Protective Security Governance Policy. Outlines ANAO protective security arrangements

Size: px
Start display at page:

Download "Protective Security Governance Policy. Outlines ANAO protective security arrangements"

Transcription

1 Protective Security Governance Policy Outlines ANAO protective security arrangements Version 2.0 Effective JULY 2012

2 Document management Document identification Document ID Document title Release authority SEC_0.0_GOV Protective Security Governance Policy Auditor General Document history Version Date Description 0 04 JAN 12 Initial draft BS JAN 12 Update to align with the PSPF and ISM (stratsec) JAN FEB 12 Continued update to address all Governance sections of the PSPF (stratsec) Update to include feedback from Ben Sladic (ASA) and Gary Pettigrove (ITSA) (stratsec) FEB 12 Update to include feedback from ASA (stratsec) FEB FEB FEB 12 Update to improve integration with the ANAO documentation suite (stratsec) Update to include feedback from ANAO review of policy documents (stratsec) Update to include feedback from ED CMB and edits from Anne Pang (stratsec) MAR 12 Update to reflect tighter terminology and link to other documents 0.9 MAY 12 Additional feedback post circulation to Security Committee 0.10 JUN 12 Final Review by ED CMB / ANAO Exec JUN 12 Approved by Auditor General 2.0 DEC 13 Minor updates relating to development of supplementary guidance for contracted audit firms Governance Framework 2

3 References [1] Australian Government Protective Security Policy Framework (PSPF) 2011 [2] Australian Public Service Code of Conduct [3] ANAO Risk Management Policy [4] ANAO Security Committee Charter January 2011 [5] Australian Government Protective Security Governance Management Guidelines Australian Government Business impact levels 2011 [6] ANAO Security Plan 2013 [7] Risk Review 2013 [8] ANAO ICT Security Policy (SEC_2.0_ICT) 2012 [9] ANAO Physical Security Policy (SEC_3.0_PHY) 2013 [10] ANAO Security Awareness Guidelines (SEC_4.2_PER) 2012 [11] ANAO Incidents Response Guidelines (SEC_4.5_GOV) 2012 [12] Australian Government Investigations Standards [13] ANAO Business Continuity Management Planning Guidelines June 2013 [14] ANAO Business Continuity Management Factsheet 2013 [15] Commonwealth Fraud Control Guidelines March 2011 [16] ANAO Fraud Control Policy Governance Framework 3

4 Table of Contents Auditor General s Foreword 5 Introduction 6 Purpose 6 Scope and applicability 6 Document relationship 6 Document ownership and update 6 Context 8 Overview 8 Security culture 8 Internal factors 8 External factors 9 Legislation 9 Assets 9 Protective security governance policy 11 Overview 11 Roles and responsibilities 11 The ANAO s approach to protective security 14 Overview 14 Security risk management 14 Security training and awareness 15 Audits, reviews and reporting 16 Security incidents and investigations 16 Business continuity management 18 International security agreements 19 Contracting 19 Fraud control 19 Appendix 1 PSPF Mandatory Requirements mapped to Documentation Framework 20 Governance Framework 4

5 Auditor General s Foreword Every person employed or engaged by the ANAO shares responsibility for ensuring that good security practices are employed. The ANAO is committed to protecting its people, information, intellectual property, assets, activities and facilities against misuse, loss, damage, disruption, interference, espionage or unauthorised disclosure. It is critical that we retain the confidence of those who entrust sensitive and classified information to us. Documentation implements broader Government protective security policy reflecting the minimum requirements necessary to maintain an acceptable standard for protecting our assets, those in our care and our reputation. Our protective security arrangements maintain, as a minimum, the requirements of the Australian Government Protective Security Policy Framework (PSPF) as approved by the Australian Government and issued by the Attorney General. I require all managers, particularly SES, to take and demonstrate responsibility for ensuring that the assets and resources under their control receive the appropriate level of protection. In order to do this, managers must familiarise themselves with the principles of security risk management. Managers need to ensure that ANAO personnel, including contractors and consultants, are vigilant in their approach to security and accept that they have a key role to play in maintaining effective security. Protective security should be a part of our office s culture so that we effectively balance the competing requirements of limiting access to those that have a genuine need to know with ensuring key business partners receive information in an appropriate timeframe ( need to share ). Further advice on Protective Security can be obtained from the Agency Security Adviser (ASA) on and for IT Security advice, queries should be directed to the Information Technology Security Adviser (ITSA) on Ian McPhee Auditor General Governance Framework 5

6 Introduction Purpose 1. The Australian National Audit Office (ANAO) Protective Security Governance Policy outlines the ANAO s overall protective security documentation, the roles and responsibilities of individuals and ANAO committees, and summarises key elements of ANAO s approach to protective security. 2. The Protective Security Governance Policy has been developed based on: Australian government best practices; Attorney General s Department s PSPF; and ANAO specific requirements. Scope and applicability 3. The arrangements outlined in this document apply to all ANAO personnel, information and physical assets. Document relationship 4. The Governance Policy is the overarching document within our protective security documentation as shown in Figure 1 ANAO protective security documentation. Document ownership and update 5. The Agency Security Adviser (ASA) is responsible for the periodic review and maintenance of this policy. The ASA is responsible for reviewing this policy for currency and applicability prior to 31 Jul 2014 or as a result of changes to the PSPF or ANAO s environment which impacts this policy. Governance Framework 6

7 Figure 1 ANAO protective security documentation Governance Framework 7 UNCLASSIFIED

8 Context Overview 6. The Australian National Audit Office (ANAO) provides a range of audit and assurance services to the Parliament and public sector entities with the Australian Parliament as its primary client. 7. ANAO staff, contractors and contractor employees, consultants, and the staff of other Government Agencies that work for or on behalf of the ANAO are referred to collectively as ANAO personnel. 8. The ANAO s principal asset is its reputation. If this were tarnished by an incident of note, then it would become difficult for ANAO to conduct its business. ANAO s reputation is underpinned by three core abilities: ANAO s ability to protect its information assets from disclosure, compromise or loss; ANAO s ability to provide its services in an accurate and timely manner; and ANAO s ability to remain relevant in its service offerings. Security culture 9. The ANAO takes a proactive and positive attitude towards protective security. All ANAO personnel share responsibility for ensuring good security practice is employed. 10. Managing security risks proportionately and effectively enables the ANAO to provide the necessary protection of its key assets (our people, property, information and reputation). 11. Protective security is a part of the ANAO culture. The ANAO seeks to effectively balance the competing requirements of limiting access to those that have a genuine need to know with ensuring key business partners receive information in an appropriate timeframe ( need toshare ). 12. Security is more than a collection of documents outlining policy and procedures. It is a fundamental consideration in every task conducted by ANAO personnel. Internal factors 13. The Attorney General s Department released the PSPF [1] in July 2010 and has been releasing Security Management Protocols and Guidelines since this date. Governance Framework 8

9 14. The Attorney General wrote to Agency Heads in December 2011 informing them of the compliance timelines for implementing policy. Those deadlines were: Agencies must implement the new policy by 31 July 2012; Agencies can grandfather existing policy to 31 July 2013; and Initial Ministerial report due in August The ANAO established a timeline to implement the policy to meet this timeframe. The implementation of the PSPF [1] involves reworking internal policies and procedures in order for personnel to understand the new framework and the ANAO s implementation of it. External factors 16. The ANAO collects information from external agencies in order to conduct its audit activities. 17. As a result, the ANAO must maintain its reputation to protect the confidentiality, integrity and availability of the information it collects, processes and stores on behalf of its stakeholders. 18. Any significant reputational damage to ANAO could result in the loss of confidence from its stakeholders. Legislation 19. The PSPF s [1] mandatory requirements are not legally set down, but are based on legislation relating to protective security and reflect the aims and objectives of the Australian Government. 20. In addition to the mandatory requirements of the PSPF, there are additional protective security requirements relating to the ANAO set out in the Auditor General Act 1997, the Public Service Act 1999 and the APS Code of Conduct [2]. 21. The combined effect of section 36 of the Auditor General Act 1997, sections 70 and 79 of the Crimes Act 1914 and section 91.1 of the Criminal Code 1995 is that the unauthorised disclosure of information held by the Australian Government is subject to the sanction of criminal law. 22. Disclosure of official information should only occur if that disclosure is authorised. Authorisation may be granted under the express authority of an agency head, subject to the provisions of the Freedom of Information Act 1982 (the FOI Act) and, in relation to personal information, must be in compliance with the Privacy Act 1988 (the Privacy Act). Assets 23. The following ANAO assets must be effectively protected through our protective security arrangements: Governance Framework 9

