Information Security Management System (ISMS) Policy


Identification

Document No: D12/
Title: Information Security Management System (ISMS) Policy
Business Centre: Information Technology Services
Governance Area: Service Strategy
Process: Information Security
Owner: Executive Director, ITS (CIO)
Contact: Director, ICT Governance
Date of Effect: 1 March 2014
Next Review: June 2016
Classification: Unclassified

Acceptance

Role | Name | Signature | Date
ITS Governance | Joy Gault | | 13 June 2014
Document Owner | Aaron Liu | | 11 June 2014

Revision History

Date | Review by | Comment
2 July 2014 | H. Markovtzev | Transferred to new DJ logo.
6 June 2014 | D. Winter | Inclusion of Appendices relating to Executive Committee, Information Security Forum and Legal and Regulatory Requirements
10 March 2014 | A. Benazzi | Updated to reflect ISF discussion outcomes 7 Mar and general editorial modifications
21 February 2014 | D. Winter | Updated to reflect requirements of ISO/IEC 27001:2013 and policy implementation details

Printed copies of this document may not be up to date. Ensure you have the latest version before using this document.

Table of Contents

1. Introduction 4
2. Scope 5
3. Objectives 5
4. Policies
   4.1 General Requirements
   4.2 Risk Assessment and Treatment
   4.3 ISMS Planning and Implementation
   4.4 Performance evaluation
   4.5 Continuous Improvement
   4.6 Management Responsibilities 8
5. Policy Implementation
   5.1 ISMS Structure
   5.2 IC&T Asset Register
   5.3 Risk Assessment & Treatment
   5.4 Statement of Applicability
   5.5 Continuous Improvement
6. Roles & Responsibilities
   6.1 Secretary of the Department
   6.2 Executive Committee
   6.3 Information Security Forum
   6.4 Executive Director, ITS (CIO)
   6.5 Director ICT Governance
   6.6 Information Security Manager
   6.7 Information Security Team
   6.8 ITS Employees
   6.9 Information Users
   6.10 External Service Providers and Contractual Obligations
7. Key Performance Measures
8. Compliance 18

Information Technology Services Page 2 of 37 D12/305416

9. Glossary 19
Appendix A ITS Service Directory 20
Appendix B Executive Committee 24
Appendix C Information Security Forum 26
Appendix D Legal & Regulatory Requirements 28

1. Introduction

The Department of Justice (the Department) supports the NSW community by providing access to justice services, through the protection of rights and public safety initiatives. The Department is responsible for:

- The provision of an accessible and effective criminal and civil justice system
- Initiatives to prevent crime
- The provision of advice on law reform and legal matters
- The safe, secure and humane management of adult offenders in custody
- The effective supervision and management of offenders in the community
- The delivery of programs and services which reduce the risk of reoffending and enhance community safety
- Supervision, case management and court support for young offenders with community and custodial orders, and initiatives to reduce juvenile reoffending

The Department is comprised of the following six Divisions:

- Courts and Tribunal Services
- Juvenile Justice NSW
- Corrective Services NSW
- Crime Prevention and Community Programs
- Justice Policy and Legal Services
- Corporate Services

The Department's information assets are exposed to a variety of internal and external security threats and must be protected through an effective Information Security Management System (ISMS). The purpose of this Policy is to define and communicate the ISMS and, in association with the Statement of Applicability (SOA), to define the various sub-policies and procedures which implement the selected controls of the ISMS.

2. Scope

The scope of the ISMS has been determined taking into account the following factors:

- The Department's statutory responsibilities and organisational objectives
- The sensitivity of information stored and processed by the Department
- The security requirements of information exchanged with other government agencies, service providers and customers
- The business criticality of the Department's information assets
- NSW Government policies, directives and guidance
- Public expectations in respect of the security and privacy of information managed by the Department

The ISMS scope is limited to the provision of information, communication and technology (ICT) services to the Department by the Information Technology Services (ITS) group. Details of the services and the associated information assets are included in Appendix A to this document.

3. Objectives

The ISMS will be aligned to, and used to support achievement of, the Department's strategic objectives and organisational goals (refer Annual Report), and to meet the needs and expectations of both internal and external stakeholders. The Department's ISMS objectives are as follows:

- The confidentiality of information is appropriately protected
- The integrity of information is maintained through safeguarding accuracy and completeness and protecting against unauthorised modification
- Information is available when required with minimal disruption to the business
- Assurance over the adequacy of information security management is provided to internal and external stakeholders
- Security risks to information assets are identified and managed
- Security management processes support the departmental business objectives
- Information security education, awareness and training are available to all staff
- Monitoring and review processes are instituted to maintain established levels of security
- Legislative, regulatory and contractual requirements shall be met for the management of information assets
- Business continuity requirements shall meet expectations of relevant parties
- Breaches of information security are reported and appropriately investigated

4. Policies

4.1 General Requirements

The Department must establish, implement, maintain and continually improve an Information Security Management System (ISMS) in accordance with the requirements of ISO/IEC 27001. In order for the Department to verify compliance with the NSW Government's Digital Information Security Policy, the ISMS must be independently certified as compliant with ISO/IEC 27001, and certification achieved and continuously maintained.

The scope of the ISMS must be documented and consider internal and external issues and interested parties that are relevant to its purpose and that affect its ability to achieve the intended outcomes.

An information security policy and associated objectives must be defined, documented and communicated to relevant individuals.

ISMS documented information must be securely managed to ensure its continuing confidentiality, integrity and availability.

4.2 Risk Assessment and Treatment

An information security risk assessment process must be defined and documented that:

a) establishes and maintains information security risk criteria
b) ensures risk assessments produce consistent, valid and comparable results
c) identifies, analyses and evaluates the information security risks.

Information security risk assessments must be performed at planned intervals or when significant changes are proposed or occur. The results of information security risk assessments must be documented and retained.

An information security risk treatment process must be defined and documented to:

a) select appropriate information security risk treatment options
b) determine the controls that are necessary to implement the risk treatment option(s) chosen
c) compare the controls chosen to ISO/IEC 27001 Annex A and verify that no necessary controls have been omitted
d) produce a Statement of Applicability that documents the necessary controls
e) formulate an information security risk treatment plan
f) obtain risk owners' approval of the information security risk treatment plan and acceptance of the residual information security risks.

Information security risk treatment plans must be implemented, and the results of treatment activities must be documented and retained.

4.3 ISMS Planning and Implementation

ISMS processes needed to meet information security objectives, and to implement the actions determined during risk assessment activity, must be planned, implemented and controlled. Documented information must be retained to ensure that the ISMS processes have been implemented as planned.

Changes to ISMS processes must be controlled and subject to review, and appropriate actions taken to mitigate any adverse effects.

4.4 Performance evaluation

The performance and the effectiveness of the ISMS must be evaluated, and appropriate documented information must be retained as evidence of the monitoring and measurement of results. (See Section 7 Key Performance Measures)

Internal audits must be completed at planned intervals to provide information on whether the ISMS:

a) meets defined requirements
b) meets the requirements of ISO/IEC 27001
c) has been effectively implemented and maintained.

An ISMS controls audit programme must be defined, implemented and maintained that:

a) defines the audit criteria and scope for each audit
b) selects auditors and conducts audits that ensure objectivity and the impartiality of the audit process
c) ensures that the results of the audits are reported to relevant management
d) ensures that documented information is retained as evidence of the audit programme and results.

