
DPC/G4.38 Government guideline on cyber security

ISMF Guideline 38

Legal, regulatory and contractual compliance requirements

BACKGROUND

This guideline outlines the legislative and regulatory requirements for South Australian Government agencies and suppliers to South Australian Government agencies whose contractual requirements include the Information Security Management Framework [ISMF]. Agencies must assure themselves that they are aware of their legal requirements and obligations in cyber security. This guideline supports implementation of ISMF Policy Statement 38.

GUIDANCE

The following tables identify local and international laws, regulations and other external requirements that must be identified, recognised and complied with in addition to highlighting relevant standards and guidelines used by the Government of South Australia security and risk framework. These items are regularly reviewed for changes that may impact policy and standards implementations involving cyber security. In addition to the considerations contained in this guideline, agencies and suppliers to government must assure themselves that any relevant agency and/or industry sector laws and regulations are being observed.

PART 1: LAWS AND LEGISLATIVE CONSIDERATIONS

Reference Relevance to cyber security initiatives

South Australian Legislation

Criminal Law Consolidation Act 1935 (SA)

Codifies the majority of crimes in South Australia. Operates in conjunction with the common law.

Electronic Transactions Act 2000 (SA)

Mirrors the Commonwealth Act with some localised differences. Provides a regulatory framework to ensure that transactions conducted electronically or on paper are treated equally by law. Supports the development of e-commerce. It is technology neutral and does not endorse a particular signature technology, nor does it provide rules for digital or electronic signatures.

Emergency Management Act 2004 (SA)

Establishes strategies and processes for the management of emergencies in the State. Includes provisions for the establishment of the State Emergency Management Committee and the appointment of the State Co-ordinator. ICT failure is recognised by the State Emergency Management Plan, which is enabled by this legislation.

Essential Services Act 1981 (SA)

Aims to protect the community against the interruption or dislocation of essential services. Responsible Parties should give consideration to critical ICT services that may underpin provision of essential services described by the Act.

Evidence Act 1929 (SA)

Details the requirements for evidence gathering and handling, including electronic information intended to be used in judicial proceedings. In particular, Part 6A specifies the requirements for admissibility of computer-derived evidence.

Freedom of Information Act 1991 (SA)

Promotes openness in government and accountability of State Government ministers and other government agencies by providing for public access to official documents and records, and provides for the correction of public documents and records in appropriate cases.

Listening and Surveillance Devices Act 1972 (SA)

Regulates the use of listening and surveillance devices, as part of the South Australian criminal law.

Public Finance and Audit Act 1987 (SA)

Regulates the receipt and expenditure of public money. Details the purpose, function and autonomy of the Office of the Auditor-General.

Public Sector Act 2009 (SA)

Makes provision for employment, management and governance matters relating to the public sector of the State.

Public Sector (Honesty and Accountability) Act 1995 (SA)

Imposes duties of honesty and accountability on public sector office holders, employees and contractors.

State Records Act 1997 (SA)

Governs handling of official records to ensure that records of enduring evidential or informational value are preserved for future reference.

Commonwealth Legislation

Australian Security Intelligence Organisation Act 1979 (Cth)

Establishes and prescribes ASIO’s functions and powers. Includes provisions for computer access warrants, security assessments, and listening and tracking devices.

Crimes Act 1914 (Cth)

Codifies offences against the Commonwealth. Functions alongside State legislation and is gradually superseding the Criminal Code Act 1914.

Criminal Code Act 1995 (Cth)

The main piece of legislation containing federal offences. Abolishes all common law offences and is gradually superseding the Crimes Act 1914.

Cybercrime Act 2001 (Cth)

Codifies and amends the law relating to computer offences.

Electronic Transactions Act 1999 (Cth)

Provides a regulatory framework that recognises the importance of the information economy and facilitates the use of electronic transactions.

Intelligence Services Act 2001 (Cth)

Provides a legislative basis for the Australian Secret Intelligence Service (ASIS) and the Australian Signals Directorate (ASD). Also grants powers to Australian Security Intelligence Organisation (ASIO).

Government guideline on cyber security

External legal, regulatory and contractual compliance requirements v2.1

Page 2 of 7

ISMF Guideline 38


National Security Information (Criminal and Civil Proceedings) Act 2004 (Cth)

Prevents the disclosure of information in federal criminal and civil proceedings where the disclosure is likely to prejudice national security, except where preventing the disclosure would seriously interfere with the administration of justice.

Privacy Act 1988 (Cth)

Operates in conjunction with the common law. Defines what constitutes sensitive information (section 6) and details the Information Privacy Principles (section 14).

Spam Act 2003 (Cth)

Regulates commercial electronic messages, address-harvesting software and similar matters. Also describes penalties and punitive measures. Particular attention should be paid to the requirement to provide an ‘opt-out/unsubscribe’ option when using mass-mailing or similar distribution software.

Telecommunications Act 1997 (Cth)

Provides a regulatory framework that promotes the long-term interests of end-users of carriage services.

Telecommunications (Interception and Access) Act 1979 (Cth)

Prohibits the interception of, and other access to, telecommunications except where authorised in special circumstances.

