UNCLASSIFIED UNCONTROLLED-IF-PRINTED. Public. 2:51 Outsourced Offshore and Cloud Based Computing Arrangements

Save this PDF as:
 WORD  PNG  TXT  JPG

Size: px
Start display at page:

Download "UNCLASSIFIED UNCONTROLLED-IF-PRINTED. Public. 2:51 Outsourced Offshore and Cloud Based Computing Arrangements"

Transcription

1 Defence Security Manual DSM Part 2:51 Outsourced Offshore and Cloud Based Computing Arrangements Version 1 ation date July 2105 Amendment list 23 Optimised for Screen; Print; Screen Reader Releasable to Compliance Requirements Defence personnel are, and external service providers subject to the terms and conditions of their contract may be, bound by security policy contained in the DSM and Information Security Manual (ISM). Failure to comply with the mandatory requirements of the DSM and ISM may result in action under the relevant contract provision or legislation including, but not limited to; the Defence Force Discipline Act 1982, the Service Act 1999, and the Crimes Act Mandatory requirements in the DSM and ISM are identified through the use of the terms must / must not and should / should not. Compliance with these requirements is mandatory unless the appropriate authority, if applicable, has considered the justification for non-compliance and accepted the associated risk through the granting of a dispensation. The terms recommend and may are used to denote a sensible security practice and noncompliance need not be approved or documented. Note: Non-compliance with a sensible security practice ought to be informed by sound risk management principles. The DSM compliance regime, including the authority to approve non-compliance with mandatory requirements, the use of dispensation indicators, and how to apply for a dispensation is detailed in DSM Part 2:1 Dispensations. Copyright Commonwealth of Australia 2010 This work is copyright. Apart from any use as permitted under the Copyright Act 1968, no part may be reproduced by any process without prior written permission from the Department of Defence. Requests and inquiries concerning reproduction and rights should be addressed to Defence Publishing Services, Department of Defence.

2 Introduction 1. The storage and processing of Defence information in outsourced or offshore ICT facilities represents an increased risk to Defence information. The purpose of Defence Security Manual (DSM) Part 2:51 is to outline Defence policy for the protection of information in these circumstances. Policy 2. Defence will adopt a risk managed approach to the use of outsourcing and cloud based computing. Defence risk tolerance is compliant with mandatory whole of government approval processes specified in the Australian Government Protective Security Policy Framework (PSPF). Process 3. Unclassified information, including information that is subject to the Privacy Act 1988 requires a minimum level of protection unless it has been publically released. Outsourcing arrangements that involve this information introduces risks that need to be identified and managed. 4. The government, through the PSPF, has directed all agencies to take a consistent approach to the risk management and the level of approvals required when considering outsourcing functions that use this information. The levels of approvals required in this document are consistent with the government s requirements as described in the PSPF. 5. This part applies to cloud based storage and processing of unclassified Dissemination Limited Marking (DLM).marked information. It applies to both Defence outsourcing activities and Defence industry s own ICT infrastructure that is used to process Defence Unclassified information that is not publically available. Example: A consultancy company will be working on a range of Defence tasks that will require it to process For Official Use Only (FOUO) and Sensitive: Personal information. The company can not use Internet cloud based computing to host this work without approval. For instance they could not use a word processor hosted on the web or web based as these are examples of Software as a Service. Example: A multinational consultancy company can not use the company s international private cloud for processing of Defence information without approval. For instance they could not store information on virtual servers physically hosted in another country on their private cloud or use overseas system administrators to administer software resident on an Australian server. Note: Nothing prevents an international company from undertaking network monitoring or other system administration tasks that cannot access the stored data from offshore. 6. Both Defence and Defence industry are bound by the approvals processes in this DSM part for the infrastructure on which they process Defence unclassified information that is not publicly available, and Defence information subject to the Privacy Act Note: Defence employee name, Position with Defence, DRN address and Defence phone number are not subject to the Privacy Act 1988 as this information is placed onto the public record via the Commonwealth Gazette, s sent via the internet and the Defence Telephone Directory. Note: Defence members who hold Defence Protected Identities have their identity and role protected as official information. The systems that process these identities are protected in accordance with DSM Part 2: For Defence industry all risk assessments must be undertaken in consultations with the contract manager. Defence industry is unable to accept security risk on behalf of Defence and therefore needs to work closely with relevant contract managers. Defence industry is reminded that this DSM part applies to all information that is not for public release. In practice this is all information that a company DSM Part 2:51 Page 2 of 14

3 has about Defence that is not publically available, regardless of whether it carries a DLM or not. Material that carries a DLM will require additional protections. 8. These approval processes apply to information that is not encrypted with an Australian Signals Directorate (ASD) endorsed product to reduce the classification of information. Example: The same consultancy company could use any Internet based backup service and storage if the content being backed up is encrypted to an ASD endorsed encryption standard prior to being backed up. 9. This part is to be read in conjunction with DSM Part 2:4 Facilities and ICT accreditation. Where information is classified information, DSM Part 2:4 takes precedence and the system is always accredited. a. Unclassified systems that process DLM managed material meet the ISM requirements for Government systems and are accredited against the ISM G controls. However due to the large number of these systems Defence takes a risk managed approach to determine which systems will undergo accreditation. 10. A risk assessment is needed to determine the risk of using cloud based computing services and whether accreditation will be conducted in order to assess the effectiveness of implemented risk mitigation measures. The following table shows the approvals required for the risk assessment: Table 2:51-1: Defence Policy for the Storage and Processing of Australian Government information in Outsourced or Offshore Arrangements ICT Arrangement Offshore and Outsourced - Domestically hosted (onshore) public cloud Outsourced Domestically hosted (onshore) private, internal or community cloud Unclassified information that is publicly available Defence or Defence industry may enter into these arrangements following a risk assessment. The risk assessment must [Auth:None] be endorsed by a SES Band 1/O7. Accreditation is not required. Defence or Defence industry may enter into these arrangements following a risk assessment. The risk assessment must [Auth:None] be endorsed by a SES Band 1/O7. Accreditation is not required. Other unclassified information that is not publicly available Defence or Defence industry may enter into these arrangements following a risk assessment. The risk assessment must [Auth:None] be endorsed by Secretary Defence. The risk assessment must [Auth:None] be conducted in accordance with this DSM Part. The risk assessment must [Auth:None] identify whether the system will be accredited. All Unclassified - Information subject to the Privacy Act 1988 Defence or Defence industry must not [Auth:None] enter into these arrangements without agreement from Minister for Defence and the Attorney General. The risk assessment must [Auth:None] be conducted in accordance with this DSM part. The risk assessment must [Auth:None] identify whether the system will be accredited. If the risk assessment identifies that accreditation is required, it must be conducted in accordance with DSM part 2:4; any accreditation awarded under an international standard may be taken into consideration, but is not considered equivalent to a Defence accreditation. Defence or Defence industry may enter into these arrangements following a risk assessment. The risk assessment must [Auth:None] be endorsed by a SES Band 1/O7. The risk assessment must [Auth:None] identify whether the system will be accredited. Defence or Defence industry may enter into these arrangements following a risk assessment. The risk assessment must [Auth:None] be endorsed by a SES Band 1/O7. The risk assessment must [Auth:None] identify whether the system will be accredited. DSM Part 2:51 Page 3 of 14

