HIGH LEVEL COMPLIANCE REVIEW SECURITY CLASSIFIED LAW ENFORCEMENT DATA
Standards for Victoria Police Law Enforcement Data Security (Standards 27, 28, 29 & 30)

November 2008

Commissioner for Law Enforcement Data Security
Acknowledgement

This report was prepared for the Commissioner by Gary Sauvarin, Senior Project Officer Information Security, Office of the Commissioner for Law Enforcement Data Security, in consultation with relevant areas and employees of Victoria Police. Appreciation is expressed for the assistance and cooperation of Victoria Police members during the conduct of this review.

Published by: The Commissioner for Law Enforcement Data Security, PO Box 281, World Trade Centre, Melbourne Victoria 8005

November 2008

State of Victoria, 2008
Table of Contents

Executive Summary
1 Introduction
  Background
  Purpose and Scope
  Security Classified Law Enforcement Data Standards
  Approach
  Compliance Assessment Rating
  Definitions and Abbreviations
2. Standard
  Observations
  Findings
Standard
  Observations
  Findings
Standard
  Observations
  Findings
Standard
  Observations
  Findings
Conclusions and Recommendations
APPENDIX A Persons Interviewed and Documents Reviewed
APPENDIX B Response to the report by the Chief Commissioner of Police
Executive Summary

Under the Commissioner for Law Enforcement Data Security Act, 2005, the Commissioner is required to undertake monitoring activities, including audits, to monitor compliance by Victoria Police with standards and protocols established under the Act. A high level compliance review has been undertaken of the CLEDS Standards for Victoria Police Law Enforcement Data Security on Security Classified Law Enforcement Data.

Standard 27 requires the establishment of procedures for the identification and classification of law enforcement data requiring confidentiality. Standard 28 requires the establishment of policy and procedures to protect that data. Standard 29 requires that only personnel who meet the Australian Government Personnel Security Clearance requirements be given access to Australian Government classified data. Standard 30 requires that Australian Government approved products or solutions be used to protect Australian Government classified data. All four standards also require Victoria Police to ensure Approved Third Parties who access Victoria Police law enforcement data have similar requirements for Victoria Police data.

An assessment rating of Compliant (where all Standard requirements are implemented and operating), Partially Compliant (where implementing all requirements is in progress) or Non Compliant (where there is no evidence of action being taken to review and implement Standard requirements) is assigned as a result of the review.

Results of the Review

Proper implementation of a security classification system can be problematic in many organisations.
Misunderstanding about what the various levels of classification mean; how they should be applied; the various levels of protection needed, such as physical security, storage, handling, and movement; and the assumption that only material requiring confidentiality needs to be classified ('unclassified' is in itself a classification); can lead to a piecemeal approach to classification and result in bad practices such as over-classification or no classification action at all.

Victoria Police has documented policy and procedures for the identification and classification of data which meet the requirements of the CLEDS Standards and the Australian Government Protective Security Manual. Policy is currently under review and it is acknowledged that Victoria Police is already undertaking work to improve the implementation of its security classification system.

This review identifies that work remains to be done regarding the implementation of security classified data policy and procedures.
Standard operating procedures in the areas handling nationally classified data need to be reviewed for consistency and strengthened. Two of the three key areas handling nationally classified information comply with Australian Government requirements with regard to physical security and equipment. A security assessment of all areas handling Australian Government classified data should be carried out to ensure full compliance and Australian Government certification of those areas should be sought and documented. Such a security assessment needs to move beyond those areas which currently hold Australian Security Network (ASNET) equipment to the immediate environments of senior members of Corporate Committee who regularly handle nationally classified material.

More generally, implementation of the documented classification procedures needs to be improved. Policy and procedures do not seem to be fully understood, nor carried out in a constant and systematic way across the organisation. A broad review of current practices is required.

Identified staff are given the appropriate security clearance to access nationally classified material. However, Victoria Police has yet to introduce procedures to identify Designated Security Assessed Positions and Positions of Trust and execute all appropriate clearances.

The IT systems need to be properly classified and BITS should review all IT systems to ensure that only Defence Signals Directorate Approved Products and solutions are used, where required.

A security classification awareness campaign is necessary to ensure that staff fully understand how and when to classify information and the implications for protection of each level of classification. It should be noted that it is possible to over-classify, which then places a greater, although unnecessary, duty of protection on the material.
Existing agreements with Approved Third Parties do not comply with relevant data security classification requirements. Victoria Police are renegotiating the agreements, after which Victoria Police will be compliant with this section of the Security Classification Standards.