10 Table 1: ANAO assets Asset ID A1 A2 A3 A4 A5 A6 Description Confidentiality of ANAO Information Integrity of ANAO Information Availability of ANAO Information Systems ANAO s Reputation Physical Security of ANAO Assets ANAO Staff and Contractors 24. The ANAO s principal asset is its reputation. The ANAO s reputation is underpinned by its ability to: protect information assets from disclosure, compromise or loss; provide audit services in an accurate and timely manner; and remain relevant in our service offerings. 25. The term information assets within this policy refers to any form of information, including: electronic data; the software or information and communication technology (ICT) systems and networks on which the information is stored, processed or communicated; printed documents and papers; the intellectual information (knowledge) acquired by individuals; and physical items from which information regarding design, components or use could be derived. Governance Framework 10

11 Protective security governance policy Overview 26. The Governance Policy ensures that : ANAO personnel are provided with sufficient information and security awareness training to allow them to meet the requirements of the PSPF [1]; policies and procedures are in place that are effective and applicable to the ANAO context; and a security plan is in place to manage ANAO risks and that the security plan is updated in line with changing risks and the ANAO operating environment. 27. The Government is responsible for the protective security of the Commonwealth. Individual Ministers are responsible for securing the operation of their portfolios (the independent statutory office of the Auditor General reports for administrative purposes to the Prime Minister). Within an agency, the Agency Head is responsible for the protection of agency functions, official resources and employees (including contractors). 28. Implementation, management and improvement of the ANAO security framework are the responsibility of the Auditor General as the ANAO Agency Head. The Security Committee has been created to provide advice and assurance to the Auditor General in the discharge of his security responsibilities. Further information on the roles and responsibilities for protective security can be found in the Roles and responsibilities section below. 29. All ANAO personnel are required to adhere to the policies and guidelines outlined in Figure 1 ANAO protective security documentation. Roles and responsibilities Auditor General 30. Primary responsibility for the management of ANAO security rests with the Auditor General. A Security Committee has been established to provide independent assurance and assistance to the Auditor General and the Executive Board of Management (EBOM) on the ANAO s security framework. Governance Framework 11

12 Security Committee 31. The Security Committee (the Committee) supports the Auditor General to discharge his responsibilities. The Committee has no executive powers, supervisory functions or decisionmaking authority in relation to the operation of the ANAO; it is an advisory body only. 32. The Committee is directly responsible and accountable to the Auditor General and must report any significant security matter that may impact the operations of the ANAO to the Deputy Auditor General and/or EBOM. The Committee must report to EBOM on its operations and activities during the year (more information can be found in the Security Committee Charter [2]. 33. The Committee includes representatives from the service groups and support branches who attend each meeting as observers. The following staff with specific responsibilities for protective security comprise the membership of the Committee: Executive Director Corporate Management Branch (ED CMB) 34. The ED CMB chairs the Security Committee and is responsible for the ongoing development and oversight of the office s protective security policy and practices and for providing guidance to the ASA and ITSA. In addition to formal reporting through the Security Committee, the ED CMB is also responsible for ensuring a security brief is provided as required to each monthly meeting of EBOM. The Agency Security Adviser (ASA) 35. The ASA reports to the ED CMB and plays an integral role in the ongoing monitoring of the ANAO security procedures and systems. The ASA helps the Executive to analyse the agency s security environment and to plan to counter unacceptable security risks. The ASA also plays a key role in managing the office s personnel security program to ensure ANAO personnel are aware of their security responsibilities and obligations. The Senior Director Governance and External Relations has been appointed to this role. 36. The ASA has an Assistant Agency Security Adviser (A ASA) to support with the discharge their security responsibilities, in particular the day to day management of security. The Operations Manager has been appointed to this role. The Information Technology Security Adviser (ITSA) 37. The ITSA also reports to the ED CMB and is responsible for advising the Executive on the security measures required to ensure that the information stored, processed or communicated by the ANAO information communications technology (ICT) systems is protected in accordance with the law, Australian Government policies, and the information security requirements detailed in the ANAO Security Plan. The Chief Information Officer has been appointed to this role. Governance Framework 12

13 ANAO personnel 38. Security is everyone s responsibility. It follows that all ANAO personnel are held accountable for their actions and managers held accountable for the security of their area of responsibility. 39. ANAO personnel need to be aware of the policies and guidelines put in place to ensure that confidence and trust in the Office is maintained and our reputation and standing are upheld. This includes this policy document as well as all supporting policies and guidelines. It also includes completing mandatory annual security and awareness training. 40. The ASA and ITSA work closely together to ensure that security measures taken to protect their respective environments complement and support each other. The ASA, A ASA and ITSA are always available to assist. However, it is your responsibility to familiarise yourself with the information sources available to you on security and to seek advice in cases of uncertainty. 41. ANAO personnel should familiarise themselves with the Auditor General Instructions, the Guide to Conduct in the ANAO and the ANAO Fraud Control Plan, all of which contain information of relevance to security. For contracted firms, the ANAO has prepared summary guidelines on the key requirements from the ANAO protective security document framework for consideration in addition to this overall governance policy. Governance Framework 13

14 The ANAO s approach to protective security Overview 42. Good protective security governance is about both: conformance how an agency uses protective security arrangements to ensure it meets the obligations of policy and standards and Government s expectations; and performance how an agency uses protective security arrangements to contribute to its overall performance through the secure delivery of goods, services or programmes as well as ensuring the confidentiality, integrity and availability of its people, information and assets. 43. The ANAO security framework is a holistic approach to protective security which incorporates complementary controls for Information, ICT, Physical and Personnel security. It is based on principles of public sector governance including: accountability being answerable for decisions and having meaningful mechanisms in place to ensure the agency adheres to all applicable protective security standards; transparency/openness having clear roles and responsibilities for protective security functions and clear procedures for making decisions and exercising authority; efficiency ensuring the best use of limited protective security resources to further the aims of the agency, with a commitment to risk based strategies for improvement; and leadership achieving an agency wide commitment to good protective security performance through leadership from the top. Security risk management 44. The ANAO is committed to risk management as an integral part of its planning and operations focussing on strategies and practices designed to effectively manage the risks to achieving corporate goals and objectives. ANAO protective security arrangements are based on effective security risk management. 45. The ANAO has adopted a formal risk management framework to support this commitment. The ANAO risk management framework is based on the guidance provided by the international risk Governance Framework 14

15 standard ISO 31000:2009 Risk Management. Further information on the ANAO risk management framework can be found within the ANAO Risk Management Policy [3]. 46. The ANAO has a low risk appetite for risks that would result in damaging the ANAO s reputation or other key organisational assets. Risk assessment and treatment 47. An overarching Protective Security Risk Review (PSRR) [7] is updated at least annually to identify the key threats and risks to the ANAO s ongoing security. Various threat sources are identified and assessed as to their potential to bring harm to the ANAO s assets. 48. The PSRR [7] is completed with reference to the Business Impact Levels (BILs) outlined in the PSPF Australian Government protective security governance guidelines Business impact levels [5]. 49. The PSRR [7] guides the security control selection to support the technical and administrative implementation of security within the ANAO and provides significant input into the ANAO Security Plan [6] which defines the security controls in use at ANAO and how they are to be implemented. 50. The PSRR is a living document and is updated annually; or in response to changes in the environment in which the ANAO operates; or if a security breach or incident is identified that would indicate a control failure or absence. The ANAO Security Plan [6] is updated at least every 2 years or in response to changes in our protective security risks. 51. The PSRR and ANAO Security Plan [6] are classified as For Official Use Only and cannot be released without the written permission of the ASA. 52. There are also a number of system related and site specific risk reviews and security plans in place for key ANAO ICT systems, Incidents and the ANAO facility at 19 National Circuit in Barton. Security training and awareness 53. The effectiveness of ANAO protective security arrangements relies on ANAO personnel being well informed and aware of their responsibilities for security under the PSPF [1]. 54. The ASA works closely with the ITSA to ensure that regular, up to date security training and awareness programs are developed and delivered to ANAO personnel. 55. The security awareness and training programs include: Security briefings (at induction, and regularly during the year for all ANAO personnel); Governance Framework 15