4 Determine the Approval Context 11. Prior to commencing a business case or outsourcing activity that requires the Secretary or Minister s approval, an in principle agreement to conduct the activity must be gained from the Cyber Security Governance Board (GCSB). a. Other activities that do not require Secretary or Ministerial approval must seek the advice of the Defence Chief Information Security Officer (CISO) in order to determine if the matter will be managed through the CSGB. 12. The purpose of seeking in principle agreement from the CSGB is to determine the appropriateness of the activity in the context of the Defence environment and establish the scope and managerial context that the risk assessment will be conducted in as well as any consequent project decision and coordination activities. 13. CSGB submissions must identify: a. the scope of the activity; b. the key risk holders; c. the decision maker(s) and resources that will be responsible for the conduct of the risk assessment; d. any alignment to enterprise ICT risk activities; e. the decision maker or committee (including the CSGB) that will act as the risk owner; f. the approvals process for staffing to the Secretary and Minister as appropriate; and g. project or other approval mechanisms. Conduct the Risk Assessment 14. The risk assessment is undertaken in accordance with AS/NZS ISO 31000:2009 Risk Management Principles and Guidelines and HB 167:2006 Security Risk Management. These are standard approaches to risk management. 15. The risk assessment needs to be as broad and as comprehensive as is possible and identified risks will form the basis of decisions made. The assessment needs to be independent, objective and capable of withstanding public scrutiny and independent inquiry. The Strategic Context of Outsourcing and Offshoring 16. The strategic context is the external environment in which the agency seeks to achieve its objectives. The external context can include, but is not limited to: a. the social and cultural, political, legal, regulatory, financial, technological, economic, natural and competitive environment, whether international, national, regional or local; b. key drivers and trends having impact on the objectives of the organisation; and c. relationships with, perceptions and values of external stakeholders. 17. When conducting the risk assessment it is necessary to consider what aspects of strategic context are relevant to the situation, and factor these into the risk assessment process. These can include: DSM Part 2:51 Page 4 of 14

5 a. relevant Australian legislation, regulation and policy, including responsibility for safeguarding Australian Government information, including but not limited to: (1) requirements of the Archive Act 1983 and Freedom of Information Act 1988; b. foreign laws and potential jurisdictional access to information; (1) equivalent FOI acts; and (2) operation of Foreign Intelligence Services, local intelligence collection laws; and c. the potential benefits of outsourcing or off shoring arrangements. 1 How to Determine the Organisational Context 18. The organisational context is the internal environment in which the project seeks to achieve its objectives. This can include, but is not limited to: a. governance, organisational structure, roles and accountabilities within Defence; b. policies, objectives, and the broader Chief Information Officer Group managed strategies that are in place to achieve them; c. capabilities, understood in terms of resources and knowledge (eg, capital, time, people, processes, systems and technologies); d. extent of contribution to overall Defence capability and key dependencies and interrelationships; e. the relationships with and perceptions and values of internal stakeholders; f. the organisation's culture, including the security culture; g. information systems affected, information flows between them and decision making processes (both formal such as extant project boards and informal such as working relationships between multiple vendors); h. standards, guidelines and models such as the Defence Information Environment security architecture; and i. the nature and extent of contractual relationships, including subcontracting. Identifying Risk 19. ASD publishes specific guidance on cloud computing issues in addition to general outsourcing risks covered in the ISM. Readers should refer to ASD product when conducting risk assessments. 20. The following questions can assist in identifying risks. Enquiries should not be limited to these topics. It may be necessary to form a project security working group and workshop the following risks in order to gain a view across all stakeholders: a. Is the information provided to Defence by a foreign government? This information may be subject to control and foreign release restrictions; 1 Extensive advice exists on this subject. As a starting point, see the Australian Government Information Management Office s Cloud Computing Strategic Directions paper. DSM Part 2:51 Page 5 of 14

6 b. How could the integrity of government information be affected? What would be the impact of loss of confidence in the integrity of the information? c. How could an unintended disclosure of government information occur in an outsourced or offshore arrangement? What are the sources of risk? What threats are there? d. What would the impact of an unintended disclosure be for the various classes of information? e. Why could an unintended disclosure occur? What is the cause (actions, incidents or factors) behind the source of risk? Are there any measures in place that limit or encourage sources of risk? f. What would an unintended disclosure look like? What would an event or incident look like? g. Where would this happen? Based on arrangements, would this happen in Australia? If offshore, what countries could the information be stored or processed through? h. When could an unintended disclosure happen? What is the length of the proposed arrangement? What is the time period that risks need to be considered over? i. Who would be involved in an unintended disclosure? Who is the threat source? Who will be involved in a response? Who would be impacted? Does this include the Australian public, individual Defence members, protected identity holders, or is it limited togovernment? j. Is the cloud host country a known intelligence collector against Australia? 21. Defence ability to effectively manage and control its information in an outsourced or offshore arrangement can potentially be put at risk from any of the following: a. compromise of the integrity of the information which impacts on business functioning; b. unavailability of the information which impacts on business functioning; c. unauthorised access by a third party; d. unauthorised access by the service provider s other customers; e. unauthorised access by rogue service provider employees and f. inadequate resilience and security measures applied to the associated physical infrastructure, supply chain and ICT networks. 22. In addition to the risks associated with outsourcing arrangements, entering into an agreement with an offshore component can cause additional complications due to: a. the nature of the legal powers to access or restrict data; b. the lack of transparency (and reduced ability to directly monitor operations); c. the prevailing culture of some countries; and d. complications arising from data being simultaneously subject to multiple legal jurisdictions. DSM Part 2:51 Page 6 of 14

7 The Nature of Legal Powers to Access or Restrict Data 23. Like Australia, most foreign jurisdictions have legislated powers that allow access to communications and stored information for the purposes of law enforcement and national security. In some cases these laws allow law enforcement and national security agencies to access information held overseas or in Australia. Lack of Transparency 24. Should Defence enter into arrangements where information is held offshore, there is the potential for that information to be stored or processed in jurisdictions where foreign government information access mechanisms operate without transparency or outside of established legal frameworks. Alternatively, the lack of effective rule of law may fail to deter attempts by non-state actors to misappropriate information. 25. These matters of particular concern in high FIS threat countries with known intelligence collection requirements against Australia. The Defence Security and Vetting Service (DS&VS) can assist with advice in this area. Prevailing Culture of Some Countries 26. The prevailing culture of some countries may give rise to additional risks. For example, the tolerance (legal and/or law enforcement effectiveness) and acceptance of corruption and white collar crime differs across countries and may impact on an agency s ability to ensure the confidentiality, availability and integrity of government information. Similarly, extrajudicial behaviour of government agencies, and the ability of citizens to refuse those demands may be limited, potentially giving rise to further risks that need to be considered. Complications Arising from Data being simultaneously subject to Multiple Legal Jurisdictions 27. Complications may arise from information being subject to the laws of multiple jurisdictions. This may occur in circumstances where: a. foreign laws apply to a vendor because it is located offshore; b. foreign laws have an extra territorial application to vendors located in Australia; or c. the services provided by the vendor pass through a foreign jurisdiction. How to Assess Risk 28. Having identified a range of relevant risks, they are to be assessed in terms of their likelihood and consequence and acceptable levels of tolerance. The sources of risk events, and the effectiveness of existing controls to prevent the occurrence or reduce the consequences of risk events should be considered. This includes the level of oversight and control Defence and contractors have on the management of their information. 29. For additional information on assessing risks, see HB 167:2006 Security Risk Management. Guidance on Determining Potential Consequences 30. The risk assessment process must [Auth:None] assess the consequence with respect to Confidentiality, Integrity and Availability impacts on both individual items of information (or sub systems) and aggregated information and sub systems. The risk assessment may also assess against other risks such as reputation and financial risk as required. 31. A Confidentiality, Integrity and Availability Business Impact Level (BIL) must [Auth:None] be assigned to the individual items and the aggregation dependent on the worst consequence identified. DSM Part 2:51 Page 7 of 14

