Crime Statistics Data Security Standards. Office of the Commissioner for Privacy and Data Protection

Save this PDF as:
 WORD  PNG  TXT  JPG

Size: px
Start display at page:

Download "Crime Statistics Data Security Standards. Office of the Commissioner for Privacy and Data Protection"

Transcription

1 Crime Statistics Data Security Standards Office of the Commissioner for Privacy and Data Protection 2015

2 Document details Security Classification Dissemination Limiting Marker Dissemination Instructions Nil Nil For public release Issue Date 2 March 2015 Review Date August 2015 Final Document Status (Interim release) Authority Author Office of the Commissioner for Privacy and Data Protection Data Protection Branch Published by Office of the Commissioner for Privacy and Data Protection PO Box Melbourne Victoria Also published on: Copyright State of Victoria, 2015 This publication is copyright. No part of it may be reproduced by any process except in accordance with the provisions of the Copyright Act ISBN

3 3

4 Table of Contents Crime Statistics Data Security Standards... 1 Table of Contents... 4 Foreword... 6 Part One - Introduction... 7 What are the Crime Statistics Data Security Standards?... 7 Requirements... 8 Who do the Crime Statistics Data Security Standards apply to?... 9 Key Definitions Protective security Security by Design Part Two Standards Visual representation of the mandatory Crime Statistics Data Security Standards Crime Statistics Data Security Standards Structure Chapter One Governance Gov Security Management Framework (SMF) Gov Risk Management Gov Security Policies and Procedures Gov Security Plans Gov Personnel Security Obligations Gov Information Access Gov Training and Awareness Gov Business Continuity Management Gov Security Incident Management Gov Assurance Gov Contracted Service Providers Gov Government Services Chapter Two Information Security Info Sec Protective Markings Info Sec Information Lifecycle Info Sec Information Sharing Chapter Three Personnel Security Per Sec Pre employment screening Per Sec Personnel Security Management

5 Chapter Four ICT Security ICT Sec System Lifecycle Chapter Five Physical Security Phys Sec Environmental Security Phys Sec Physical Security Lifecycle Part Three - Rosetta Stone Part Four SLEDS Protocols and implementation guidance Part Five Mandatory requirements Summary table Part Six Definitions

6 Foreword The Crime Statistics Data (CSD) security standards provide the requirements for the protection of crime statistics data on a whole of lifecycle basis from collection, transformation, release and destruction. The level of protection applied to the data will correspond to its sensitivity and value at each lifecycle stage to cover all areas of security (confidentiality, integrity and availability) and ensure data quality. The CSD security standards are derived from the proposed Victorian Protective Data Security Standards that will apply to the wider Victorian government. Given these Victorian standards are currently under development, the CSD security standards have been mapped to the protocols and implementation guidance of the Standards for Law Enforcement Data Security (SLEDS) to enable implementation. The CSD security standards are established under section 92 of the Privacy and Data Protection Act 2014 (Vic). As required under section 92 (3) of the Privacy and Data Protection Act 2014 (Vic), the Commissioner must consult with the Chief Statistician in developing law enforcement data security standards in relation to crime statistics data and crime statistics data systems. Such consultation ensures that standards, once promulgated, not only represents best practice in terms of contemporary management of crime statistics data security, but are also practical, workable and understood by the Crime Statistics Agency. These consultations occurred during the months of December 2014 and January For the convenience of readers and practitioners, an appendix is attached that maps the twenty CSD standards to the SLEDS to assist with the operationalisation of the standards and in order that both the Chief Statistician and Victoria Police take an integrated approach to security. The CSD security standards come into effect on 2 March David Watts Commissioner Privacy and Data Protection 6

7 Part One - Introduction What are the Crime Statistics Data Security Standards? The Crime Statistics Data Security Standards describe the standards, objectives, protocols and best practice implementation guidance required to protect crime statistics data. The standards focus on the outcomes that are required to achieve a proportionate and risk managed approach to security that enables the Crime Statistics Agency (CSA) to function effectively, safely and securely. The 20 standards cover the requirements for protecting crime statistics data. They are drawn from the proposed Victorian Protective Data Security Standards (VPDSS) and reflect principal elements of the existing Victoria Police Standards for Law Enforcement Data Security (SLEDS), Whole-of-Victorian-Government security policies, Australian and international security standards, policies, schemes, frameworks and benchmarks including alignment with the Australian Government Protective Security Policy Framework (PSPF). The standards are designed to support the core functions of the Crime Statistics Agency and reflect contemporary security standards. The standards do not seek to deviate from the existing risk management approach already in operation in Victorian Government, and reflect the Victorian Government Risk Management Framework. The PSPF governs matters of national interest and will remain mandatory in cases where the Crime Statistics Agency handles information and assets of national interest. The standards do not override any obligations imposed by legislation or law. Where the framework conflicts with legislation or law the latter takes precedence. 7