16 Online electronic access to security documentation; Online security awareness e learning modules; and Security flyers (provided in hard copy to ANAO personnel and available electronically via Audit Central). 56. The ASA and ITSA are also available to provide security advice directly to ANAO personnel on request. 57. Further information can be found in the ANAO Security Awareness Guidelines [10]. Audits, reviews and reporting 58. The Governance Policy and associated policies and guidelines will be reviewed at least every two years, or in response to changes flowing from the Protective Security Risk Review (PSRR) process. 59. The Security Committee is responsible for oversighting the annual security assessment against the PSPF s [1] mandatory requirements (the first report is due in August 2013). The ANAO Security Plan [6] includes complete details on our compliance with the PSPF mandatory requirements. 60. The Security Committee will advise the Auditor General through EBOM on our compliance with the requirements prior to the report being lodged with the Attorney General s Department (and other entities as required by the PSPF [1] mandatory requirement GOV 7). The Chair of the Security Committee is also an observer on the ANAO Audit Committee and will monitor internal audit strategies and programs to ensure adequate coverage of the ANAO security environment. 61. Where the ANAO identifies a situation where the policies in this security framework and supporting guidelines cannot apply, the Auditor General, or delegate, will make a clear, riskbased decision on whether to allow the policy exception. 62. Before granting a policy exception, advice will be sought from the ASA, ITSA, relevant information originators or asset owners and other stakeholders who may be affected by the non compliance. Any non compliance will then be included in the annual security assessment against the PSPF s [1] mandatory requirements. Security incidents and investigations 63. All ANAO personnel are responsible for the security of ANAO assets in their control and must ensure these are properly protected from unauthorised access by adhering with the requirements of the ANAO protective security policies and guidelines. Governance Framework 16

17 64. ANAO Security Staff undertake periodic afterhours security checks within ANAO facilities at 19 National Circuit to ensure ANAO personnel are complying with their close of business responsibilities. ANAO personnel also have an important role in alerting ANAO Security Staff on instances of suspected intrusion or the occurrence of a security incident. The reporting and investigation of security incidents is an essential element in monitoring and managing the risks to ANAO assets. Additional guidance is contained in the ANAO Personnel Incident Response Guidelines [11].The ASA has responsibility to determine if a security incident will result in a security breach being issued to ANAO personnel. The ASA will make this determination after taking into account the circumstances and severity of the identified incident. 65. Incidents identified as a result of the afterhours security checks or the reporting of security incidents more broadly may fall into either of the following categories: Security Breaches: which relate to the accidental or unintentional failure to observe ANAO security policies and guidelines e.g. failure to properly secure official information and unsecured portable and attractive items; and Security Violations: which relate to deliberate actions that lead, or could lead to the loss, damage or corruption or disclosure of official information and assets and results in a formal investigation. Any suspected security violation will be considered as a possible breach of the APS Code of Conduct and may be reported to the Australian Federal Police. 66. ANAO personnel responsible for a security breach will be issued with a breach notice and Security Staff will advise their Executive Director (or Engagement Manager for contracted firms). ANAO personnel will need to explain the reasons for the breach and the actions taken to ensure it will not reoccur. 67. Personnel who incur three (3) security breaches during their employment or engagement with the ANAO must provide an explanation report to their responsible Group Executive Director and a copy to the Deputy Auditor General. Personnel who incur more than three (3) security breaches within 12 months may be considered to have breached the APS Code of Conduct and may have their employment or contract terminated. 68. The ASA is responsible for maintaining a register of ANAO security incidents and reported incidents. Aggregated information on security incidents and breaches is reported monthly to EBOM. 69. Where necessary, investigations are conducted by the ASA, ITSA or A ASA in accordance with the type, size and impact of a security breach. External assistance is sought, as required, to satisfy the Australian Government Investigations Standards [12]. Access logs relating to ANAO personnel entering and exiting 19 National Circuit, as well as CCTV footage of the Zone One General Reception Area may also be also be used to assist security investigations. Governance Framework 17

18 70. The ASA or ITSA will report: incidents suspected of constituting criminal offences to the appropriate law enforcement authority ; incidents suspected of involving the compromise of information or assets classified at or above CONFIDENTIAL to ASIO; major ICT incidents to the Defence Signals Directorate; incidents involving the compromise of Cabinet material to the Cabinet Secretariat; and to AGSVA for maintenance of security clearances. Business continuity management 71. Critical services and associated assets need to remain available in order to assure the health, safety, security and economic well being of Australians, and the effective functioning of government. 72. Business continuity management (BCM) is a part of the ANAO s overall approach to effective risk management. 73. Business continuity planning is a process whereby key risks to ANAO business operations as a result of an emergency are identified, assessed and controls are identified to enable the ANAO to manage the immediate crisis and restore business operations as soon as possible. 74. The ASA is also responsible for the coordination of the ANAO BCM development and maintenance, including: identifying essential services; identifying key resource dependencies; developing crisis management and business continuity teams; developing crisis communications protocols; conducting simulated crisis exercises; and development and maintenance of contingency arrangements. 75. The ANAO Business Continuity Management Planning Guidelines [13] and associated Fact Sheets [14] which detail the ANAO emergency and crisis management procedures are available on Audit Central. Governance Framework 18

19 International security agreements 76. The ANAO has not entered into any agreements to share protectively marked information with international organisations, or those that handle another country s protectively marked information on their behalf. Contracting 77. The ANAO protective security policies and procedures are also applicable to private sector organisations and individuals who have ongoing access to ANAO assets. The ANAO will provide access to training and awareness materials and conduct information sessions for contractors as part of its overall training and awareness strategy. This includes the development of specific guidelines for contracted firms delivering audit services on behalf of the ANAO, which are updated annually and made available, along with this policy, on the ANAO extranet. 78. The ANAO will specify protective security requirements in the terms and conditions of any contractual documentation. 79. The ANAO will obtain independent assurance as required to verify that the contracted service provider complies with the terms and conditions of any contractual documentation. Fraud control 80. Fraud control measures are part of the risk management process. The Commonwealth Fraud Control Guidelines [15] outline the principles of fraud control within the Commonwealth and set national minimum standards to help agencies carry out their responsibilities to combat fraud against their programs. 81. The Auditor General has delegated responsibility for fraud control management to the ED CMB who works with the Chief Finance Officer (CFO) to manage the fraud control plan and fraud risk assessment process. 82. Further information can be found in the ANAO Fraud Control Policy [16]. Governance Framework 19

20 Appendix 1 PSPF Mandatory Requirements mapped to Documentation Framework The following table references each of the PSPF mandatory requirements to relevant ANAO protective security documentation or supporting policy (with detailed compliance mapping against the PSPF mandatory requirements included as an annex to the ANAO Security Plan): Mandatory Requirement GOV 1 GOV 2 Detail Agencies must provide all staff, including contractors, with sufficient information and security awareness training to ensure they are aware of, and meet the requirements of this Framework. To fulfil their security obligations, agencies must appoint: a member of the Senior Executive Service as the security executive, responsible for the agency protective security policy and oversight of protective security practices ANAO Reference document) ANAO Security Awareness Process (SEC_4.2_PER) document) Roles and responsibilities an agency security adviser (ASA) responsible for the day to day performance of protective security functions, and an information technology security adviser (ITSA) to advise senior management on the security of the agency s Information Communications Technology (ICT) systems. GOV 3 Agencies must ensure that the agency security adviser (ASA) and information technology security adviser (ITSA) have detailed knowledge of agency specific protective security policy, protocols and mandatory protective security requirements in order to fulfil their protective security responsibilities. document) Roles and responsibilities Governance Framework 20