8 Example: The assessment may identify that whilst there is a low to medium confidentiality impact (unclassified DLM marked information maps to a Confidentiality BIL of 1-2) there could be High or Catastrophic integrity or availability impacts (BIL 5 and 6). In this case, information with a Confidentiality BIL of 2, an Integrity BIL of 3 and an Availability BIL of 4 would be assigned an overall BIL of 4. The aggregation of such information may require a higher BIL. 32. Further information is contained in DSM Part 2:7 Business Impact Levels. 33. The consequence of unintended disclosure of government information will depend on the profile of that information. The majority of government information is neither publicly available nor security classified. This includes information that is unclassified, but potentially sensitive, such as health and financial records; details of business dealings with government; correspondence between citizens and Ministers; and public service employee records. 34. Loss of Confidentiality, Integrity or Availability could for example: a. affect Defence operational capability; b. affect Defence capacity to make administrative decisions or operate; c. affect privacy and integrity of personal information about Defence employees and Australian citizens; d. affect the safety of persons; e. affect the public s confidence in government; f. affect Defence morale; g. interfere with commercial interests and the competitive process; h. result in non-compliance with legislation; i. incur additional cost restoring integrity; j. interrupt the operation of the Department whilst integrity is restored; and k. affect employee entitlements. Guidance on Determining Likelihood 35. The likelihood is the chance or probability that an event or incident will occur resulting in the unintended disclosure, interruption, modification of fabrication of government information. When considering the likelihood, agencies should consider the timeframe in which the risk could potentially occur. Likelihood may be expressed using a qualitative, pre-determined scale such as low, medium and high or a quantitative, numerical representation such as a 70 per cent chance of occurrence. Evaluating the Risks 36. Evaluating the risks of unintended disclosure of government information in outsourced or offshore arrangements involves considering the risks within the context of the agency risk tolerance and potential treatment options. 37. In some circumstances, the risks to Australian Government information can be quantified almost entirely in financial terms based on a loss of revenue or the cost to restore it to a trusted state. In these circumstances, determining the risk is a matter of financial calculation. However, in most circumstances, DSM Part 2:51 Page 8 of 14

9 Defence will need to consider a wider range of factors, including the potential reputational cost of a disclosure due to aggregated national security impacts. In these circumstances, calculating the risk is a more complex process and the acceptance of that risk is a responsibility of the Minister. 38. There may be circumstances where the factors for consideration and judgments required are so complex that the risk of outsourcing or storing data offshore is incalculable. If the risk is determined to be incalculable, it will not be possible to manage it. Under these circumstances the PSPF directs that Secretary Defence as the agency head is required not to enter into these arrangements. 39. For further information on evaluating risks, see HB 167:2006 Security Risk Management. Incapacity to manage risk Figure 2:51-1 Risk Tolerance Tolerable risk Increasing risk Intolerable risk Scope for agency determination of risk tolerance 40. Determining risk tolerance will be highly dependent on the organisational context of Defence and the Secretary. However, in most cases the concept can be understood as a gradient, where the risk may become increasingly less tolerable as the risk level is elevated (see Figure 2:51-1 above). 41. The CSGB may also refer the matter to the Defence Security Counter Intelligence Board or Secretary Chief of Defence Force Advisory Committee as a source of information on the overall enterprise risk tolerance, especially in the context of multiple capability owners. How to Consider Potential Risk Treatment Options 42. There is no such thing as absolute security. This means that efforts to treat risks will not remove them completely, but should aim to make the risk levels more tolerable. HB 167:2006 Security Risk Management outlines strategies for risk treatment. This includes a six step process where Defence: a. prioritises intolerable risks; b. establishes treatment options; c. identifies and develop treatment options; d. evaluates treatment options; e. details the design and conducts a review of chosen options, including the management of residual risks; and f. undertakes communication and implementation. DSM Part 2:51 Page 9 of 14

10 Suggested Treatment Options 43. Contractual arrangements present a potential tool that agencies can use to mitigate risks associated with the outsourcing or offshoring of government information through: a. specifying the necessary protective security requirements in the terms and conditions of any contractual documentation (including sub-contractual arrangements), and b. verifying that the contracted service provider complies with the terms and conditions of any contractual documentation. 44. In some cases however it may be impractical or impossible for Defence to verify if the service provider is adhering to the contract. This can be addressed through the use of third party audits, including certifications and accreditations, but at an additional cost. Finalise the Risk Assessment 45. Documenting the risk assessment and risk treatment 46. The risk assessment must be documented and agreed by the appropriate decision maker. The risk assessment must include a statement that the decision maker has considered, calculated and accepted the associated security risks in outsourced or offshore arrangements. 47. The risk assessment will determine whether accreditation is required. In some instances Defence accreditation may be replaced by an assessment by an external certification body. Example: A health service provider may be providing services for other government Agencies and undergone a certification to participate in that program. In this example it may be appropriate to recognise the certification. Secretary Approval 48. The CSGB will notify the appropriate format and mechanism to request Secretary approval. In some instances this will be via a senior committee. 49. The approval must include a letter for signature advising the Secretaries ICT Governance Board that they have entered into outsourced or offshore arrangements for the storage and processing of Australian Government information. The purpose of this measure is to support information sharing and inform potential whole-of-government ICT procurement arrangements. Ministerial Approval 50. Where there are risks to personal information, the potential impacts are broader than just financial considerations and include loss of public confidence and trust in government. Where these risks are calculable and manageable, under the PSPF the Minister is required to accept those risks before Secretary Defence can enter into such an arrangement. The Minster for Defence is required to consult with the Attorney General before granting approval. 51. The CSGB will coordinate the mechanisms for gaining Ministerial and Attorney General Approval. Roles and Responsibilities 52. Attorney-General. The Attorney-General is the Minister responsible for privacy and protective security within the Australian Government. They set overall protective security policy via the Protective Security Policy Framework, including minimum approval thresholds. They consider government wide impacts of DSM Part 2:51 Page 10 of 14

11 Privacy issues and act as a joint approval authority in conjunction with Secretary Defence for some offshore processing and outsourcing activities identified within this DSM part. 53. Secretary of Defence. The Secretary is the Agency Head under the PSPF, and in consultation with the Chief of the Defence Force, is the approval authority for some onshore processing and activities identified in this DSM part. 54. Chief Information Officer. The CIO sets policy direction for the outsourcing of Defence ICT arrangements and chairs the CSGB which approves business cases for outsourcing and cloud based computing initiatives and manages approvals for those business cases that require acceptance by the Secretary or the Minister for Defence. 55. Chief Information Security Officer. The CISO provides advice to projects considering outsourcing or cloud based computing and determines whether projects that do not meet mandatory criteria for approval by the Secretary or Minister will be managed by the CSGB. 56. Australian Signals Directorate. ASD publishes the ISM and other advice on security considerations for cloud services. Readers are encouraged to refer to ASD public website for further information on these topics. 57. System Owners, Project Managers and Contractors. Are responsible for seeking approvals for outsourced and cloud projects in accordance with this paper. Key Definitions 58. Unclassified - not publicly available information. This comprises information that is unclassified, but requires additional protections as it is not publically releasable. It includes Information marked with any DLM. 59. Unclassified - information subject to the Privacy Act This comprises information that is subject to the Privacy Act 1988 and includes both Personal and Sensitive information as described in the Act. It includes: a. Personal information. This is information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion. b. Sensitive information (1) information or an opinion about an individual that is also personal information: i. racial or ethnic origin; ii. iii. political opinions; membership of a political association; iv. religious beliefs or affiliations; v. philosophical beliefs; vi. vii. membership of a professional or trade association; membership of a trade union; DSM Part 2:51 Page 11 of 14