4.5 Continuous Improvement

The suitability, adequacy and effectiveness of the ISMS must be subject to continuous improvement. (See Section 5.5 Continuous Improvement)

Where a nonconformity occurs, management must:

a) take action to control and correct it, and manage the consequences
b) evaluate the need for action to eliminate the causes of nonconformity, in order that it does not recur or occur elsewhere
c) implement any action needed
d) review the effectiveness of any corrective action taken
e) make changes to the ISMS if appropriate.

Documented information must be retained as evidence of the nature of the nonconformities and any subsequent actions taken, and the results of any corrective action.

4.6 Management Responsibilities

Management must ensure that the responsibilities and authorities for roles relevant to information security are assigned and communicated. (See Section 6 Roles & Responsibilities)

Management must assign the responsibility and authority for:

a) ensuring that the ISMS conforms to the requirements of ISO/IEC 27001
b) reporting on the performance of the ISMS.

Management must demonstrate leadership and commitment with respect to the ISMS by:

a) ensuring the information security policy and the information security objectives are established and are compatible with the strategic direction of the Department
b) ensuring the integration of the ISMS requirements into the Department's processes
c) ensuring that the resources needed for the ISMS are available
d) communicating the importance of effective information security management and of conforming to the ISMS requirements
e) ensuring that the ISMS achieves its intended outcomes
f) directing and supporting individuals to contribute to the effectiveness of the ISMS
g) promoting continual improvement
h) supporting other relevant management roles as it applies to their areas of responsibility.

Management must review the ISMS at planned intervals to ensure its continuing suitability, adequacy and effectiveness, and take into consideration the following factors:

a) the status of actions from previous management reviews
b) changes impacting on the scope of the ISMS
c) nonconformities and corrective actions
d) monitoring and measurement results
e) audit results
f) fulfilment of information security objectives
g) feedback from interested parties
h) results of risk assessment and status of risk treatment plan
i) opportunities for continual improvement.

The management review must be documented and retained and include decisions related to continual improvement opportunities and any needs for changes to the information security management system.

Management must determine the necessary competence of person(s) doing work under its control that affects its information security performance, and ensure that these individuals are competent on the basis of appropriate education, training or experience.

Management must ensure that individuals doing work under the Department's control are aware of:

- the information security policy
- their contribution to the effectiveness of the ISMS
- the consequences of not conforming with the ISMS requirements.

5. Policy Implementation

5.1 ISMS Structure

The following ISMS structure has been implemented within ITS to ensure compliance with ISO/IEC 27001.

[Figure: ISMS structure. Elements shown: Ministerial Portfolio / Political requirements; Changes in government policy and strategy; Legislative / Regulatory compliance requirements; Business Objectives / Strategic Plans; TRA (one appendix per entity); SoA; IC&T Assets Register; Operational Procedures / documents; Identification of operational incidents; ISMS Policy (this document); Information Security Calendar; Training (initial and on-going); Audit and Compliance Checking; Implementation / Mitigation Plan/s (PDCA Cycle); Incident investigation; Incident Log/register; Evidence / Proof / Findings; Audit Register / CINC.]

5.2 IC&T Asset Register

The ISMS assets are defined within the IC&T Assets Register. Maintenance and protection requirements for these assets are contained in the Department's Information Security Policy and supporting operational documents.

5.3 Risk Assessment & Treatment

The ISMS Threat and Risk Assessment and risk treatment methodology is detailed in D14/. A threat and risk assessment covering security risks to the assets within the ISMS scope is documented. A risk treatment plan covering treatment actions to address security risks to the assets within the ISMS scope is documented.

5.4 Statement of Applicability

This document defines the applicability of individual articles of ISO/IEC 27001 and the controls used to manage and ameliorate the risks to the ISMS Assets.

5.5 Continuous Improvement

The ITS continuous improvement program drives organisational development and improvement, and promotes the proactive identification and application of improvements to services, processes and service delivery. Continuous Improvement is linked to this Framework by a series of monitoring and review activities:

- Conduct and review of outcomes of the Compliance Program facilitated by the ICT Governance function
- Regular review and action of Continuous Improvement and Non-conformance Reports
- An Information Security Calendar is maintained which provides triggers for process and control review; these reviews are inputs to the continuous improvement process
- Scheduled Internal Audits to test the efficacy of the control structure defined in the Statement of Applicability
- An Information Security Forum agenda item at meetings of the Department's Executive Committee (which provides organisational direction on Information Security matters as required)

An approach for establishing, implementing, operating, monitoring, maintaining and improving the effectiveness of the ISMS has been adopted, as per the following model:

[Figure: Plan-Do-Check-Act (PDCA) model]

The Plan phase of the model is established through the development of the ISMS Framework. To demonstrate, the following activities have been conducted:

- The risks have been assessed in the Threat Risk Assessment (TRA)
- The plan for the treatment of the applicable risks has been established and documented in the Threat Risk Assessment (TRA) and the Statement of Applicability
- The commitment of the Executive Director, ITS has been demonstrated in the Information Security Management System Policy
- The plan for ensuring that the framework continues to work is demonstrated in this Policy and as scheduled in the Information Security Calendar.

The Do phase of the model is demonstrated through the establishment of the controls in mitigation of the applicable risks. In some cases the risks have been assessed as acceptable. The risks that are unacceptable and therefore require mitigation are addressed in this ISMS framework. Awareness programs are established to ensure that all staff are aware of the risks and their responsibilities. An incident reporting process has been established to facilitate the reporting and tracking of actual or perceived security risks.

The Check phase comprises the described controls, which are monitored to ensure that they are in place and working in accordance with expectations. The effectiveness of controls is assessed through routine review as described in the Information Security Calendar and Internal Audit Schedule.

The Act phase ensures that the ISMS is subject to continuous improvement as a result of compliance testing and review activities. To enable this, corrective / preventive action shall be taken where required, via:

- Security Incident Reporting process
- Information Security Forum items, agenda & minutes
- Threat Risk Assessment Report
- Internal and external Audit Reports
- Continual Improvement Process
- Non-conformance & Continuous Improvement Reports
- Action Registers.

6. Roles & Responsibilities

The organisational structure of ISMS responsibility is depicted in the following chart. Roles of individuals and a summary of responsibilities in respect to the ISMS are also identified. Role responsibilities and descriptions are available from Human Resources. Communication regarding the ISMS occurs reciprocally via the following organisational structure.

[Figure: ISMS responsibility chart. Levels: Senior Executive Level; ITS Director Level; Operational Staff. Entities: Secretary; Executive Committee; Information Security Forum; Internal Audit; Director ICT Governance; ITS Staff (Directors, Managers, Staff); Information Users; Information Security Manager; Information Security Team; External Service Providers.]

6.1 Secretary of the Department

The Secretary of the Department is accountable to the NSW Parliament for the security of the Department's information assets. The Secretary of the Department reports on the status of the Department's information security through the inclusion of an attestation within the Annual Report.

6.2 Executive Committee

The Executive Committee is responsible for providing Policy advice and oversight of the ISMS and exercises that responsibility through the CIO.

