
DPC/G4.1a Government guideline on cyber security

ISMF Guideline 1a

Transition guidance for agencies and suppliers

BACKGROUND

The introduction of the Information Security Management Framework [ISMF] version 3 emphasises the application of risk management principles and selective cyber security controls proportionate to the criticality and sensitivity of Information and Communication Technology [ICT] assets including the information itself.

A key change between ISMF version 2 and the new framework is the requirement for agencies to establish an overarching Information Security Management System [ISMS] that is continually monitored and improved as needed. This guideline assists agencies, and relevant suppliers to agencies, in transitioning from the current state to an operating environment that adheres to the requirements introduced in ISMF version 3. This guideline supports implementation of ISMF Policy Statement 1 – Compliant Authorities.

GUIDANCE

Graduated approach

The implementation will be stepped in three phases of two (2) years each. The calendar of key milestones and performance indicators is summarised on the next page. For the first two phases, agencies’ information assets that are not yet included in an Information Security Management System as required by ISMF version 3 will continue to be assessed against ISMF version 2.

Periodic monitoring

Chief Executives in each agency should provide confirmation in line with the Cabinet Implementation Framework that they are satisfied with the protection of any State Government Critical Information Infrastructure for which they are accountable, at least annually or when any significant changes occur, until such time as application of ISMF version 2 has been retired within the agency.

Internal audit functions within each agency should provide key findings and recommendations, as required by the ISMF, to the Chief Executive on the status and/or progress of transition efforts for business critical or sensitive information assets.

The Agency Security Executive [ASE] is appointed by way of the Protective Security Management Framework (Cabinet Circular 30) to provide executive direction and oversight of the security program. The ASE and internal audit function both have valid roles to assume in keeping the Chief Executive informed of cyber security compliance progress on a regular basis.

ISMF version 2 sunset date

ISMF version 2 will be retired as policy on 30 June 2015. In the meantime, any agency information assets that are yet to be transitioned to an ISMS that aligns with the requirements of ISMF version 3 will continue to be assessed against the version 2 framework.

Government guideline on cyber security: ISMF transition guidance for agencies and suppliers v1.3

Page 2 of 4

Phase 1 (till June 30 2013) Establish an ISMS for information assets or undertakings that are critical or highly sensitive to the business

Agencies will have two (2) years to establish an information security management system and develop a statement of applicability for their operating environment that encompasses critical ICT information assets and associated activities. ICT resources used for processing or storing sensitive information, such as personally identifiable information (e.g. personal records, law enforcement data etc.), are to be included within the scope of the management system.

Agencies which already have an ISMS in place should use this time to conduct a gap analysis and amend their current ISMS to meet the requirements of ISMF version 3 for their most critical information assets/related business undertakings.

A key performance indicator for this phase of transition is documented compliance that 100% of the ICT component of State Government Critical Infrastructure and business critical assets (i.e. Agency Critical Infrastructure) are accounted for in the management system; as well as any systems that process or store privacy data.

Phase 2 (expires 30 June 2015) Improve what is in place, expand and logically progress the coverage of the ISMS to at least 50% of the agency operating environment

A subsequent two-year period should focus on adding further ICT systems, processes and activities to the management system. A key metric of success is the inclusion of at least 50% of the ICT environment in the management system. Agencies are at liberty to define the percentage metric based on their business profile [e.g. activities, business unit functions, assets, human resources, geographical locations etc.]. ISMF version 2 expires at the conclusion of this period so that residual assets can be introduced to the ISMS in alignment with version 3 requirements in the final phase of transition.

A key performance indicator is demonstrated coverage that at least half of an agency’s ICT environment is included in the management system. Demonstrated coverage should be based on the significance of the ICT components to the agency’s core business functions.

INFORMATION SECURITY TECHNOLOGY ADVISERS

Agency personnel and suppliers to government agencies should initially consult and confer with the Information Security Technology Adviser [ITSA] in that agency.

CYBER SECURITY SERVICES PORTAL

An open portal of qualified and suitably screened private sector organisations that can assist resource constrained agencies during transition to ISMF version 3 as well as providing other cyber security services may be accessed from the eProjects website.

ADDITIONAL CONSIDERATIONS

Work undertaken in previous business continuity exercises, such as pandemic influenza planning, should be leveraged in order to ascertain what cyber (ICT) services have been identified as critical to the continuity of the business and/or services provided by the state.

The active participation of the roles defined in the PSMF, namely the Chief Executive, the Agency Security Executive, the Information Technology Security Adviser and the Agency Security Adviser, coupled with internal audit functions, is critical to the success of transitioning.

Several tools and guidelines have been published on http://digital.sa.gov.au/resources/topic/security

Phase 3 (expires 30 June 2017) Optimisation of the ISMS

Agencies will bring any remaining ICT assets into the scope of the new ISMS.

A key performance indicator is demonstrated progressive coverage of agency ICT environments within their management systems in line with achieving as close to 100% [target] coverage of their ICT environments as possible, once again based on business risk and impact analysis.

This guideline does not aim to provide the reader with all of the responsibilities and obligations associated with ISMF version 3 implementation and transition. It is merely an overview of the information provided in applicable government cyber security policy, applicable governance frameworks and the resources and utilities available at the time of publication. It is highly recommended that agencies review these documents in their entirety. The individual requirements of agencies will have direct bearing on what measures are implemented to mitigate identified risk(s).

REFERENCES, LINKS & ADDITIONAL INFORMATION

DPC/F4.1 Government of South Australia Information Security Management Framework [ISMF]

PC030 Government of South Australia Protective Security Management Framework [PSMF]

AS/NZS ISO/IEC 27002:2006

Australian Government Protective Security Policy Framework [PSPF]

Document Control

ID: DPC/G4.1a
Version: 1.3
Classification/DLM: PUBLIC-I1-A1
Compliance: Discretionary
Original authorisation date: February 2012
Last approval date: September 2017
Review date: September 2018

Licence

With the exception of the Government of South Australia brand, logos and any images, this work is licensed under a Creative Commons Attribution (CC BY) 4.0 Licence. To attribute this material, cite the Department of the Premier and Cabinet, Government of South Australia, 2017.