12 viii. ix. sexual preferences or practices; criminal record; (2) health information about an individual; (3) genetic information about an individual that is not otherwise health information. 60. Within Defence this information will be marked with the DLM Sensitive: Personal. However for the purposes of this part it is necessary to differentiate between the types of information and the definitions above are used. 61. Unclassified - publicly available information. This comprises information that the Australian Government makes publicly available. Example: The Defence internet presence and press releases. 62. Security classified information. Information which is security classified at PROTECTED, CONFIDENTIAL, SECRET or TOP SECRET. 63. Offshore arrangements. Information is stored or processed in equipment that is located outside of Australia. The mere transit of information is not considered storage or processing for the purposes of this policy. 64. Onshore arrangements. Information is stored or processed in equipment that is located within Australia. 65. Cloud computing. Is a delivery model for IT services. It is defined by the US National Institute of Standards and Technology (NIST) as a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. 66. There are three cloud service models indentified by NIST: a. Infrastructure as a Service (IaaS). This involves the vendor providing physical computer hardware including CPU processing, memory, data storage and network connectivity. The vendor may share their hardware among multiple customers referred to as multiple tenants using virtualisation software. IaaS enables customers to run operating systems and software applications of their choice. Typically the vendor controls and maintains the physical computer hardware and the customer controls and maintains the operating systems and software applications. b. Platform as a Service (PaaS). This involves the vendor providing Infrastructure as a Service plus operating systems and server applications such as web servers. PaaS enables customers to use the vendor s cloud infrastructure to deploy web applications and other software developed by the customer using programming languages supported by the vendor. Typically the vendor controls and maintains the physical computer hardware, operating systems and server applications and the customer only controls and maintains the software applications that they develop. c. Software as a Service (SaaS). This involves the vendor using their cloud infrastructure and cloud platforms to provide customers with software applications. Example applications include and collaborative working environments for users to develop and share files such as documents and spreadsheets. These end-user applications are typically accessed by users via a web browser, eliminating the need for the user to install or maintain additional software. Typically the vendor controls and maintains the physical computer hardware, operating systems DSM Part 2:51 Page 12 of 14

13 and software applications. The customer only controls and maintains limited application configuration settings specific to users such as creating address distribution lists. 67. There are three cloud deployment models indentified in the PSPF. These models are PSPF policy specific, NIST uses different deployment models: a. Domestically hosted public cloud. Information is stored or processed by equipment which is located in Australia, offers services to the public, and is not under the direct control of the Australian Government. It involves an organisation using a vendor s cloud infrastructure which is shared via the Internet with many other organisations and members of the public. For example, a multi-tenant data centre located in Australia. Note: An internationally hosted public cloud has the same requirements as Offshore Processing and is therefore not differentiated in this policy. b. Domestically hosted private cloud. Information that is stored or processed by equipment which is located in Australia, is serviced by Australian residents and is restricted to a single or small class of tenants. The facility can be under the direct control of the Australian Government. It involves Defence exclusive use of cloud infrastructure and services located at the Defence premises or offsite, and managed by the Defence or a vendor. Example: A data centre in operated and managed in Australia operated by the private sector for use by the government. c. Community cloud. A type of private cloud that is shared by several organisations with similar security requirements and a need to store or process data of similar sensitivity. Example: A data centre shared between multiple departments. Further Definitions 68. Further definitions for common DSM terms can be found in the Glossary DSM Part 2:51 Page 13 of 14

14 Annexes and Attachments N/A This part currently has no annexes or attachments. DSM Part 2:51 Page 14 of 14

UNCLASSIFIED UNCONTROLLED-IF-PRINTED. Public

UNCLASSIFIED UNCONTROLLED-IF-PRINTED. Public Defence Security Manual DSM Part 2:5 Security Awareness and Training Version 4 ation date July 2015 Amendment list 17 Optimised for Screen; Print; Screen Reader Releasable to Compliance Requirements Defence

More information

UNCLASSIFIED UNCONTROLLED-IF-PRINTED. Public

UNCLASSIFIED UNCONTROLLED-IF-PRINTED. Public Defence Security Manual DSM Part 2:41 Security for Projects and Capability Planning Version 3 ation date July 2015 Amendment list 24 Optimised for Screen; Print; Screen Reader Releasable to Compliance

More information

Cloud Computing and Records Management

Cloud Computing and Records Management GPO Box 2343 Adelaide SA 5001 Tel (+61 8) 8204 8773 Fax (+61 8) 8204 8777 DX:336 srsarecordsmanagement@sa.gov.au www.archives.sa.gov.au Cloud Computing and Records Management June 2015 Version 1 Version

More information

Australian Government Information Security Manual CONTROLS

Australian Government Information Security Manual CONTROLS 2015 Australian Government Information Security Manual CONTROLS 2015 Australian Government Information Security Manual CONTROLS Commonwealth of Australia 2015 All material presented in this publication

More information

Privacy and Cloud Computing for Australian Government Agencies

Privacy and Cloud Computing for Australian Government Agencies Privacy and Cloud Computing for Australian Government Agencies Better Practice Guide February 2013 Version 1.1 Introduction Despite common perceptions, cloud computing has the potential to enhance privacy

More information

Email Protective Marking Standard Implementation Guide for the Australian Government

Email Protective Marking Standard Implementation Guide for the Australian Government Email Protective Marking Standard Implementation Guide for the Australian Government May 2012 (V2012.1) Page 1 of 14 Disclaimer The Department of Finance and Deregulation (Finance) has prepared this document

More information

Australian Government Information Security Manual CONTROLS

Australian Government Information Security Manual CONTROLS 2014 Australian Government Information Security Manual CONTROLS 2014 Australian Government Information Security Manual CONTROLS Commonwealth of Australia 2014 All material presented in this publication

More information

Protective security governance guidelines

Protective security governance guidelines Protective security governance guidelines Security of outsourced services and functions Approved 13 September 2011 Version 1.0 Commonwealth of Australia 2011 All material presented in this publication

More information

(a) the kind of data and the harm that could result if any of those things should occur;

(a) the kind of data and the harm that could result if any of those things should occur; Cloud Computing This information leaflet aims to advise organisations on the factors they should take into account in considering engaging cloud computing. It explains the relevance of the Personal Data

More information

NSW Government Digital Information Security Policy

NSW Government Digital Information Security Policy NSW Government Digital Information Security Policy Version: 2.0 Date: April 2015 CONTENTS PART 1 PRELIMINARY... 3 1.1 Scope... 3 1.2 Application... 3 1.3 Objectives... 3 PART 2 POLICY STATEMENT... 4 Core

More information

Whitepaper. Implications of Federal Privacy Reforms for Federal Government Agencies. Date Released: 1 August 2013

Whitepaper. Implications of Federal Privacy Reforms for Federal Government Agencies. Date Released: 1 August 2013 Whitepaper Implications of Federal Privacy Reforms for Federal Government Agencies Date Released: 1 August 2013 Authors: Amanda Biggs and Helaine Leggat Disclaimer This White Paper is published for general

More information

Information System Audit Guide

Information System Audit Guide Australian Government Department of Defence Information System Audit Guide VERSION 11.1 January 2012 Commonwealth of Australia 2011 Page 1 TABLE OF CONTENTS 1. INTRODUCTION TO ACCREDITATION...4 2. THE

More information

NSW Government Digital Information Security Policy

NSW Government Digital Information Security Policy NSW Government Digital Information Security Policy Version: 1.0 Date: November 2012 CONTENTS PART 1 PRELIMINARY... 3 1.1 Scope... 3 1.2 Application... 3 1.3 Objectives... 3 PART 2 CORE REQUIREMENTS...