6.3 Information Security Forum

The forum is chaired by the CIO and promotes security within the Department through appropriate commitment and adequate resourcing. The forum forms part of the ITS Management Group, and typically undertakes the following:

- Reviews and approves the ISMS, including the Information Security Policy and Information Security Calendar, and overall responsibilities
- Monitors significant changes in the exposure of information assets to major threats
- Reviews and monitors significant information security incidents
- Approves major initiatives to enhance information security
- Reviews the effectiveness of the ISMS and KPIs.

6.4 Executive Director, ITS (CIO)

The Executive Director, ITS (CIO) is responsible for:

- Management of the overall information security management framework at the business level
- Allocation of funding and resource requirements to develop, implement and maintain the ISMS
- Chairing the Information Security Forum

Note: During periods of prolonged absence, the CIO's authority in respect of the ISMS will be delegated to the Director, ICT Governance.

6.5 Director ICT Governance

The Director ICT Governance is responsible for:

- Measurement and reporting of the performance of the ISMS against agreed performance indicators, and reporting of these to the ISF
- Implementation of corrective actions and improvements identified via the ISMS

6.6 Information Security Manager

The Information Security Manager is responsible for:

- Implementation and day-to-day operation of the ISMS framework
- Provision of information security advice to employees and information users
- Organising the conduct of Internal Audits to carry out review and assessment of the controls supporting the ISMS. An Internal Audit program defines audit intervals and areas to be addressed on a progressive basis.

6.7 Information Security Team

The Information Security Team is responsible for:

- Supporting the Information Security Manager in the implementation and day-to-day operation of the ISMS framework
- Operational delivery of information security controls specified in the ISMS.

6.8 ITS Employees

ITS staff provide technical and procedural operational support for security and provide security advice for electronic information systems and the IC&T environment.

6.9 Information Users

This role encompasses all users of the Department's information systems and services. Information Users are responsible for maintaining the security of information and appropriately protecting all of the Department's information assets in agreement with applicable corporate policy directives and guidelines. Users are required, where identified, to participate in information security training and awareness programmes.

6.10 External Service Providers and Contractual Obligations

Employees are subject to employment terms and conditions. Outsourcers of the Department, vendors and third parties are subject to contractual obligations or memoranda of understanding. Contractual obligations are also addressed within the SOA. Formal performance meetings are held with external service providers to review service delivery quality on a regular basis. These meetings are held under the auspices of the relevant ITS Director.

7. Key Performance Measures

The ISMS's strategic goals (Confidentiality, Integrity & Availability) drive objectives and outcomes that help support the information security framework for providing reliable information systems to the organisation. The ISMS sets the course for achieving measurable results that improve service confidence to the ITS client. The following table lists the KPIs in support of each of the strategic ISMS goals, which are reported to the Executive Committee via the ITS Balanced Scorecard.
Security Category | Responsibility | KPI | Measure
--- | --- | --- | ---
All | Director ICT Governance | ISMS Management Reviews completed in Financial Year | # Reviews completed
All | Director ICT Governance | Implement agreed recommendations within from ISMS Reviews | 100% implemented
All | Information Security Manager | Scheduled Internal Audits conducted | 100% completed
All | Information Security Manager | Security Policy is reviewed and approved by due date | All policies updated
All | Information Security Manager | Compliance with Information Security processes and procedures is observed during the financial year | Compliance Program completed and non-compliances resolved
Availability | CIO | Security SLAs in place for outsourcing contracts | All outsourcing contracts include relevant SLAs
Availability | CIO | Security Incidents per annum resulting in system downtime (e.g. OIMS, BIMS) | Maximum acceptable incidents <5 per annum
Availability | Director ICT Governance | BCP remains current and provides required system availability | 100% of Scheduled Disaster Recovery Tests completed each year
Confidentiality | Information Security Manager | MOU in place for every Agency with access to ITS managed corporate systems | 100% of MOUs signed by Executive
Confidentiality | Information Security Manager | Security awareness articles published each year | Three articles published in the CSNSW Bulletin
Confidentiality | CIO | Controls over Privacy & Data Protection are effective | No breaches reported
Integrity | Director ICT Governance | Access to ITS areas is Authorised | Building security reports confirm all access cards to ITS areas are authorised
Integrity | Information Security Manager | Reported security incidents are all resolved | Incidents resolved within 14 days
Integrity | Directors, ITS | System intrusions prevented | No successful intrusions
Integrity | CIO | Compliance with software copyrights | Annual audit of software usage confirms compliance with licensing requirements
Integrity & Confidentiality | Directors, ITS | User access rights confirmed on ITS managed corporate systems | Verification reports on user access are on record

8. Compliance

Compliance with this policy is mandatory. Compliance tests are to be in place and executed on a regular basis to confirm compliance with this policy. Compliance tests are to form part of the existing ISMS Compliance Program and be managed by ICT Governance. All non-compliance will be tabled at the Information Security Forum via the CINC system.

9. Glossary

Term | Definition
--- | ---
CIO | Chief Information Officer
CINC | Continuous Improvement Nonconformance
DJ | Department of Justice
ICT | Information, Communication & Technology
ISMS | Information Security Management System
ISF | Information Security Forum
ITS | Information Technology Services
SOA | Statement of Applicability
TRA | Threat and Risk Assessment

END OF DOCUMENT

Appendix A ITS Service Directory

1. Service Desk
1.1 Incident management
1.2 User account management
1.3 Application access management
1.4 Desktop support (1st level)
1.5 Service level reporting

Assets used in delivery of this service: Service Desk Management System; External service providers; Policies, Standards & Procedures; Software Management tools; Servers; Computers; ITS Staff; Identity & Access Management Systems

2. Continuity Management
2.1 Monitor change impacting Disaster Recovery Plan (DRP)
2.2 Maintain DRP
2.3 Recover business applications

Assets used in delivery of this service: Service Desk Management System; External service providers; Business Continuity Plan; Disaster Recovery Plan; Software Management tools; Application Software; Software licenses; ITS Staff; Servers; Computers

3. Change Management
3.1 Record Request For Change (RFC)
3.2 Classify change
3.3 Approve change
3.4 Review/close change
3.5 Distribution and installation
3.6 Maintain Definitive Software Library (DSL) & Change Management Database (CMDB)

Assets used in delivery of this service: Change Management System; Project Management Procedures; CMDB & DSL; Change Management Process; Servers; Computers

4. Configuration Management
4.1 ICT asset & configuration accounting
4.2 Configuration Item (CI) status accounting
4.3 Verify CI existence and recording in CMDB

Assets used in delivery of this service: Asset Register; Component Licenses; Business Applications; CMDB; Computers; Purchase Requisitions

5. Security Management
5.1 Risk management
5.2 Compliance assessment
5.3 Control application
5.4 Policy development
5.5 Security awareness
5.6 Site management

Assets used in delivery of this service: Change Management Process; Compliance programs; Policies, Standards and Procedures; Security Software Applications; Physical security controls; Audit logs and report tools; Service Desk Management System; ITS Staff; Computers; Business Continuity Plan; Disaster Recovery Plan

6. Problem Management
6.1 Problem identification
6.2 Investigate & diagnose problem
6.3 Correct error
6.4 Monitor resolution progress
6.5 Trend analysis

Assets used in delivery of this service: Service Desk Management System; Knowledge Database; Known Error Database; CMDB; ITS Staff; Computers

7. Strategy & Governance
7.1 Architecture
7.2 Project management

Assets used in delivery of this service: Business Planning; App & INF Lifecycle Roadmaps; Project Management Procedures; ITS Staff; Computers

