implications must be understood and carefully weighed before choosing a different course.

SHOULD NOT – This phrase, or the phrase "NOT RECOMMENDED", means that there may exist valid reasons in particular circumstances when the particular behaviour is acceptable or even useful, but the full implications should be understood and the case carefully weighed before implementing any behaviour described with this label.

MAY – This word, or the adjective "OPTIONAL", means that an item is truly optional.

1 www.ietf.org/rfc/rfc2119.txt?number=2119


DOCUMENT CONTROL

Document location

/tt/file_convert/55cf9812550346d03395679b/document.docx

Electronic records management information

File Folder Number: OCIO08/0073/0003 – Document Number: 5281874

Author(s) – Function / role

Andrew Jones – Manager Strategy and Standards

Jason Caley – Principal Policy Adviser, Security and Risk Assurance

Release details – Version – Date

Published document. – 2.3.1 – 10 May 2007

Revised format – no content changes. – 2.4 – 03 June 2009

Issued as a standard under ISMF version 3.0; released under the terms of the Australian Government's Open Access and Licensing framework [AusGOAL]. – 3.0 – 06 October 2011

Minor revision to remove obsolete entries under References & Links. – 3.0.1 – 15 November 2012

Distributed to – Version – Date

Published to www.sa.gov.au website – 3.0.1 – November 2012

CLASSIFICATION

Confidentiality: PUBLIC-I2-A1

Description: No harm could be caused to an organisation or individual and no unfair advantage could be given to any entity and no violation would occur to somebody’s right to privacy. Integrity 2 with low availability requirements.

Circulation limit: Unrestricted access.


TABLE OF CONTENTS

1. PURPOSE – 6

2. CONTEXT – 6

2.1. Background – 6

2.2. History – 6

3. SCOPE – 6

4. TERMS AND ABBREVIATIONS – 7

4.1. Terms – 7

4.2. Abbreviations – 8

5. STANDARD – 8

5.1. South Australian Government standard – 8

6. IMPLEMENTATION – 8

6.1. Implementation considerations – 8

6.2. Exemptions – 9

6.3. Responsibilities – 9

7. REFERENCES AND LINKS – 9


1. PURPOSE

This document states the standard of the Government of South Australia in relation to privacy and confidentiality of electronic information.

2. CONTEXT

2.1. Background

The government has obligations in relation to the:

o privacy and security of information it holds;

o integrity of data it generates and/or retains to support service delivery functions and development.

2.2. History

This standard revises the following policies and/or standards:

OCIO/P4.2 Security – Privacy and Confidentiality, Version 2.4.

This document replaces and shall be considered a full substitute for its predecessor.

3. SCOPE

The ISMF and all security Bulletins, Notifications and standards issued under it shall apply, unless otherwise advised, to all bodies that are:

o South Australian Government public sector agencies (as defined in the Public Sector Act 2009), that is, administrative units, bodies corporate, statutory authorities, and instrumentalities of the Crown. Public sector agencies are herein referred to as “Agencies”; OR

o Suppliers to the South Australian Government or its Agencies that have contractual conditions which require compliance to the ISMF as described in section 2.1 of the ISMF

The ISMF and all security Bulletins, Notifications and standards issued under it shall apply to:

o All information processed, stored or communicated by ICT equipment, where that information is either:

  - Official Information of the South Australian Government or its Agencies; or

  - Information of which the South Australian Government or any of its Agencies has custody²; or

  - Information as described above which Suppliers that have contractual conditions that require compliance to the ISMF (as described in section 2.1 of the ISMF) hold on behalf of the South Australian Government or any of its Agencies.

o Anything that acts upon an ICT asset, including creating, controlling, validating, and otherwise managing the ICT asset throughout the lifecycle of the asset.

4. TERMS AND ABBREVIATIONS

4.1. Terms

“Authorised access” means access to, use of, copying of, or any form of communication with, the information/data owned by an agency.