The Commissioner finds Victoria Police PARTIALLY COMPLIANT with Standards 27, 28, 29 and 30 of the Standards for Victoria Police Law Enforcement Data.

Recommendations

1. That Victoria Police provide a time frame for Departments and Regions to implement the policy and procedures for the identification and classification of law enforcement data and conduct a Force-wide security classification awareness campaign.

2. That consideration is given to making the Document Security Best Practice Guideline a binding instruction and that relevant Standard Operating Procedures be reviewed to ensure compliance with the CLEDS standards and Victoria Police policy on security classified data.

That Victoria Police establish a process and timeline for the classification of all Victoria Police IT systems, taking into account the principles of compartmentalisation and aggregation.

That the Agency Security Advisor review the implementation of procedures in areas handling nationally classified material, including the offices of those members of Corporate Committee who handle nationally classified material, to ensure that Protective Security Manual requirements are always met.
That Victoria Police introduce a system of Designated Security Assessed Positions (DSAPs) and Positions of Trust (POTs) and execute appropriate clearances.

That the Agency Security Advisor review access arrangements in all relevant areas to ensure access is properly controlled.

That Victoria Police undertake physical security assessments of all areas handling Australian Government classified data and implement the findings of those assessments.

David Watts
Commissioner for Law Enforcement Data Security
November
1 Introduction

1.1 Background

The Standards for Law Enforcement Data Security were established in July 2007 by the Commissioner for Law Enforcement Data Security (CLEDS). The Standards and associated protocols are binding on Victoria Police.

Under the Commissioner for Law Enforcement Data Security Act 2005, the Commissioner is required to undertake monitoring activities, including audits, to monitor compliance by Victoria Police with standards and protocols established under the Act. The Commissioner has established an ongoing program of high level compliance reviews, as well as detailed risk based audits. The objective of a high level review is to identify whether documented policies and monitoring frameworks have been implemented by Victoria Police to meet the Standards and Protocols.

Security Classified Law Enforcement Data is one of fifteen categories of standards and protocols issued by CLEDS.

1.2 Purpose and Scope

The scope of this compliance review is confined to examining the existence and operation of Victoria Police policy and procedures in compliance with the requirements of the CLEDS Standards 27, 28, 29 and 30 on security classified law enforcement data.

1.3 Security Classified Law Enforcement Data Standards

Standards 27, 28, 29 and 30 provide that law enforcement data must be suitably classified according to the degree of its sensitivity and confidentiality, that those who access such data have commensurate security clearances and that appropriately approved products and solutions are used for nationally classified data. All four standards also require Victoria Police to ensure Approved Third Parties who access Victoria Police law enforcement data have similar requirements for Victoria Police data.

1.4 Approach

The high level compliance review involved discussions with key stakeholders, analysis of policy and procedures for compliance with the requirements of the relevant CLEDS Standards, and verification of process.
Agreements with Approved Third Parties for authorised access to Victoria Police law enforcement data were also reviewed for compliance with the relevant Standards.
1.5 Compliance Assessment Rating

The assessment of compliance was rated as one of the following:

- Compliant: Existing security controls meet the requirements and intent of the Standards and Protocols
- Partially Compliant: Existing security controls partially or inconsistently meet the requirements and intent of the Standards and Protocols
- Non Compliant: Existing security controls are consistently inadequate in meeting the requirements and intent of the Standards and Protocols

Recommendations are made where less than full compliance is identified.

1.6 Definitions and Abbreviations

The following definitions and abbreviations are used throughout this report.

- ASA: Agency Security Advisor
- ASNET: Australian Security Network
- BITS: Business Information Technology Services, Victoria Police
- CLEDS: Commissioner for Law Enforcement Data Security
- CTCU: Counter Terrorism Co-ordination Unit, Victoria Police
- DAP: Defence Signals Directorate (DSD) Approved Products
- DSAP: Designated Security Assessed Position (a designated position with a security clearance to access nationally classified data)
- EISP: Enterprise Information Security Policy
- ITSA: Information Technology Security Advisor
- POT: Position of Trust (a position with a security clearance to access non-nationally classified data)
- PSM: Australian Government Protective Security Manual
- SOP: Standard Operating Procedure
- VPM: Victoria Police Manual
- WITSEC: Witness Security Unit, Victoria Police
2. Standard

Victoria Police must establish clear and definitive procedures for the identification and classification of law enforcement data requiring confidentiality. Victoria Police must ensure that Agreements with Approved Third Parties include the requirement to establish clear and definitive procedures for the identification and classification of law enforcement data requiring confidentiality.