8. Applications Management
8.1 Version management
8.2 Application change management
8.3 Applications support
8.4 Applications development
8.5 Business application management

Assets used in delivery of this service: Service Desk Management System; Network infrastructure; Change Management Process; ITS Staff; External service providers; Source code; Contracts; Project management procedures; Computers; Servers; Identity & Access Management Systems; Database Management Systems

9. Information Management - Records Management
9.1 Record security
9.2 Records storage
9.3 Record distribution

Assets used in delivery of this service: Business records; External service providers; ITS Staff; Records management system; Computers; Servers

10. Information Management - Executive Reporting
10.1 Report writing
10.2 Data warehousing

Assets used in delivery of this service: Business Reporting Applications; Information warehouse; ITS Staff; Computers

11. Infrastructure - Technical Support
11.1 Server support & management
11.2 Infrastructure security
11.3 Operating system (OS) management
11.4 Local Area Network (LAN) Management
11.5 File & print services
11.6 Backup & recovery

Assets used in delivery of this service: Service Desk Management System; External service providers; Policies, Standards & Procedures; Contracts; Software Management tools; Servers; Enterprise software (Operating System); Environmental services; ITS Staff; Computers; Printers and MFDs; Network Storage Infrastructure; Network Infrastructure; Backup & Storage Management System; Backups

12. Infrastructure - Managed Operating Environment (MOE) Management
12.1 MOE development
12.2 Standard Operating Environment (SOE) development & support
12.3 Application installation
12.4 SOE security hardening
12.5 Software licensing
12.6 Desktop support

Assets used in delivery of this service: Service Desk Management System; External service providers; Contracts; Documentation; Software Distribution Management System; Software Management tools; Application Software; Software licenses; Computers; ITS Staff

13. Infrastructure - Network Communications Management
13.1 Hardware maintenance & support
13.2 Network build
13.3 Network software support
13.4 Telephony design & build
13.5 Network security management

Assets used in delivery of this service: Service Desk Management System; External service providers; Contracts; Policies, Standards & Procedures; Network Management tools; ITS Staff; Computers; Network Infrastructure; Telephony infrastructure; Remote Access Management Infrastructure

Appendix B Executive Committee

Purpose

The Department of Justice Executive Committee is the peak strategy and governance forum with a focus on the long-term direction of the organisation. It meets on a monthly basis unless otherwise convened by the Secretary. It determines the Department's position on key issues and provides strategic and operational advice to the Secretary for effective decision making.

Membership

The membership of the DJ Executive includes the Secretary, and the following senior staff:

- Chief Executive, Juvenile Justice
- Commissioner, Corrective Services
- Assistant Director General, Courts and Tribunal Services
- Assistant Director General, Crime Prevention and Community Programs
- Assistant Director General, Justice Policy and Legal Services
- Assistant Director General, Corporate Services
- Chief Executive, NSW Trustee & Guardian
- Executive Director Finance (CFO) (Ex-Officio member)
- Executive Director, Human Resources (CHRO) (Ex-Officio member)

Any other individual may attend all or any part of a meeting with the Chair's agreement for the purpose of providing advice and assistance. Other senior Department staff will be asked to attend for specific items of the agenda.

Key Functions

The DJ Executive Committee has the following key functions:

- Maintain an overview of the Department's performance and ensure the Minister, Government, and Secretary are appropriately advised.
- Monitor the progress of key Government, Justice Cluster and Department plans and priorities
- Advise the Secretary by formulating an agreed Executive position and endorsing changes to:
  o Strategic priorities and policies
  o Budgets and financial performance
  o Organisational performance
  o Operational policies, procedures and arrangements/improvements
  o Audit and risk requirements
  o Recommendations/reports from Committees and Taskforces related to key priorities of the Department
- Establish time-limited committees/working groups to ensure achievement of the Department's priorities as required.
- Provide a forum for Department managers to present proposals and to contribute to strategic thinking and operational initiatives of the Department.

Other matters

There will be an annual facilitated meeting focussing on risk identification and management. The Chair of the Audit and Risk Committee will be invited to attend once a year for the purposes of briefing and information exchange.

Chair and Secretariat

The Secretary (or their delegate) acts as Chair of the DJ Executive Committee. Support is provided by the Secretariat, located within the Office of the Secretary.

Frequency of Meetings

The Executive Committee meets on a monthly basis. Extraordinary meetings may be held depending on requirements. All Executive Committee members are required to attend each meeting; representatives will not be permitted to attend unless officially appointed in an acting capacity for the Executive Committee member (i.e. annual/extended leave).

Appendix C Information Security Forum

Purpose
The purpose of the Information Security Forum is to:
- Consider the operational status of the ISMS
- Identify and prioritise information security risks
- Actively review information security risk and risk mitigation status
- Make decisions on and oversee progress of information security initiatives and activities.
To deliver these outcomes, the Information Security Forum has authority to:
- Define information security risk appetite on behalf of ITS
- Determine appropriate risk mitigation
- Delegate information security related tasks for execution, investigation and/or resolution
- Recommend internal assurance/audit reviews
- Report Information Security non-compliance to appropriate internal authorities.

Membership
The Information Security Forum is comprised of the membership of the ITS Senior Management Team as follows:
- Executive Director Information Technology (CIO) - Chairperson
- Director, ICT Service Management
- Director, Specialist Solutions
- Assistant Director, Infrastructure & Platforms Juvenile Justice & Joint Programs & Assistant Director, CSNSW Infrastructure & Platforms
- Director, Governance & Planning and Strategy
- Assistant Director, AGD Infrastructure
- Director, ERP Systems
- Manager, Business Services Team (CIO Support)
- Manager, Courtroom Technology Group
- ICT Transformation Project Manager and EA (CIO Support)
- Director, CS Integration
- Director, Information Management
- Manager, Information Technology (Juvenile Justice)
- Director, Justice Integrated Systems

Functions
The Information Security Forum is responsible for the following:
- Ensuring that the Information Security strategy/program is aligned with the overall ICT strategy and the Department's business requirements
- Ensuring periodic revision and renewal of the Information Security Management System Policy and relevant supporting policies, standards, procedures and guidance
- Protecting the interests of the organisation's stakeholders by adequately protecting information assets
- Participating in the resolution of information security risk and audit items
- Reporting on the progress of Information Security risks and issues to the Executive Committee
In fulfilling these responsibilities, the members of the ISF will give consideration to the following:
- Internal and external audit findings
- Recommendations of policy reviews
- Threat and Risk Assessment recommendations
- Updates on the status of preventive and corrective actions (CINC items)
- Reports relating to security incidents
- Status of external vendor security reporting

Frequency of Meetings
Standing agenda item for the ITS Management Meeting, monthly.

Appendix D Legal & Regulatory Requirements

1. Purpose
The purpose of this document is to record summary information in respect of legislation (both state and commonwealth), regulations and directives (Memorandums, Circulars and Guidelines) that significantly impact on the management of information security within the Department. The document is intended to be used as a compliance guide in the design and implementation of information security management controls, including policies, standards, procedures and technical controls.

2. Federal Legislation

2.1 Electronic Transactions Act 1999
The Act states that a transaction under a law of the Commonwealth will not be invalid simply because it was conducted by the use of electronic communications. The Act allows any of the following requirements or permissions under Commonwealth law to be fulfilled in electronic form:
- Giving information in writing
- Providing a handwritten signature
- Producing a document in material form
- Recording or retaining information.