United States Legislation

USA PATRIOT Act 2001

Has repercussions for government information being hosted or communicated via ICT equipment located in the US and its possessions. Information may be accessed or collected by authorised agencies. Additionally US based companies operating in foreign jurisdictions are also subject to many provisions within this Act.

Computer Fraud and Abuse Act 1986

The definition of a “protected computer” has implications for ICT systems used outside of the US, specifically:

(B) which is used in interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States;

Federal Information Security Management Act 2002

Recognises the importance of information security to the economic and national security interests of the United States. The Act requires each US federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source. Useful for tracking changes and emerging trends in information security legislation.


PART 2: POLICIES AND STANDARDS

A comprehensive listing of relevant information security policies and standards is contained in the Information Security Management Framework [ISMF].

Australian Government policy and standards

Reference Relevance to cyber security

Australian Government Protective Security Policy Framework [PSPF]

The PSPF reflects the requirements of contemporary Government and private-sector partnership, agile procedural change and the dynamic landscape of information security, particularly in light of constantly evolving ICT technologies and service delivery capabilities. The PSPF is designed to progressively replace the PSM (Protective Security Manual) over a period of time.

Australian Government Information Security Manual, [ISM]

The ISM (formerly known as ACSI 33) is a standard that forms part of a suite produced by ASD relating to information security. Its role is to promote a consistent approach to information security across all Australian Government, State and Territory agencies and bodies. It provides a security risk assessment for information that is processed, stored or communicated by government systems with corresponding risk treatments to reduce the level of security risk to an acceptable level.

South Australian Government circulars and instructions

Reference Relevance to cyber security initiatives

Treasurer’s Instruction 2

Financial management policies. Stipulates obligations and expectations on how South Australian Government entities manage risk, including in major ICT projects and initiatives.

Financial Management Framework, section 2

Retired. Replaced by Treasurer’s Instruction 28. Refer to link for Treasurer’s Instruction 2.

Premier and Cabinet Circular 12 (PC012) [IPPS]

Information Privacy Principles Instruction

Premier and Cabinet Circular 30 (PC030) [PSMF]

Protective Security Management Framework for SA Government. This is the foundation document that mandates the State’s ISMF and the use of the Australian Government PSPF.

Notifications

Various: several items are relevant to security, risk, continuity, information privacy and service assurance. Some are provided by the Cyber Security and Risk Assurance Group (DPC), but all notifications are tracked. Available to SA Government personnel only (via Intranet access).


South Australian Government policies and standards

Reference Relevance to cyber security initiatives

Code of Ethics for the South Australian Public Sector

Encompasses topics such as handling official information, public comment, use of government resources and conflicts of interest.

South Australian Recordkeeping Metadata Standard

This Standard outlines the basic core set of metadata elements required to manage records in accordance with best practice.

Intellectual Property Policy

This policy provides an enabling and overarching framework to create a supportive environment to:

achieve best practice in IP management in Government;

where appropriate, to facilitate effectiveness of knowledge transfer by Government agencies to the public and private sectors; and

achieve effective and timely protection of Government IP and, where appropriate, its commercialisation.

Information Security Management Framework [ISMF]

South Australian security framework describing 40 policies, 140 standards and numerous controls in support of cyber security. It is closely aligned to ISO 27001.


Australian and International industry standards

Reference Relevance to cyber security initiatives

AS/NZS ISO/IEC 27001

ISO 27001 stipulates the ISMS requirements and is referenced for SA Government specific implementations of policy as described by the ISMF.

AS/NZS ISO/IEC 27002

Code of practice for information security controls.

AS ISO/IEC 20000

IT service management, reflecting best practice guidance contained in ITIL (Information Technology Infrastructure Library) and COBIT (Control Objectives for Information and related Technology).

AS 8018

Australian Standard AS 8018 ICT Service Management (ITIL).

AS/NZS ISO 31000

International risk management standard.

ISO/IEC 13888

Non-repudiation.

PCI-DSS

Payment Card Industry (PCI) Data Security Standard.

ADDITIONAL CONSIDERATIONS

This guideline does not aim to provide the reader with all legislative and regulatory requirements for cyber security initiatives. It is merely an overview of the laws, legislation, policies, standards and guidelines adhered to across the South Australian Government. It is highly recommended that agencies review these documents in their entirety and assess other relevant legislation and regulations that may apply in their specific industry sector or circumstances. The individual requirements of agencies will have direct bearing on what measures are implemented to mitigate identified risk(s).


REFERENCES, LINKS & ADDITIONAL INFORMATION

South Australian Government - Attorney General's Department: South Australian Legislation

Australian Government - Commonwealth Law

AS/NZS ISO/IEC 27001

DPC/F4.1 Information Security Management Framework [ISMF]

PC030 Protective Security Management Framework [PSMF]

Australian Government Protective Security Policy Framework [PSPF]

Document Control

ID: DPC/G4.38

Version: 2.1

Classification/DLM: PUBLIC-I1-A1

Compliance: Discretionary

Original authorisation date: February 2014

Last approval date: September 2017

Next review date: September 2018

Licence

With the exception of the Government of South Australia brand, logos and any images, this work is licensed under a Creative Commons Attribution (CC BY) 4.0 Licence. To attribute this material, cite the Department of the Premier and Cabinet, Government of South Australia, 2017.