“Responsible Party” is used in two contexts within the ISMF. These are:

o An Agency – the internal to government body that retains ultimate responsibility for all aspects covered by the Information Security Management Framework [ISMF] as it relates to a particular agency and its information assets.

o A Supplier – an external to government entity that is typically responsible for compliance with the ISMF by way of a contractual agreement that contains clauses requiring security of Agency information and the regulation of access to an Agency’s information assets. The term “Supplier” shall be read as “Suppliers who are subject to contractual conditions that require them to comply with the ISMF” unless another intention is apparent.

When a Supplier has contracted with the State, the provisions of the ISMF will apply to the Supplier either:

o under the terms of a Purchasing Agreement for whole of Government contracts and associated Customer Agreements; or

o by way of an individual contract with an Agency whereby the Agency has specified the parts of its Information Security Management System [ISMS] for which compliance is sought.

It should be noted that Agency Chief Executives retain ultimate accountability for all security matters within their agencies. The application of the ISMF to a Supplier via a contract with the State or Agency shall not absolve the Agency from these obligations and responsibilities.

“Responsible Parties” includes both Agencies and Suppliers who are subject to contractual conditions that require them to comply with the ISMF. Where any ambiguity arises between these entities in relation to adherence to the ISMF, the Agency Controls implemented in the Customer Agreement shall prevail (i.e. the Agency remains the default party and the Customer Agreement is used as the vehicle for setting the scope and requirements for the Supplier to comply with either the entirety of the ISMF or part(s) thereof. The Customer Agreement may also introduce additional Agency-specific controls and policies that the Supplier must comply with).

2 Note the definition of “custody” in the ISMF differs from State Records’ interpretation.

“Business Owner” represents the person or group that is ultimately responsible for an information asset. This person or group is distinct from an information custodian, who may take responsibility for the ongoing management of the information (such as a CIO or system administrator). Individual business units should own business-critical information, rather than information technology or information security departments (they are custodians, not owners). The manager of the business unit responsible for the creation of any information and/or the business unit directly impacted by the loss of the information is usually the Business Owner. A Business Owner or group of Business Owners must be identified for each information asset.

4.2. Abbreviations

ICT Information and Communication Technology

ISMF Information Security Management Framework

PSMF Protective Security Management Framework

5. STANDARD

5.1. South Australian Government standard

Privacy and confidentiality of government data is governed by the Information Privacy Principles Instruction (Cabinet Administrative Instruction 1/89) issued as Premier and Cabinet Circular No. 12.

6. IMPLEMENTATION

6.1. Implementation considerations

As part of a data management plan, Responsible Parties must define authorised access for all of their data, including who has access, the level of authority required, and the level of access allowed. The Government of South Australia Information Security Management Framework describes a series of policies, standards and controls for the protection of information in South Australian government ICT environments.

The framework has been written and structured to align closely with AS/NZS ISO/IEC 27001:2006 Information Technology – Security techniques - Information security management systems - Requirements. The ISMF applies a risk-based approach to cyber security in accord with the government’s Risk Management Policy Statement.


6.2. Exemptions

None.

6.3. Responsibilities

Chief executives have ultimate responsibility for all security matters within their agencies.

Treasurer's instruction 2, ‘Financial Management Policies’ establishes certain obligations and expectations on how entities of the South Australian Government manage risk including those pertaining to ICT projects. On the issue of information security management, it is required that the entity implements whatever control measures are necessary to provide adequate protection for its information and that, where applicable, the entity shall comply with the instructions detailed in the Protective Security Management Framework issued as Premier and Cabinet Circular No. 30.

7. REFERENCES AND LINKS

Government of South Australia Information Privacy Principles Instruction (Cabinet Administrative Instruction 1/89) issued as Premier and Cabinet Circular No. 12

AS/NZS ISO/IEC 27001:2006 Information Technology – Security techniques - Information security management systems – Requirements

OCIO/F4.1 Government of South Australia Information Security Management Framework [ISMF]

Government of South Australia Protective Security Management Framework [PSMF] issued as Premier and Cabinet Circular No. 30