2.2 Electronic Transactions Amendment Act 2011
The amendments include:
- Clarification that a contract can still be legally effective despite being formed by an automated message system
- Refinement of default rules for determining whether the method used for an electronic signature is reliable
- Provision of default rules to ascertain the place of business of the parties to a transaction, taking into account modern business practices, such as the use of automated message systems, assisting parties to determine the jurisdiction in which the contract was formed.

2.3 Copyright Act 1968
The copyright law of Australia defines the legally enforceable rights of creators of creative and artistic works under Australian law. The scope of copyright in Australia is defined in the Australian Copyright Act 1968 (as amended), which applies the national law throughout Australia. The Copyright Amendment Act 2006 introduced a series of new exceptions into Australian copyright law. The most publicised are the private copying exceptions, which allow people to record most television or radio programs at home to watch at a later time with family or friends, and to format-shift their music (make copies from CDs onto personal computers and portable music players).

2.4 Cybercrime Act 2001
The Act created a number of investigation powers and criminal offences designed to protect the security, reliability, and integrity of computer data and electronic communications in the Australian Criminal Code Act. It outlaws activities such as unauthorised access to restricted data and spreading computer viruses.

2.5 Telecommunications (Interception and Access) Act 1979
Under the Telecommunications (Interception and Access) Act 1979, it is prohibited to intercept communications, except in certain limited exceptions where privacy is outweighed by other considerations. Recognising that accessing, monitoring and/or recording email and Internet communications are an essential part of many filtering, quarantining, archiving, disaster recovery and professional IT standards related practices, it is permitted for employers and network administrators to lawfully access and record communications held on equipment they possess and operate at any time, except when the communications are passing over a telecommunications system.

2.6 SPAM Act 2003
The Spam Act 2003 set up a scheme for the regulation of commercial email and other types of commercial electronic messages. It restricts spam, especially email spam and some types of phone spam, as well as email address harvesting; however, there are broad exemptions. The key points of the Act provide that:
- Commercial electronic messages must include information about the individual or organisation that authorised the sending of the message
- Commercial electronic messages must contain a functional unsubscribe facility
- The main remedies for breaches of this Act are civil penalties and injunctions.

3. NSW State Legislation

3.1 Privacy and Personal Information Protection Act 1998

The Privacy and Personal Information Protection Act 1998 (or PPIP Act) deals with how all NSW public sector agencies manage personal information. The Act includes 12 information protection principles (IPPs), establishes methods for enforcement of privacy, establishes a mechanism for complaints if you think that your personal information has been mishandled, and sets out the role of the NSW Privacy Commissioner. The public sector agencies that are bound by the PPIP Act are state government departments, statutory or declared authorities, the police service, local councils, and bodies whose accounts are subject to the Auditor General.

The information protection principles apply to how personal information is handled. Personal information refers to any information that relates to an identifiable person. The 12 information protection principles form the backbone of the Act and must be adhered to by all NSW public sector agencies. They can be grouped under five main headings - collection, storage, access and accuracy, use, and disclosure. The Act also contains lawful exemptions from these principles, as well as the power to investigate and conciliate complaints concerning breaches. The Administrative Decisions Tribunal can enforce remedies against public sector agencies.

The PPIP Act allows the NSW Privacy Commissioner to investigate and conciliate privacy complaints made against any person or organisation. These investigations are not limited to complaints about mishandling of personal information. Privacy NSW deals with many types of privacy issues, including:
- Information privacy
- Privacy of communications
- Physical and bodily privacy
- Privacy of personal behaviour.

3.2 Government Information (Public Access) Act 2009
The Government Information (Public Access) Act 2009 (NSW) (GIPA Act) establishes a freer, more open approach to gaining access to government information in NSW. The objects of the GIPA Act are to maintain and advance a system of responsible and representative democratic Government that is open, accountable, fair and effective, by:
- Authorising and encouraging the proactive public release of government information by agencies
- Giving members of the public an enforceable right to access government information
- Providing that access to government information is restricted only when there is an overriding public interest against disclosure.

The GIPA Act applies to all NSW government departments, and also extends to Ministers and their staff, local councils, state owned corporations, courts in their non-judicial functions, and to certain public authorities such as universities. The guiding principle of the GIPA Act is the public interest: it is a 'push' model, with a general presumption that disclosure of information is in the public interest, unless a strong case to the contrary can be demonstrated. Under the GIPA Act, it is compulsory for agencies to disclose information about their structure, functions and policies, and the proactive and informal disclosure of other information is promoted and encouraged.

3.3 Electronic Transactions Act 2000
State legislation reflects the Commonwealth Act. A transaction is not invalid because it took place by means of one or more electronic communications. The following requirements imposed under a law of this jurisdiction can generally be met in electronic form:
- A requirement to give information in writing
- A requirement to provide a signature
- A requirement to produce a document
- A requirement to record information
- A requirement to retain a document.
The Act also contains provisions applying to contracts involving electronic communications, including provisions (relating to the internet in particular) for the following:
- An unaddressed proposal to form a contract is to be regarded as an invitation to make offers, rather than as an offer that if accepted would result in a contract
- A contract formed automatically is not invalid, void or unenforceable because there was no human review or intervention
- A portion of an electronic communication containing an input error can be withdrawn in certain circumstances
- The application of certain provisions of Part 2 to the extent they do not apply of their own force.

3.4 State Records Act 1998 and Regulations
The Act replaced the Archives Act 1960 and established the State Records Authority of New South Wales, known as State Records, and its Board. The State Records Act 1998 is designed to ensure the better management of Government records throughout their existence and promote more efficient and accountable government through improved recordkeeping.

Key objectives of the Act include the following:
- To set out the records management responsibilities of public offices
- To protect State records from unauthorised destruction and disposal by public offices
- To ensure that records of continuing value and no longer in use by the public office that generated them are controlled and properly managed as State archives
- To ensure a balance between the protection of sensitivity in records for as long as necessary on the one hand and the rights of the people of New South Wales to access State records on the other
- To define the powers and responsibilities of the State Records Authority of New South Wales, which administers the Act.

3.5 Workplace Surveillance Act 2005
The Workplace Surveillance Act 2005:
- Prohibits the surveillance by employers of their employees at work except where employees have been given notice or where the employer has a covert surveillance authority
- Applies to camera surveillance, computer surveillance (surveillance of the input, output or other use of a computer by an employee) and tracking surveillance (surveillance by means of an electronic device the primary purpose of which is to monitor or record geographical location or movement)
- Extends beyond the workplace to any place where an employee is working
- Restricts and regulates the blocking by employers of emails and Internet access of employees at work. In particular, it prevents employers from blocking access to emails or Internet sites because the content relates to industrial matters.

3.6 Surveillance Devices Act 2007
The Surveillance Devices Act 2007 (NSW) covers the installation, use and maintenance of listening, optical, tracking, and data surveillance devices and restricts the communication and publication of private conversations, surveillance activities, and information obtained from their use. Furthermore, the Act allows for surveillance devices to be used in crime investigations and to allow evidence to be obtained of the crime, identity or location of the person who has offended.