Observations

The security classification procedures contained in VPM Instruction and the Document Security Best Practice Guideline are detailed and very clear. They reflect exactly the security classifications contained in the CLEDS Standards and the Australian Government Protective Security Manual (PSM).

The definition of document for the purpose of the binding VPM Instruction is anything on which information is recorded as words, symbols, images or impressions. Examples adequately cover all forms of law enforcement data as they include (but are not restricted to): electronic data, electronic documents, correspondence, film recordings, hardcopy documents, information stored on discs or removable media, photographs, screen printouts and sound recordings.

National security classified material is considered to be out of scope for VPM The Instruction, however, mandates that workplaces that receive, create and/or disseminate documents containing NATIONAL security information must protect that information by fully implementing all relevant security controls documented in the Protective Security Manual.

The Victoria Police Document Security Best Practice Guideline, which predates promulgation of the CLEDS Standards, cites the Protective Security Manual as the authoritative reference for document security.

The security classification regime is further reinforced by current work in two areas.
The Agency Security Advisor (ASA) has widely distributed a simple two page sheet for classification and developed a comprehensive (draft) Quick Reference Guide. Business Information Technology Services (BITS) is developing a Security Classification Framework, which will lead staff through a series of questions about a document and automatically generate a security classification. The work being undertaken by the ASA and BITS will considerably assist with the implementation of Victoria Police's documented procedures for the security classification of law enforcement data.

While Victoria Police have policy and procedures in place for the identification and classification of documents, implementation is a problem. Incorrect or over-classification of documents is an issue for many organisations. Documents sighted by the Reviewer indicate that Victoria Police is no different. The proper implementation of a classification system is best addressed by an organisation-wide security classification awareness campaign to distribute the clear guidance which is already available.

Victoria Police IT systems are currently and notionally classified as x-in-confidence, although not given the protection that the Australian Government Protective Security Manual requires for that level of classification. There is also no doubt that parts of those systems hold data of a higher classification.
Existing agreements with Approved Third Parties do not include the requirement to establish clear and definitive procedures for the identification and classification of law enforcement data requiring confidentiality. Victoria Police has already agreed to renegotiate agreements with Approved Third Parties to ensure compliance with the CLEDS Standards (management response to CLEDS Relationships between Victoria Police and Approved Third Parties: Report of Compliance Review, March 2008). When all new agreements have been executed Victoria Police will be compliant with this section of Standard

Findings

Clear and definitive procedures for the identification and classification of law enforcement data requiring confidentiality are contained in the Victoria Police Manual (VPM Instruction Document Security), the Victoria Police Document Security Best Practice Guideline and the Enterprise Information Security Policy (EISP). The procedures documented meet the requirements of the Data Classification Scheme/Standards for Victoria Police Data Security issued by the Commissioner for Law Enforcement Data Security (Standards for Victoria Police Law Enforcement Data Security, chapter 10).

It must be noted that implementation of the documented procedures needs to be improved. The existence of improperly classified documents or files indicates that staff either ignore or are not fully aware of the simple and clearly documented procedures for identifying and classifying information.

Security classified data needs adequate protection. A file should be classified to the same level as the most highly classified document it contains. For the same reason, systems that hold electronic data need to be classified.
Because of the large quantities of data held in electronic systems, the principle of aggregation needs to be applied to the classification of those systems (that is, that the value and therefore level of protection accorded to a large quantity of interrelated documents may be greater than that of the individual documents themselves). The Commissioner is aware that the process of classifying Victoria Police IT systems will be complex and cannot be achieved quickly.

Once new CLEDS compliant agreements are executed with Approved Third Parties, Victoria Police will comply with this Standard.

Victoria Police partially complies with Standard
3. Standard 28

Victoria Police must establish policy and protocols to ensure that all Security Classified law enforcement data is adequately protected. Australian Government Security Classified data must be protected in accordance with Australian Government protective security standards. Victoria Police must ensure that Agreements with Approved Third Parties establish policy and protocols to ensure that all Security Classified law enforcement data is adequately protected.