21 GOV 4 Agencies must prepare a security plan to manage their security risks. The security plan must be updated or revised every two years or sooner when changes in risks and the agency s operating environment dictate. ANAO Risk Management Plan document) Security risk management GOV 5 GOV 6 Agencies must develop their own set of protective security policies and procedures to meet their specific business needs. Agencies must adopt a risk management approach to cover all areas of protective security activity across their organisation, in accordance with the Australian Standard for Risk Management AS/NZS ISO 31000:2009 and the Australian Standards HB 167:2006 Security risk management. Governance Policy and associated security policies ANAO Fraud Control Plan ANAO Risk Management Policy ANAO Business Continuity Management Plan GOV 7 For internal audit and reporting, agencies must: undertake an annual security assessment against the mandatory requirements detailed within this Framework, and report their compliance with the mandatory requirements to the relevant portfolio Minister. The report must: contain a declaration of compliance by the agency head, and state any areas of non compliance, including details on measures taken to lessen identified risks. In addition to their portfolio Minister, agencies must send a copy of their annual report on compliance with the mandatory requirements to: document) Audits, reviews and Reporting ANAO Security Incident Response Plan (SEC_4.5_PER) Governance Framework 21

22 the Secretary, Attorney General s Department, and the Auditor General. Agencies must also advise any non compliance with mandatory requirements to: the Director, Defence Signals Directorate for matters relating to the Australian Government ICT Security Manual (ISM). the Director General, Australian Security Intelligence Organisation for matters relating to national security, and GOV 8 GOV 9 the heads of any agencies whose people, information or assets may be affected by the non compliance. Agencies must ensure investigators are appropriately trained and have in place procedures for reporting and investigating security incidents and taking corrective action, in accordance with the provisions of: Australian Government Guidelines on Security incidents and Investigations, and/or The Australian Government Investigations Standards. Agencies must give all employees, including contractors, guidance on Sections 70 and 79 of the Crimes Act 1914, section 91.1 of the Criminal Code 1995, the Freedom of Information Act 1982 and the Information Privacy Principles contained in the Privacy Act 1988 including how this legislation relates to their role. document) Security incidents and investigations document) Legislation ANAO Security Awareness Process (SEC_4.2_PER) GOV 10 Agencies must adhere to any provisions concerning the security of people, information and assets contained in multilateral or bilateral agreements and arrangements to which Australia is a party. document) International security agreements Governance Framework 22

23 GOV 11 Agencies must establish a business continuity management (BCM) program to provide for the continued availability of critical services and assets, and of other services and assets when warranted by a threat and risk assessment. document) Business continuity management ANAO Business Continuity Management Planning Guidelines ANAO Business Continuity Management Factsheet GOV 12 PERSEC 1 PERSEC 2 Agencies must ensure the contracted service provider complies with the requirements of this policy and any protective security protocols. Agencies must ensure that Australian Government employees, contractors and temporary staff who require ongoing access to Australian Government information and resources: are eligible to have access have had their identity established are suitable to have access, and are willing to comply with the Government s policies, standards, protocols and guidelines that safeguard that agency s resources (people, information and assets) from harm. Access to higher levels of classified resources is dependent upon the granting of the requisite security clearance. Agencies must, as part of their risk management approach to protective security, identify designated security assessed positions (DSAPs) within their organisation that require access to CONFIDENTIAL, SECRET and TOP SECRET assets and information. Agencies must ensure that security vetting is only applied where it document) Contracting document) ANAO Personnel Security Policy (SEC_4.0_PER) ANAO Security Vetting Guidelines (SEC_4.1_PER) ANAO Security Awareness Guidelines (SEC_4.2_PER) ANAO Personnel Security Policy (SEC_4.0_PER) Governance Framework 23

24 is necessary. PERSEC 3 Agencies must maintain a DSAP register. ANAO Personnel Security Policy (SEC_4.0_PER) PERSEC 4 PERSEC 5 PERSEC 6 INFOSEC 1 INFOSEC 2 Security clearances must be sponsored by an Australian government agency. Security clearances are not available on demand or on a speculative basis. All Government agencies must follow the Australian Government Personnel Security Protocol for personnel security as contained in supplementary material within the Protective Security Policy Framework. Only the Australian Government Security Vetting Agency and exempt agencies can grant, continue, deny, revoke or vary a security clearance. Exempt agencies can only issue clearances for their own agency. Agencies must have in place personnel security aftercare arrangements, including the requirement for individuals holding security clearances to advise the AGSVA or the relevant exempt agency of any significant change in personal circumstance that may impact on their continuing suitability to access security classified resources. Agency heads must provide clear direction on information security through the development and implementation of an agency information security policy and an agency information security plan. Each agency must establish a framework to provide direction and coordinated management of information security. Frameworks must be appropriate to the level of security risks to the agency s information environment. ANAO Personnel Security Policy (SEC_4.0_PER) ANAO Personnel Security Policy (SEC_4.0_PER) ANAO Personnel Security Policy (SEC_4.0_PER) ANAO Security Awareness Guidelines (SEC_4.2_PER) document) ANAO Information Security Policy (SEC_1.0_INF) ANAO ICT Security Policy (SEC_2.0_ICT) document) ANAO Information Security Policy (SEC_1.0_INF) Governance Framework 24

25 INFOSEC 3 INFOSEC 4 Agencies must implement policies and procedures for the security classification and protective control of information assets (in electronic and paper based formats) which match their value, importance and sensitivity. Agencies must document and implement operational procedures and measures to ensure information, ICT systems and network tasks are managed securely and consistently, in accordance with the level of required security. ANAO ICT Security Policy (SEC_2.0_ICT) ANAO Information Security Policy (SEC_1.0_INF) ANAO ICT Security Policy (SEC_2.0_ICT) ANAO Information Classification & Handling Guidelines (SEC_1.1_INF) ANAO Data Transfer Storage & Disposal Guidelines (SEC_2.3_ICT) ANAO Information Security Policy (SEC_1.0_INF) ANAO ICT Security Policy (SEC_2.0_ICT) INFOSEC 5 Agencies must have in place control measures based on business owner requirements and assessed/accepted risks for controlling access to all information, ICT systems, networks (including remote access), infrastructures and applications. Agency access control rules must be consistent with agency business requirements and information classification as well as legal obligations. ANAO Information Security Policy (SEC_1.0_INF) ANAO ICT Security Policy (SEC_2.0_ICT) ANAO Identity & Access Management Guidelines(SEC_2.2_ICT) Governance Framework 25

26 INFOSEC 6 INFOSEC 7 Agencies must have in place security measures during all stages of ICT system development, as well as when new ICT systems are implemented into the operational environment. Such measures must match the assessed security risk of the information holdings contained within, or passing across, ICT networks infrastructures and applications. Agencies must ensure that agency information security measures for all information processes, ICT systems and infrastructure adhere to any legislative or regulatory obligations under which the agency operates. ANAO Information Security Policy (SEC_1.0_INF) ANAO ICT Security Policy (SEC_2.0_ICT) ANAO Information Security Policy (SEC_1.0_INF) ANAO ICT Security Policy (SEC_2.0_ICT) PHYSEC 1 PHYSEC 2 PHYSEC 3 Agency heads must provide clear direction on physical security through the development and implementation of an agency physical security policy and an agency physical security plan. Agencies must have in place policies and procedures to: identify, protect and support employees under threat of violence, based on a threat and risk assessment of specific situations. In certain cases, agencies may have to extend protection and support to family members and others report incidents to management, human resources, security and law enforcement authorities, as appropriate provide information, training and counselling to employees, and maintain thorough records and statements on reported incidents. Agencies must ensure they fully integrate protective security early in the process of planning, selecting, designing and modifying their facilities. document) ANAO Physical Security Policy (SEC_3.0_PHY) document) ANAO Physical Security Policy (SEC_3.0_PHY) ANAO Physical Security Policy (SEC_3.0_PHY) Governance Framework 26

27 PHYSEC 4 PHYSEC 5 PHYSEC 6 PHYSEC 7 Agencies must ensure that any proposed physical security measure or activity does not breach relevant employer occupational health and safety obligations. Agencies must show a duty of care for the physical safety of those members of the public interacting directly with the Australian Government. Where an agency s function involves providing services, the agency must ensure that clients can transact with the Australian Government with confidence about their physical well being. Agencies must implement a level of physical security measures that minimises or removes the risk of ICT equipment and information being made inoperable or inaccessible, or being accessed, used or removed without appropriate authorisation. Agencies must develop plans and procedures to move up to heightened security levels in case of emergency and increased threat. The Australian Government may direct its agencies to implement heightened security levels. ANAO Physical Security Policy (SEC_3.0_PHY) ANAO Physical Security Policy (SEC_3.0_PHY) ANAO Physical Security Policy (SEC_3.0_PHY) ANAO Physical Security Policy (SEC_3.0_PHY) END OF DOCUMENT Governance Framework 27