More information

UNCLASSIFIED UNCONTROLLED-IF-PRINTED. Public

UNCLASSIFIED UNCONTROLLED-IF-PRINTED. Public Defence Security Manual DSM Part 2:61 Access Control and Identity Management Version 7 ation date July 2015 Amendment list 16 Optimised for Screen; Print; Screen Reader Releasable to Compliance Requirements

More information

ADRI. Advice on managing the recordkeeping risks associated with cloud computing. ADRI-2010-1-v1.0

ADRI. Advice on managing the recordkeeping risks associated with cloud computing. ADRI-2010-1-v1.0 ADRI Advice on managing the recordkeeping risks associated with cloud computing ADRI-2010-1-v1.0 Version 1.0 29 July 2010 Advice on managing the recordkeeping risks associated with cloud computing 2 Copyright

More information

Protective Security Governance Policy. Outlines ANAO protective security arrangements

Protective Security Governance Policy. Outlines ANAO protective security arrangements Protective Security Governance Policy Outlines ANAO protective security arrangements Version 2.0 Effective JULY 2012 Document management Document identification Document ID Document title Release authority

More information

Guidelines approved under Section 95A of the Privacy Act 1988. December 2001

Guidelines approved under Section 95A of the Privacy Act 1988. December 2001 Guidelines approved under Section 95A of the Privacy Act 1988 December 2001 i Commonwealth of Australia 2001 ISBN Print: 1864961074 Online: 1864961139 This work is copyright. Apart from any use as permitted

More information

AUSTRALIAN GOVERNMENT INFORMATION MANAGEMENT OFFICE CYBER SECURITY CAPABILITY FRAMEWORK & MAPPING OF ISM ROLES

AUSTRALIAN GOVERNMENT INFORMATION MANAGEMENT OFFICE CYBER SECURITY CAPABILITY FRAMEWORK & MAPPING OF ISM ROLES AUSTRALIAN GOVERNMENT INFORMATION MANAGEMENT OFFICE CYBER SECURITY CAPABILITY FRAMEWORK & MAPPING OF ISM ROLES Final Report Prepared by Dr Janet Tweedie & Dr Julie West June 2010 Produced for AGIMO by

More information

Information Integrity & Data Management

Information Integrity & Data Management Group Standard Information Integrity & Data Management Serco recognises its responsibility to ensure that any information and data produced meets customer, legislative and regulatory requirements and is

More information

Security Awareness and Training

Security Awareness and Training T h e A u d i t o r - G e n e r a l Audit Report No.25 2009 10 Performance Audit A u s t r a l i a n N a t i o n a l A u d i t O f f i c e Commonwealth of Australia 2010 ISSN 1036 7632 ISBN 0 642 81115

More information

Information Security Registered Assessors Program - Gatekeeper PKI Framework Guide

Information Security Registered Assessors Program - Gatekeeper PKI Framework Guide Information Security Registered Assessors Program - Gatekeeper PKI Framework Guide V2.0 NOVEMBER 2014 Information Security Registered Assessors Program - Gatekeeper PKI Framework Guide V 2.0 NOVEMBER

More information

IRAP Policy and Procedures up to date as of 16 September 2014.

IRAP Policy and Procedures up to date as of 16 September 2014. Australian Signals Directorate Cyber and Information Security Division Information Security Registered Assessors Program Policy and Procedures 09/2014 IRAP Policy and Procedures 09/2014 1 IRAP Policy and

More information

august09 tpp 09-05 Internal Audit and Risk Management Policy for the NSW Public Sector OFFICE OF FINANCIAL MANAGEMENT Policy & Guidelines Paper

august09 tpp 09-05 Internal Audit and Risk Management Policy for the NSW Public Sector OFFICE OF FINANCIAL MANAGEMENT Policy & Guidelines Paper august09 09-05 Internal Audit and Risk Management Policy for the NSW Public Sector OFFICE OF FINANCIAL MANAGEMENT Policy & Guidelines Paper Preface Corporate governance - which refers broadly to the processes

More information

Virginia Commonwealth University School of Medicine Information Security Standard

Virginia Commonwealth University School of Medicine Information Security Standard Virginia Commonwealth University School of Medicine Information Security Standard Title: Scope: Business Continuity Management Standard for IT Systems This standard is applicable to all VCU School of Medicine

More information

University of Sunderland Business Assurance Information Security Policy

University of Sunderland Business Assurance Information Security Policy University of Sunderland Business Assurance Information Security Policy Document Classification: Public Policy Reference Central Register Policy Reference Faculty / Service IG 003 Policy Owner Assistant

More information

Information Security: Cloud Computing

Information Security: Cloud Computing Information Security: Cloud Computing Simon Taylor MSc CLAS CISSP CISMP PCIRM Director & Principal Consultant All Rights Reserved. Taylor Baines Limited is a Registered Company in England & Wales. Registration

More information

E-SECURITY REVIEW 2008 DISCUSSION PAPER FOR PUBLIC CONSULTATION

E-SECURITY REVIEW 2008 DISCUSSION PAPER FOR PUBLIC CONSULTATION 1. Introduction E-SECURITY REVIEW 2008 DISCUSSION PAPER FOR PUBLIC CONSULTATION Australia s national security and economic and social well-being rely upon the use and availability of a range of Information

More information

Third Party Identity Services Assurance Framework. Information Security Registered Assessors Program Guide

Third Party Identity Services Assurance Framework. Information Security Registered Assessors Program Guide Third Party Identity Services Assurance Framework Information Security Registered Assessors Program Guide Version 2.0 December 2015 Digital Transformation Office Commonwealth of Australia 2015 This work

More information

HMG Security Policy Framework

HMG Security Policy Framework HMG Security Policy Framework Security Policy Framework 3 Foreword Sir Jeremy Heywood, Cabinet Secretary Chair of the Official Committee on Security (SO) As Cabinet Secretary, I have a good overview of

More information

NSW Government. Data Centre & Cloud Readiness Assessment Services Standard. v1.0. June 2015

NSW Government. Data Centre & Cloud Readiness Assessment Services Standard. v1.0. June 2015 NSW Government Data Centre & Cloud Readiness Assessment Services Standard v1.0 June 2015 ICT Services Office of Finance & Services McKell Building 2-24 Rawson Place SYDNEY NSW 2000 standards@finance.nsw.gov.au

More information

Crime Statistics Data Security Standards. Office of the Commissioner for Privacy and Data Protection

Crime Statistics Data Security Standards. Office of the Commissioner for Privacy and Data Protection Crime Statistics Data Security Standards Office of the Commissioner for Privacy and Data Protection 2015 Document details Security Classification Dissemination Limiting Marker Dissemination Instructions

More information

Securing Information in an Outsourcing Environment (Guidance for Critical Infrastructure Providers)

Securing Information in an Outsourcing Environment (Guidance for Critical Infrastructure Providers) Securing Information in an Outsourcing Environment (Guidance for Critical Infrastructure Providers) June 2011 DISCLAIMER: This document is intended as a general guide only. To the extent permitted by law,

More information

The Management of Physical Security

The Management of Physical Security The Auditor-General Audit Report No.49 2013 14 Performance Audit Australian Crime Commission Geoscience Australia Royal Australian Mint Australian National Audit Office Commonwealth of Australia 2014 ISSN

More information

TICSA. Telecommunications (Interception Capability and Security) Act 2013. Guidance for Network Operators. www.gcsb.govt.nz www.ncsc.govt.