3.1 Observations

VPM Instruction (section 6) gives brief procedures for the management and handling of security classified documents, including physical security, and refers staff to the Document Security Best Practice Guideline. The Guideline is not a binding instruction. It should be noted that the VPM is currently under review by the Corporate Strategy and Performance Department.

The Enterprise Information Security Policy is also a key policy document for Security Classified Information. It is currently under review by Business Information Technology Services. Proper harmonisation and continuity between policy, procedure and implementation needs to be ensured.

VPM clearly mandates that Australian Government Security Classified data must be protected in accordance with Australian Government protective security standards (the Protective Security Manual).

The Document Security Best Practice Guideline gives considerable detail of how security classified material is to be protected. The Guideline covers (other than the identification and classification of documents) the protective marking, auditing and recording, disclosure/access, storage, movement and disposal of security classified documents.
Of particular interest to the requirements of Standard 28 are the Security Procedure Tables which sit in Part 4 of the Guideline, which succinctly and very clearly tabulate the different procedures for the protection of documents at each level of classification up to, but not including, nationally classified material. Those procedures are reinforced in the Agency Security Advisor's (draft) Quick Reference/Security Awareness. The Information Security Tables contained in the ASA's Quick Reference cover all levels of classification, including nationally classified material, and deal succinctly with identification, preparation and handling, removal and auditing, copying, storage and disposal, physical transfer and electronic transmission.

Standard Operating Procedures sighted from areas with a high concentration of sensitive, particularly nationally classified data, are inconsistent in their coverage of procedures to protect security classified information. While all provide data protection measures, not all do this with the degree of detail given in the Guideline and not all refer the user back to VPM (although some more recent SOPs do refer the user generally to the CLEDS Standards). It should be noted that documented procedures for an area of considerable sensitivity like WITSEC are very comprehensive.
High level interviews conducted indicate that areas of Victoria Police handling nationally classified material understand the nature of the information they are receiving and holding and of the need to protect it. While issues of physical security and security clearance access are dealt with elsewhere in this report, areas handling nationally classified material are physically separated from other areas. There is not always clear separation within those areas of security cleared staff handling nationally classified material and uncleared staff handling material of a lower classification.

Procedures exist to limit access to secure stand-alone terminals and SCEC (Security Construction Equipment Committee) endorsed equipment is known to be used. The degree to which these procedures and equipment are always used to the satisfaction of PSM requirements is unknown and should be the subject of review by the Agency Security Advisor.

As already mentioned, existing agreements with Approved Third Parties do not comply with these standards but Victoria Police work in progress will ensure compliance by Victoria Police with this section of Standard

Findings

Policy and protocols have been established to protect Australian Government classified law enforcement data. A number of these are under review. Harmonisation needs to be ensured. Standard operating procedures could be strengthened and implementation of the documented procedures needs to be improved.

While PSM compliant procedures and solutions are in place in areas handling nationally classified material, there is no certainty that they are always implemented in all such areas.

Once new CLEDS compliant agreements are executed with Approved Third Parties, Victoria Police will comply with this Standard.

Victoria Police partially complies with Standard
4. Standard 29

Prior to being granted access to Australian Government Security Classified law enforcement data, Victoria Police Employees, Contractors, Consultants and Approved Third Parties must meet Australian Government Personnel Security Clearance requirements for access to that data. Victoria Police must ensure that Agreements with Approved Third Parties include the requirement to meet Australian Government Personnel Security Clearance requirements prior to being granted access to Security Classified law enforcement data.

4.1 Observations

Victoria Police departments/units handling Australian Government classified law enforcement data maintain spreadsheets of staff with national security clearances able to access that data. The Agency Security Advisor maintains the agency-wide, central security clearance database.

Procedures are implemented in the relevant areas to ensure that only staff with the appropriate security clearance access nationally classified material. Spreadsheets of staff with national security clearances are no longer shared between departments/units. The Agency Security Advisor's central database is currently held on the CTCU G:/ drive (with limited access), but will shortly be moved to a stand-alone computer in a secure area and be populated with the proper amount of detail.