Department of the Premier and Cabinet Circular. PC030 Protective Security Policy Framework

Department of the Premier and Cabinet Circular. PC030 Protective Security Policy Framework Department of the Premier and Cabinet Circular PC030 Protective Security Policy Framework February 2012 PROTECTIVE SECURITY MANAGEMENT FRAMEWORK TABLE OF CONTENTS TABLE OF CONTENTS 2 1. PURPOSE 3 2. SCOPE

More information

Protective security governance guidelines

Protective security governance guidelines Protective security governance guidelines Security of outsourced services and functions Approved 13 September 2011 Version 1.0 Commonwealth of Australia 2011 All material presented in this publication

More information

Corporate Information Security Policy

Corporate Information Security Policy Corporate Information Security Policy. A guide to the Council s approach to safeguarding information resources. September 2015 Contents Page 1. Introduction 1 2. Information Security Framework 2 3. Objectives

More information

NSW Government Digital Information Security Policy

NSW Government Digital Information Security Policy NSW Government Digital Information Security Policy Version: 1.0 Date: November 2012 CONTENTS PART 1 PRELIMINARY... 3 1.1 Scope... 3 1.2 Application... 3 1.3 Objectives... 3 PART 2 CORE REQUIREMENTS...

More information

Crime Statistics Data Security Standards. Office of the Commissioner for Privacy and Data Protection

Crime Statistics Data Security Standards. Office of the Commissioner for Privacy and Data Protection Crime Statistics Data Security Standards Office of the Commissioner for Privacy and Data Protection 2015 Document details Security Classification Dissemination Limiting Marker Dissemination Instructions

More information

The Management of Physical Security

The Management of Physical Security The Auditor-General Audit Report No.49 2013 14 Performance Audit Australian Crime Commission Geoscience Australia Royal Australian Mint Australian National Audit Office Commonwealth of Australia 2014 ISSN

More information

Security Awareness and Training

Security Awareness and Training T h e A u d i t o r - G e n e r a l Audit Report No.25 2009 10 Performance Audit A u s t r a l i a n N a t i o n a l A u d i t O f f i c e Commonwealth of Australia 2010 ISSN 1036 7632 ISBN 0 642 81115

More information

UNCLASSIFIED. Victorian Protective Data Security Framework (VPDSF) ROSETTA STONE

UNCLASSIFIED. Victorian Protective Data Security Framework (VPDSF) ROSETTA STONE 1 Security Management Framework 1. Information Security Management Structure 2. Security Roles (Security Exec, ASA, ITSA) 40. Identify and document legal GOV-2 Security Roles (Security Executive, ASA and

More information

Australian Government Information Security Manual CONTROLS

Australian Government Information Security Manual CONTROLS 2014 Australian Government Information Security Manual CONTROLS 2014 Australian Government Information Security Manual CONTROLS Commonwealth of Australia 2014 All material presented in this publication

More information

Australian Government Information Security Manual CONTROLS

Australian Government Information Security Manual CONTROLS 2015 Australian Government Information Security Manual CONTROLS 2015 Australian Government Information Security Manual CONTROLS Commonwealth of Australia 2015 All material presented in this publication

More information

NSW Government Digital Information Security Policy

NSW Government Digital Information Security Policy NSW Government Digital Information Security Policy Version: 2.0 Date: April 2015 CONTENTS PART 1 PRELIMINARY... 3 1.1 Scope... 3 1.2 Application... 3 1.3 Objectives... 3 PART 2 POLICY STATEMENT... 4 Core

More information

University of Sunderland Business Assurance Information Security Policy

University of Sunderland Business Assurance Information Security Policy University of Sunderland Business Assurance Information Security Policy Document Classification: Public Policy Reference Central Register Policy Reference Faculty / Service IG 003 Policy Owner Assistant

More information

The Protection and Security of Electronic Information Held by Australian Government Agencies

The Protection and Security of Electronic Information Held by Australian Government Agencies The Auditor-General Audit Report No.33 2010 11 Performance Audit The Protection and Security of Electronic Information Held by Australian Government Agencies Australian National Audit Office Commonwealth

More information

Protective security governance guidelines

Protective security governance guidelines Protective security governance guidelines Reporting incidents and conducting security investigations Approved 13 September 2011 Version 1.0 Commonwealth of Australia 2011 All material presented in this

More information

INTERNAL AUDIT FRAMEWORK

INTERNAL AUDIT FRAMEWORK INTERNAL AUDIT FRAMEWORK April 2007 Contents 1. Introduction... 3 2. Internal Audit Definition... 4 3. Structure... 5 3.1. Roles, Responsibilities and Accountabilities... 5 3.2. Authority... 11 3.3. Composition...

More information

HMG Security Policy Framework

HMG Security Policy Framework HMG Security Policy Framework Security Policy Framework 3 Foreword Sir Jeremy Heywood, Cabinet Secretary Chair of the Official Committee on Security (SO) As Cabinet Secretary, I have a good overview of

More information

Quality Manual Quality Management System Description

Quality Manual Quality Management System Description Australian Government Security Vetting Agency Quality Manual Quality Management System Description Commonwealth of Australia 2013 This work is copyright. Apart from any use as permitted under the Copyright

More information

Information Governance Strategy & Policy

Information Governance Strategy & Policy Information Governance Strategy & Policy March 2014 CONTENT Page 1 Introduction 1 2 Strategic Aims 1 3 Policy 2 4 Responsibilities 3 5 Information Governance Reporting Structure 4 6 Managing Information

More information

Tasmanian Government Information Security Framework

Tasmanian Government Information Security Framework Tasmanian Government Information Security Framework Tasmanian Government Information Security Charter Version 1.0 May 2003 Department of Premier and Cabinet Inter Agency Policy And Projects Unit 1 Purpose

More information

august09 tpp 09-05 Internal Audit and Risk Management Policy for the NSW Public Sector OFFICE OF FINANCIAL MANAGEMENT Policy & Guidelines Paper

august09 tpp 09-05 Internal Audit and Risk Management Policy for the NSW Public Sector OFFICE OF FINANCIAL MANAGEMENT Policy & Guidelines Paper august09 09-05 Internal Audit and Risk Management Policy for the NSW Public Sector OFFICE OF FINANCIAL MANAGEMENT Policy & Guidelines Paper Preface Corporate governance - which refers broadly to the processes

More information

Issue 1.0. UoG/ILS/IS 001. Information Security and Assurance Policy. Information Security and Compliance Manager

Issue 1.0. UoG/ILS/IS 001. Information Security and Assurance Policy. Information Security and Compliance Manager Document Reference Number Date Title Author Owning Department Version Approval Date Review Date Approving Body UoG/ILS/IS 001 January 2016 Information Security and Assurance Policy Information Security

More information

Government Owned Corporations. Corporate Governance Guidelines for Government Owned Corporations

Government Owned Corporations. Corporate Governance Guidelines for Government Owned Corporations Government Owned Corporations Corporate Governance Guidelines for Government Owned Corporations Version 2.0 The State of Queensland (Queensland Treasury) The Queensland Government supports and encourages

More information

Head of Information & Communications Technology Responsible work team: ICT Security. Key point summary... 2

Head of Information & Communications Technology Responsible work team: ICT Security. Key point summary... 2 Policy Procedure Information security policy Policy number: 442 Old instruction number: MAN:F005:a1 Issue date: 24 August 2006 Reviewed as current: 11 July 2014 Owner: Head of Information & Communications

More information

IT Security Management

IT Security Management The Auditor-General Audit Report No.23 2005 06 Protective Security Audit Australian National Audit Office Commonwealth of Australia 2005 ISSN 1036 7632 ISBN 0 642 80882 1 COPYRIGHT INFORMATION This work

More information

APES 320 Quality Control for Firms

APES 320 Quality Control for Firms APES 320 Quality Control for Firms APES 320 Quality Control for Firms is based on International Standard on Quality Control (ISQC 1) (as published in the Handbook of International Auditing, Assurance,