3.7 Public Sector Employment and Management Act 2002

The object of this Act is to replace the Public Sector Management Act 1988 with modern public sector employment and management legislation. The principal reforms effected by the Act are as follows:
- To introduce a streamlined disciplinary scheme for Public Service staff that deals with both misconduct by officers and management of poor performance
- To facilitate the movement of staff across the whole of the public sector on both a temporary and permanent basis and to make provision for cross-agency employment arrangements
- To make changes with respect to the employment of Departmental temporary employees, including providing for employment on a temporary basis for periods of up to 3 years as well as for merit selection for periods of employment that exceed 12 months
- To provide for the employment of casual employees in Departments
- To remove the role of the Governor in the appointment of Public Service staff and in the termination of their employment
- To simplify and clarify existing provisions relating to chief and senior executive officers in the public sector.

4. State Directives & Guidelines

4.1 M Digital Information Security Policy
This Policy establishes the digital information security requirements for the NSW public sector, including the requirement to have an Information Security Management System (ISMS) that takes into account a minimum set of controls, and requirements relating to certification, attestation and the establishment of the Digital Information Security Community of Practice. This policy aims to ensure that the following digital information and digital information systems security objectives are achieved by the NSW Government:
- Confidentiality: to uphold authorised restrictions on access to and disclosure of information, including personal or proprietary information.
- Integrity: to protect information against unauthorised alteration or destruction and prevent successful challenges to its authenticity.
- Availability: to provide authorised users with timely and reliable access to information and services.

- Compliance: to comply with all applicable legislation, regulations, Cabinet Conventions, policies and contractual obligations requiring information to be available, safeguarded or lawfully used.
- Assurance: to provide assurance to Parliament and the people of NSW that information held by the Government is appropriately protected and handled.
The core requirements of the policy are as follows:
- All NSW Government Departments, Statutory Bodies and Shared Service Providers must have an Information Security Management System (ISMS) based on a comprehensive assessment of the risk to digital information and digital information systems.
- In developing the ISMS, all controls from AS/NZS ISO/IEC Information technology - Security techniques - Code of practice for information security management must be considered.
- Certified compliance with AS/NZS ISO/IEC Information technology - Security techniques - Information security management systems - Requirements must be maintained by all Shared Service Providers and any Department or Statutory Body, or part thereof, or Public Sector Agency under the control of a Department or Statutory Body whose risk profile is sufficient to make certification necessary.
- Digital information security events, incidents and near misses that pose a threat across the public sector must be disseminated through the Digital Information Security Community of Practice in a time and manner appropriate to the nature and magnitude of the threat.
- Each Department and Statutory Body must attest annually to the adequacy of its digital information and information systems security. Attestation must be presented in the Annual Reports of all Departments and Statutory Bodies.

4.2 DFS C Information Classification and Labelling Guidelines
The guideline focuses on defining the NSW Government Classification scheme, including Document Limitation Markers (DLMs), classifications, and caveats, and the rules for handling this information to protect confidentiality. In some instances (particularly information in electronic form) the labels may also indicate a need for additional measures to safeguard integrity and ensure availability. This guideline is primarily to assist agencies in safeguarding information in accordance with the Privacy and Personal Information Protection Act (1998) and to ensure that agencies do not create their own labelling schemes.

4.3 NSW Government Personnel Handbook


More information

NSW Government. Data Centre & Cloud Readiness Assessment Services Standard. v1.0. June 2015

NSW Government. Data Centre & Cloud Readiness Assessment Services Standard. v1.0. June 2015 NSW Government Data Centre & Cloud Readiness Assessment Services Standard v1.0 June 2015 ICT Services Office of Finance & Services McKell Building 2-24 Rawson Place SYDNEY NSW 2000 standards@finance.nsw.gov.au

More information

Crime Statistics Data Security Standards. Office of the Commissioner for Privacy and Data Protection

Crime Statistics Data Security Standards. Office of the Commissioner for Privacy and Data Protection Crime Statistics Data Security Standards Office of the Commissioner for Privacy and Data Protection 2015 Document details Security Classification Dissemination Limiting Marker Dissemination Instructions

More information

Information Security Registered Assessors Program - Gatekeeper PKI Framework Guide

Information Security Registered Assessors Program - Gatekeeper PKI Framework Guide Information Security Registered Assessors Program - Gatekeeper PKI Framework Guide V2.0 NOVEMBER 2014 Information Security Registered Assessors Program - Gatekeeper PKI Framework Guide V 2.0 NOVEMBER

More information

Information Security Guideline for NSW Government Part 1 Information Security Risk Management

Information Security Guideline for NSW Government Part 1 Information Security Risk Management Department of Commerce Guidelines Information Security Guideline for NSW Government Part 1 Information Security Risk Management Issue No: 3.2 First Published: Sept 1997 Current Version: Jun 2003 Table

More information

Information Circular

Information Circular Information Circular Enquiries to: Brooke Smith Senior Policy Officer IC number: 0177/14 Phone number: 9222 0268 Date: March 2014 Supersedes: File No: F-AA-23386 Subject: Practice Code for the Use of Personal

More information

Third Party Identity Services Assurance Framework. Information Security Registered Assessors Program Guide

Third Party Identity Services Assurance Framework. Information Security Registered Assessors Program Guide Third Party Identity Services Assurance Framework Information Security Registered Assessors Program Guide Version 2.0 December 2015 Digital Transformation Office Commonwealth of Australia 2015 This work

More information

SURVEILLANCE AND PRIVACY

SURVEILLANCE AND PRIVACY info sheet 03.12 SURVEILLANCE AND PRIVACY Info Sheet 03.12 March 2012 This Information Sheet applies to Victorian state and local government organisations that are bound by the Information Privacy Act

More information

Electronic Information Security Policy - NSW Health

Electronic Information Security Policy - NSW Health Electronic Information Security Policy - NSW Health Document Number PD2013_033 Publication date 11-Oct-2013 Functional Sub group Corporate Administration - Information and data Corporate Administration

More information

University of Liverpool

University of Liverpool University of Liverpool Information Security Policy Reference Number Title CSD-003 Information Security Policy Version Number 3.0 Document Status Document Classification Active Open Effective Date 01 October

More information

ICT OPERATING SYSTEM SECURITY CONTROLS POLICY

ICT OPERATING SYSTEM SECURITY CONTROLS POLICY ICT OPERATING SYSTEM SECURITY CONTROLS POLICY TABLE OF CONTENTS 1. INTRODUCTION... 3 2. LEGISLATIVE FRAMEWORK... 3 3. OBJECTIVE OF THE POLICY... 4 4. AIM OF THE POLICY... 4 5. SCOPE... 4 6. BREACH OF POLICY...