The system for dealing with classified information promulgated in the Australian Government Protective Security Manual requires that certain positions are Designated Security Assessed Positions or Positions of Trust. Designated Security Assessed Positions (DSAP) are designated positions with a security clearance to access nationally classified data. Positions of Trust (POT) are positions with a security clearance to access non-nationally classified data. Victoria Police has yet to introduce procedures to identify Designated Security Assessed Positions and Positions of Trust and execute all appropriate clearances.
As already mentioned, existing agreements with Approved Third Parties do not comply with these standards but Victoria Police work in progress will ensure compliance by Victoria Police with this section of Standard

Findings

Implementation of policy to ensure that only appropriately cleared staff have access to nationally classified data depends on proper access procedures being in place. While security clearances are obtained for persons with access to nationally classified material, a system of Designated Security Assessed Positions and Positions of Trust should be introduced and access arrangements need to be reviewed to ensure policy is properly implemented.

New CLEDS compliant agreements need to be executed with Approved Third Parties.

Victoria Police partially complies with Standard
5. Standard 30

When implementing security for the protection of Australian Government Security Classified law enforcement data and systems, Victoria Police must use Defence Signals Directorate (DSD) Approved Products (DAP) or solutions that are in accordance with Australian Government protective security. Victoria Police must ensure that Agreements with Approved Third Parties include the requirement to use DSD Approved Products (DAP) or solutions that are in accordance with Australian Government protective security standards for the protection of Security Classified law enforcement data.

5.1 Observations

There are three principal areas of Victoria Police that handle nationally classified material: the Specialist Support Department, Intelligence and Covert Support Department and the Counter Terrorism Co-ordination Unit. It should be noted that a number of senior members of Victoria Police in other areas also handle such material as required.

The Agency Security Advisor has advised this reviewer that both the Specialist Support Department and Intelligence and Covert Support Department have in place physical security and equipment that meets Australian Government protective security requirements. However, no documented evidence of T4 certification was sighted by this reviewer.

The Counter Terrorism Co-ordination Unit does not have T4 certification nor does the area comply with Australian Government requirements with regard to physical security/equipment. A T4 review of the area occupied by the Counter Terrorism Co-ordination Unit (CTCU) was carried out in The area failed to meet T4 standards and recommendations were made. Not all of these recommendations were implemented, particularly with regard to the physical structure of the area, audio security and compartmentalisation of security cleared staff.
A further review, based on the 2006 review, was carried out by the Agency Security Advisor in 2008, with further recommendations being made. It is understood that compliance with T4 specifications for a secure area is on hold while a refurbishment of the area occupied by this department is considered.

Asnet is the agency responsible for the secure communications network used for the exchange of information related to national security between Commonwealth and State agencies. It is scheduled to make a security assessment in the final quarter of 2008 of all areas within Victoria Police holding Asnet and replacement Speakeasy (Government communications secure terminals) equipment. Asnet will now be self-accrediting for both types of equipment.

The Asnet security assessment will not cover areas without Asnet/Speakeasy equipment, but which handle hardcopy Australian Government classified data, for example Deputy and Assistant Commissioners who handle highly classified information. The degree to which the protective security of the offices and office procedures of these senior members meet Australian Government requirements should be assessed. A concern, by way of example, is that while Assistant Commissioners and above have the appropriate level of security clearance to handle Australian Government classified information, their immediate staff, who would certainly physically handle and transport that information, may not. A specific issue that needs to be addressed is ensuring the appropriate clearance for temporary or short-term rotation staff officers.
Victoria Police IT systems are yet to be properly classified. Once that has taken place, the Business Information Technology Services (BITS) will need to ensure that only DAP products and solutions are being used to protect the system where relevant. DAP products are currently used in parts of the IT system, but not all. It should be noted that nationally classified information is received and stored on systems that stand alone from the BITS-controlled Victoria Police IT systems.

As already mentioned, existing agreements with Approved Third Parties do not comply with these standards but Victoria Police work in progress will ensure compliance by Victoria Police with this section of Standard

Findings

Victoria Police already compartmentalises areas containing sensitive data by restricting physical access to those areas. A security assessment of all areas handling Australian Government classified data should be carried out to ensure full compliance with the requirements of the Protective Security Manual, with particular regard to physical security, access controls, storage and handling of data. Where necessary, Australian Government certification of those areas should be sought and documented.

New CLEDS compliant agreements need to be executed with Approved Third Parties.