TICSA. Telecommunications (Interception Capability and Security) Act 2013. Guidance for Network Operators. www.gcsb.govt.nz www.ncsc.govt. TICSA Telecommunications (Interception Capability and Security) Act 2013 Guidance for Network Operators www.gcsb.govt.nz www.ncsc.govt.nz Contents Introduction...2 Overview of the Guidance...3 Focus of

More information

Information Privacy Policy

Information Privacy Policy Information Privacy Policy pol-032 Version: 2.01 Last amendment: Oct 2014 Next Review: Aug 2017 Approved By: Council Date: 04 May 2005 Contact Officer: Director, Strategic Services and Governance INTRODUCTION

More information

Department of the Premier and Cabinet Circular. PC030 Protective Security Policy Framework

Department of the Premier and Cabinet Circular. PC030 Protective Security Policy Framework Department of the Premier and Cabinet Circular PC030 Protective Security Policy Framework February 2012 PROTECTIVE SECURITY MANAGEMENT FRAMEWORK TABLE OF CONTENTS TABLE OF CONTENTS 2 1. PURPOSE 3 2. SCOPE

More information

The CIPM certification is comprised of two domains: Privacy Program Governance (I) and Privacy Program Operational Life Cycle (II).

The CIPM certification is comprised of two domains: Privacy Program Governance (I) and Privacy Program Operational Life Cycle (II). Page 1 of 7 The CIPM certification is comprised of two domains: Privacy Program Governance (I) and Privacy Program Operational Life Cycle (II). Domain I provides a solid foundation for the governance of

More information

Entrepreneurs Programme - Business Growth Grants

Entrepreneurs Programme - Business Growth Grants Entrepreneurs Programme - Business Growth Grants Version: 15 July 2015 Contents 1 Purpose of this guide... 4 2 Programme overview... 4 2.1 Business Management overview... 4 3 Business Growth Grant... 5

More information

Information Sheet: Cloud Computing

Information Sheet: Cloud Computing info sheet 03.11 Information Sheet: Cloud Computing Info Sheet 03.11 May 2011 This Information Sheet gives a brief overview of how the Information Privacy Act 2000 (Vic) applies to cloud computing technologies.

More information

IT Security Management

IT Security Management The Auditor-General Audit Report No.23 2005 06 Protective Security Audit Australian National Audit Office Commonwealth of Australia 2005 ISSN 1036 7632 ISBN 0 642 80882 1 COPYRIGHT INFORMATION This work

More information

FSDF SPATIAL INFORMATION MANAGEMENT POLICIES SECURITY

FSDF SPATIAL INFORMATION MANAGEMENT POLICIES SECURITY FSDF SPATIAL INFORMATION MANAGEMENT POLICIES SECURITY Objective: Securing the Foundation Spatial Data Framework. This document is presented by ANZLIC the Spatial Information Council, representing the Australian

More information

RECORDS MANAGEMENT POLICY

RECORDS MANAGEMENT POLICY RECORDS MANAGEMENT POLICY POLICY STATEMENT The records of Legal Aid NSW are a major component of its corporate memory and risk management strategies. They are a vital asset that support ongoing operations

More information

QUEENSLAND COUNTRY HEALTH FUND. privacy policy. Queensland Country Health Fund Ltd ABN 18 085 048 237. better health cover shouldn t hurt

QUEENSLAND COUNTRY HEALTH FUND. privacy policy. Queensland Country Health Fund Ltd ABN 18 085 048 237. better health cover shouldn t hurt QUEENSLAND COUNTRY HEALTH FUND privacy policy Queensland Country Health Fund Ltd ABN 18 085 048 237 better health cover shouldn t hurt 1 2 contents 1. Introduction 4 2. National Privacy Principles 5 3.

More information

Security in the Cloud: Visibility & Control of your Cloud Service Providers

Security in the Cloud: Visibility & Control of your Cloud Service Providers Whitepaper: Security in the Cloud Security in the Cloud: Visibility & Control of your Cloud Service Providers Date: 11 Apr 2012 Doc Ref: SOS-WP-CSP-0412A Author: Pierre Tagle Ph.D., Prashant Haldankar,

More information

Government Owned Corporations. Corporate Governance Guidelines for Government Owned Corporations

Government Owned Corporations. Corporate Governance Guidelines for Government Owned Corporations Government Owned Corporations Corporate Governance Guidelines for Government Owned Corporations Version 2.0 The State of Queensland (Queensland Treasury) The Queensland Government supports and encourages

More information

Cloud Computing. Introduction

Cloud Computing. Introduction Cloud Computing Introduction This information leaflet aims to advise organisations which are considering engaging cloud computing on the factors they should consider. It explains the relationship between

More information

University of New England Compliance Management Framework and Procedures

University of New England Compliance Management Framework and Procedures University of New England Compliance Management Framework and Procedures Document data: Document type: Administering entity: Framework and Procedures Audit and Risk Directorate Records management system

More information

Information Governance Policy

Information Governance Policy Information Governance Policy Implementation date: 30 September 2014 Control schedule Approved by Corporate Policy and Strategy Committee Approval date 30 September 2014 Senior Responsible Officer Kirsty-Louise

More information

Data Protection Act 1998. Guidance on the use of cloud computing

Data Protection Act 1998. Guidance on the use of cloud computing Data Protection Act 1998 Guidance on the use of cloud computing Contents Overview... 2 Introduction... 2 What is cloud computing?... 3 Definitions... 3 Deployment models... 4 Service models... 5 Layered

More information

Information Governance Policy A council-wide information management policy. Version 1.0 June 2013

Information Governance Policy A council-wide information management policy. Version 1.0 June 2013 Information Governance Policy Version 1.0 June 2013 Copyright Notification Copyright London Borough of Islington 2012 This document is distributed under the Creative Commons Attribution 2.5 license. This

More information

Head of Information & Communications Technology Responsible work team: ICT Security. Key point summary... 2

Head of Information & Communications Technology Responsible work team: ICT Security. Key point summary... 2 Policy Procedure Information security policy Policy number: 442 Old instruction number: MAN:F005:a1 Issue date: 24 August 2006 Reviewed as current: 11 July 2014 Owner: Head of Information & Communications

More information

43: DATA SECURITY POLICY

43: DATA SECURITY POLICY 43: DATA SECURITY POLICY DATE OF POLICY: FEBRUARY 2013 STAFF RESPONSIBLE: HEAD/DEPUTY HEAD STATUS: STATUTORY LEGISLATION: THE DATA PROTECTION ACT 1998 REVIEWED BY GOVERNING BODY: FEBRUARY 2013 EDITED:

More information

NSW Government. Cloud Services Policy and Guidelines

NSW Government. Cloud Services Policy and Guidelines NSW Government Cloud Services Policy and Guidelines August 2013 1 CONTENTS 1. Introduction 2 1.1 Policy statement 3 1.2 Purpose 3 1.3 Scope 3 1.4 Responsibility 3 2. Cloud services for NSW Government 4

More information

Cloud Computing in a Government Context

Cloud Computing in a Government Context Cloud Computing in a Government Context Introduction There has been a lot of hype around cloud computing to the point where, according to Gartner, 1 it has become 'deafening'. However, it is important

More information

Information Security and Governance Policy

Information Security and Governance Policy Information Security and Governance Policy Version: 1.0 Ratified by: Information Governance Group Date ratified: 19 th October 2012 Name of organisation / author: Derek Wilkinson Name of responsible Information

More information

ACT Auditor-General s Office. Performance Audit Report. Whole-of-Government Information and Communication Technology Security Management and Services

ACT Auditor-General s Office. Performance Audit Report. Whole-of-Government Information and Communication Technology Security Management and Services ACT Auditor-General s Office Performance Audit Report Whole-of-Government Information and Communication Technology Security Management and Services Report No. 2 / 2012 PA 09/03 The Speaker ACT Legislative

More information

Entrepreneurs Programme - Business Evaluation. Version: 3

Entrepreneurs Programme - Business Evaluation. Version: 3 Entrepreneurs Programme - Business Evaluation Version: 3 20 October 2015 Contents 1 Purpose of this guide... 4 2 Programme overview... 4 2.1 Business Management overview... 4 3 Business Evaluations...