More information

Financial Management Framework >> Overview Diagram

Financial Management Framework >> Overview Diagram June 2012 The State of Queensland (Queensland Treasury) June 2012 Except where otherwise noted you are free to copy, communicate and adapt this work, as long as you attribute the authors. This document

More information

Security Awareness and Training

Security Awareness and Training T h e A u d i t o r - G e n e r a l Audit Report No.25 2009 10 Performance Audit A u s t r a l i a n N a t i o n a l A u d i t O f f i c e Commonwealth of Australia 2010 ISSN 1036 7632 ISBN 0 642 81115

More information

Hunter Hall International Limited

Hunter Hall International Limited Hunter Hall International Limited ABN 43 059 300 426 Board Charter 1. Purpose 1.1 Hunter Hall International Limited (Hunter Hall, HHL) is an ASX-listed investment management company. 1.2 This Board Charter

More information

Victorian Government Information and Communication Technology (ICT) Governance

Victorian Government Information and Communication Technology (ICT) Governance Governance Victorian Government Information and Communication Technology (ICT) Governance Framework A framework to describe ICT governance in the Victorian Government Keywords: ICT Strategy; governance;

More information

JOB DESCRIPTION CONTRACTUAL POSITION

JOB DESCRIPTION CONTRACTUAL POSITION Ref #: IT/P /01 JOB DESCRIPTION CONTRACTUAL POSITION JOB TITLE: INFORMATION AND COMMUNICATIONS TECHNOLOGY (ICT) SECURITY SPECIALIST JOB SUMMARY: The incumbent is required to provide specialized technical

More information

Information Governance Strategy and Policy. OFFICIAL Ownership: Information Governance Group Date Issued: 15/01/2015 Version: 2.

Information Governance Strategy and Policy. OFFICIAL Ownership: Information Governance Group Date Issued: 15/01/2015 Version: 2. Information Governance Strategy and Policy Ownership: Information Governance Group Date Issued: 15/01/2015 Version: 2.0 Status: Final Revision and Signoff Sheet Change Record Date Author Version Comments

More information

Human Services Quality Framework. User Guide

Human Services Quality Framework. User Guide Human Services Quality Framework User Guide Purpose The purpose of the user guide is to assist in interpreting and applying the Human Services Quality Standards and associated indicators across all service

More information

Public Law 113 283 113th Congress An Act

Public Law 113 283 113th Congress An Act PUBLIC LAW 113 283 DEC. 18, 2014 128 STAT. 3073 Public Law 113 283 113th Congress An Act To amend chapter 35 of title 44, United States Code, to provide for reform to Federal information security. Be it

More information

Records Disposal Schedule Anti-Discrimination Services Northern Territory Anti-Discrimination Commission

Records Disposal Schedule Anti-Discrimination Services Northern Territory Anti-Discrimination Commission Records disposal schedule Records Disposal Schedule Anti-Discrimination Services Northern Territory Anti-Discrimination Commission Disposal Schedule No. 2015/12 August 2015 NT Archives Service For information

More information

Governance and Management of Information Security

Governance and Management of Information Security Governance and Management of Information Security Øivind Høiem, CISA CRISC Senior Advisor Information Security UNINETT, the Norwegian NREN About Øivind Senior Adviser at the HE sector secretary for information

More information

COMPLIANCE FRAMEWORK AND REPORTING GUIDELINES

COMPLIANCE FRAMEWORK AND REPORTING GUIDELINES COMPLIANCE FRAMEWORK AND REPORTING GUIDELINES DRAFT FOR CONSULTATION June 2015 38 Cavenagh Street DARWIN NT 0800 Postal Address GPO Box 915 DARWIN NT 0801 Email: utilities.commission@nt.gov.au Website:

More information

Protective Security Governance Policy. Outlines ANAO protective security arrangements

Protective Security Governance Policy. Outlines ANAO protective security arrangements Protective Security Governance Policy Outlines ANAO protective security arrangements Version 2.0 Effective JULY 2012 Document management Document identification Document ID Document title Release authority

More information

Information Security Management System Information Security Policy

Information Security Management System Information Security Policy Management System Policy Version: 3.4 Issued Document Name: Owner: P079A - ISMS Security Policy Classification: Public Security Policies, Standards and Procedures emanate from the Policy which has been

More information

Information Security Policy. Document ID: 3809 Version: 1.0 Owner: Chief Security Officer, Security Services

Information Security Policy. Document ID: 3809 Version: 1.0 Owner: Chief Security Officer, Security Services Information Security Policy Document ID: 3809 Version: 1.0 Owner: Chief Security Officer, Security Services Contents 1 Purpose / Objective... 1 1.1 Information Security... 1 1.2 Purpose... 1 1.3 Objectives...

More information

Information Security Policies. Version 6.1

Information Security Policies. Version 6.1 Information Security Policies Version 6.1 Information Security Policies Contents: 1. Information Security page 3 2. Business Continuity page 5 3. Compliance page 6 4. Outsourcing and Third Party Access

More information

Information Security Management System Policy

Information Security Management System Policy Information Security Management System Policy Public Version 3.3 Issued Document Name Owner P079A ISMS Security Policy Information Security Security Policies, Standards and Procedures emanate from the

More information

Information security controls. Briefing for clients on Experian information security controls

Information security controls. Briefing for clients on Experian information security controls Information security controls Briefing for clients on Experian information security controls Introduction Security sits at the core of Experian s operations. The vast majority of modern organisations face

More information

Australian Government Information Security Manual CONTROLS

Australian Government Information Security Manual CONTROLS 2014 Australian Government Information Security Manual CONTROLS 2014 Australian Government Information Security Manual CONTROLS Commonwealth of Australia 2014 All material presented in this publication

More information

ADRI. Advice on managing the recordkeeping risks associated with cloud computing. ADRI-2010-1-v1.0

ADRI. Advice on managing the recordkeeping risks associated with cloud computing. ADRI-2010-1-v1.0 ADRI Advice on managing the recordkeeping risks associated with cloud computing ADRI-2010-1-v1.0 Version 1.0 29 July 2010 Advice on managing the recordkeeping risks associated with cloud computing 2 Copyright

More information

Information Security Program Management Standard

Information Security Program Management Standard State of California California Information Security Office Information Security Program Management Standard SIMM 5305-A September 2013 REVISION HISTORY REVISION DATE OF RELEASE OWNER SUMMARY OF CHANGES

More information

Information Management Responsibilities and Accountability GUIDANCE September 2013 Version 1

Information Management Responsibilities and Accountability GUIDANCE September 2013 Version 1 Information Management Responsibilities and Accountability GUIDANCE September 2013 Version 1 Document Control Document history Date Version No. Description Author September 2013 1.0 Final Department of

More information

Regulation of Investigatory Powers Act 2000

Regulation of Investigatory Powers Act 2000 Regulation of Investigatory Powers Act 2000 Consultation: Equipment Interference and Interception of Communications Codes of Practice 6 February 2015 Ministerial Foreword The abilities to read or listen

More information

Marist College. Information Security Policy

Marist College. Information Security Policy Marist College Information Security Policy February 2005 INTRODUCTION... 3 PURPOSE OF INFORMATION SECURITY POLICY... 3 INFORMATION SECURITY - DEFINITION... 4 APPLICABILITY... 4 ROLES AND RESPONSIBILITIES...