More information

LEEDS BECKETT UNIVERSITY. Information Security Policy. 1.0 Introduction

LEEDS BECKETT UNIVERSITY. Information Security Policy. 1.0 Introduction LEEDS BECKETT UNIVERSITY Information Security Policy 1.0 Introduction 1.1 Information in all of its forms is crucial to the effective functioning and good governance of our University. We are committed

More information

Not Protectively Marked

Not Protectively Marked TITLE CCMT Sponsor Department/Area Section/Sector INFORMATION SECURITY POLICY Deputy Chief Constable Professional Standards Department Force Security 1.0 Rationale 1.1 This policy sets out the approach

More information

INFORMATION TECHNOLOGY SECURITY STANDARDS

INFORMATION TECHNOLOGY SECURITY STANDARDS INFORMATION TECHNOLOGY SECURITY STANDARDS Version 2.0 December 2013 Table of Contents 1 OVERVIEW 3 2 SCOPE 4 3 STRUCTURE 5 4 ASSET MANAGEMENT 6 5 HUMAN RESOURCES SECURITY 7 6 PHYSICAL AND ENVIRONMENTAL

More information

INTERNAL AUDIT CHARTER

INTERNAL AUDIT CHARTER APPENDIX A INTERNAL AUDIT CHARTER Version Control Version No Author Date 1.2 Anna Wright September 2014 Shared Service Senior Auditor 1.3 Lisa Cotton August 2015 Shared Service Senior Auditor 1.4 Lisa

More information

Department of Infrastructure and Planning: Governance Framework for Infrastructure Delivery Special Purpose Vehicles

Department of Infrastructure and Planning: Governance Framework for Infrastructure Delivery Special Purpose Vehicles Department of Infrastructure and Planning: Governance Framework for Infrastructure Delivery Special Purpose Vehicles Governance Framework for Special Purpose Vehicles Table of Contents Executive Summary...3

More information

FSDF SPATIAL INFORMATION MANAGEMENT POLICIES SECURITY

FSDF SPATIAL INFORMATION MANAGEMENT POLICIES SECURITY FSDF SPATIAL INFORMATION MANAGEMENT POLICIES SECURITY Objective: Securing the Foundation Spatial Data Framework. This document is presented by ANZLIC the Spatial Information Council, representing the Australian

More information

Information Security Registered Assessors Program - Gatekeeper PKI Framework Guide

Information Security Registered Assessors Program - Gatekeeper PKI Framework Guide Information Security Registered Assessors Program - Gatekeeper PKI Framework Guide V2.0 NOVEMBER 2014 Information Security Registered Assessors Program - Gatekeeper PKI Framework Guide V 2.0 NOVEMBER

More information

INTERNAL AUDIT CHARTER

INTERNAL AUDIT CHARTER INTERNAL AUDIT CHARTER Version Control Version No Author Date 1.1 Anna Wright Shared Services Senior Auditor September 2013 Contents 1 Introduction 1 2 Definitions 1 3 Purpose of Internal Audit 1 4 Scope

More information

Information Security Handbook

Information Security Handbook Information Security Handbook Adopted 6/4/14 Page 0 Page 1 1. Introduction... 5 1.1. Executive Summary... 5 1.2. Governance... 5 1.3. Scope and Application... 5 1.4. Biennial Review... 5 2. Definitions...

More information

Wiltshire Police Force Information Security Policy

Wiltshire Police Force Information Security Policy Wiltshire Police Force Information Security Policy Table of Contents 1. INTRODUCTION 2. PURPOSE 3. SCOPE 4. POLICY STATEMENT 5. ROLES & RESPONSIBILITIES 6. ACCREDITATION 7. MOBILE & REMOTE WORKING 8. 3

More information

Information Security Policy

Information Security Policy Central Bedfordshire Council www.centralbedfordshire.gov.uk Information Security Policy January 2016 Security Classification: Not Protected 1 Approval History Version No Approved by Approval Date Comments

More information

Data Protection Policy

Data Protection Policy London Borough of Enfield Data Protection Policy Author Mohi Nowaz Classification UNCLASSIFIED Date of First Issue 10/08/2012 Owner IGB Issue Status DRAFT Date of Latest Re-Issue 12/09/2012 Version 0.6

More information

INFORMATION SECURITY MANAGEMENT POLICY

INFORMATION SECURITY MANAGEMENT POLICY INFORMATION SECURITY MANAGEMENT POLICY Security Classification Level 4 - PUBLIC Version 1.3 Status APPROVED Approval SMT: 27 th April 2010 ISC: 28 th April 2010 Senate: 9 th June 2010 Council: 23 rd June

More information

Entrepreneurs Programme - Business Evaluation. Version: 3

Entrepreneurs Programme - Business Evaluation. Version: 3 Entrepreneurs Programme - Business Evaluation Version: 3 20 October 2015 Contents 1 Purpose of this guide... 4 2 Programme overview... 4 2.1 Business Management overview... 4 3 Business Evaluations...

More information

Information Governance Strategy and Policy. OFFICIAL Ownership: Information Governance Group Date Issued: 15/01/2015 Version: 2.

Information Governance Strategy and Policy. OFFICIAL Ownership: Information Governance Group Date Issued: 15/01/2015 Version: 2. Information Governance Strategy and Policy Ownership: Information Governance Group Date Issued: 15/01/2015 Version: 2.0 Status: Final Revision and Signoff Sheet Change Record Date Author Version Comments

More information

Information Governance Strategy. Version No 2.0

Information Governance Strategy. Version No 2.0 Plymouth Community Healthcare CIC Information Governance Strategy Version No 2.0 Notice to staff using a paper copy of this guidance. The policies and procedures page of PCH Intranet holds the most recent

More information

Third Party Identity Services Assurance Framework. Information Security Registered Assessors Program Guide

Third Party Identity Services Assurance Framework. Information Security Registered Assessors Program Guide Third Party Identity Services Assurance Framework Information Security Registered Assessors Program Guide Version 2.0 December 2015 Digital Transformation Office Commonwealth of Australia 2015 This work

More information

Information Governance Policy (incorporating IM&T Security)

Information Governance Policy (incorporating IM&T Security) (incorporating IM&T Security) ONCE PRINTED OFF, THIS IS AN UNCONTROLLED DOCUMENT. PLEASE CHECK THE INTRANET FOR THE MOST UP TO DATE COPY Target Audience: All staff employed or working on behalf of the

More information

CORPORATE GOVERNANCE STATEMENT... 1

CORPORATE GOVERNANCE STATEMENT... 1 CORPORATE GOVERNANCE STATEMENT... 1 Overview... 1 Appointment Protocols... 2 Written Agreements... 2 Company Secretary... 2 Diversity Policy... 2 Board and Board Committee Performance Evaluation... 2 Senior

More information

Information Governance Policy

Information Governance Policy Information Governance Policy Version: 4 Bodies consulted: Caldicott Guardian, IM&T Directors Approved by: MT Date Approved: 27/10/2015 Lead Manager: Governance Manager Responsible Director: SIRO Date

More information

06100 POLICY SECURITY AND INFORMATION ASSURANCE

06100 POLICY SECURITY AND INFORMATION ASSURANCE Version: 5.4 Last Updated: 30/01/14 Review Date: 27/01/17 ECHR Potential Equality Impact Assessment: Low Management of Police Information (MoPI) The Hampshire Constabulary recognises that any information

More information

Please note this policy is mandatory and staff are required to adhere to the content

Please note this policy is mandatory and staff are required to adhere to the content Policy ICT Security Please note this policy is mandatory and staff are required to adhere to the content Summary DECD is committed to ensuring its information is appropriately managed according to the

More information

Data Protection Policy June 2014

Data Protection Policy June 2014 Data Protection Policy June 2014 Approving authority: Consultation via: Court Audit and Risk Committee, University Executive, Secretary's Board, Information Governance and Security Group Approval date:

More information

NOT PROTECTIVELY MARKED. Suffolk County Council DATA QUALITY POLICY

NOT PROTECTIVELY MARKED. Suffolk County Council DATA QUALITY POLICY Suffolk County Council DATA QUALITY POLICY This policy is sponsored by the Director of Resource Management on behalf of the Chief Executive of Suffolk County Council. Responsibility for maintaining, reviewing

More information

Highland Council Information Security Policy

Highland Council Information Security Policy Highland Council Information Security Policy Document Owner: Vicki Nairn, Head of Digital Transformation Page 1 of 16 Contents 1. Document Control... 4 Version History... 4 Document Authors... 4 Distribution...