8 Requirements The Crime Statistics Data Security Standards provide tailored standards, protocols and guidelines for executives, security practitioners and users of Crime Statistics data. The 20 core standards derived from the Victorian Protective Data Security Framework (VPDSF) describe the high-level mandatory requirements applicable to Victorian government agencies or bodies. The Crime Statistics Data Security Standards and supporting framework comprises: 1. Standards (high level statement explaining the key principle - what) 2. Statement of objectives (key intent of the standard - why) 3. Protocols (statement of requirements extracted from the SLEDS, which must, at a minimum, be addressed in order to meet a prescribed standard) 4. Implementation guidance (extracts from the SLEDS to assist with the implementation of the standards - how) Detailed protocols and guidelines derived from the Victoria Police Standards for Law Enforcement Data Security (SLEDS) support the core Victorian Protective Data Security Standards (VPDSS). The guidelines will set out procedural minimum requirements to support the interim practical implementation of the standards until such a time as the Victorian framework is finalised and issued and the transition to this new framework can be achieved. Crime Statistics Agency is to implement security measures for each standard commensurate with the sensitivity and value of the data at the different stages of its lifecycle. 8

9 Who do the Crime Statistics Data Security Standards apply to? Extract from the Privacy and Data Protection Act 2014 (Vic): Application of Part 5 Law Enforcement Data Security This Part applies to (b) the Chief Statistician; and (c) an employee or consultant employed or engaged under section 6 of the Crime Statistics Act The standards also apply to any contracted service providers and external parties who by way of agreement with the CSA have authorised access to crime statistics data. CSA should consider what level of assurance is required of any other associated delivery partners, and where equivalent security policies may be accepted based on a security risk assessment. The Crime Statistics Data Security Standards take precedence over the Victorian Protective Data Security Standards to the degree of any inconsistency. 9

10 Key Definitions Protective security Protective security is a risk management process designed to safeguard official information assets and services proportionate to threats in a way that supports (and does not inhibit) business. Government agencies or bodies process vast volumes of sensitive and valuable information and manage assets and services that are critical to public safety and citizens way of life. Protective security implementation guards against a range of threats including negligent behaviours, criminality, terrorism, and espionage, as well as natural hazards. There are five interdependent elements / domains that underpin protective security. They are: Governance executive sponsorship and investment in security management Information security official information whether hard copy or electronic ICT security communications and technology systems Personnel security people Physical security facilities/buildings, property, etc. Security by Design A productive approach to protecting official information assets involves re-imagining security within an integrated framework that embodies and operationalises security so it is encompassed within systems and processes from the start rather than being imposed through regulation and oversight. This type of approach has recently been labelled security by design and promotes full functionality of Victorian government business with no trade offs. In order to promote security as a business enabler and not as an impediment, CSA is to continually apply security using a risk management approach proportionate to their risk tolerance levels to protect official assets for their entire lifecycle (cradle to grave). The 10

11 proactive approach to embedding security in the design of systems and processes supports the work of Dr Ann Cavoukian, Information and Privacy Commissioner for Ontario, Canada who originated seven core principles which apply to both security and privacy including: 1. Proactive not reactive: preventative not remedial 2. Security as the default setting 3. Security embedded into design 4. Full-functionality positive sum, not zero sum 5. End-to-end security full lifecycle protection 6. Visibility and transparency keep it open 7. Respect for user security keep it user centric. By building a security culture, these principles can be practically adopted and implemented by CSA for the protection of crime statistics data from the signing off on a new program of work; to the review of their training content; to the updating of their project processes to include security at all stages to the end user handling that information asset on a daily basis. This smart security is not only an efficient economical investment but also promotes organisational resilience in managing risks appropriately and reinforces that security is not a secret and accessible by all. 11

12 Part Two Standards Visual representation of the mandatory Crime Statistics Data Security Standards 12

13 Crime Statistics Data Security Standards Structure The Crime Statistics Data Security Standards articulates the requirements for data security to not only be a business enabler by enhancing the agency s ability to work in a secure environment of trust and confidence, but also ensure the provision of core service delivery functions. To support this, a set of standards have been derived from the proposed Victorian Protective Data Security Framework to govern and apply security measures to crime statistics data. Each of the Crime Statistics Data Security Standards is underpinned by a statement of objective; supporting protocols; and implementation guidance, to provide a clear direction and instructions around the development and implementation of protective security practices for crime statistics data. Tier 1 Standards High-level mandatory requirements providing a clear statement on what the Crime Statistics Agency is expected to comply with. These standards extend across all the core security domains with a distinct focus on governance, information security, ICT security, personnel security and physical security. Tier 2 Objective High-level statement outlining the intention of the standard, by providing clear direction as to why this is standard is required. The statement of objective identifies the desired outcome of complying with the standard. Tier 3 Protocols A mandatory statement of requirements, which must, at a minimum, be addressed in order to meet a prescribed standard. Standard operating procedures and business rules implemented to give effect to a standard should include and further describe matters contained in the relevant protocol. Risk management should be used to demonstrate the implementation of the standards and functional equivalents to meet the intent of the standard. Tier 4 Implementation Guidance Implementation guidance providing further instruction on how the agency can meet the requirements of the standard. 13

