Is18 Best Practice Guide

Date post: 12-Apr-2018
  • 7/21/2019 Is18 Best Practice Guide

    1/56

Queensland Government Information Architecture

Information Standard 18

Information Security

Best Practice Supplement

DOCUMENT CONTROL

Document Details

Document Reference/Name: IS18BPS_V1.00.00

Version Number: V1.00.00

Documentation Status: Working Draft

    R!" IS #rc$i%e&

GIA Domain: Information Management

Next Scheduled Review Date: In line with Information Standard 18

Version History

Version Number | Date | Reason/Comments
V0.00.01 | 23 May 2001 | DRAFT
V0.00.02 | 2 June 2001 | DRAFT
V0.00.03 | 1 September 2001 | Incorporated Agency feedback
V1.00.00 | 21 September 2001 | Issued


Information Standard No. 18 Best Practice Supplement Information Security

Contents

1 Background
2 Implementation
2.1 Implementation Timeframe
2.2 Implementation Process
3 Risk Assessment
3.1 Further Reference
4 Agency Security Policy
4.1 Best Practice
4.2 Further Reference
5 Security Framework
5.1 Best Practice
5.1.1 Information Security Framework
5.1.2 Security of Third Party Access
5.1.3 Outsourcing
5.2 Further Reference
6 Information Asset Classification and Control
6.1 Best Practice
6.1.1 Accountability for assets
6.1.2 Information classification
6.2 Further Reference
7 Personnel Security
7.1 Best Practice
7.1.1 Security in job definition and resourcing
7.1.2 User training
7.1.3 Responding to security incidents
7.2 Further Reference
8 Physical and Environmental Security
8.1 Best Practice
8.1.1 Secure Areas
8.1.2 Equipment Security
8.1.3 General Controls
8.2 Further Reference
9 Operational Security Management
9.1 Best Practice
9.1.1 Operational procedures and responsibilities
9.1.2 System planning and acceptance
9.1.3 Protection against malicious software
9.1.4 Systems maintenance
9.1.5 Network management
9.1.6 Media handling
9.1.7 Exchanges of Information and Software
9.1.8 Reporting Regime
9.2 Further Reference
10 Access Control
10.1 Best Practice
10.1.1 Business requirements for access control
10.1.2 User access management
10.1.3 User Responsibilities
10.1.4 Network access controls
10.1.5 Computer access control
10.1.6 Application access control
10.1.7 Monitoring system access and use
10.1.8 Mobile equipment and teleworking
10.2 Further Reference
11 Systems Development and Maintenance
11.1 Best Practice
11.1.1 Security in application systems
11.1.2 Cryptographic controls
11.1.3 System file security
11.1.4 Development and support security
11.2 Further Reference
12 Business Continuity Management
12.1 Best Practice
12.1.1 Continuity Plans
12.1.2 Vulnerability Assessment
12.1.3 Impact Assessment
12.2 Further Reference
13 Compliance
13.1 Best Practice
13.1.1 Compliance with legal requirements
13.1.2 Reviews of security policy and technical compliance
13.2 Further Reference
Definition of Terms
Attachment A - Suggested policy templates

Version No. BPS V1.00.00 Page 2


1 Background

The effective management of information and supporting systems is fundamental to ongoing client service delivery, provision of integrated services and the sharing of information. The objective of information security is to maintain business continuity and minimise business damage by preventing or limiting the impact of security breaches.

This supplementary guide has been developed to support agencies implementing Information Standard 18 Information Security and to simplify and limit the impact of security management issues. The level or degree of security that is required within each Agency will be dependent upon a number of factors including:

The value of the information;

The impact of the loss of assets;

The risks to which they are exposed; and

The extent to which they are affected by legal and regulatory requirements.

This document is provided for general guidance only; Agencies should consider the information provided in this supplement as reference material. Security control measures required will be dependent on individual Agency situations.

Agencies need to conduct a risk assessment of information security controls currently in place and determine where controls need to be implemented or processes improved to meet the mandatory principles of Standard 18 and individual Agency requirements. The results of the risk assessment should be used to prioritise the security controls required.


2 Implementation

As outlined in the Information Standard 18 Attachment A, Agencies are required to conduct a high level risk assessment of existing Agency security controls to determine whether these meet minimum requirements of the mandatory principles within 6 months of the endorsement of this standard.

Where measures to meet the mandatory principles are not in place, and their absence is determined to be of a high risk (major consequences and medium/high likelihood of occurrence) to Agency operations, these must be implemented in Agencies by 31 December 2002.

2.1 Implementation Timeframe

Phase | Responsibility | Completed
1. Risk Assessment to identify, analyse and evaluate risks | Agency Managers/External Advice/Information Security Officer | 6 months from endorsement of Standard 18.
2. Prioritise implementation of mandatory principles | Agency Managers/Information Owners/Information Custodians & System Administrator/IT Managers | 6 months from endorsement of Standard 18.
3. Implement mandatory principles where the risk is determined to be high. | Agency Managers/Information Owners/Information Custodians & System Administrator/IT Managers | Prior to December 31 2002
4. Implementation of principles and security issues of medium/low impact | Agency Managers/Information Owners/Information Custodians & System Administrator/IT Managers | Ongoing
5. Business Continuity Planning | Agency Managers/Information Owners/Information Custodians & System Administrator/IT Managers | Ongoing


2.2 Implementation Process

[Figure: Implementation process. Elements shown: Agency Information Security Policy; Security Framework (roles and responsibilities); Risk assessment; Security controls consistent with risk assessment and information classifications (Personnel Security, Physical Security, Access Controls, Operational Controls, Systems Dev Controls); Educate/Communicate; Information & Business Requirements; All Information Users; Asset Classification & Control (accountability & classification); Compliance; BCP; Information Standards; Legal & Legislative Requirements; Monitor/review. Key: Input, Activity, Mandatory Principle.]


3 Risk Assessment

It is recognised that many Agencies will have the majority of the security controls outlined in the standard already in place. However all Agencies are required to conduct a high-level risk assessment to determine where they do, or do not, meet the minimum requirements of the mandatory principles.

The risk assessment process is crucial in implementing effective information security management. Where agencies have no formal process for risk management in place it is strongly recommended that the Queensland Government Information Standards Information Risk Management Guide or the Australian Standards AS/NZS 4360:1999 - Risk Management are used.

The process and measures below are provided for guidance in applying the mandatory principles of Information Standard 18; some Agencies may wish to use more detailed measures.

Consequence Scale

Measure | Description
Major | Major problems would occur and threaten the provision of important services, resulting in significant economic loss and/or significant impact on Government.
Moderate | Services would continue but would need to be reviewed or changed.
Minor | Effectiveness of services would be threatened but dealt with.
Insignificant | Dealt with as a part of routine operations.

Likelihood Scale

Measure | Description
High | Is expected to occur in most conditions (1 or more times per year)
Medium | The event will probably happen in most conditions (2 years)
Possible | The event should happen at some time (5 years)
Unlikely | The event could happen at some time (10 years)

Risk Assessment

Likelihood \ Consequences | Insignificant | Minor | Moderate | Major
High | | | | HIGH RISK - Implement by December 2002
Medium | | | | HIGH RISK - Implement by December 2002
Possible | | | |
Unlikely | | | |
Rare | | | |
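The following is an added worked example of the consequence x likelihood rating above; it is not part of the IS18 supplement. The two scales and the one rule the page states explicitly (Major consequences with Medium or High likelihood is high risk, to be implemented by December 2002) come from the page; the Medium/Low split used for the remaining cells of the matrix is an assumption made here purely so the whole matrix can be filled in, as is the "Ongoing" timeframe taken from phase 4 of the timeframe table.

```python
"""Rate missing controls on the IS18 consequence x likelihood scales.

Added illustration, not code from the IS18 supplement. The High rule is the
page's; the Medium/Low split below is an assumption for illustration only.
"""

# Scales as listed on the page, ordered from least to most severe / likely.
CONSEQUENCES = ["Insignificant", "Minor", "Moderate", "Major"]
LIKELIHOODS = ["Rare", "Unlikely", "Possible", "Medium", "High"]


def rate_risk(consequence, likelihood):
    """Return 'High', 'Medium' or 'Low' for one (consequence, likelihood) pair."""
    if consequence not in CONSEQUENCES or likelihood not in LIKELIHOODS:
        raise ValueError(f"unknown scale value: {consequence!r} / {likelihood!r}")
    # Rule stated on the page: Major consequence with Medium or High likelihood.
    if consequence == "Major" and likelihood in ("Medium", "High"):
        return "High"
    # Assumed split for the other cells: multiply the 1-based positions on the
    # two scales and call a product of 6 or more Medium, anything lower Low.
    score = (CONSEQUENCES.index(consequence) + 1) * (LIKELIHOODS.index(likelihood) + 1)
    return "Medium" if score >= 6 else "Low"


def prioritise(gaps):
    """Order controls found missing by rating and attach the page's timeframe.

    gaps: iterable of (control_name, consequence, likelihood).
    Returns a list of (control_name, rating, timeframe), High first.
    """
    timeframe = {
        "High": "Implement by December 2002",   # stated on the page
        "Medium": "Ongoing",                    # phase 4 of the timeframe table
        "Low": "Ongoing",
    }
    order = {"High": 0, "Medium": 1, "Low": 2}
    rows = []
    for name, consequence, likelihood in gaps:
        rating = rate_risk(consequence, likelihood)
        rows.append((name, rating, timeframe[rating]))
    return sorted(rows, key=lambda row: order[row[1]])


def risk_matrix():
    """Full matrix as {(likelihood, consequence): rating}, for review or printing."""
    return {(l, c): rate_risk(c, l) for l in LIKELIHOODS for c in CONSEQUENCES}


if __name__ == "__main__":
    # Constructed sample of controls found missing in a high-level assessment.
    sample_gaps = [
        ("Endorsed agency security policy", "Major", "High"),
        ("Off-site copy of weekly backups", "Major", "Possible"),
        ("Visitor sign-in register", "Minor", "Unlikely"),
    ]
    for row in prioritise(sample_gaps):
        print(" | ".join(row))
```

Running the module prints the constructed gaps with the high-risk control first; `risk_matrix()` gives every cell so the assumed Medium/Low boundary can be checked against an agency's own tolerance before use.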


High-level risk assessment of mandatory principles

[Figure: high-level risk assessment flow. Inputs: Information Standard Mandatory Principles; Agency operational requirements; Financial Management. Example: Principle 1 IS18 Agency Security Policy - Is there any Agency Security Policy? Is it endorsed by the CEO? Is it communicated to staff? Steps: Determine by April 2002; Prioritise implementation of principles; where major consequences and medium/high likelihood, Implement by December 2002; Determine any other controls that may be required in a detailed risk assessment.]

3.1 Further Reference

t be cleaned then the message should

be blocked.

Anti-virus software should be regularly updated with new definition files.

Anti-virus software should be regularly reviewed. It may be necessary to use more than one type of scanning software to ensure that maximum protection is provided for all information platforms and environments.

Agencies should ensure that virus protection and recovery strategies are included in risk management and business continuity plans. Reporting of virus incidents should be included in internal Agency Security Incidents and Violations reports. See Section 8.1.8 for suggested reporting contents.

2. Audit logs

Agencies should use system audit logs such as firewall logs to detect any abnormal system activity including hacker or virus activity.
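As an added example of the audit-log review the item above calls for (not code from the IS18 supplement), the script below reads a small constructed firewall log in a made-up "timestamp action source destination port" format and flags a source that is denied on many distinct ports in a short window, the kind of abnormal activity a firewall log makes visible. The log format, the sample addresses and the thresholds are all assumptions; a real deployment would adapt `parse_firewall_log` to its firewall's export format.

```python
"""Flag abnormal activity in firewall deny logs (added illustration, not IS18 code).

Log format, sample lines and thresholds are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample: "timestamp action src dst dport". The 192.0.2.0/24 block is
# the documentation range, so these addresses belong to no real host.
SAMPLE_LOG = """\
2001-09-21T08:00:01 ACCEPT 10.1.1.5 10.1.2.10 80
2001-09-21T08:00:03 DENY 192.0.2.44 10.1.2.10 21
2001-09-21T08:00:04 DENY 192.0.2.44 10.1.2.10 22
2001-09-21T08:00:04 DENY 192.0.2.44 10.1.2.10 23
2001-09-21T08:00:05 DENY 192.0.2.44 10.1.2.10 25
2001-09-21T08:00:06 DENY 192.0.2.44 10.1.2.10 53
2001-09-21T08:00:07 DENY 192.0.2.44 10.1.2.10 80
2001-09-21T08:00:09 ACCEPT 10.1.1.6 10.1.2.11 443
2001-09-21T08:01:00 DENY 10.1.1.7 10.1.2.10 445
2001-09-21T08:05:00 ACCEPT 10.1.1.5 10.1.2.10 80
"""


def parse_firewall_log(text):
    """Yield (timestamp, action, src, dst, dport) tuples from the constructed format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, action, src, dst, dport = line.split()
        yield datetime.fromisoformat(ts), action, src, dst, int(dport)


def denied_counts(text):
    """Number of denied connections per source address, a first summary for review."""
    counts = defaultdict(int)
    for _, action, src, _, _ in parse_firewall_log(text):
        if action == "DENY":
            counts[src] += 1
    return dict(counts)


def find_port_sweeps(text, min_ports=5, window_seconds=60):
    """Sources denied on at least min_ports distinct ports within window_seconds.

    Returns {src: sorted list of ports touched in the first window that trips
    the threshold}. A single denied connection (a mistyped address, say) does
    not qualify; a run across many ports in seconds does.
    """
    by_src = defaultdict(list)
    for ts, action, src, _, dport in parse_firewall_log(text):
        if action == "DENY":
            by_src[src].append((ts, dport))
    alerts = {}
    for src, events in by_src.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            # Distinct ports denied in the window starting at this event.
            ports = {p for t, p in events[i:] if (t - t0).total_seconds() <= window_seconds}
            if len(ports) >= min_ports:
                alerts[src] = sorted(ports)
                break
    return alerts


if __name__ == "__main__":
    print("denied per source:", denied_counts(SAMPLE_LOG))
    print("port sweeps:", find_port_sweeps(SAMPLE_LOG))
```

The sweep check works on denied events only, so it needs no knowledge of what the blocked traffic was trying to do; the window and port-count thresholds should be tuned against a period of known-normal logs before alerts on them are routed into the incident reporting described in 9.1.8.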

3. Firewalls and active content blocking

Content blocking may be considered as a method of reducing virus and malicious code; however, employing such a mechanism needs to have a risk assessment against the possible loss of business functionality.

Active content filters need to be installed on a gateway/firewall if they are to be effective in virus and malicious code control.

4. Education and awareness

Users should be educated about malicious software in general, the risks that it poses, virus symptoms and warning signs, including what processes should be followed in the case of a suspected virus. Agencies should consider network broadcasts or a system for alerting users of virus attacks.


Agencies should establish a policy outlining the prohibited use and installation of software not authorised by the Agency, including user responsibilities with regard to downloading software from Internet and e-mail sources.

9.1.4 Systems maintenance

To minimise threats to the integrity and availability of information, Agencies should consider but not limit activities to:

1. Backup

Backup cycles should be related to the business risk, the frequency with which data and software is changed and the criticality of the system to business operations. The cycle should include, as a minimum:

- Incremental daily backups of data and full weekly backups of all data, operating system and applications. Backups of data on a cycle deemed appropriate by the IT Manager, but as a minimum, on a weekly basis;

- Backups of the complete operating system and applications on a cycle deemed appropriate by the IT Manager, but as a minimum, on a monthly basis.

A register of backups, including verification of their success, should be maintained.

A cycle of backup media should be used for all backups, with at least one copy in each cycle stored off-site.

In addition to regular backup cycles, a system backup should be performed before and after major changes to the operating system, system software, or applications.

Consideration should be taken when upgrading technologies to ensure that backup data is able to be read in the new environment.

A cycle of regular tests should be implemented to verify that the system can be recovered from the backups produced.

A cycle of backup media should be retained of all information required to meet customer service, legal or statutory obligations. These backups should be tested and recreated at least annually and be stored off-site.

2. Operator Logs

Operator logs should be maintained, monitored and reviewed on a regular basis, to ensure that correct computer operating procedures have been complied with.

3. Fault Logging

Procedures should be implemented for the identification, monitoring, recording and corrective action taken of systems faults and failures.
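The backup item above describes a minimum cycle (incremental data daily, full data weekly, operating system and applications monthly) plus a register that records whether each backup was verified and whether a copy went off-site. The following added example (not code from the IS18 supplement) turns those two things into a due-check and a register that can report unverified backups, weekly cycles with no off-site copy, and days on which a due backup was never recorded. The weekday used for the full weekly backup (Sunday) and the day of month for the OS/application backup (the 1st) are assumptions; the register entries are constructed sample data.

```python
"""Minimum backup cycle and backup register from IS18 9.1.4 (added illustration).

Not code from the supplement. Sunday as the weekly full-backup day and the 1st
as the monthly OS/application day are assumptions chosen for this example.
"""
from datetime import date, timedelta


def backups_due(day, weekly_weekday=6, monthly_day=1):
    """Return the backup kinds the minimum cycle calls for on `day`.

    weekly_weekday: weekday index (Monday=0) of the full weekly backup; 6 = Sunday (assumed).
    monthly_day:    day of the month for the full OS/application backup; 1st (assumed).
    """
    due = ["incremental-data"]                      # incremental data backup every day
    if day.weekday() == weekly_weekday:
        due.append("full-data")                     # full data backup at least weekly
    if day.day == monthly_day:
        due.append("full-os-and-applications")      # OS and applications at least monthly
    return due


class BackupRegister:
    """Register of backups, with verification of success and the off-site copy."""

    def __init__(self):
        self.entries = []

    def record(self, day, kind, media_id, verified, offsite):
        """Add one register line; `verified` means a successful completion check."""
        self.entries.append({"date": day, "kind": kind, "media": media_id,
                             "verified": verified, "offsite": offsite})

    def unverified(self):
        """Backups whose success has not been confirmed."""
        return [e for e in self.entries if not e["verified"]]

    def cycles_without_offsite_copy(self):
        """Weekly cycles, as (ISO year, ISO week), with no copy stored off-site."""
        seen, offsite = set(), set()
        for e in self.entries:
            week = e["date"].isocalendar()[:2]
            seen.add(week)
            if e["offsite"]:
                offsite.add(week)
        return sorted(seen - offsite)

    def missing(self, start, end):
        """(day, kind) pairs due between start and end (inclusive) with no register entry."""
        have = {(e["date"], e["kind"]) for e in self.entries}
        gaps, day = [], start
        while day <= end:
            for kind in backups_due(day):
                if (day, kind) not in have:
                    gaps.append((day, kind))
            day += timedelta(days=1)
        return gaps


if __name__ == "__main__":
    # Constructed sample register covering a weekend and the following Monday.
    reg = BackupRegister()
    reg.record(date(2001, 9, 23), "incremental-data", "TAPE-01", verified=True, offsite=False)
    reg.record(date(2001, 9, 23), "full-data", "TAPE-02", verified=True, offsite=True)
    reg.record(date(2001, 9, 24), "incremental-data", "TAPE-03", verified=False, offsite=False)
    print("unverified:", [e["media"] for e in reg.unverified()])
    print("no off-site copy:", reg.cycles_without_offsite_copy())
    print("missing:", reg.missing(date(2001, 9, 23), date(2001, 9, 25)))
```

The `missing` report is the part worth automating: it compares what the cycle says should exist against what the register says was done, which is exactly the gap a recovery test tends to discover too late.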


9.1.5 Network management

1. Agencies should document how they intend to manage and protect information integrity and availability on Agency networks from authorised and unauthorised connections. Suggested policy documents include:

Connectivity processes and procedures for connecting to other Agency networks, including the products and encryption methods to be used.

Firewall configuration and use.

Security filters and gateways.

Wireless LANs use.

Remote user access mechanisms.

2. When documenting network management Agencies should also consider maintaining up-to-date network and communications configuration diagrams.

3. Consideration should be given to ensuring all implementations adhere to manufacturers' or providers' security site-hardening recommendations.

9.1.6 Media handling

To minimise threats to information media, Agencies should consider but not limit activities to:

1. Documenting policies and processes for the marking, disposal and handling of removable computer media (tapes, disks, etc) and paper-based information (system documentation, reports, etc) to protect information from unauthorised disclosure or misuse. (Disposal of information must be in accordance with an Agency's Retention and Disposal Schedules and the Libraries and Archives Act 1988).

2. When considering disposal methods, Agencies need to take into consideration the classification level of the information contained on the media and the type of media used for storage. For example, degaussing, magnetic media overwrite, laser and copier drum sanitisation, volatile media and physical destruction are methods that can be used for destroying information.

3. Agencies should consider instituting security controls and procedures for the physical transportation of Government information.

4. As outlined in previous sections, where information is temporarily removed from Government premises, including media (eg paper files, floppy disks), Agencies should ensure that policies for the care and handling of the material are in place, and that officers are educated in their responsibilities with regard to the safeguarding of the information.

9.1.7 Exchanges of Information and Software

Inter-Agency information exchange in the


1. Information Exchange Agreements

Exchanges of information and data between Agencies or third party organisations should be controlled and, where practical, in the form of a written agreement complying with relevant legislation and with the Information Standard 42 - Information Privacy.

Exchanges of information and data between Agencies and/or third party organizations should be controlled and, where practical, in the form of a written agreement complying with relevant legislation.

Any connection to or by third party networks or services should be conducted in the manner determined by the IT Manager or Chief Information Officer.

2. Security of media in transit

When transporting or mailing media or information, Agencies should implement policies and procedures for determining the methods for packaging and transporting the media based on the sensitivity and value of the information.

3. Internet Security

Internet security is a critical current and ongoing security issue for Agencies. The Internet creates a window into the Agency network that opens up the potential for unauthorised access and security threats to the integrity, confidentiality and availability of its information and all information facilities. Agencies should assess their web security requirements and develop policies and controls to manage all aspects of on-line and Internet activities.

The issues to take into consideration are numerous; however, a few of the points to assess include:

Anonymity and privacy;

Data confidentiality;

The use of cookies;

Applications and plug-ins;

Type of language to be used;

Practices for downloading executables;

Web server security configuration and auditing;

Access controls;

The use of data encryption and PKI.

Impact and risk assessments should be conducted on all web security controls on a regular, if not on-going, basis, and external expert advice should be sought where possible.

When assessing risks and developing proposals for conducting on-line service delivery or exchanging information in any form in an on-line environment, some of the issues that Agencies need to consider include:


Accountability - Tracing actions/events to

Authentication - Verification of identity

Authorisation - Who is authorized to transact business?

Availability - What will be available when and to whom?

Confidentiality - Use and storage of information and privacy requirements

Verification - How information is verified?

Liability - Who is liable for fraudulent or illegal transactions?

Misrepresentation - Pretending to be someone else/providing false information

Message sequencing - Relaying messages in a different order

Modification - Changing the content of messages and data

Denial of service - Flooding the network with messages

Repudiation - Denial of message origin

4. E-Mail Security

E-mail is one of the most common uses of the Internet and is increasingly critical to the normal conduct of business. Therefore, Agencies need policies for e-mail in relation to employees' use of electronic and how e-mail will be managed within the Agency information management and technology environment.

Agency policies and procedures addressing e-mail use should consider the following points:

Ensuring that passwords are used on e-mail systems

Scanned signatures should not be used (they can be cut and pasted to give the appearance that a document was signed officially)

E-mail communication is not private. Any opinions expressed via external e-mail, where they are not related to the conduct of business, should be noted as individual opinions and not those of the organization by inclusion of a disclaimer. For example:

This e-mail, together with any attachments, is intended for the named recipient(s) only. If you have received this message in error, you are asked to inform the sender as quickly as possible and delete this message and any copies of this message from your computer system network. Any form of disclosure, modification, distribution and/or publication of this e-mail message is prohibited. Unless stated otherwise, this e-mail represents only the views of the Sender and not the views of the Department of XXXXX.

Ensuring e-mail systems are backed-up and maintained in accordance with operational systems management standards


Agencies should ensure the evidentiary value of electronic message transactions, and the general reliability and availability of the electronic messaging system, is maintained

Agency use policy should cover:

o The use of email to conduct official business - Clarification of the types of information that can and cannot be transmitted by e-mail systems, for example no transmission of classified information, staff-in-confidence or commercial-in-confidence material except where these systems have been established for such a purpose and have appropriate controls

o The use of email for personal business;

o Access control and confidential protection of messages;

o The management and retention of email messages.

5. Other forms of information Exchange:

Agency policies should address information security implications, practices and protocols in the use of communications and information devices including facsimile, telephones, answering machines, palm pilots and video communication.

9.1.8 Reporting Regime

1. Agencies should consider establishing an Agency "Register of Violations and Exposures" for reporting incidents (including Virus) to the Agency Information Executive Forum/Steering Committee.

2. Reports may contain:

Details of the person reporting the exposure/violation and how the exposure/violation was detected;

Date and time of violation;

Nature of impact of exposure/violation including computer systems, software and hardware affected;

Action that can or has been taken to prevent further compromise.

3. The Register of Exposures should be used as a tool when reviewing security policy, assessing security risks and preventing future occurrences, and in the ongoing security training of staff.

4. Reporting of security weaknesses and software malfunctions should also be monitored to assist in ongoing information integrity and availability.

9.2 Further Reference

Australian Standards: AS/NZS 4444.2:2000 (Section 4)

AS/NZS 4444.1:1999 (Section 8)

AS/NZS ISO/IEC 17799:2001 (Section 8)

    )ersion #o, BPS )1+--+-- Pa.e /

  • 7/21/2019 Is18 Best Practice Guide

    30/56

    Information Standard #o+ 18 Best Practice Supplement Information Security

    4ommonealth of !ustralia" (rotective Security Manual

    Australian Government (u5lis6ing Service7

    an5erra) +!!!

    ,inancial Management Standard #$$- & .reasury ,inancial Management (ractice Manuals % .reasury

    efence Signals irectorate Australian ommunications

    lectronic Security Instruction 33

    0ASI 331

  • 7/21/2019 Is18 Best Practice Guide

    31/56

    Information Standard #o+ 18 Best Practice Supplement Information Security

10 Access Control

10.1 Best Practice

Access to information and systems should be considered in information security controls. Controls will vary according to Agency information classification and network infrastructure. In addition to those outlined in the standard, the following may also be considered.

(Refer to Attachment A for suggested policy content.)

10.1.1 Business requirements for access control

1. Access policies should address detailed access control rules, based on "what must be generally forbidden unless expressly permitted", ensuring that business requirements are followed.

2. Only granting users access to the information, programs and system software that they require to perform their day-to-day business functions.

10.1.2 User access management

1. The overall framework of access rights should be reviewed and amended on a regular basis to determine that they remain appropriate.

2. All changes to employees' user duties should be reflected in access control rights. All changes should be carried out on a timely basis. Access privileges should be disabled or modified when users change jobs, leave the Agency permanently, or are on leave for a prolonged period.

3. User access rights should be in accordance with the information owner and should be authorised by the user's manager before the user is granted access to the information or system. The manager should ensure that the user has sufficient understanding of the system.

4. Access control mechanisms (software, or equivalent features within system software) should be used to restrict access to all computer systems, including hardware, software and data.

5. If user authentication is based upon passwords, the following controls should be considered:
• The user should be required to change temporary passwords at the first logon (temporary passwords only being valid for one day);
• Users should be required to change their authentication code after a predetermined period of time, through either automatic or manual means, and should not be allowed to reuse an authentication code for at least 13 cycles;
• Where passwords are used as authorisation, users should be educated in selecting and using passwords.

10.1.3 User Responsibilities

1. Users should be made aware of their responsibilities with regard to system access.

2. User access should be disconnected and their account disabled after three rejected attempts to logon. When a terminal or PC has been logged on and no activity has occurred for a period of time, the device should be automatically locked and require re-input of the user identifier.
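The password and logon controls of 10.1.2 item 5 and 10.1.3 item 2 (temporary passwords valid one day and changed at first logon, no reuse for 13 cycles, account disabled after three rejections, idle lock) expressed as a small reference model. This is an added example, not code from the IS18 supplement; the idle period, the hashing parameters, the function names and the sample accounts are assumptions made for the illustration.

```python
"""Reference model of the IS18 logon controls (added example, not the supplement's code)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple
import hashlib
import hmac
import os

TEMP_PASSWORD_LIFETIME = timedelta(days=1)  # 10.1.2 (5): temporary passwords valid one day
PASSWORD_HISTORY_CYCLES = 13                # 10.1.2 (5): no reuse for at least 13 cycles
MAX_REJECTED_ATTEMPTS = 3                   # 10.1.3 (2): disable after three rejections
IDLE_LOCK_AFTER = timedelta(minutes=15)     # assumed; the page gives no figure
PBKDF2_ROUNDS = 20_000                      # lowered to keep the example fast


def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    user_id: str
    # (salt, digest) pairs, newest first; index 0 is the current password
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)
    temporary: bool = True
    issued_at: Optional[datetime] = None
    rejected: int = 0
    disabled: bool = False
    last_activity: Optional[datetime] = None


def create_account(user_id: str, temp_password: str, now: datetime) -> Account:
    """Issue an account with a temporary password that must be changed at first logon."""
    salt = os.urandom(16)
    return Account(user_id, [(salt, _digest(temp_password, salt))], True, now)


def attempt_logon(acct: Account, password: str, now: datetime) -> str:
    """Returns OK, CHANGE_REQUIRED, TEMP_EXPIRED, REJECTED or DISABLED."""
    if acct.disabled:
        return "DISABLED"
    salt, digest = acct.history[0]
    if not hmac.compare_digest(_digest(password, salt), digest):
        acct.rejected += 1
        if acct.rejected >= MAX_REJECTED_ATTEMPTS:
            acct.disabled = True          # three rejections: account disabled
            return "DISABLED"
        return "REJECTED"
    acct.rejected = 0
    if acct.temporary:
        if now - acct.issued_at > TEMP_PASSWORD_LIFETIME:
            return "TEMP_EXPIRED"         # one-day validity of the temporary password
        return "CHANGE_REQUIRED"          # must be changed at first logon
    acct.last_activity = now
    return "OK"


def change_password(acct: Account, new_password: str, now: datetime) -> str:
    """Reject any password still inside the 13-cycle history window."""
    for salt, digest in acct.history[:PASSWORD_HISTORY_CYCLES]:
        if hmac.compare_digest(_digest(new_password, salt), digest):
            return "REUSED"
    salt = os.urandom(16)
    acct.history.insert(0, (salt, _digest(new_password, salt)))
    acct.temporary = False
    acct.issued_at = now
    return "CHANGED"


def session_state(acct: Account, now: datetime) -> str:
    """10.1.3 (2): a session with no activity for the idle period is locked."""
    if acct.last_activity is None or now - acct.last_activity > IDLE_LOCK_AFTER:
        return "LOCKED"
    return "ACTIVE"


if __name__ == "__main__":
    t0 = datetime(2001, 9, 21, 9, 0)
    a = create_account("jsmith", "Temp-1234", t0)      # constructed sample account
    print(attempt_logon(a, "Temp-1234", t0))           # CHANGE_REQUIRED
    print(change_password(a, "Spring-0001", t0))       # CHANGED
    print(attempt_logon(a, "Spring-0001", t0))         # OK
    print(session_state(a, t0 + timedelta(hours=1)))   # LOCKED
```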

10.1.4 Network access controls

1. To prevent and reduce the risk of users selecting routes to network services outside authorised access paths, Agencies' access control processes and policies should implement enforced network paths.

2. Policies should be documented outlining methods for security and consistency of data, computers and communications infrastructure in Agency networks.

3. Networks should be configured and protected to ensure that a compromise or security breach in one network will not allow access to other networks.

4. Where interconnection is required between corporate networks and public networks, source and destination address checking mechanisms should be used, eg firewall protection.

5. If firewall protection is utilised, Agencies should consider implementing a firewall security policy outlining connection rules, incident monitoring and audit processes.

6. Sufficient audit logs should be kept of system administrator logins and any changes to equipment configurations, to monitor the security of networks and communications infrastructure.

7. To minimise risks from external connections, Agency remote access processes should at a minimum register all persons with remote access privileges, log all remote access attempts and activity, and ensure all users are authenticated before access to the network is granted.

8. In relation to controlling unauthorised network access, Agencies should consider:
• Node authentication and dedicated lines;
• Restrictions to traffic type (i.e. electronic mail, one or two way file transfer, or interactive communications) or time;
• Implementing gateway and firewall technologies for filtering and controlling traffic;
• Implementing intrusion detection software.

10.1.5 Computer access control

1. The user's logon procedure should disclose minimum information about the system. The logon should be validated only on correct input of all data.

2. Authentication management should include:
• Encrypting authentication codes transmitted across Agency and other networks;
• Ensuring that passwords are not written or recorded in plain text on any media, including automated logon scripts and hard-coding into in-house software;
• Reviewing and possibly disabling access rights which have not been used within the last 30 calendar day period.

3. Agencies should consider implementing standard approaches to network configuration to allow for planning and risk assessment of security across the network, eg. servers that run dedicated services such as virus protection or firewalls should be devoted to running that software only.

4. All access control privileges of users should default to denial of access when there is a malfunction in the computer or network access control system.

5. Authentication codes should be changed when there is an indication of possible system security or authentication code compromise. All failed access attempts should be monitored, reviewed and appropriate action taken.

10.1.6 Application access control

1. Agencies should consider implementing controls that assist in restricting access to information within applications, by the use of menus and controlling access rights (eg read, write, delete).

2. Access to system utilities that may be used to alter data or program code should be kept to a minimum, with all system master passwords restricted to, and maintained by, the Information and System Security Administrator or applicable appointee.

3. All systems' utilities that may be used to alter data or program code should be registered, with access to these utilities recorded in system log files. Access to such utilities should be restricted to authorised personnel in accordance with their work function.

4. All remote access support applications and utilities should only be provided to authorised information systems support personnel. Policies should also be in place for the configuration of such systems.

5. All vendor and default passwords provided with IT equipment should be changed prior to a system going into operation.

10.1.7 Monitoring system access and use

1. In access control policies, Agencies need to consider what events and which systems need to be logged and monitored in order to detect deviation from normal access in the event of security incidents, and the risk to information and systems. These logs should include recording exceptions and access logs along with access activities including:
• User IDs, successful and failed logon and logoff dates and times, and files accessed.
• Use of systems' utilities and operator privileges.
• Systems' failures and alerts including failed access attempts through firewalls and gateways.

2. Significant security relevant events (eg. time of logins, modification to critical business applications) should be included in the system log.

3. The current time should be accurately reflected in the internal clock of all networked computers and servers.

4. Logging software and logs produced should be resistant to any attempted deactivation, modification and/or deletion. Where there has been a suspicion of computer crime or abuse, relevant information should be stored in a safe and secure place.

5. Logs should be in place for production systems handling confidential information.

6. The use of special privileges should be restricted and controlled, as the unnecessary allocation or unauthorised use of special privileges can be a major factor in system security failure. Special privileges include:
• High privilege users (for example administrator/supervisor access rights)
• Security administration (for example security administrator)
• Root access / operating system access
• Network management access; and
• Database administration

7. Logs should be in place for systems handling sensitive information. The logs should minimally include:
• user-ids
• times and dates for log-on and log-off
• terminal identifier
• records of successful and unsuccessful system access.
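A review pass over access-log records of the kind 10.1.7 items 6 and 7 call for (user-id, date and time, terminal identifier, success or failure), flagging incomplete records, the three-rejection threshold of 10.1.3, use of special privileges and out-of-order timestamps that point at a wrong clock (item 3). This is an added example, not code from the IS18 supplement; the log format, the privileged account names and every sample line are constructed for the illustration.

```python
"""Access-log review against the IS18 minimum log content (added example)."""
from collections import defaultdict
from datetime import datetime
from typing import Dict, List

REQUIRED_FIELDS = ("user", "term", "event", "result")             # 10.1.7 (7)
PRIVILEGED_USERS = {"root", "administrator", "secadmin", "dba"}   # 10.1.7 (6), assumed names
MAX_REJECTED_ATTEMPTS = 3                                          # 10.1.3 (2)

# Constructed sample log: ISO timestamp followed by key=value fields.
SAMPLE_LOG = """\
2001-09-21T09:02:11 user=jsmith term=TTY07 event=logon result=success
2001-09-21T09:05:40 user=kjones term=PC112 event=logon result=failure
2001-09-21T09:05:52 user=kjones term=PC112 event=logon result=failure
2001-09-21T09:06:03 user=kjones term=PC112 event=logon result=failure
2001-09-21T09:06:30 user=root term=TTY01 event=logon result=success
2001-09-21T09:07:15 user=root term=TTY01 event=utility name=sysedit result=success
2001-09-21T08:59:59 user=lbrown term=PC045 event=logon result=success
2001-09-21T09:10:00 user=jsmith event=logoff result=success
2001-09-21T09:12:45 user=root term=TTY01 event=logoff result=success
"""


def parse_record(line: str) -> Dict[str, object]:
    """Split one log line into a timestamp plus its key=value fields."""
    stamp, *fields = line.split()
    record: Dict[str, object] = {"time": datetime.fromisoformat(stamp)}
    for item in fields:
        key, _, value = item.partition("=")
        record[key] = value
    return record


def review_access_log(text: str) -> Dict[str, List]:
    report: Dict[str, List] = {
        "incomplete": [],          # (line no, missing fields): log does not meet 10.1.7 (7)
        "lockout_candidates": [],  # (user, terminal, time) of the third consecutive rejection
        "privileged": [],          # (line no, user, event, utility) for special-privilege use
        "clock_skew": [],          # line numbers whose time runs backwards (10.1.7 (3))
    }
    failures = defaultdict(int)    # consecutive failed logons per user
    latest = None
    for number, line in enumerate(text.splitlines(), 1):
        record = parse_record(line)
        missing = [f for f in REQUIRED_FIELDS if f not in record]
        if missing:
            report["incomplete"].append((number, missing))
        when = record["time"]
        if latest is not None and when < latest:
            report["clock_skew"].append(number)
        latest = when if latest is None else max(latest, when)
        user = record.get("user")
        if record.get("event") == "logon":
            if record.get("result") == "failure":
                failures[user] += 1
                if failures[user] == MAX_REJECTED_ATTEMPTS:
                    report["lockout_candidates"].append((user, record.get("term"), when))
            else:
                failures[user] = 0
        if user in PRIVILEGED_USERS:
            report["privileged"].append((number, user, record.get("event"), record.get("name")))
    return report


if __name__ == "__main__":
    for category, entries in review_access_log(SAMPLE_LOG).items():
        print(category, entries)
```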

10.1.8 Mobile equipment and teleworking

1. Portable computers should have a BIOS password or equivalent in operation, with file access protection to prevent access by unauthorised users in the event of being misplaced or stolen.

2. Procedures for access protection of mobile devices including phones and palm pilot devices should be considered in Agency access policies.

3. Controls such as backup and virus protection should be outlined in Agency mobile and teleworking procedures.

4. Where teleworking from home is adopted by Agencies, policies, procedures and requirements should be clearly documented to authorise and control teleworking activities.

5. Agencies should ensure that physical security and use of Government assets and the sensitivity of information accessed are clearly addressed in the policy.

6. Where Agencies are considering the attachment of privately owned devices connecting to the Agency network (for example access to email using home computers), detailed risk assessments should cover all possible security threats, including:
• Lack of control of home PCs (for example unknown software, access by family, friends)
• Increased risk of disclosure of information
• Access security aspects (such as writing down of instructions for login including passwords)
• Increased risk of malicious code and virus attack
• Possibility of the PC becoming a bridge to the Internet (for example if the user connects to both the Internet and the Agency)
• Adverse impacts upon other connecting Agencies.

10.2 Further Reference

Australian Standard: AS/NZS 4444.2:2000 (Section 4.7)
AS/NZS 4444.1:1999 (Section 9)
AS/NZS ISO/IEC 17799:2001 (Section 9)
Defence Signals Directorate: Australian Communications-Electronic Security Instruction 33 (ACSI 33)
Commonwealth of Australia: Protective Security Manual, Australian Government Publishing Service, Canberra, 2000
Financial Management Standard 1997 - Treasury
Financial Management Practice Manuals - Treasury

11 Systems Development and Maintenance

11.1 Best Practice

11.1.1 Security in application systems

1. When evaluating software packages, Agencies should ensure that security controls are addressed as part of the evaluation process.

2. Agencies should consider implementing policies and processes to outline their practices for input validation, internal processing checks and controls, message authentication techniques and output data validation within application and systems development. Practices should be in accordance with the risks associated with the system data.

3. The security controls of audit trails and activity logs should be written into applications for the validation of data and internal processing.

11.1.2 Cryptographic controls

1. Encryption is critical in providing adequate security controls for systems and applications. When used, it provides a means of protecting confidentiality and integrity, and of ensuring strong authentication and non-repudiation of information.

2. Agencies should implement cryptographic controls commensurate with the international standard, for example Rijndael, triple Data Encryption Standard (DES) or equivalent strength appropriate to the classification of information and business requirements.

3. When investigating PKI services or technologies for applications, Agencies should ensure that controls are selected appropriate to the risk of the information.

11.1.3 System file security

1. Operational software should be maintained at a level supported by the supplier.

2. Appropriate testing, planning and migration control measures should be carried out when upgrading patches or new software versions, to ensure the overall security of the Agency operational environment is not adversely impacted.

3. The testing of systems and data should be controlled and monitored, especially where operational data sets are used.

4. Control measures should be in place for maintaining and accessing program and system source libraries.

11.1.4 Development and support security

1. When outsourcing the development of applications, licensing arrangements, code ownership and intellectual property rights should be taken into contract consideration.

2. Policies should be in place for control of changes to operational applications, including version control for software upgrades.

3. Agencies should ensure that all software programs introduced into the operating environment do not impact the security of existing information and systems.

4. Software products should be formally evaluated.

11.2 Further Reference

Australian Standard: AS/NZS 4444.2:2000 (Section 4.8)
AS/NZS 4444.1:1999 (Section 10)
AS/NZS ISO/IEC 17799:2001 (Section 10)
Commonwealth of Australia: Protective Security Manual, Australian Government Publishing Service, Canberra, 2000
Defence Signals Directorate: Australian Communications-Electronic Security Instruction 33 (ACSI 33)
Financial Management Standard 1997 - Treasury
Financial Management Practice Manuals - Treasury

12 Business Continuity Management

12.1 Best Practice

12.1.1 Continuity Plans

1. When developing information business continuity management plans, Agencies should consider adapting the AS/NZS 4360:1999 Risk Management Guide.

2. An information business continuity plan should be prepared and tested periodically for all business and computer systems. The testing strategy to be implemented will be influenced by the importance of the system to the business operations and the ability to recover the system within the time frames required by users.

3. Agencies should determine and document the manner in which business operations and client services will be carried out while the technical recovery strategy is being implemented.

4. A copy of the information business continuity plan should be stored off site in a secure manner to ensure that plans can be implemented in the case of a disaster.

5. A review should be undertaken of any significant disruption to information services or failures to ascertain the cause, assess the remedy and ensure procedures are adjusted to reduce the likelihood of any repeat occurrence.

12.1.2 Vulnerability Assessment

When determining the vulnerability of the information or system, factors to consider are:
• The value to another party if they were able to obtain access to the information;
• The disruption that would result if the information or system(s) were unavailable or deleted;
• The impact of the information being inaccurate or incomplete;
• The ease with which it can be accessed, amended or deleted; and
• The likelihood that an access attempt would remain undetected and untraced.

If the risk of any one of the above is rated as unusually high, then additional security measures should be considered.

12.1.3 Impact Assessment

The following factors should be considered in determining the impact to the Government if the information, process or other assets were to be accessed, deleted, or amended:
• Risk to life;
• Loss of customer/citizen confidence and satisfaction;
• Disruption to delivery of goods or services;
• Delays in collection of revenue;
• Disruption to procurement of goods or services;
• Delays in paying suppliers or personnel;
• Diversion of goods;
• Loss of commercial advantage (eg. unauthorised access to tender responses and evaluation);
• Disruption to transmission;
• Deterioration in quality of goods or services;
• Diversion of funds;
• Inability to manage funds;
• Delays in provision of information to regulators or investors;
• Inability to meet statutory or contractual obligations;
• Additional workload arising from the need to revert to manual operations, correction of errors, and processing of backups;
• Increased risk of fraud or error;
• Loss of management control; and
• Loss of productivity.

12.2 Further Reference

MAB/MIAC Report No.22, October 1996: Guidelines for Managing Risk in the Australian Public Service

13 Compliance

13.1 Best Practice

1. Agencies should seek advice on specific legal compliance requirements from their Agency legal advisers.

2. Agencies should include in their Agency security education programs responsibilities for compliance with legal and legislative issues, in particular copyright, licensing and terms and conditions of use infringements of information and software systems.

3. Agencies should also consider including responsibilities for the preservation and integrity of information in education programs.

13.1.1 Compliance with legal requirements

1. Agencies should be aware of, and develop processes to ensure, all legal and legislative obligations are observed when using and managing information.

2. Agencies should have in place processes for maintaining awareness of copyright, licensing, and terms and conditions of use infringements of information and software systems.

3. Agencies should ensure effective policies and procedures are in place for effective disciplinary actions when dealing with breaches of information security.

13.1.2 Reviews of security policy and technical compliance

Information policies, procedures and compliance should be reviewed and reported to appropriate management at least annually to ensure the reliability and overall security of operational applications, operating environment and technical infrastructure.

13.2 Further Reference

Australian Standard: AS/NZS 4444.2:2000 (Section 4.10)
AS/NZS 4444.1:1999 (Section 12)
AS/NZS ISO/IEC 17799:2001 (Section 12)
Financial Management Standard 1997 - Treasury
Financial Management Practice Manuals - Treasury

13. Definition of Terms

Acceptance testing: Testing of software systems to determine whether the system meets the required criteria.

Authentication: The process that verifies the claimed identity of an individual as established by an identification process.

Authorised Use: Use by individuals who have:
• Received the appropriate authorisation (which must be signed and documented as stipulated in local business procedures) before operating the relevant device or service;
• Agreed to abide by the policies, guidelines and local practice arrangements for use of the relevant device or service, and who have appropriately acknowledged this agreement where required.

Availability: Ensuring that authorised users have access to information and associated assets when required.

Building and Entry Controls: Access control mechanisms which restrict access to areas, such as checking of identification, access tokens or smartcards.

Business Continuity Plan: A plan which describes a sequence of actions, and the parties responsible for carrying them out, in response to a series of identified risks, with the objective of restoring normal business operations as quickly as possible.

Classification: The systematic arrangement of information into logical categories.

Confidentiality: Ensuring that information is accessible only to those authorised to have access.

Confidentiality Agreement: Agreement indicating agreement to abide by Agency confidentiality requirements.

Cookies: A message given to a web browser by a web server; this can be used to identify a user.

Controlled Environment: Environment where security measures have been implemented.

Cryptography: Embodies principles, means and methods for the transformation of data in order to hide its information content, prevent its undetected modification and/or its unauthorised use.

Data: Information, for example numbers, text and images, in a form that is suitable for storage in or processing by a computer.

Development Environment: A systems area separated from the operational systems area for the purpose of developing and upgrading software systems or applications.

Disciplinary Action: In the event that employees and agents are proven to have breached the conditions of this and associated policies, disciplinary action as outlined in the Public Service Act 1996 and Agency Code of Conduct and/or legal action and prosecution.

Employees and Agents: Includes persons engaged in the capacity of permanent, temporary and casual employment of

Security Controls: Hardware, programs, procedures, policies and physical safeguards which are put in place to assure the integrity and protection of information and the means of processing and accessing it.

Security Incidents: May include, but are not limited to, any act that:
• Does not comply with the requirements of this policy;
• Exposes the

Attachment A Suggested policy templates

Agency Information Security Policy

1. INTRODUCTION

This section should contain a general statement em

Information Security
Information Asset Classification and Control Policy

1. Purpose

2. Scope

3. Policy

3.1. Asset Accountability
• How are all major information assets accounted for?
• What are the major information assets? (Where is this documented?)
• How are owners of these assets nominated? Who are they? (Where is this documented?)
• Who is responsible for establishing and maintaining the inventory of information assets? (Where is this documented?)

3.2. Classification of Information
• Who is responsible for specifying and maintaining classifications of information?
• Information asset labelling: what needs to be labelled (and where is this documented)?
• Handling: how is classified information to be handled, stored, transmitted or disseminated?
• Disposal: how is classified information to be disposed of and how is this to be authorised?

*Sample Document Only*

*NB. Agencies should develop detailed policies and procedures for many of the topics covered in this high-level policy.

Information Security
Personnel Security Policy

1. Purpose

2. Scope

3. Policy

3.1. Job Descriptions
• Will security be addressed in all job descriptions or only those with access to classified information?
• Who is responsible for assessing the level of security and ensuring that it is addressed in job descriptions?
• What verification checks will be made on job applicants, contractors, and consultants?
• Who authorises this? And who is authorised to carry out these checks?

3.2. Confidentiality
• Will confidentiality agreements be signed?
• Do terms and conditions of employment outline security responsibilities?

3.3. User education
• What security responsibilities will be included in induction and ongoing staff training?
• How will security responsibilities be communicated to staff and when?

3.4. Responding to security incidents
• What are reportable security incidents? Weaknesses?
• What is the process for reporting security incidents?
• How will it be communicated to staff?
• Who is responsible for following up security incident reports?
• What are reportable software malfunctions? How will they be reported, monitored and resolved?
• Who is responsible for following up and resolving malfunctions?

3.5. Disciplinary process
• What is the disciplinary process for security violations? How is it communicated to staff? And who is authorised to deal with security violations?

*Sample Document Only*

NB. Agencies should develop detailed policies and procedures for many of the topics covered in this high-level policy.

Information Security
Physical & Environmental Security Policy

1. Purpose

2. Scope

3. Policy

3.1. Physical security and entry controls
• What areas need physical entry and perimeter controls? Eg computer rooms, document storage? How are all other areas to be secured? Offices, workstations, delivery facilities, third party access?

3.2. Equipment siting
• How and where is critical equipment to be sited? What safeguards are to be in place?

3.3. Power supplies
• What safeguards are in place for power supplies to critical equipment?

3.4. Cabling and communications equipment
• How is cabling to be protected? How is communications equipment to be housed?

3.5. Equipment maintenance
• How, and by whom, is maintenance on equipment allowed to be carried out?

3.6. Off-site equipment
• What is the policy on security of equipment kept off site, eg home use equipment, portable equipment?

3.7. Disposal and re-use of equipment
• What is the process, and who authorises the disposal and reuse of equipment?

3.8. General equipment security
• What is the Agency policy for unattended workstations, unattended facsimiles, etc?

*Sample Document Only*

*NB. Agencies should develop detailed policies and procedures for many of the topics covered in this high-level policy.

Information Security

Operational Security Management Policy

1. Purpose

2. Scope

3. Policy

3.1. Documentation of operating procedures

What processes must be documented and who is responsible?

Is there a document style template that must be used?

3.2. Change control

What processes are subject to authorised change control?

Is there a process for implementing changes to information systems?

3.3. Incident management

What types of security incident must be reported?

What is the reporting structure for reporting these?

What are the procedures to be carried out for each type of incident?

3.4. Segregation of duties

What is the policy for segregating duties that might involve a conflict of interest?

What are the specific duties that must be segregated?

3.5. External facilities

Who authorises the use of external facilities management?

What are the security issues that must be addressed in external facilities management?

Who monitors security in external facilities, and how?

3.6. Operational environment separation

What is the policy with regard to separating the development/testing environment from the operational environment?

3.7. Capacity planning

Who is responsible for information systems capacity planning?

What processes or systems need to be monitored for future planning?

3.8. System acceptance

Who is responsible for the migration of new systems or upgrades into the operating environment?

What checks and processes need to be carried out before taking systems into production?

3.9. Virus protection

What is the Agency method for ensuring only authorised software is used?

What is the Agency method for virus and malicious code protection?

Who is responsible for cleaning up and reporting virus attacks?

How will users be educated?

3.10. Systems maintenance

What is the policy on backup?

What is the policy for logging system activities?

What is the policy on systems maintenance, including authorisation processes?

3.11. Network management

Who is responsible for network management?

What are the policies and processes for remote access?

Who authorises external connections?

3.12. Media handling and security

What is the process for reusing media, eg. hard drives, backup tapes?

What is the process for transporting and storing media?

What is the process for disposal of all types of information, eg. paper documents, disks and system documentation, and who authorises it?

What is the process for storage, handling and access for all types of information, eg. how is media to be labelled, use of distribution lists, filing of e-mails and facsimiles?

3.13. Exchange of information

Who authorises information exchange?

What types of information can be sent over public networks, eg. by facsimile or e-mail, and who authorises this?

What checks are in place to confirm receipt of transmissions?

Who authorises 'on-line' or publicly available transactions/systems?

What checks are to be carried out prior to instituting these?

When is encryption used, what level of encryption can be used, and who authorises this?

What is the policy on e-mail?

What is the policy in relation to information and communication devices, including answering machines, electronic diaries, etc?

3.14. Reporting regimes

What is the process and policy for Agency security reporting: what needs to be reported, how is the information to be collected and who is the information to be reported to?

*Sample Document Only*

NB. Agencies should develop detailed policies and procedures for many of the topics covered in this high-level policy.


Information Security

Access Controls

1. Purpose

2. Scope

3. Policy

3.1. Access control policy

Who grants authorisation for access to systems and business applications, and how?

3.2. User access

How is access to information systems to be granted (eg. passwords, etc)?

Who is responsible for monitoring and reviewing access rights?

Who is responsible for removing redundant User IDs and accounts and notifying their removal, and what is the process?

Who is responsible for granting access to system utilities and for privilege management?

How is access to and use of system utilities monitored?

3.3. User responsibilities

How are users to be educated and made aware of access responsibilities?

What are users' responsibilities for access and passwords?

3.4. Network access

Who is responsible for authorising network access (both internal and external connections)?

What is the process for enforced network paths, user authentication for external connections, node authentication and use of remote diagnostic ports?

How will network domains and groups be segregated?

What network connection controls will be in place, eg. times, type and size of file transfers to external sources?

3.5. Operating system access

How is automatic terminal identification used to authenticate connections to specific locations and portable equipment?

What is the secure logon and logoff process for access?

Are there restrictions on connection times in place?

How will passwords be issued and managed, and what are the rules for passwords?

How will the use of system utilities be controlled?

3.6. Application access

Who authorises application access, eg. read, write?

What is the process for authorising access to information when systems share resources, eg. two separate systems are integrated to form a third application or system?

3.7. Monitoring system access

What system events will be logged, eg. date, IP address, User IDs, unsuccessful logins, alerts from intrusion detection systems (firewall)?

When will system logs be reviewed and monitored, and by whom? Where are they stored?

3.8. Mobile computing and telecommuting

Outline Agency policy for each type of mobile device, eg. physical storage, personal usage, protection of information held on the device, access mechanisms (eg. password), virus protection, backup.

Policy on use of computer equipment for telecommuting, eg. authorisation process, system access, physical security, etc.

*Sample Document Only*

NB. Agencies should develop detailed policies and procedures for many of the topics covered in this high-level policy.


Information Security

System Development and Maintenance Policy

1. Purpose

2. Scope

3. Policy

3.1. System requirements

What are the security controls that should be addressed in new systems or upgrades, eg. input data validation, internal processing, message authentication, output data validation?

3.2. Use of cryptography

When is encryption to be used?

Who authorises the use of encryption?

What strength of encryption is being used?

Who will assess the need for PKI?

3.3. Security of system files

How is access to system files granted?

Who is responsible for monitoring and recording changes to systems?

What is the policy on keeping previous versions of software?

What checks will be in place for assessing the impact of new systems or changes on existing systems?

Who is responsible for authorising new systems or changes into the operational environment?

Where will test data for systems originate from (eg. will operational data be used? If so, how will it be monitored and who authorises it)?

How will program source code be monitored and maintained?

3.4. Development and support

What is the change request process for systems?

Who can authorise changes to systems? Who carries these out?

Who authorises when changes to systems will occur (eg. timing in relation to business activities)?

What is the process for upgrading software: who assesses the changes and their impact on current systems, business activities and costs?

What checks are in place for ensuring that outsourced software development addresses Agency information security requirements?

What is the process for testing and evaluating software?

*Sample Document Only*

NB. Agencies should develop detailed policies and procedures for many of the topics covered in this high-level policy.