More information

Information Security Policy

Information Security Policy Information Security Policy Author Aleksandra Foy, Office Manager Responsible Director Medical Director Ratified By Quality and Safety Committee Ratified Date June 2014 Review Date December 2015 Version

More information

Information Security Policy

Information Security Policy Information Security Policy Author: Responsible Lead Executive Director: Endorsing Body: Governance or Assurance Committee Alan Ashforth Alan Lawrie ehealth Strategy Group Implementation Date: September

More information

ISO27001 Controls and Objectives

ISO27001 Controls and Objectives Introduction This reference document for the University of Birmingham lists the control objectives, specific controls and background information, as given in Annex A to ISO/IEC 27001:2005. As such, the

More information

Data Protection Policy

Data Protection Policy Data Protection Policy Responsible Officer Author Date effective from July 2009 Ben Bennett, Business Planning & Resources Director Julian Lewis, Governance Manager Date last amended December 2012 Review

More information

Business Continuity Management

Business Continuity Management Business Continuity Management Standard Operating Procedure Notice: This document has been made available through the Police Service of Scotland Freedom of Information Publication Scheme. It should not

More information

Information Security: Business Assurance Guidelines

Information Security: Business Assurance Guidelines Information Security: Business Assurance Guidelines The DTI drives our ambition of prosperity for all by working to create the best environment for business success in the UK. We help people and companies

More information

Information Integrity & Data Management

Information Integrity & Data Management Group Standard Information Integrity & Data Management Serco recognises its responsibility to ensure that any information and data produced meets customer, legislative and regulatory requirements and is

More information

Entrepreneurs Programme - Business Growth Grants

Entrepreneurs Programme - Business Growth Grants Entrepreneurs Programme - Business Growth Grants Version: 15 July 2015 Contents 1 Purpose of this guide... 4 2 Programme overview... 4 2.1 Business Management overview... 4 3 Business Growth Grant... 5

More information

National Assembly for Wales Internal Audit Charter

National Assembly for Wales Internal Audit Charter National Assembly for Wales Internal Audit Charter Purpose 1.1 This charter is a high level statement of how internal audit will be delivered and developed and formally defines the purpose, authority and

More information

RECORDS MANAGEMENT POLICY

RECORDS MANAGEMENT POLICY RECORDS MANAGEMENT POLICY POLICY STATEMENT The records of Legal Aid NSW are a major component of its corporate memory and risk management strategies. They are a vital asset that support ongoing operations

More information

Appendix 1. Internal Audit Charter

Appendix 1. Internal Audit Charter Appendix 1 Internal Audit Charter Subject to annual review by Head of Internal Audit Reported to Corporate Management Team and Audit Committee: February / March 2015 Introduction Appendix 1: Internal Audit

More information

NHS Business Services Authority Information Security Policy

NHS Business Services Authority Information Security Policy NHS Business Services Authority Information Security Policy NHS Business Services Authority Corporate Secretariat NHSBSAIS001 Issue Sheet Document reference NHSBSARM001 Document location F:\CEO\IGM\IS\BSA

More information

A Guide to Corporate Governance for QFC Authorised Firms

A Guide to Corporate Governance for QFC Authorised Firms A Guide to Corporate Governance for QFC Authorised Firms January 2012 Disclaimer The goal of the Qatar Financial Centre Regulatory Authority ( Regulatory Authority ) in producing this document is to provide

More information

Audit, Risk Management and Compliance Committee Charter

Audit, Risk Management and Compliance Committee Charter Audit, Risk Management and Compliance Committee Charter Woolworths Limited Adopted by the Board on 27 August 2013 page 1 1 Introduction This Charter sets out the responsibilities, structure and composition

More information

Information Governance Strategy

Information Governance Strategy Information Governance Strategy ONCE PRINTED OFF, THIS IS AN UNCONTROLLED DOCUMENT. PLEASE CHECK THE INTRANET FOR THE MOST UP TO DATE COPY Target Audience: All staff employed or working on behalf of the

More information

Board Charter. HCF Life Insurance Company Pty Ltd (ACN 001 831 250) (the Company )

Board Charter. HCF Life Insurance Company Pty Ltd (ACN 001 831 250) (the Company ) Board Charter HCF Life Insurance Company Pty Ltd (ACN 001 831 250) (the Company ) Board approval date: 27 October 2015 Contents 1. Introduction and Purpose of this Charter...1 2. Role of the Board...1

More information

INTERNAL AUDIT CHARTER

INTERNAL AUDIT CHARTER APPENDIX A INTERNAL AUDIT CHARTER Version Control Version No Author Date 1.2 Anna Wright September 2014 Senior Auditor 1.3 Lisa Cotton Senior Auditor August 2015 Contents 1 Introduction 1 2 Definitions

More information

Information Security Policy

Information Security Policy Information Security Policy 1 Version and Review Summary Rev Date Author Approver Revision description 1.00 April 2009 T Monachello Formal Review 1.01 1 st June 2009 T.Monachello Information Governance

More information

Information Security Policy

Information Security Policy Information Security Policy Reference No: Version: 5 Ratified by: CG007 Date ratified: 26 July 2010 Name of originator/author: Name of responsible committee/individual: Date approved by relevant Committee:

More information

APES 310 Dealing with Client Monies

APES 310 Dealing with Client Monies M EXPOSURE DRAFT ED 01/10 (April 2010) APES 310 Dealing with Client Monies Proposed Standard: APES 310 Dealing with Client Monies (Supersedes APS 10) [Supersedes APES 310 Dealing with Client Monies issued

More information

Information & ICT Security Policy Framework

Information & ICT Security Policy Framework Information & ICT Security Framework Version: 1.1 Date: September 2012 Unclassified Version Control Date Version Comments November 2011 1.0 First draft for comments to IT & Regulation Group and IMG January

More information

INFORMATION GOVERNANCE POLICY

INFORMATION GOVERNANCE POLICY INFORMATION GOVERNANCE POLICY Primary Intranet Location Information Management & Governance Version Number Next Review Year Next Review Month 7.0 2018 January Current Author Phil Cottis Author s Job Title

More information

PROCEDURES FOR DETERMINING BREACHES OF THE CODE OF CONDUCT AND SANCTIONS

PROCEDURES FOR DETERMINING BREACHES OF THE CODE OF CONDUCT AND SANCTIONS PROCEDURES FOR DETERMINING BREACHES OF THE CODE OF CONDUCT AND SANCTIONS VERSION 1.0 EFFECTIVE SEPTEMBER 2013 DOCUMENT CONTROL Contact for enquiries and proposed changes: Name Christine King Phone 6203

More information

UNCLASSIFIED UNCONTROLLED-IF-PRINTED. Public. 2:51 Outsourced Offshore and Cloud Based Computing Arrangements

UNCLASSIFIED UNCONTROLLED-IF-PRINTED. Public. 2:51 Outsourced Offshore and Cloud Based Computing Arrangements Defence Security Manual DSM Part 2:51 Outsourced Offshore and Cloud Based Computing Arrangements Version 1 ation date July 2105 Amendment list 23 Optimised for Screen; Print; Screen Reader Releasable to

More information

INFORMATION GOVERNANCE OPERATING POLICY & FRAMEWORK

INFORMATION GOVERNANCE OPERATING POLICY & FRAMEWORK INFORMATION GOVERNANCE OPERATING POLICY & FRAMEWORK Log / Control Sheet Responsible Officer: Chief Finance Officer Clinical Lead: Dr J Parker, Caldicott Guardian Author: Associate IG Specialist, Yorkshire

More information

Information Security Policy

Information Security Policy You can learn more about the programme by downloading the information in the related documents at the bottom of this page. Information Security Document Information Security Policy 1 Version History Version

More information

Mandatory data breach notification in the ehealth record system

Mandatory data breach notification in the ehealth record system Mandatory data breach notification in the ehealth record system Draft September 2012 A guide to mandatory data breach notification under the personally controlled electronic health record system Contents

More information

Guide to the National Safety and Quality Health Service Standards for health service organisation boards

Guide to the National Safety and Quality Health Service Standards for health service organisation boards Guide to the National Safety and Quality Health Service Standards for health service organisation boards April 2015 ISBN Print: 978-1-925224-10-8 Electronic: 978-1-925224-11-5 Suggested citation: Australian

More information

AUSTRALIAN GOVERNMENT INFORMATION MANAGEMENT OFFICE CYBER SECURITY CAPABILITY FRAMEWORK & MAPPING OF ISM ROLES

AUSTRALIAN GOVERNMENT INFORMATION MANAGEMENT OFFICE CYBER SECURITY CAPABILITY FRAMEWORK & MAPPING OF ISM ROLES AUSTRALIAN GOVERNMENT INFORMATION MANAGEMENT OFFICE CYBER SECURITY CAPABILITY FRAMEWORK & MAPPING OF ISM ROLES Final Report Prepared by Dr Janet Tweedie & Dr Julie West June 2010 Produced for AGIMO by

More information

Align Technology. Data Protection Binding Corporate Rules Processor Policy. 2014 Align Technology, Inc. All rights reserved.