More information

Information Security Management Systems

Information Security Management Systems Information Security Management Systems Øivind Høiem CISA, CRISC, ISO27001 Lead Implementer Senior Advisor Information Security UNINETT, the Norwegian NREN About Øivind Senior Adviser at the HE sector

More information

Information Security: Business Assurance Guidelines

Information Security: Business Assurance Guidelines Information Security: Business Assurance Guidelines The DTI drives our ambition of prosperity for all by working to create the best environment for business success in the UK. We help people and companies

More information

DNV GL Assessment Checklist ISO 9001:2015

DNV GL Assessment Checklist ISO 9001:2015 DNV GL Assessment Checklist ISO 9001:2015 Rev 0 - December 2015 4 Context of the Organization No. Question Proc. Ref. Comments 4.1 Understanding the Organization and its context 1 Has the organization

More information

ISO/IEC 27001 Information Security Management. Securing your information assets Product Guide

ISO/IEC 27001 Information Security Management. Securing your information assets Product Guide ISO/IEC 27001 Information Security Management Securing your information assets Product Guide What is ISO/IEC 27001? ISO/IEC 27001 is the international standard for information security management and details

More information

MENTAL HEALTH TRIBUNAL FOR SCOTLAND: RECORDS MANAGEMENT POLICY. Ensuring Information is Accurate and Fit for Purpose

MENTAL HEALTH TRIBUNAL FOR SCOTLAND: RECORDS MANAGEMENT POLICY. Ensuring Information is Accurate and Fit for Purpose MENTAL HEALTH TRIBUNAL FOR SCOTLAND: RECORDS MANAGEMENT POLICY Index: Introduction Information is a Corporate Resource Personal Responsibility Information Accessibility Keeping Records of what we do Ensuring

More information

Information Management Advice 50 Developing a Records Management policy

Information Management Advice 50 Developing a Records Management policy Information Management Advice 50 Developing a Records Management policy Introduction This advice explains how to develop and implement a Records Management policy. Policy is central to the development

More information

Information Governance Management Framework

Information Governance Management Framework Information Governance Management Framework Responsible Officer Author Business Planning & Resources Director Governance Manager Date effective from October 2015 Date last amended October 2015 Review date

More information

Merthyr Tydfil County Borough Council. Data Protection Policy

Merthyr Tydfil County Borough Council. Data Protection Policy Merthyr Tydfil County Borough Council Data Protection Policy 2014 Cyfarthfa High School is a Rights Respecting School, we recognise the importance of ensuring that the United Nations Convention of the

More information

USE OF INFORMATION TECHNOLOGY FACILITIES

USE OF INFORMATION TECHNOLOGY FACILITIES POLICY CI-03 USE OF INFORMATION TECHNOLOGY FACILITIES Document Control Statement This Policy is maintained by the Information Technology Department. Any printed copy may not be up to date and you are advised

More information

Information Resources Security Guidelines

Information Resources Security Guidelines Information Resources Security Guidelines 1. General These guidelines, under the authority of South Texas College Policy #4712- Information Resources Security, set forth the framework for a comprehensive

More information

T141 Computer Systems Technician MTCU Code 50505 Program Learning Outcomes

T141 Computer Systems Technician MTCU Code 50505 Program Learning Outcomes T141 Computer Systems Technician MTCU Code 50505 Program Learning Outcomes Synopsis of the Vocational Learning Outcomes * The graduate has reliably demonstrated the ability to 1. analyze and resolve information

More information

PS 172 Protective Monitoring Policy

PS 172 Protective Monitoring Policy PS 172 Protective Monitoring Policy January 2014 Version 2.0 Statement of legislative compliance This document has been drafted to comply with the general and specific duties in the Equality Act 2010;

More information

R345, Information Technology Resource Security 1

R345, Information Technology Resource Security 1 R345, Information Technology Resource Security 1 R345-1. Purpose: To provide policy to secure the private sensitive information of faculty, staff, patients, students, and others affiliated with USHE institutions,

More information

INFORMATION GOVERNANCE OPERATING POLICY & FRAMEWORK

INFORMATION GOVERNANCE OPERATING POLICY & FRAMEWORK INFORMATION GOVERNANCE OPERATING POLICY & FRAMEWORK Log / Control Sheet Responsible Officer: Chief Finance Officer Clinical Lead: Dr J Parker, Caldicott Guardian Author: Associate IG Specialist, Yorkshire

More information

Identity Cards Act 2006

Identity Cards Act 2006 Identity Cards Act 2006 CHAPTER 15 Explanatory Notes have been produced to assist in the understanding of this Act and are available separately 6 50 Identity Cards Act 2006 CHAPTER 15 CONTENTS Registration

More information

South Australia Police POSITION INFORMATION DOCUMENT

South Australia Police POSITION INFORMATION DOCUMENT South Australia Police POSITION INFORMATION DOCUMENT Stream : Administrative Services Career Group : Financial Related Discipline : Financial Services Classification : ASO-7 Service : Crime Service Position

More information

Commonwealth Department of Family and Community Services. Submission to the Joint Committee of Public Accounts and Audit (JCPAA)

Commonwealth Department of Family and Community Services. Submission to the Joint Committee of Public Accounts and Audit (JCPAA) Commonwealth Department of Family and Community Services Submission to the Joint Committee of Public Accounts and Audit (JCPAA) Inquiry into the Management and Integrity of Electronic Information in the

More information

Catalyst Consulting & Events (CCE) takes seriously its commitment to preserve the privacy of the personal information that we collect.

Catalyst Consulting & Events (CCE) takes seriously its commitment to preserve the privacy of the personal information that we collect. PRIVACY POLICY 1. Introduction Catalyst Consulting & Events (CCE) takes seriously its commitment to preserve the privacy of the personal information that we collect. We will only collect information that

More information

GUIDE TO IMPLEMENTING A REGULATORY FOOD SAFETY AUDITOR SYSTEM

GUIDE TO IMPLEMENTING A REGULATORY FOOD SAFETY AUDITOR SYSTEM GUIDE TO IMPLEMENTING A REGULATORY FOOD SAFETY AUDITOR SYSTEM FEBRUARY 2016 2 Contents Introduction... 4 Scope and objectives... 5 Scope... 5 Objectives... 5 Responsibilities... 5 The role of the licensee

More information

QUEENSLAND COUNTRY HEALTH FUND. privacy policy. Queensland Country Health Fund Ltd ABN 18 085 048 237. better health cover shouldn t hurt

QUEENSLAND COUNTRY HEALTH FUND. privacy policy. Queensland Country Health Fund Ltd ABN 18 085 048 237. better health cover shouldn t hurt QUEENSLAND COUNTRY HEALTH FUND privacy policy Queensland Country Health Fund Ltd ABN 18 085 048 237 better health cover shouldn t hurt 1 2 contents 1. Introduction 4 2. National Privacy Principles 5 3.

More information

CHAPTER 2016-138. Committee Substitute for Committee Substitute for Committee Substitute for House Bill No. 1033

CHAPTER 2016-138. Committee Substitute for Committee Substitute for Committee Substitute for House Bill No. 1033 CHAPTER 2016-138 Committee Substitute for Committee Substitute for Committee Substitute for House Bill No. 1033 An act relating to information technology security; amending s. 20.61, F.S.; revising the

More information

Internal Audit Standards

Internal Audit Standards Internal Audit Standards Department of Public Expenditure & Reform November 2012 Copyright in material supplied by third parties remains with the authors. This includes: - the Definition of Internal Auditing

More information

INFORMATION GOVERNANCE POLICY & FRAMEWORK

INFORMATION GOVERNANCE POLICY & FRAMEWORK INFORMATION GOVERNANCE POLICY & FRAMEWORK Version 1.2 Committee Approved by Audit Committee Date Approved 5 March 2015 Author: Responsible Lead: Associate IG Specialist, YHCS Corporate & Governance Manger

More information

Office 365 Data Processing Agreement with Model Clauses

Office 365 Data Processing Agreement with Model Clauses Enrollment for Education Solutions Office 365 Data Processing Agreement (with EU Standard Contractual Clauses) Amendment ID Enrollment for Education Solutions number Microsoft to complete 7392924 GOLDS03081

More information