More information

Guideline for Roles & Responsibilities in Information Asset Management

Guideline for Roles & Responsibilities in Information Asset Management ISO 27001 Implementer s Forum Guideline for Roles & Responsibilities in Information Asset Management Document ID ISMS/GL/ 003 Classification Internal Use Only Version Number Initial Owner Issue Date 07-08-2009

More information

Australian Government Cloud Computing Policy

Australian Government Cloud Computing Policy Australian Government Cloud Computing Policy Maximising the Value of Cloud VERSION 2.1 JULY 2013 AGIMO is part of the Department of Finance and Deregulation Contents Foreword 3 Introduction 4 Policy 5

More information

005ASubmission to the Serious Data Breach Notification Consultation

005ASubmission to the Serious Data Breach Notification Consultation 005ASubmission to the Serious Data Breach Notification Consultation (Consultation closes 4 March 2016 please send electronic submissions to privacy.consultation@ag.gov.au) Your details Name/organisation

More information

Guideline 2. Cloud Computing: Tools. Public Record Office Victoria Cloud Computing Policy. Version Number: 1.0. Issue Date: 26/06/2013

Guideline 2. Cloud Computing: Tools. Public Record Office Victoria Cloud Computing Policy. Version Number: 1.0. Issue Date: 26/06/2013 Public Record Office Victoria Cloud Computing Policy Guideline 2 Cloud Computing: Tools Version Number: 1.0 Issue Date: 26/06/2013 Expiry Date: 26/06/2018 State of Victoria 2013 Version 1.0 Table of Contents

More information

Information Security Guideline for NSW Government Part 1 Information Security Risk Management

Information Security Guideline for NSW Government Part 1 Information Security Risk Management Department of Commerce Guidelines Information Security Guideline for NSW Government Part 1 Information Security Risk Management Issue No: 3.2 First Published: Sept 1997 Current Version: Jun 2003 Table

More information

Managing Cloud Computing Risk

Managing Cloud Computing Risk Managing Cloud Computing Risk Presented By: Dan Desko; Manager, Internal IT Audit & Risk Advisory Services Schneider Downs & Co. Inc. ddesko@schneiderdowns.com Learning Objectives Understand how to identify

More information

Guide to the National Safety and Quality Health Service Standards for health service organisation boards

Guide to the National Safety and Quality Health Service Standards for health service organisation boards Guide to the National Safety and Quality Health Service Standards for health service organisation boards April 2015 ISBN Print: 978-1-925224-10-8 Electronic: 978-1-925224-11-5 Suggested citation: Australian

More information

Guideline 2. Cloud Computing: Tools. Public Record Office Victoria Cloud Computing Policy. Version Number: 1.0. Issue Date: 26/06/2013

Guideline 2. Cloud Computing: Tools. Public Record Office Victoria Cloud Computing Policy. Version Number: 1.0. Issue Date: 26/06/2013 Public Record Office Victoria Cloud Computing Policy Guideline 2 Cloud Computing: Tools Version Number: 1.0 Issue Date: 26/06/2013 Expiry Date: 26/06/2018 State of Victoria 2013 Version 1.0 Table of Contents

More information

Australian Government Cloud Computing Policy

Australian Government Cloud Computing Policy Australian Government Cloud Computing Policy Maximising the Value of Cloud VERSION 2.0 MAY 2013 AGIMO is part of the Department of Finance and Deregulation Contents Foreword 3 Introduction 4 Australian

More information

Financial Services Guidance Note Outsourcing

Financial Services Guidance Note Outsourcing Financial Services Guidance Note Issued: April 2005 Revised: August 2007 Table of Contents 1. Introduction... 3 1.1 Background... 3 1.2 Definitions... 3 2. Guiding Principles... 5 3. Key Risks of... 14

More information

Cloud Computing and Security Risk Analysis Qing Liu Technology Architect STREAM Technology Lab Qing.Liu@chi.frb.org

Cloud Computing and Security Risk Analysis Qing Liu Technology Architect STREAM Technology Lab Qing.Liu@chi.frb.org Cloud Computing and Security Risk Analysis Qing Liu Technology Architect STREAM Technology Lab Qing.Liu@chi.frb.org 1 Disclaimers This presentation provides education on Cloud Computing and its security

More information

Information Governance Strategy and Policy. OFFICIAL Ownership: Information Governance Group Date Issued: 15/01/2015 Version: 2.

Information Governance Strategy and Policy. OFFICIAL Ownership: Information Governance Group Date Issued: 15/01/2015 Version: 2. Information Governance Strategy and Policy Ownership: Information Governance Group Date Issued: 15/01/2015 Version: 2.0 Status: Final Revision and Signoff Sheet Change Record Date Author Version Comments

More information

Information Security Policies. Version 6.1

Information Security Policies. Version 6.1 Information Security Policies Version 6.1 Information Security Policies Contents: 1. Information Security page 3 2. Business Continuity page 5 3. Compliance page 6 4. Outsourcing and Third Party Access

More information

UNCLASSIFIED UNCONTROLLED-IF-PRINTED. Public

UNCLASSIFIED UNCONTROLLED-IF-PRINTED. Public DSM Supplementary Document Annex I to DSM Part 2:30 Classificvation and Protection of Official Information - Disposal and Destruction of Protectively Marked Information and Assets Version 7 ation date

More information

Procedures. Issue Date: June 2014 Version Number: 2.0. Document Number: POL_1009. Status: Approved Next Review Date: April 2017 Page 1 of 17

Procedures. Issue Date: June 2014 Version Number: 2.0. Document Number: POL_1009. Status: Approved Next Review Date: April 2017 Page 1 of 17 Proforma: Information Policy Security & Corporate Policy Procedures Status: Approved Next Review Date: April 2017 Page 1 of 17 Issue Date: June 2014 Prepared by: Information Governance Senior Manager Status:

More information

Managing internet security

Managing internet security Managing internet security GOOD PRACTICE GUIDE Contents About internet security 2 What are the key components of an internet system? 3 Assessing internet security 4 Internet security check list 5 Further

More information

PRIVACY POLICY Personal information and sensitive information Information we request from you

PRIVACY POLICY Personal information and sensitive information Information we request from you PRIVACY POLICY Business Chicks Pty Ltd A.C.N. 121 566 934 (we, us, our, or Business Chicks) recognises and values the protection of your privacy. We also understand that you want clarity about how we manage

More information

Risk Management Policy and Framework

Risk Management Policy and Framework Risk Management Policy and Framework December 2014 phone 1300 360 605 08 89589500 email info@centraldesert.nt.gov.au location 1Bagot Street Alice Springs NT 0870 post PO Box 2257 Alice Springs NT 0871

More information

Disclosure is the action of making new or secret information known.