Align Technology. Data Protection Binding Corporate Rules Processor Policy. 2014 Align Technology, Inc. All rights reserved. Align Technology Data Protection Binding Corporate Rules Processor Policy Confidential Contents INTRODUCTION TO THIS POLICY 3 PART I: BACKGROUND AND ACTIONS 4 PART II: PROCESSOR OBLIGATIONS 6 PART III:

More information

FINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information

FINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information FINAL May 2005 Guideline on Security Systems for Safeguarding Customer Information Table of Contents 1 Introduction 1 1.1 Purpose of Guideline 1 2 Definitions 2 3 Internal Controls and Procedures 2 3.1

More information

NHS HDL (2006)41 abcdefghijklm. = eé~äíü=aéé~êíãéåí= = aáêéåíçê~íé=çñ=mêáã~êó=`~êé=~åç=`çããìåáíó=`~êé

NHS HDL (2006)41 abcdefghijklm. = eé~äíü=aéé~êíãéåí= = aáêéåíçê~íé=çñ=mêáã~êó=`~êé=~åç=`çããìåáíó=`~êé NHS HDL (2006)41 abcdefghijklm = eé~äíü=aéé~êíãéåí= = aáêéåíçê~íé=çñ=mêáã~êó=`~êé=~åç=`çããìåáíó=`~êé Dear Colleague NHSSCOTLAND INFORMATION SECURITY POLICY Summary 1. NHSScotland IT Security Policy was

More information

Information and Communication Technology. Information Security Policy

Information and Communication Technology. Information Security Policy BELA-BELA LOCAL MUNICIPALITY - - Chris Hani Drive, Bela- Bela, Limpopo. Private Bag x 1609 - BELA-BELA 0480 - Tel: 014 736 8000 Fax: 014 736 3288 - Website: www.belabela.gov.za - - OFFICE OF THE MUNICIPAL

More information

Information Security Management System (ISMS) Policy

Information Security Management System (ISMS) Policy Information Security Management System (ISMS) Policy April 2015 Version 1.0 Version History Version Date Detail Author 0.1 18/02/2015 First draft Andy Turton 0.2 20/02/2015 Updated following feedback from

More information

Developing and Managing Contracts GETTING THE RIGHT OUTCOME, PAYING THE RIGHT PRICE

Developing and Managing Contracts GETTING THE RIGHT OUTCOME, PAYING THE RIGHT PRICE Developing and Managing Contracts GETTING THE RIGHT OUTCOME, PAYING THE RIGHT PRICE Better Practice Guide February 2007 Foreword Contracting is an integral part of doing business in the public sector.

More information

INTERNAL AUDIT CHARTER AND TERMS OF REFERENCE

INTERNAL AUDIT CHARTER AND TERMS OF REFERENCE INTERNAL AUDIT CHARTER AND TERMS OF REFERENCE CHARTERED INSTITUTE OF INTERNAL AUDIT DEFINITION OF INTERNAL AUDIT Internal auditing is an independent, objective assurance and consulting activity designed

More information

Human Services Quality Framework. User Guide

Human Services Quality Framework. User Guide Human Services Quality Framework User Guide Purpose The purpose of the user guide is to assist in interpreting and applying the Human Services Quality Standards and associated indicators across all service

More information

Data Governance in-brief

Data Governance in-brief Data Governance in-brief What is data governance? Data governance is the system of decision rights and accountabilities surrounding data and the use of data. It can involve legislation, organisational

More information

WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY

WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY DATA LABEL: PUBLIC INFORMATION SECURITY POLICY CONTENTS 1. INTRODUCTION... 3 2. MAIN OBJECTIVES... 3 3. LEGISLATION... 4 4. SCOPE... 4 5. STANDARDS... 4

More information

Internal Audit Charter. June 2016

Internal Audit Charter. June 2016 Internal Audit Charter June 2016 1 Introduction 1.1 The Internal Audit Charter is a formal document that defines Internal Audit s purpose, authority and responsibility. The charter establishes Internal

More information

Information Governance Policy

Information Governance Policy Information Governance Policy Reference: Information Governance Policy Date Approved: April 2013 Approving Body: Board of Trustees Implementation Date: April 2013 Version: 6 Supersedes: 5 Stakeholder groups

More information

Rotherham CCG Network Security Policy V2.0

Rotherham CCG Network Security Policy V2.0 Title: Rotherham CCG Network Security Policy V2.0 Reference No: Owner: Author: Andrew Clayton - Head of IT Robin Carlisle Deputy - Chief Officer D Stowe ICT Security Manager First Issued On: 17 th October

More information

Information Governance Framework

Information Governance Framework Information Governance Framework March 2014 CONTENT Page 1 Introduction 1 2 Strategic Aim 2 3 Purpose, Values and Principles 2 4 Scope 3 5 Roles and Responsibilities 3 6 Review 5 Appendix 1 - Information

More information

Barnsley Clinical Commissioning Group. Information Governance Policy and Management Framework

Barnsley Clinical Commissioning Group. Information Governance Policy and Management Framework Putting Barnsley People First Barnsley Clinical Commissioning Group Information Governance Policy and Management Framework Version: 1.1 Approved By: Governing Body Date Approved: 16 January 2014 Name of

More information

Information Governance Strategy. Version No 2.1

Information Governance Strategy. Version No 2.1 Livewell Southwest Information Governance Strategy Version No 2.1 Notice to staff using a paper copy of this guidance. The policies and procedures page of LSW Intranet holds the most recent version of

More information

Regulation of Investigatory Powers Act 2000

Regulation of Investigatory Powers Act 2000 Regulation of Investigatory Powers Act 2000 Consultation: Equipment Interference and Interception of Communications Codes of Practice 6 February 2015 Ministerial Foreword The abilities to read or listen

More information

RISK MANAGEMENT FRAMEWORK

RISK MANAGEMENT FRAMEWORK RISK MANAGEMENT FRAMEWORK DOCUMENT INFORMATION DOCUMENT TYPE: DOCUMENT STATUS: POLICY OWNER POSITION: INTERNAL COMMITTEE ENDORSEMENT: APPROVED BY: Strategic document Approved Manager Organisational Development

More information

INFORMATION SECURITY MANAGEMENT SYSTEM. Version 1c

INFORMATION SECURITY MANAGEMENT SYSTEM. Version 1c INFORMATION SECURITY MANAGEMENT SYSTEM Version 1c Revised April 2011 CONTENTS Introduction... 5 1 Security Policy... 7 1.1 Information Security Policy... 7 1.2 Scope 2 Security Organisation... 8 2.1 Information

More information

Audit Committee 24 June 2013

Audit Committee 24 June 2013 Agenda Item No Audit Committee 24 June 2013 Public Sector Internal Audit Standards Summary of report: To update members on the new Public Sector Internal Audit Standards (PSIAS), that came into effect

More information

INFORMATION GOVERNANCE STRATEGIC VISION, POLICY AND FRAMEWORK

INFORMATION GOVERNANCE STRATEGIC VISION, POLICY AND FRAMEWORK INFORMATION GOVERNANCE STRATEGIC VISION, POLICY AND FRAMEWORK Policy approved by: Assurance Committee Date: 3 December 2014 Next Review Date: December 2016 Version: 1.0 Information Governance Strategic

More information