7/21/2019 Is18 Best Practice Guide
1/56
Queensland Government Information Architecture
Information Standard 18
Information Security
Best Practice Supplement
DOCUMENT CONTROL
Document Details
Document Reference/Name: IS18BPS_V1.00.00
Version Number: V1.00.00
Documentation Status: Working Draft / RFC / IS / Archived
GIA Domain: Information Management
Next Scheduled Review Date: In line with Information Standard 18
Version History
Version Number | Date | Reason/Comments
V0.00.01 | 23 May 2001 | DRAFT
V0.00.02 | 2 June 2001 | DRAFT
V0.00.03 | 1 September 2001 | Incorporated Agency feedback
V1.00.00 | 21 September 2001 | Issued
Contents
1 Background
2 Implementation
2.1 Implementation Timeframe
2.2 Implementation Process
3 Risk Assessment
3.1 Further Reference
4 Agency Security Policy
4.1 Best Practice
4.2 Further Reference
5 Security Framework
5.1 Best Practice
5.1.1 Information Security Framework
5.1.2 Security of Third Party Access
5.1.3 Outsourcing
5.2 Further Reference
6 Information Asset Classification and Control
6.1 Best Practice
6.1.1 Accountability for assets
6.1.2 Information classification
6.2 Further Reference
7 Personnel Security
7.1 Best Practice
7.1.1 Security in job definition and resourcing
7.1.2 User training
7.1.3 Responding to security incidents
7.2 Further Reference
8 Physical and Environmental Security
8.1 Best Practice
8.1.1 Secure Areas
8.1.2 Equipment Security
8.1.3 General Controls
8.2 Further Reference
9 Operational Security Management
9.1 Best Practice
9.1.1 Operational procedures and responsibilities
9.1.2 System planning and acceptance
9.1.3 Protection against malicious software
9.1.4 Systems maintenance
9.1.5 Network management
9.1.6 Media handling
9.1.7 Exchanges of Information and Software
9.1.8 Reporting Regime
9.2 Further Reference
10 Access Control
10.1 Best Practice
10.1.1 Business requirements for access control
10.1.2 User access management
10.1.3 User Responsibilities
10.1.4 Network access controls
10.1.5 Computer access control
10.1.6 Application access control
10.1.7 Monitoring system access and use
10.1.8 Mobile equipment and teleworking
10.2 Further Reference
11 Systems Development and Maintenance
11.1 Best Practice
11.1.1 Security in application systems
11.1.2 Cryptographic controls
11.1.3 System file security
11.1.4 Development and support security
11.2 Further Reference
12 Business Continuity Management
12.1 Best Practice
12.1.1 Continuity Plans
12.1.2 Vulnerability Assessment
12.1.3 Impact Assessment
12.2 Further Reference
13 Compliance
13.1 Best Practice
13.1.1 Compliance with legal requirements
13.1.2 Reviews of security policy and technical compliance
13.2 Further Reference
Definition of Terms
Attachment A - Suggested policy templates
1 Background
The effective management of information and supporting systems is fundamental to ongoing client service delivery, provision of integrated services and the sharing of information. The objective of information security is to maintain business continuity and minimise business damage by preventing or limiting the impact of security breaches.
This supplementary guide has been developed to support agencies implementing Information Standard 18 Information Security and to simplify and limit the impact of security management issues. The level or degree of security that is required within each Agency will depend upon a number of factors including:
- The value of the information;
- The impact of the loss of assets;
- The risks to which they are exposed; and
- The extent to which they are affected by legal and regulatory requirements.
This document is provided for general guidance only; Agencies should consider the information provided in this supplement as reference material. The security control measures required will depend on individual Agency situations.
Agencies need to conduct a risk assessment of information security controls currently in place and determine where controls need to be implemented or processes improved to meet the mandatory principles of Standard 18 and individual Agency requirements. The results of the risk assessment should be used to prioritise the security controls required.
2 Implementation
As outlined in Information Standard 18 Attachment A, Agencies are required to conduct a high level risk assessment of existing Agency security controls to determine whether these meet the minimum requirements of the mandatory principles within 6 months of the endorsement of this standard.
Where measures to meet the mandatory principles are not in place, and their absence is determined to be of a high risk (major consequences and medium/high likelihood of occurrence) to Agency operations, these must be implemented in Agencies by 31 December 2002.
2.1 Implementation Timeframe
Phase | Responsibility | Completed
1. Risk Assessment to identify, analyse and evaluate risks | Agency Managers/External Advice/Information Security Officer | 6 months from endorsement of Standard 18.
2. Prioritise implementation of mandatory principles | Agency Managers/Information Owners/Information Custodians & System Administrator/IT Managers | 6 months from endorsement of Standard 18.
3. Implement mandatory principles where the risk is determined to be high | Agency Managers/Information Owners/Information Custodians & System Administrator/IT Managers | Prior to December 31 2002
4. Implementation of principles and security issues of medium/low impact | Agency Managers/Information Owners/Information Custodians & System Administrator/IT Managers | Ongoing
5. Business Continuity Planning | Agency Managers/Information Owners/Information Custodians & System Administrator/IT Managers | Ongoing
2.2 Implementation Process
[Figure: Implementation Process flowchart. Elements shown: Agency Information Security Policy; Security Framework (roles and responsibilities); Risk assessment; Security controls consistent with risk assessment and information classifications (Personnel Security, Physical Security, Access Controls, Operational Controls, Systems Development Controls); Educate/Communicate; Information & Business Requirements; All Information Users; Asset Classification & Control (accountability & classification); Compliance; BCP; Information Standards; Legal & Legislative Requirements; Monitor & review. Key: Input, Activity, Mandatory Principle.]
3 Risk Assessment
It is recognised that many Agencies will have the majority of the security controls outlined in the standard already in place. However all Agencies are required to conduct a high-level risk assessment to determine where they do, or do not, meet the minimum requirements of the mandatory principles.
The risk assessment process is crucial in implementing effective information security management. Where agencies have no formal process for risk management in place it is strongly recommended that the Queensland Government Information Standards Information Risk Management Guide or the Australian Standard AS/NZS 4360:1999 - Risk Management are used.
The process and measures below are provided for guidance in applying the mandatory principles of Information Standard 18; some Agencies may wish to use more detailed measures.
Consequence Scale
Measure | Description
Major | Major problems would occur and threaten the provision of important services, resulting in significant economic loss and/or significant impact on Government.
Moderate | Services would continue but would need to be reviewed or changed.
Minor | Effectiveness of services would be threatened but dealt with.
Insignificant | Dealt with as a part of routine operations.
Likelihood Scale
Measure | Description
High | Is expected to occur in most conditions (1 or more times per year)
Medium | The event will probably happen in most conditions (2 years)
Possible | The event should happen at some time (5 years)
Unlikely | The event could happen at some time (10 years)
Risk Assessment (likelihood by consequence)
Likelihood | Insignificant | Minor | Moderate | Major
High | | | | HIGH RISK - Implement by December 2002
Medium | | | | HIGH RISK - Implement by December 2002
Possible | | | |
Unlikely | | | |
Rare | | | |
(HIGH RISK cells are those with major consequences and medium or high likelihood, as defined in Section 2.)
[Figure: High-level risk assessment of mandatory principles flowchart. Inputs shown: Information Standard Mandatory Principles; Agency operational requirements; Financial Management. Steps shown: Determine by April 2002; Prioritise implementation of principles; Implement by December 2002 where consequences are major and likelihood medium/high; Determine any other controls that may be required in a detailed risk ... Example shown: Principle 1 IS18 Agency Security Policy - Is there any Agency Security Policy? Is it endorsed by the CEO? Is it communicated to staff?]
3.1 Further Reference
...t be cleaned then the message should be blocked.
Anti-virus software should be regularly updated with new definition files.
Anti-virus software should be regularly reviewed. It may be necessary to use more than one type of scanning software to ensure that maximum protection is provided for all information platforms and environments.
Agencies should ensure that virus protection and recovery strategies are included in risk management and business continuity plans. Reporting of virus incidents should be included in internal Agency Security Incidents and Violations reports. See Section 8.1.8 for suggested reporting contents.
2. Audit logs
Agencies should use system audit logs such as firewall logs to detect any abnormal system activity including hacker or virus activity.
3. Firewalls and active content blocking
Content blocking may be considered as a method of reducing virus and malicious code; however, employing such a mechanism needs to have a risk assessment against the possible loss of business functionality.
Active content filters need to be installed on a gateway/firewall if they are to be effective in virus and malicious code control.
4. Education and awareness
Users should be educated about malicious software in general, the risks that it poses, virus symptoms and warning signs, including what processes should be followed in the case of a suspected virus. Agencies should consider network broadcasts or a system for alerting users of virus attacks.
Agencies should establish a policy outlining the prohibited use and installation of software not authorised by the Agency, including user responsibilities with regard to downloading software from Internet and e-mail sources.
9.1.4 Systems maintenance
To minimise threats to the integrity and availability of information, Agencies should consider but not limit activities to:
1. Backup
Backup cycles should be related to the business risk, the frequency with which data and software is changed and the criticality of the system to business operations. The cycle should include, as a minimum:
- Incremental daily backups of data and full weekly backups of all data, operating system and applications. Backups of data on a cycle deemed appropriate by the IT Manager, but as a minimum, on a weekly basis;
- Backups of the complete operating system and applications on a cycle deemed appropriate by the IT Manager, but as a minimum, on a monthly basis.
A register of backups, including verification of their success, should be maintained.
A cycle of backup media should be used for all backups, with at least one copy in each cycle stored off-site.
In addition to regular backup cycles, a system backup should be performed before and after major changes to the operating system, system software, or applications.
Consideration should be taken when upgrading technologies to ensure that backup data is able to be read in the new environment.
A cycle of regular tests should be implemented to verify that the system can be recovered from the backups produced.
A cycle of backup media should be retained of all information required to meet customer service, legal or statutory obligations. These backups should be tested and recreated at least annually and be stored off-site.
2. Operator Logs
Operator logs should be maintained, monitored and reviewed on a regular basis, to ensure that correct computer operating procedures have been complied with.
3. Fault Logging
Procedures should be implemented for the identification, monitoring, recording and corrective action taken on system faults and failures.
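Added example, not code from the Supplement or from any Agency: a Python check of a backup register against the minimum cycle and register requirements of item 1 above (daily data backups, weekly full, monthly operating system and application backup, verified success, an off-site copy per cycle). The register line format and the 31-day look-back for the monthly backup are assumptions.

```python
"""Check a backup register against the minimum cycle in 9.1.4 item 1.
Example code added to illustrate the Supplement; not an Agency tool."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List

# Constructed register extract (not from the Supplement). Assumed line format:
# date,kind,verification,offsite   with kind in {incremental, full, os_apps}.
REGISTER = """\
2002-02-05,os_apps,ok,yes
2002-03-01,incremental,ok,no
2002-03-02,incremental,ok,no
2002-03-03,full,ok,yes
2002-03-04,incremental,ok,no
2002-03-05,incremental,FAILED,no
2002-03-07,incremental,ok,no
2002-03-10,full,ok,no
"""


@dataclass
class BackupEntry:
    when: date
    kind: str         # incremental, full or os_apps
    verified: bool    # the register records the backup as verified successful
    offsite: bool     # a copy of the media for this backup is stored off-site


def parse_register(text: str) -> List[BackupEntry]:
    """Parse the comma-separated register lines; blank lines and # comments are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        when, kind, verification, offsite = (f.strip() for f in line.split(","))
        entries.append(BackupEntry(date.fromisoformat(when), kind,
                                   verification.lower() == "ok",
                                   offsite.lower() == "yes"))
    return entries


def check_cycle(entries: List[BackupEntry], as_of: str, window_days: int = 7) -> List[str]:
    """Return the gaps found in the window of `window_days` ending on `as_of` (ISO date).
    An empty list means the minimum cycle was met for that window."""
    end = date.fromisoformat(as_of)
    start = end - timedelta(days=window_days - 1)
    in_window = [e for e in entries if start <= e.when <= end]
    findings = []

    # Daily backups of data: every day in the window needs a verified incremental or full.
    covered = {e.when for e in in_window if e.kind in ("incremental", "full") and e.verified}
    for offset in range(window_days):
        day = start + timedelta(days=offset)
        if day not in covered:
            findings.append(f"no verified data backup on {day}")

    # At least one verified full backup (data, operating system, applications) per week.
    if not any(e.kind == "full" and e.verified for e in in_window):
        findings.append(f"no verified full backup in the {window_days} days to {end}")

    # Operating system and applications at least monthly: assumed 31-day look-back.
    month_start = end - timedelta(days=30)
    if not any(e.kind == "os_apps" and e.verified and month_start <= e.when <= end
               for e in entries):
        findings.append(f"no verified operating system/application backup in the 31 days to {end}")

    # At least one copy in each cycle stored off-site.
    if not any(e.offsite for e in in_window):
        findings.append(f"no off-site copy recorded in the {window_days} days to {end}")

    # Failed verifications are listed so the register remains an honest record.
    for e in in_window:
        if not e.verified:
            findings.append(f"{e.kind} backup on {e.when} failed verification")
    return findings


if __name__ == "__main__":
    for finding in check_cycle(parse_register(REGISTER), "2002-03-10"):
        print(finding)
```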
9.1.5 Network management
1. Agencies should document how they intend to manage and protect information integrity and availability on Agency networks from authorised and unauthorised connections. Suggested policy documents include:
- Connectivity processes and procedures for connecting to other Agency networks, including the products and encryption methods to be used.
- Firewall configuration and use.
- Security filters and gateways.
- Wireless LANs use.
- Remote user access mechanisms.
2. When documenting network management, Agencies should also consider maintaining up-to-date network and communications configuration diagrams.
3. Consideration should be given to ensuring all implementations adhere to manufacturers' or providers' security site-hardening recommendations.
9.1.6 Media handling
To minimise threats to information media, Agencies should consider but not limit activities to:
1. Documenting policies and processes for the marking, disposal and handling of removable computer media (tapes, disks, etc) and paper-based information (system documentation, reports, etc) to protect information from unauthorised disclosure or misuse. (Disposal of information must be in accordance with an Agency's Retention and Disposal Schedules and the Libraries and Archives Act 1988.)
2. When considering disposal methods, Agencies need to take into consideration the classification level of the information contained on the media and the type of media used for storage. For example, degaussing, magnetic media overwrite, laser and copier drum sanitisation, volatile media and physical destruction are methods that can be used for destroying information.
3. Agencies should consider instituting security controls and procedures for the physical transportation of Government information.
4. As outlined in previous sections, where information is temporarily removed from Government premises, including media (eg paper files, floppy disks), Agencies should ensure that policies for the care and handling of the material are in place, and that officers are educated in their responsibilities with regard to the safeguarding of the information.
9.1.7 Exchanges of Information and Software
Inter-Agency information exchange in the
1. Information Exchange Agreements
Exchanges of information and data between Agencies and/or third party organisations should be controlled and, where practical, in the form of a written agreement complying with relevant legislation and with Information Standard 42 - Information Privacy.
Any connection to or by third party networks or services should be conducted in the manner determined by the IT Manager or Chief Information Officer.
2. Security of media in transit
When transporting or mailing media or information, Agencies should implement policies and procedures for determining the methods for packaging and transporting the media based on the sensitivity and value of the information.
3. Internet Security
Internet security is a critical current and ongoing security issue for Agencies. The Internet creates a window into the Agency network that opens up the potential for unauthorised access and security threats to the integrity, confidentiality and availability of its information and all information facilities. Agencies should assess their web security requirements and develop policies and controls to manage all aspects of on-line and Internet activities.
The issues to take into consideration are numerous; however, a few of the points to assess include:
- Anonymity and privacy;
- Data confidentiality;
- The use of cookies;
- Applications and plug-ins;
- Type of language to be used;
- Practices for downloading executables;
- Web server security configuration and auditing;
- Access controls;
- The use of data encryption and PKI.
Impact and risk assessments should be conducted on all web security controls on a regular, if not on-going, basis, and external expert advice should be sought where possible.
When assessing risks and developing proposals for conducting on-line service delivery or exchanging information in any form in an on-line environment, some of the issues that Agencies need to consider include:
- Accountability - Tracing actions/events to
- Authentication - Verification of identity
- Authorisation - Who is authorised to transact business?
- Availability - What will be available when and to whom?
- Confidentiality - Use and storage of information and privacy requirements
- Verification - How is information verified?
- Liability - Who is liable for fraudulent or illegal transactions?
- Misrepresentation - Pretending to be someone else/providing false information
- Message sequencing - Relaying messages in a different order
- Modification - Changing the content of messages and data
- Denial of service - Flooding the network with messages
- Repudiation - Denial of message origin
4. E-Mail Security
E-mail is one of the most common uses of the Internet and is increasingly critical to the normal conduct of business. Therefore, Agencies need policies for e-mail in relation to employees' use of electronic mail and how e-mail will be managed within the Agency information management and technology environment.
Agency policies and procedures addressing e-mail use should consider the following points:
- Ensuring that passwords are used on e-mail systems
- Scanned signatures should not be used (they can be cut and pasted to give the appearance that a document was signed officially)
- E-mail communication is not private. Any opinions expressed via external e-mail, where they are not related to the conduct of business, should be noted as individual opinions and not those of the organisation by inclusion of a disclaimer. For example:
"This e-mail, together with any attachments, is intended for the named recipient(s) only. If you have received this message in error, you are asked to inform the sender as quickly as possible and delete this message and any copies of this message from your computer system network. Any form of disclosure, modification, distribution and/or publication of this e-mail message is prohibited. Unless stated otherwise, this e-mail represents only the views of the Sender and not the views of the Department of XXXXX."
- Ensuring e-mail systems are backed-up and maintained in accordance with operational systems management standards
- Agencies should ensure the evidentiary value of electronic message transactions, and the general reliability and availability of the electronic messaging system, is maintained
- Agency use policy should cover:
o The use of email to conduct official business - Clarification of the types of information that can and cannot be transmitted by e-mail systems, for example no transmission of classified information, staff-in-confidence or commercial-in-confidence material except where these systems have been established for such a purpose and have appropriate controls
o The use of email for personal business;
o Access control and confidential protection of messages;
o The management and retention of email messages.
5. Other forms of information Exchange:
Agency policies should address information security implications, practices and protocols in the use of communications and information devices including facsimile, telephones, answering machines, palm pilots and video communication.
9.1.8 Reporting Regime
1. Agencies should consider establishing an Agency "Register of Violations and Exposures" for reporting incidents (including Virus) to the Agency Information Executive Forum/Steering Committee.
2. Reports may contain:
- Details of the person reporting the exposure/violation and how the exposure/violation was detected;
- Date and time of violation;
- Nature of impact of exposure/violation including computer systems, software and hardware affected;
- Action that can or has been taken to prevent further compromise.
3. The Register of Exposures should be used as a tool when reviewing security policy, assessing security risks and preventing future occurrences, and in the ongoing security training of staff.
4. Reporting of security weaknesses and software malfunctions should also be monitored to assist in ongoing information integrity and availability.
9.2 Further Reference
Australian Standards: AS/NZS 4444.2:2000 (Section 4)
AS/NZS 4444.1:1999 (Section 8)
AS/NZS ISO/IEC 17799:2001 (Section 8)
Commonwealth of Australia: Protective Security Manual, Australian Government Publishing Service, Canberra, 2000
Financial Management Standard 1997 & Treasury Financial Management Practice Manuals - Treasury
Defence Signals Directorate: Australian Communications-Electronic Security Instruction 33 (ACSI 33)
7/21/2019 Is18 Best Practice Guide
31/56
Information Standard #o+ 18 Best Practice Supplement Information Security
10 Access Control
10.1 Best Practice
Access to information and systems should be considered in information security controls. Controls will vary according to Agency information classification and network infrastructure. In addition to those outlined in the standard the following may also be considered.
(Refer to Attachment A for suggested policy content.)
10.1.1 Business requirements for access control
1. Access policies should address detailed access control rules, based on 'what must be generally forbidden unless expressly permitted', ensuring that business requirements are followed.
2. Only granting users access to the information, programs and system software that they require to perform their day-to-day business functions.
10.1.2 User access management
1. The overall framework of access rights should be reviewed and amended on a regular basis to determine that they remain appropriate.
2. All changes to employees' user duties should be reflected in access control rights. All changes should be carried out on a timely basis. Access privileges should be disabled or modified when users change jobs, or leave the Agency permanently, or are on leave for a prolonged period.
3. User access rights should be in accordance with the information owner and should be authorised by the users' manager before the user is granted access to the information or system. The manager should ensure that the user has sufficient understanding of the system.
4. Access control mechanisms (software, or equivalent features within system software) should be used to restrict access to all computer systems, including hardware, software and data.
5. If user authentication is based upon passwords the following controls should be considered:
- The user should be required to change temporary passwords at the first logon (temporary passwords only being valid for one day);
- Users should be required to change their authentication code after a predetermined period of time, through either automatic or manual means, and should not be allowed to reuse an authentication code for at least 13 cycles;
- Where passwords are used as authorisation, users should be educated in selecting and using passwords.
10.1.3 User Responsibilities
1. Users should be made aware of their responsibilities with regard to system access.
2. User access should be disconnected and their account disabled after three rejected attempts to logon. When a terminal or PC has been logged-on and no activity has occurred for a period of time, the device should be automatically locked and require re-input of the user identifier.
10.1.4 Network access controls
1. To prevent and reduce the risk of users selecting routes to network services outside authorised access paths, Agencies' access control processes and policies should implement enforced network paths.
2. Policies should be documented outlining methods for security and consistency of data, computers and communications infrastructure in Agency networks.
3. Networks should be configured and protected to ensure that a compromise or security breach in one network will not allow access to other networks.
4. Where interconnection is required between corporate networks and public networks, source and destination address checking mechanisms should be used, eg firewall protection.
5. If firewall protection is utilised Agencies should consider implementing a firewall security policy outlining connection rules, incident monitoring and audit processes.
6. Sufficient audit logs should be kept of system administrator logins and any changes to equipment configurations, to monitor the security of networks and communications infrastructure.
7. To minimise risks from external connections, Agency remote access processes should at a minimum register all persons with remote access privileges, log all remote access attempts and activity, and ensure all users are authenticated before access to the network is granted.
8. In relation to controlling unauthorised network access Agencies should consider:
- Node authentication and dedicated lines;
- Restrictions to traffic type (i.e. electronic mail, one or two way file transfer, or interactive communications) or time;
- Implementing gateway and firewall technologies for filtering and controlling traffic;
- Implementing intrusion detection software.
10.1.5 Computer access control
1. The user's logon procedure should disclose minimum information about the system. The logon should be validated only on correct input of all data.
2. Authentication management should include:
- Encrypting authentication codes transmitted across Agency and other networks;
- Ensuring that passwords are not written or recorded in plain text on any media, including automated logon scripts and hard-coding into in-house software;
- Reviewing and possibly disabling access rights which have not been used within the last 30 calendar day period.
3. Agencies should consider implementing standard approaches to network configuration to allow for planning and risk assessment of security across the network, eg. servers that run dedicated services such as virus protection or firewalls should be devoted to running that software only.
4. All access control privileges of users should default to denial of access when there is a malfunction in the computer or network access control system.
5. Authentication codes should be changed when there is an indication of possible system security or authentication code compromise. All failed access attempts should be monitored, reviewed and appropriate action taken.
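The password and logon controls of 10.1.2(5), 10.1.3(2) and 10.1.5(1) and (4) above, worked through as an added example (the editor's own code, not part of this supplement); the Authenticator class, its method names, the return strings and the sample user ids are assumptions made for illustration.

```python
# Added example (editor's own code, not from the IS18 supplement): enforces the
# password and logon controls of 10.1.2(5), 10.1.3(2) and 10.1.5(1),(4).
# Class, method and field names are assumptions made for illustration.
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional

MAX_FAILED_ATTEMPTS = 3                      # 10.1.3(2): disable after three rejected logons
PASSWORD_HISTORY = 13                        # 10.1.2(5): no reuse for at least 13 cycles
TEMP_PASSWORD_LIFETIME = timedelta(days=1)   # 10.1.2(5): temporary passwords valid one day
PBKDF2_ROUNDS = 10_000                       # kept low for the example; use more in production


def _hash(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so stored codes are never kept in plain text (10.1.5(2))."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    user_id: str
    salt: bytes
    current: bytes                                       # hash of the code in force
    history: List[bytes] = field(default_factory=list)   # previous hashes, newest first
    temporary: bool = False
    issued_at: Optional[datetime] = None
    failed_attempts: int = 0
    disabled: bool = False


class Authenticator:
    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}

    def create(self, user_id: str, temp_password: str, now: datetime) -> Account:
        """Issue an account with a one-day temporary password."""
        salt = os.urandom(16)
        acct = Account(user_id, salt, _hash(temp_password, salt),
                       temporary=True, issued_at=now)
        self.accounts[user_id] = acct
        return acct

    def logon(self, user_id: str, password: str, now: datetime,
              backend_ok: bool = True) -> str:
        """Return 'allow', 'change_required' or 'deny'."""
        # 10.1.5(4): a malfunction in the access control system defaults to denial
        if not backend_ok:
            return "deny"
        acct = self.accounts.get(user_id)
        # 10.1.5(1): disclose minimum information; an unknown id, a disabled
        # account and a wrong password all produce the same answer
        if acct is None or acct.disabled:
            return "deny"
        if not hmac.compare_digest(_hash(password, acct.salt), acct.current):
            acct.failed_attempts += 1
            if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
                acct.disabled = True             # 10.1.3(2)
            return "deny"
        acct.failed_attempts = 0
        if acct.temporary:
            if now - acct.issued_at > TEMP_PASSWORD_LIFETIME:
                return "deny"                    # temporary password has expired
            return "change_required"             # 10.1.2(5): change at first logon
        return "allow"

    def change_password(self, user_id: str, old: str, new: str) -> bool:
        acct = self.accounts.get(user_id)
        if acct is None or acct.disabled:
            return False
        if not hmac.compare_digest(_hash(old, acct.salt), acct.current):
            return False
        new_hash = _hash(new, acct.salt)
        # 10.1.2(5): the new code may not repeat any of the last PASSWORD_HISTORY codes
        if any(hmac.compare_digest(new_hash, h) for h in [acct.current] + acct.history):
            return False
        acct.history.insert(0, acct.current)
        acct.history = acct.history[:PASSWORD_HISTORY - 1]
        acct.current = new_hash
        acct.temporary = False
        return True
```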
10.1.6 Application access control
1. Agencies should consider implementing controls that assist in restricting access to information within applications, by the use of menus and controlling access rights (eg read, write, delete).
2. Access to system utilities that may be used to alter data or program code should be kept to a minimum with all system master passwords restricted to, and maintained by, the Information and System Security Administrator or applicable appointee.
3. All systems' utilities that may be used to alter data or program code should be registered, with access to these utilities recorded in system log files. Access to such utilities should be restricted to authorised personnel in accordance with their work function.
4. All remote access support applications and utilities should only be provided to authorised information systems support personnel. Policies should also be in place for the configuration of such systems.
5. All vendor and default passwords provided with IT equipment should be changed prior to a system going into operation.
10.1.7 Monitoring system access and use
1. In access control policies, Agencies need to consider what events and which systems need to be logged and monitored in order to detect deviation from normal access in the event of security incidents, and the risk to information and systems. These logs should include recording exceptions and access logs along with access activities including:
- User IDs, successful and failed logon and logoff dates and times, and files accessed.
- Use of systems' utilities and operator privileges.
- Systems' failures and alerts including failed access attempts through firewalls and gateways.
2. Significant security relevant events (eg. time of logins, modification to critical business applications) should be included in the system log.
3. The current time should be accurately reflected in the internal clock of all networked computers and servers.
4. Logging software and the logs produced should be resistant to any attempted deactivation, modification and/or deletion. Where there has been a suspicion of computer crime or abuse, relevant information should be stored in a safe and secure place.
5. Logs should be in place for production systems handling confidential information.
6. The use of special privileges should be restricted and controlled as the unnecessary allocation or unauthorised use of special privileges can be a major factor in system security failure. Special privileges include:
- High privilege users (for example administrator/supervisor access rights)
- Security administration (for example security administrator)
- Root access / operating system access
- Network management access; and
- Database administration
7. Logs should be in place for systems handling sensitive information. The logs should minimally include:
- user-ids
- times and dates for log-on and log-off
- terminal identifier
- records of successful and unsuccessful system access.
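The logging requirements of 10.1.7(4) and 10.1.7(7) above, worked through as an added example (the editor's own code, not part of this supplement): a hash-chained access log that carries the minimum record content and makes later modification or deletion detectable, with a review pass over constructed sample entries. The record layout, function names, sample user ids and terminal names are assumptions.

```python
# Added example (editor's own code, not from the IS18 supplement): a hash-chained
# access log carrying the minimum record content of 10.1.7(7), whose chain makes
# later modification or deletion detectable (10.1.7(4)), plus a review pass over
# constructed sample entries.  Record layout and function names are assumptions.
import hashlib
import json
from typing import Dict, List, Optional, Tuple

# 10.1.7(7): user id, date/time of log-on and log-off, terminal, success/failure
REQUIRED_FIELDS = ("user_id", "timestamp", "terminal", "event", "result")
# 10.1.7(6): event names (assumed) that represent use of special privileges
SPECIAL_PRIVILEGE_EVENTS = {"system_utility", "root_access", "db_admin", "net_admin"}
GENESIS = "0" * 64


def _digest(prev: str, record: Dict[str, str]) -> str:
    # canonical JSON so the same record always hashes the same way
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev + body).encode()).hexdigest()


class AccessLog:
    """Append-only log; each entry's digest covers its record and the previous digest."""

    def __init__(self) -> None:
        self.entries: List[Dict] = []

    def append(self, record: Dict[str, str]) -> str:
        missing = [f for f in REQUIRED_FIELDS if f not in record]
        if missing:
            raise ValueError("record lacks required fields: %s" % missing)
        prev = self.entries[-1]["digest"] if self.entries else GENESIS
        digest = _digest(prev, record)
        self.entries.append({"record": dict(record), "prev": prev, "digest": digest})
        return digest

    def verify(self) -> Optional[int]:
        """Index of the first entry whose chain link is broken, or None if intact.
        Keep the latest digest in a separate secure place (10.1.7(4)) so that
        truncating the tail of the log is detectable as well."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            if entry["prev"] != prev or _digest(prev, entry["record"]) != entry["digest"]:
                return i
            prev = entry["digest"]
        return None


def review(log: AccessLog, max_failures: int = 3) -> Dict[str, list]:
    """Flag ids with repeated failed logons (10.1.3(2)) and any special-privilege use."""
    failures: Dict[str, int] = {}
    privilege_use: List[Tuple[str, str, str]] = []
    for entry in log.entries:
        r = entry["record"]
        if r["event"] == "logon" and r["result"] == "failure":
            failures[r["user_id"]] = failures.get(r["user_id"], 0) + 1
        if r["event"] in SPECIAL_PRIVILEGE_EVENTS:
            privilege_use.append((r["user_id"], r["event"], r["timestamp"]))
    return {
        "repeated_failures": sorted(u for u, n in failures.items() if n >= max_failures),
        "privilege_use": privilege_use,
    }


# Constructed sample events; ids, times and terminal names are invented.
SAMPLE_EVENTS = [
    ("jsmith", "2001-09-21T08:58:00", "TTY01", "logon", "failure"),
    ("jsmith", "2001-09-21T08:58:30", "TTY01", "logon", "failure"),
    ("jsmith", "2001-09-21T08:59:00", "TTY01", "logon", "failure"),
    ("abrown", "2001-09-21T09:00:00", "TTY02", "logon", "success"),
    ("abrown", "2001-09-21T09:05:00", "TTY02", "system_utility", "success"),
    ("abrown", "2001-09-21T09:30:00", "TTY02", "logoff", "success"),
]


def build_sample_log() -> AccessLog:
    log = AccessLog()
    for user_id, ts, term, event, result in SAMPLE_EVENTS:
        log.append({"user_id": user_id, "timestamp": ts, "terminal": term,
                    "event": event, "result": result})
    return log


if __name__ == "__main__":
    sample = build_sample_log()
    print("chain intact:", sample.verify() is None)
    print(review(sample))
```

The chain only makes tampering detectable; preventing it still needs the write-once storage and restricted access that 10.1.7(4) calls for.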
10.1.8 Mobile equipment and teleworking
1. Portable computers should have a BIOS password or equivalent in operation with file access protection to prevent access by unauthorised users in the event of being misplaced or stolen.
2. Procedures for access protection of mobile devices including phones and palmpilot devices should be considered in Agency access policies.
3. Controls such as backup and virus protection should be outlined in Agency mobile and teleworking procedures.
4. Where teleworking from home is adopted by Agencies, policies, procedures and requirements should be clearly documented to authorise and control teleworking activities.
5. Agencies should ensure that physical security and use of Government assets and the sensitivity of information accessed are clearly addressed in the policy.
6. Where Agencies are considering the attachment of privately owned devices connecting to the Agency network (for example access to email using home computers) detailed risk assessments should cover all possible security threats, including:
- Lack of control of home PCs (for example unknown software, access by family, friends)
- Increased risk of disclosure of information
- Access security aspects (such as writing down of instructions for login including passwords)
- Increased risk of malicious code and virus attack
- Possibility of the PC becoming a bridge to the Internet (for example if the user connects to both the Internet and the Agency)
- Adverse impacts upon other connecting Agencies.
10.2 Further Reference
Australian Standard: AS/NZS 4444.2:2000 (Section 4.7)
AS/NZS 4444.1:1999 (Section 9)
AS/NZS ISO/IEC 17799:2001 (Section 9)
Defence Signals Directorate: Australian Communications Electronic Security Instruction 33 (ACSI 33)
Commonwealth of Australia: Protective Security Manual, Australian Government Publishing Service, Canberra, 2000
Financial Management Standard 1997 - Treasury
Financial Management Practice Manuals - Treasury
11 Systems Development and Maintenance
11.1 Best Practice
11.1.1 Security in application systems
1. When evaluating software packages, Agencies should ensure that security controls are addressed as part of the evaluation process.
2. Agencies should consider implementing policies and processes to outline their practices for input validation, internal processing checks and controls, message authentication techniques and output data validation within application and systems development. Practices should be in accordance with the risks associated with the system data.
3. The security controls of audit trails and activity logs should be written into applications for the validation of data and internal processing.
11.1.2 Cryptographic controls
1. Encryption is critical in providing adequate security controls for systems and applications. When used, cryptographic controls provide a means of protecting confidentiality and integrity, and of ensuring strong authentication and non-repudiation of information.
2. Agencies should implement cryptographic controls commensurate with the international standard, for example Rijndael, triple Data Encryption Standard (DES) or equivalent strength appropriate to the classification of information and business requirements.
3. When investigating PKI services or technologies for applications, Agencies should ensure that controls are selected appropriate to the risk of the information.
11.1.3 System file security
1. Operational software should be maintained at a level supported by the supplier.
2. Appropriate testing, planning and migration control measures should be carried out when applying patches or new software versions to ensure the overall security of the Agency operational environment is not adversely impacted.
3. The testing of systems and data should be controlled and monitored, especially where operational data sets are used.
4. Control measures should be in place for maintaining and accessing program and system source libraries.
11.1.4 Development and support security
1. When outsourcing the development of applications, licensing arrangements, code ownership and intellectual property rights should be taken into consideration in the contract.
2. Policies should be in place for control of changes to operational applications including version control for software upgrades.
3. Agencies should ensure that all software programs introduced into the operating environment do not impact the security of existing information and systems.
4. Software products should be formally evaluated.
11.2 Further Reference
Australian Standard: AS/NZS 4444.2:2000 (Section 4.8)
AS/NZS 4444.1:1999 (Section 10)
AS/NZS ISO/IEC 17799:2001 (Section 10)
Commonwealth of Australia: Protective Security Manual, Australian Government Publishing Service, Canberra, 2000
Defence Signals Directorate: Australian Communications Electronic Security Instruction 33 (ACSI 33)
Financial Management Standard 1997 - Treasury
Financial Management Practice Manuals - Treasury
12 Business Continuity Management
12.1 Best Practice
12.1.1 Continuity Plans
1. When developing information business continuity management plans, Agencies should consider adapting the AS/NZS 4360:1999 Risk Management Guide.
2. An information business continuity plan should be prepared and tested periodically for all business and computer systems. The testing strategy to be implemented will be influenced by the importance of the system to the business operations and the ability to recover the system within the time frames required by users.
3. Agencies should determine and document the manner in which business operations and client services will be carried out while the technical recovery strategy is being implemented.
4. A copy of the information business continuity plan should be stored off site in a secure manner to ensure that plans can be implemented in the case of a disaster.
5. A review should be undertaken of any significant disruption to information services or failures to ascertain the cause, assess the remedy and ensure procedures are adjusted to reduce the likelihood of any repeat occurrence.
12.1.2 Vulnerability Assessment
When determining the vulnerability of the information or system, factors to consider are:
- The value to another party if they were able to obtain access to the information;
- The disruption that would result if the information or system(s) were unavailable or deleted;
- The impact of the information being inaccurate or incomplete;
- The ease with which it can be accessed, amended or deleted; and
- The likelihood that an access attempt would remain undetected and untraced.
If the risk of any one of the above is rated as unusually high, then additional security measures should be considered.
12.1.3 Impact Assessment
The following factors should be considered in determining the impact to the Government if the information, process or other assets were to be accessed, deleted, or amended:
- Risk to life;
- Loss of customer/citizen confidence and satisfaction;
- Disruption to delivery of goods or services;
- Delays in collection of revenue;
- Disruption to procurement of goods or services;
- Delays in paying suppliers or personnel;
- Diversion of goods;
- Loss of commercial advantage (eg. unauthorised access to tender responses and evaluation);
- Disruption to transmission;
- Deterioration in quality of goods or services;
- Diversion of funds;
- Inability to manage funds;
- Delays in provision of information to regulators or investors;
- Inability to meet statutory or contractual obligations;
- Additional workload arising from the need to revert to manual operations, correction of errors, and processing of backups;
- Increased risk of fraud or error;
- Loss of management control; and
- Loss of productivity.
12.2 Further Reference
MAB/MIAC Report No. 22, October 1996: Guidelines for Managing Risk in the Australian Public Service
13 Compliance
13.1 Best Practice
1. Agencies should seek advice on specific legal compliance requirements from their Agency legal advisers.
2. Agencies should include in their Agency security education programs responsibilities for compliance with legal and legislative issues, in particular copyright, licensing and terms and conditions of use infringements of information and software systems.
3. Agencies should also consider including responsibilities for the preservation and integrity of information in education programs.
13.1.1 Compliance with legal requirements
1. Agencies should be aware of, and develop processes to ensure that, all legal and legislative obligations are observed when using and managing information.
2. Agencies should have in place processes for maintaining awareness of copyright, licensing, and terms and conditions of use infringements of information and software systems.
3. Agencies should ensure effective policies and procedures are in place for effective disciplinary actions when dealing with breaches of information security.
13.1.2 Reviews of security policy and technical compliance
Information policies, procedures and compliance should be reviewed and reported to appropriate management at least annually to ensure the reliability and overall security of operational applications, operating environment and technical infrastructure.
13.2 Further Reference
Australian Standard: AS/NZS 4444.2:2000 (Section 4.10)
AS/NZS 4444.1:1999 (Section 12)
AS/NZS ISO/IEC 17799:2001 (Section 12)
Financial Management Standard 1997 - Treasury
Financial Management Practice Manuals - Treasury
Definition of Terms
Acceptance testing: Testing of software systems to determine whether the system meets the required criteria.
Authentication: The process that verifies the claimed identity of an individual as established by an identification process.
Authorised Use: Use by individuals who have:
- Received the appropriate authorisation (which must be signed and documented as stipulated in local business procedures) before operating the relevant device or service;
- Agreed to abide by the policies, guidelines and local practice arrangements for use of the relevant device or service, and who have appropriately acknowledged this agreement where required.
Availability: Ensuring that authorised users have access to information and associated assets when required.
Building and Entry Controls: Access control mechanisms which restrict access to areas, such as checking of identification, access tokens or smartcards.
Business Continuity Plan: A plan which describes a sequence of actions, and the parties responsible for carrying them out, in response to a series of identified risks, with the objective of restoring normal business operations as quickly as possible.
Classification: The systematic arrangement of information into logical categories.
Confidentiality: Ensuring that information is accessible only to those authorised to have access.
Confidentiality Agreement: Agreement indicating agreement to abide by Agency confidentiality requirements.
Cookies: A message given to a web browser by a web server; this can be used to identify a user.
Controlled Environment: Environment where security measures have been implemented.
Cryptography: Embodies principles, means and methods for the transformation of data in order to hide its information content, prevent its undetected modification and/or its unauthorised use.
Data: Information, for example numbers, text and images, in a form that is suitable for storage in or processing by a computer.
Development Environment: A systems area separated from the operational systems area for the purpose of developing and upgrading software systems or applications.
Disciplinary Action: In the event that employees and agents are proven to have breached the conditions of this and associated policies, disciplinary action as outlined in the Public Service Act 1996 and Agency Code of Conduct and/or legal action and prosecution.
Employees and Agents: Includes persons engaged in the capacity of permanent, temporary and casual employment of
Security Controls: Hardware, programs, procedures, policies and physical safeguards which are put in place to assure the integrity and protection of information and the means of processing and accessing it.
Security Incidents: May include, but are not limited to, any act that: does not comply with the requirements of this policy; exposes the
Attachment A Suggested policy templates
Agency Information Security Policy
1. INTRODUCTION
This section should contain a general statement em
Information Security
Information Asset Classification and Control Policy
1. Purpose
2. Scope
3. Policy
3.1. Asset Accountability
- How are all major information assets accounted for?
- What are the major information assets? (Where is this documented?)
- How are owners of these assets nominated? Who are they? (Where is this documented?)
- Who is responsible for establishing and maintaining the inventory of information assets? (Where is this documented?)
3.2. Classification of Information
- Who is responsible for specifying and maintaining classifications of information?
- Information asset labelling: what needs to be labelled (and where is this documented)?
- Handling: how is classified information to be handled, stored, transmitted or disseminated?
- Disposal: how is classified information to be disposed of and who is to authorise this?
Sample Document Only
NB. Agencies should develop detailed policies and procedures for many of the topics covered in this high-level policy.
Information Security
Personnel Security Policy
1. Purpose
2. Scope
3. Policy
3.1. Job Descriptions
- Will security be addressed in all job descriptions or only those with access to classified information?
- Who is responsible for assessing the level of security and ensuring that it is addressed in job descriptions?
- What verification checks will be made on job applicants, contractors, and consultants?
- Who authorises this? And who is authorised to carry out these checks?
3.2. Confidentiality
- Will confidentiality agreements be signed?
- Do terms and conditions of employment outline security responsibilities?
3.3. User education
- What security responsibilities will be included in induction and ongoing staff training?
- How will security responsibilities be communicated to staff, and when?
3.4. Responding to security incidents
- What are reportable security incidents? Weaknesses?
- What is the process for reporting security incidents?
- How will it be communicated to staff?
- Who is responsible for following up security incident reports?
- What are reportable software malfunctions? How will they be reported, monitored and resolved?
- Who is responsible for following up and resolving malfunctions?
3.5. Disciplinary process
- What is the disciplinary process for security violations? How is it communicated to staff? And who is authorised to deal with security violations?
Sample Document Only
NB. Agencies should develop detailed policies and procedures for many of the topics covered in this high-level policy.
Information Security
Physical & Environmental Security Policy
1. Purpose
2. Scope
3. Policy
3.1. Physical security and entry controls
- What areas need physical entry and perimeter controls? Eg computer rooms, document storage? How are all other areas to be secured? Offices, workstations, delivery facilities, third party access?
3.2. Equipment siting
- How and where is critical equipment to be sited? What safeguards are to be in place?
3.3. Power supplies
- What safeguards are in place for power supplies to critical equipment?
3.4. Cabling and communications equipment
- How is cabling to be protected? How is communications equipment to be housed?
3.5. Equipment maintenance
- How, and by whom, is maintenance on equipment allowed to be carried out?
3.6. Off-site equipment
- What is the policy on security of equipment kept off site, eg home use equipment, portable equipment?
3.7. Disposal and re-use of equipment
- What is the process, and who authorises, the disposal and reuse of equipment?
3.8. General equipment security
- What is the Agency policy for unattended workstations, unattended facsimiles, etc?
Sample Document Only
NB. Agencies should develop detailed policies and procedures for many of the topics covered in this high-level policy.
Information Security
Operational Security Management Policy
1. Purpose
2. Scope
3. Policy
3.1. Documentation of operating procedures
- What processes must be documented and who is responsible?
- Is there a document style template that must be used?
3.2. Change control
- What processes are subject to authorised change control?
- Is there a process for implementing changes to information systems?
3.3. Incident management
- What type of security incidents must be reported?
- What is the reporting structure for reporting these?
- What are the procedures to be carried out for each type of incident?
3.4. Segregation of duties
- What is the policy for segregating duties that might involve a conflict of interest?
- What are the specific duties that must be segregated?
3.5. External facilities
- Who authorises the use of external facilities management?
- What are the security issues that must be addressed in external facilities management?
- Who monitors security in external facilities, and how?
3.6. Operational environment separation
- What is the policy with regard to separating the development/testing environment from the operational environment?
3.7. Capacity planning
- Who is responsible for information systems capacity planning?
- What processes or systems need to be monitored for future planning?
3.8. System acceptance
- Who is responsible for the migration of new systems or upgrades into the operating environment?
- What checks and processes need to be made before taking systems into production?
3.9. Virus protection
- What is the Agency method for ensuring only authorised software is used?
- What is the Agency method for virus and malicious code protection?
- Who is responsible for cleaning and reporting virus attacks?
- How will users be educated?
3.10. Systems maintenance
- What is the policy on backup?
- What is the policy for logging system activities?
- What is the policy on systems maintenance, including authorisation processes?
3.11. Network management
- Who is responsible for network management?
- What are the policies and processes for remote access?
- Who authorises external connections?
3.12. Media handling and security
- What is the process for reusing media, eg hard drives, backup tapes?
- What is the process for transporting and storing media?
- What is the process, and who authorises, disposal of all types of information, eg. paper documents, disks, and system documentation?
- What is the process for storage, handling and access to all types of information, eg. how is media to be labelled, use of distribution lists, filing of e-mails, facsimiles?
3.13. Exchanging of information
- Who authorises information exchange?
- What type of information can be sent over public networks, eg. facsimiles, e-mail, and who authorises it?
- What checks are in place to check for transmission receipt?
- Who authorises 'on-line' or publicly available transactions/systems?
- What checks are to be carried out prior to instituting these?
- When is encryption used and what is the level of encryption that can be used; who authorises this?
- What is the policy on e-mail?
- What is the policy in relation to information and communication devices including answering machines, electronic diaries, etc?
3.14. Reporting regimes
- What is the process and policy for Agency security reporting: what needs to be reported, how is the information to be collected and to whom is the information to be reported?
Sample Document Only
NB. Agencies should develop detailed policies and procedures for many of the topics covered in this high-level policy.
Information Security
Access Controls
1. Purpose
2. Scope
3. Policy
3.1. Access control policy
- Who grants authorisation for access to systems and business applications, and how?
3.2. User access
- How is access to information systems to be granted (eg passwords etc)?
- Who is responsible for monitoring and reviewing access rights?
- Who is responsible for removing and notifying of redundant User IDs and accounts, and what is the process?
- Who is responsible for granting access to systems utilities and privilege management? How is access to and use of systems utilities monitored?
3.3. User responsibilities
- How are users to be educated and made aware of access responsibilities?
- What are users' responsibilities for access and passwords?
3.4. Network access
- Who is responsible for authorising network access (both internal and external connections)?
- What is the process for enforced network paths, user authentication for external connection, node authentication, use of remote diagnostic ports? How will network domains and groups be segregated?
- What network connection controls will be in place, eg. times, type and size of file transfers to external sources?
3.5. Operating system access
- How is automatic terminal identification used to authenticate connections to specific locations and portable equipment?
- What is the secure logon and logoff process for access?
- Are there restrictions on connection times in place?
- How will passwords be issued and managed; what are the rules for passwords?
- How will systems utilities' use be controlled?
3.6. Application access
- Who authorises application access, eg read, write?
- What is the process for authorising access to information when systems share resources, eg. two separate systems are integrated to form a third application or system?
3.7. Monitoring system access
- What system events will be logged, eg. date, IP address, User IDs, unsuccessful logins, alerts from intrusion detection systems (firewall)?
- When and who will review and monitor system logs? And where are they stored?
3.8. Mobile computing and telecommuting
- Outline Agency policy for each type of mobile device, eg. physical storage, personal usage, protection of information held on the device, access mechanisms (eg password), virus protection, backup.
- Policy on use of computer equipment for telecommuting, eg. authorisation process, system access, physical security, etc.
Sample Document Only
NB. Agencies should develop detailed policies and procedures for many of the topics covered in this high-level policy.
Information Security
System Development and Maintenance Policy
1. Purpose
2. Scope
3. Policy
3.1. System requirements
- What are the security controls that should be addressed in new systems or upgrades, eg. input data validation, internal processing, message authentication, output data validation?
3.2. Use of cryptography
- When is encryption to be used?
- Who authorises the use of encryption? What strength of DES is being used?
- Who will assess the need for PKI?
3.3. Security of system files
- How is access to system files granted?
- Who is responsible for monitoring and recording changes to systems?
- What is the policy on keeping previous versions of software?
- What checks will be in place for assessing the impact of new systems or changes on existing systems?
- Who is responsible for authorisation of new systems or changes into the operational environment?
- Where will test data for systems originate from (eg. will operational data be used? If so, how will it be monitored and who authorises it)?
- How will program source code be monitored and maintained?
3.4. Development and support
- What is the change request process for systems?
- Who can authorise changes to systems? Who carries these out?
- Who authorises when changes to systems will occur (eg timing in relation to business activities)?
- What is the process for upgrading software changes; who assesses changes and impacts on current systems, business activities and costs?
- What checks are in place for ensuring that outsourced software development addresses Agency information security requirements?
- What is the process for testing and evaluating software?
Sample Document Only
NB. Agencies should develop detailed policies and procedures for many of the topics covered in this high-level policy.