Disclosure is the action of making new or secret information known. /PURPOSE OF POLICY Pty Limited (Momentum) is required and committed to comply with the Australian Privacy Principles (APPs) in the Privacy Act 1998 (Cth) (Privacy Act). The APPs regulate the manner in

More information

WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY

WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY DATA LABEL: PUBLIC INFORMATION SECURITY POLICY CONTENTS 1. INTRODUCTION... 3 2. MAIN OBJECTIVES... 3 3. LEGISLATION... 4 4. SCOPE... 4 5. STANDARDS... 4

More information

AISA Position Statement: Mandatory Data Breach Notification in Australia

AISA Position Statement: Mandatory Data Breach Notification in Australia AISA Position Statement: Mandatory Data Breach Notification in Australia Overview Although AISA members are broadly in support of mandatory data breach notification in Australia they have a number of concerns

More information

Electronic business conditions of use

Electronic business conditions of use Electronic business conditions of use This document provides Water Corporation s Electronic Business Conditions of Use. These are to be applied to all applications, which are developed for external users

More information

Cloud Security Trust Cisco to Protect Your Data

Cloud Security Trust Cisco to Protect Your Data Trust Cisco to Protect Your Data As cloud adoption accelerates, organizations are increasingly placing their trust in third-party cloud service providers (CSPs). But can you fully trust your most sensitive

More information

DATA PROTECTION POLICY

DATA PROTECTION POLICY Reference number Approved by Information Management and Technology Board Date approved 14 th May 2012 Version 1.1 Last revised N/A Review date May 2015 Category Information Assurance Owner Data Protection

More information

NATIONAL PARTNERSHIP AGREEMENT ON E-HEALTH

NATIONAL PARTNERSHIP AGREEMENT ON E-HEALTH NATIONAL PARTNERSHIP AGREEMENT ON E-HEALTH Council of Australian Governments An agreement between the Commonwealth of Australia and the States and Territories, being: The State of New South Wales The State

More information

All CCG staff. This policy is due for review on the latest date shown above. After this date, policy and process documents may become invalid.

All CCG staff. This policy is due for review on the latest date shown above. After this date, policy and process documents may become invalid. Policy Type Information Governance Corporate Standing Operating Procedure Human Resources X Policy Name CCG IG03 Information Governance & Information Risk Policy Status Committee approved by Final Governance,

More information

Compliance Management Framework. Managing Compliance at the University

Compliance Management Framework. Managing Compliance at the University Compliance Management Framework Managing Compliance at the University Risk and Compliance Office Effective from 07-10-2014 Contents 1 Compliance Management Framework... 2 1.1 Purpose of the Compliance

More information

Microsoft Pty Ltd. Australian Financial System Inquiry: Response to request for further submissions

Microsoft Pty Ltd. Australian Financial System Inquiry: Response to request for further submissions Microsoft Pty Ltd Australian Financial System Inquiry: Response to request for further submissions August 2014 1 Response in relation to Chapter 9 of the Interim Report Microsoft is pleased to respond

More information

Information Security Policy. Document ID: 3809 Version: 1.0 Owner: Chief Security Officer, Security Services

Information Security Policy. Document ID: 3809 Version: 1.0 Owner: Chief Security Officer, Security Services Information Security Policy Document ID: 3809 Version: 1.0 Owner: Chief Security Officer, Security Services Contents 1 Purpose / Objective... 1 1.1 Information Security... 1 1.2 Purpose... 1 1.3 Objectives...

More information

Recordkeeping Policy

Recordkeeping Policy Public Record Office Victoria Standards and Policy Recordkeeping Policy Cloud Computing: Implications for Records Management Version Number: 1.0 Issue date: 04/04/2012 Closing for comments: 31/05/2012

More information

Information Security Handbook

Information Security Handbook Information Security Handbook Adopted 6/4/14 Page 0 Page 1 1. Introduction... 5 1.1. Executive Summary... 5 1.2. Governance... 5 1.3. Scope and Application... 5 1.4. Biennial Review... 5 2. Definitions...

More information

Cloud Procurement Discussion Paper. For Comment

Cloud Procurement Discussion Paper. For Comment Cloud Procurement Discussion Paper For Comment AUGUST 2014 Acronyms Acronym AGIMO ASD DCaaS MUL IaaS NIST PaaS RFT SaaS SCS Definition Australian Government Information Management Office Australian Signals

More information

APES GN 30 Outsourced Services

APES GN 30 Outsourced Services APES GN 30 Outsourced Services Prepared and issued by Accounting Professional & Ethical Standards Board Limited ISSUED: March 2013 Copyright 2013 Accounting Professional & Ethical Standards Board Limited

More information

Cloud Computing. Information Security and Privacy Considerations. April 2014

Cloud Computing. Information Security and Privacy Considerations. April 2014 Cloud Computing Information Security and Privacy Considerations April 2014 All-of-Government Cloud Computing: Information Security and Privacy Considerations April 2014 1 Crown copyright. This copyright

More information

Please note this policy is mandatory and staff are required to adhere to the content

Please note this policy is mandatory and staff are required to adhere to the content Policy ICT Security Please note this policy is mandatory and staff are required to adhere to the content Summary DECD is committed to ensuring its information is appropriately managed according to the

More information

Cloud Computing Governance & Security. Security Risks in the Cloud

Cloud Computing Governance & Security. Security Risks in the Cloud Cloud Computing Governance & Security The top ten questions you have to ask Mike Small CEng, FBCS, CITP Fellow Analyst, KuppingerCole This Webinar is supported by Agenda What is the Problem? Ten Cloud

More information

Align Technology. Data Protection Binding Corporate Rules Controller Policy. 2014 Align Technology, Inc. All rights reserved.

Align Technology. Data Protection Binding Corporate Rules Controller Policy. 2014 Align Technology, Inc. All rights reserved. Align Technology Data Protection Binding Corporate Rules Controller Policy Contents INTRODUCTION 3 PART I: BACKGROUND AND ACTIONS 4 PART II: CONTROLLER OBLIGATIONS 6 PART III: APPENDICES 13 2 P a g e INTRODUCTION

More information

ZEN Telecom Pty. Ltd. Privacy Policy

ZEN Telecom Pty. Ltd. Privacy Policy ZEN Telecom Pty. Ltd. Privacy Policy ZEN Telecom provides broadband internet, mobile voice & data, and PSTN fixed landline telephone, products and services, to residential and small to medium business

More information

Standards for Registered Training Organisations (RTOs) 2015

Standards for Registered Training Organisations (RTOs) 2015 Standards for Registered Training Organisations (RTOs) 2015 I, Ian Elgin Macfarlane, Minister for Industry, make this legislative instrument under subsection 185(1) and subsection 186(1) of the National

More information

LEGISLATION COMMITTEE OF THE CROATIAN PARLIAMENT

LEGISLATION COMMITTEE OF THE CROATIAN PARLIAMENT LEGISLATION COMMITTEE OF THE CROATIAN PARLIAMENT 2300 Pursuant to its authority from Article 59 of the Rules of Procedure of the Croatian Parliament, the Legislation Committee determined the revised text

More information

COMPLIANCE FRAMEWORK AND REPORTING GUIDELINES

COMPLIANCE FRAMEWORK AND REPORTING GUIDELINES COMPLIANCE FRAMEWORK AND REPORTING GUIDELINES DRAFT FOR CONSULTATION June 2015 38 Cavenagh Street DARWIN NT 0800 Postal Address GPO Box 915 DARWIN NT 0801 Email: utilities.commission@nt.gov.au Website:

More information