Victoria Police partially complies with Standard
6. Conclusions and Recommendations

Proper implementation of a security classification system can be problematic in many organisations. Misunderstanding about what the various levels of classification mean; how they should be applied; the various levels of protection needed, such as physical security, storage, handling, and movement; and the assumption that only material requiring confidentiality needs to be classified ('unclassified' is in itself a classification); can lead to a piecemeal approach to classification and result in bad practices such as over-classification or no classification action at all.

Victoria Police has documented policy and procedures for the identification and classification of data which meet the requirements of the CLEDS Standards and the Australian Government Protective Security Manual. Policy is currently under review and it is acknowledged that Victoria Police is already undertaking work to improve the implementation of its security classification system. There needs, however, to be a much broader review undertaken by the Office of the ASA to ensure the implementation of policy and procedures for the classification and protection of information, particularly of nationally classified material to PSM standards.

This review identifies that work remains to be done regarding the implementation of security classified data policy and procedures.

Standard operating procedures in the areas handling nationally classified data need to be reviewed for consistency and strengthened. Two of the three key areas handling nationally classified information comply with Australian Government requirements with regard to physical security and equipment. A security assessment of all areas handling Australian Government classified data should be carried out to ensure full compliance and Australian Government certification of those areas should be sought and documented.
Such a security assessment needs to move beyond those areas which currently hold Australian Security Network (ASNET) equipment to the immediate environments of senior members of Corporate Committee who regularly handle nationally classified material.

More generally, implementation of the documented classification procedures needs to be improved. Policy and procedures do not seem to be fully understood, nor carried out in a constant and systematic way across the organisation. A broad review of current practices is required.

Identified staff are given the appropriate security clearance to access nationally classified material. However, Victoria Police has yet to introduce procedures to identify Designated Security Assessed Positions and Positions of Trust and execute all appropriate clearances.

The IT systems need to be properly classified and BITS should review all IT systems to ensure that only Defence Signals Directorate Approved Products and solutions are used, where required.

A security classification awareness campaign is necessary to ensure that staff fully understand how and when to classify information and the implications for protection of each level of classification. It should be noted that it is possible to over-classify, which then places a greater, although unnecessary, duty of protection on the material.

Existing agreements with Approved Third Parties do not comply with relevant data security classification requirements. Victoria Police are renegotiating the agreements, after which Victoria Police will be compliant with these Security Classification Standards.
The table below summarises the compliance ratings arising from this review of Victoria Police compliance with the Security Classification Standards.

Standard       CLEDS Compliance Level
Standard 27    Partially Compliant
Standard 28    Partially Compliant
Standard 29    Partially Compliant
Standard 30    Partially Compliant

Recommendations

1. That Victoria Police provide a time frame for Departments and Regions to implement the policy and procedures for the identification and classification of law enforcement data and conduct a Force-wide security classification awareness campaign.
2. That consideration is given to making the Document Security Best Practice Guideline a binding instruction and that relevant Standard Operating Procedures be reviewed to ensure compliance with the CLEDS standards and Victoria Police policy on security classified data.
3. That Victoria Police establish a process and timeline for the classification of all Victoria Police IT systems, taking into account the principles of compartmentalisation and aggregation.
4. That the Agency Security Advisor review the implementation of procedures in areas handling nationally classified material, including the offices of those members of Corporate Committee who handle nationally classified material, to ensure that Protective Security Manual requirements are always met.
5. That Victoria Police introduce a system of Designated Security Assessed Positions (DSAPs) and Positions of Trust (POTs) and execute appropriate clearances.
6. That the Agency Security Advisor review access arrangements in all relevant areas to ensure access is properly controlled.
7. That Victoria Police undertake physical security assessments of all areas handling Australian Government classified data and implement the findings of those assessments.

David Watts
Commissioner for Law Enforcement Data Security
November
APPENDIX A Persons Interviewed and Documents Reviewed

The assistance and cooperation of the following Victoria Police members during the conduct of the compliance review is appreciated:

- Superintendent Geoff Alway, Protective Security Division, SSD
- Superintendent Tony Biggin, Covert Support Division, Intelligence and Covert Support Department
- Inspector Sue Clark, SOCAU Co-ordination Unit
- Mr Anthony Corso, Manager, IT Infrastructure Security, Business Information Technology Services
- Assistant Commissioner Stephen Fontana, Counter Terrorism Co-ordination and Emergency Management Department
- Commander Jim Hart, Specialist Support Department
- Mr Peter Kapadais, Security Specialist, Business Information Technology Services
- Mr Marshall Lee, Group Manager, Technical Standards and Architecture, Business Information Technology Services
- Inspector Bob Mayne, LEAP Management Unit
- Ms Diane Morland, Agency Security Advisor, Victoria Police
- S/Sergeant Gillian Wilson, Staff Officer, Intelligence and Covert Support Department

The following Victoria Police documents were used to conduct this review:

- Victoria Police Manual (VPM)
- Victoria Police Enterprise Information Security Policy (September 2004)
- Victoria Police Document Security Best Practice Guidelines, version 1.3 (May 2007)
- Quick Reference Guide Security Awareness (Agency Security Advisor, draft, 2008)
- Security Requirements for Non-National Security and Cabinet-in-Confidence Information (Agency Security Advisor, 2008)
- Security Requirements for National Security Information (Agency Security Advisor, 2008)
- Special Operations Group Standard Operating Procedures (undated)
- System Security Plan Witness Security Unit Stand Alone Network (WSU-SAN) Information System (draft, undated)
- Witness Security Unit Stand Alone Network Standard Operating Procedures (draft, September 2006)
- Witness Security Unit Stand Alone Network Information System Security Procedures and Practices (version 1.0 draft, September 2006)
Information security extracts from current Standard Operating Procedures for the following units of the Intelligence and Covert Department, Victoria Police: Undercover Unit Source Development Unit Special Projects Unit Information Services Unit Technical Support Unit State Surveillance Unit Security Intelligence Group Crime Stoppers Sex Offender Registry Human Source Management Operations Intelligence Unit State Intelligence Training Unit State Intelligence Services DNA Management Unit
APPENDIX B Response to the report by the Chief Commissioner of Police

I refer to your request of 30 September 2008 for comments on the Draft Report titled High Level Compliance Monitoring of CLEDS Standards 27, 28, 29 & 30: Security Classified Law Enforcement Data September

Recommendations

I advise that Victoria Police has no issue with the content of the Draft Report or the proposed recommendations.

1. That Victoria Police provide a time frame for Departments and Regions to implement the policy and procedures for the identification and classification of law enforcement data and conduct a Force-wide security classification awareness campaign.
2. That consideration is given to making the Document Security Best Practice Guideline a binding instruction and that relevant Standard Operating Procedures be reviewed to ensure compliance with the CLEDS standards and Victoria Police policy on security classified data.
3. That Victoria Police establish a process and timeline for the classification of all Victoria Police IT systems, taking into account the principles of compartmentalisation and aggregation.
4. That the Agency Security Advisor review the implementation of procedures in areas handling nationally classified material, including the offices of those members of Corporate Committee who handle nationally classified material, to ensure that Protective Security Manual requirements are always met.
5. That Victoria Police introduce a system of Designated Security Assessed Positions (DSAPs) and Positions of Trust (POTs) and execute appropriate clearances.
6. That the Agency Security Advisor review access arrangements in all relevant areas to ensure access is properly controlled.
7. That Victoria Police undertake physical security assessments of all areas handling Australian Government classified data and implement the findings of those assessments.

Victoria Police recognises the value of this document and the professional approach adopted during its development. I would like to thank you for the opportunity to provide comments on the Draft.

Yours sincerely,
Christine Nixon APM
Chief Commissioner
23/10/08
More informationAutomatic Number Plate Recognition (ANPR) Strategy 2016-2020
Automatic Number Plate Recognition (ANPR) Strategy 2016-2020 Version 1.0 April 2016 Document Control Change Control Version Date Change Author 0.1 2 March 2016 Initial draft version Bill Mandeville 0.2
More informationDodo Power & Gas Complaint Management Policy
DODO POWER & GAS PTY LTD Dodo Power & Gas Complaint Management Policy Jurisdiction: All 2013 Policy Reference ref DPG 100-004 Version: 1.2 Author: Status Andrew Mair Draft Publication Date 7/06/2013 Location:
More informationComplaints Management Policy
Complaints Management Policy Effective date This policy will take effect from 15 March 2012. This document has an information security classification of PUBLIC. The State of Queensland (Department of Transport
More informationQuality Assurance Checklist
Internal Audit Foundations Standards 1000, 1010, 1100, 1110, 1111, 1120, 1130, 1300, 1310, 1320, 1321, 1322, 2000, 2040 There is an Internal Audit Charter in place Internal Audit Charter is in place The
More information