14 Chapter One Governance 1 Gov Security Management Framework (SMF) The Crime Statistics Agency must establish and maintain an internal security management framework proportionate to its size, resources and risk posture. Statement of Objective Securing your business SMF Implementation To ensure that the security direction of the agency is established and maintained via a security management framework proportionate to its business needs, in order to protect crime statistics data. The framework should provide a solid foundation for the operationalisation of security by design, and foster an environment where security risks and incidents are minimised or prevented. Protocol Refer to SLEDS protocol 40.1 Implementation Guidance Refer to SLEDS - standard 1 implementation guidance Refer to SLEDS - standard 2 implementation guidance 14

15 2 Gov Risk Management The Crime Statistics Agency must adopt a risk management approach to cover the core security domains (information, ICT, personnel and physical security). Statement of Objective To enhance the agency s ability to safeguard crime statistics data against a range of threats and hazards (internal and external) through the implementation of a comprehensive and effective risk management approach, covering core security domains. Looking after Risk Intent - To enhance the agency s ability to manage its risks in a holistic manner. This includes: Regular review of the risks Regular review of the framework to ensure it is in line with the agency s security posture with proportionate security controls Communication and consultation about risk across the business including external parties. Managing risk with external parties Intent - To enhance the agency s ability to manage security risks associated with doing business with external parties (such as service delivery partners). Protocol Nil Implementation Guidance Refer to SLEDS - standard 31 implementation guidance 15

16 3 Gov Security Policies and Procedures The Crime Statistics Agency must develop its own set of policies and procedures across the core security domains (information, ICT, personnel and physical security). Statement of Objective Security policy and planning Good security is good business To ensure the security expectations of the agency are developed, communicated, maintained and implemented across the core security domains. Protocol Refer to SLEDS protocol 3.1 Refer to SLEDS protocol 9.1 Refer to SLEDS protocol 9.2 Refer to SLEDS protocol 9.5 Refer to SLEDS protocol 11.2 Refer to SLEDS protocol 11.3 Refer to SLEDS protocol 11.4 Refer to SLEDS protocol 38.1 Refer to SLEDS protocol 40.1 Implementation Guidance Refer to SLEDS - standard 3 implementation guidance Refer to SLEDS standard 19 implementation guidance Refer to SLEDS standard 24 implementation guidance Refer to SLEDS standard 27 implementation guidance Refer to SLEDS standard 28 implementation guidance 16

17 The Crime Statistics Agency is to develop and implement an information security policy and procedures, identifying how it will adequately protect any crime statistics data held, stored or processed, regardless of format or media, and address information security requirements as part of the agency s overarching protective data security plan. This policy is to be informed by the security risk profile assessment to provide assurances supporting the core principles of confidentiality, integrity and availability and be reviewed regularly to ensure currency. Intent - To ensure the information security requirements of the agency are explicitly defined, communicated and reviewed in line with the agency s protective data security plan to protect the confidentiality, integrity and availability of crime statistics data. The Crime Statistics Agency is to develop and implement an ICT security policy and address ICT security requirements as part of the agency s overarching protective data security plan. Intent - To ensure the ICT security requirements of the agency are explicitly defined, communicated and reviewed in line with the agency s protective data security plan to protect the confidentiality, integrity and availability of crime statistics data. 17

18 The Crime Statistics Agency is to develop and implement a physical security policy and address physical security requirements as part of the agency s overarching protective data security plan. Intent - To ensure the physical security requirements of the agency are explicitly defined, communicated and reviewed in line with the agency s protective data security plan to protect crime statistics data. The Crime Statistics Agency is to develop and implement a personnel security policy and address personnel security requirements as part of the agency s overarching security plan. Intent - To ensure the personnel security requirements of the agency are explicitly defined, communicated and reviewed in line with the agency s protective data security plan to protect crime statistics data. 18

19 4 Gov Security Plans The Crime Statistics Agency must undertake a security risk profile assessment and develop a protective data security plan to manage its security risks. The protective data security plan must be reviewed and updated every two years or sooner as dictated by changes in organisational risks, strategic direction or operating environment. A copy of the agency s current plan must be provided to the Commissioner for Privacy and Data Protection. Statement of Objective Security Solutions Protective Data Security Plan To ensure the protection of crime statistics data and assist the agency in making informed business decisions, while determining and applying cost-effective security controls in order to mitigate the identified risks within agency agreed appetites. Protocol Nil Implementation Guidance Refer to SLEDS standard 31 implementation guidance 19

20 5 Gov Personnel Security Obligations The Crime Statistics Agency must define, document, communicate and regularly review the security obligations and responsibilities of all persons with access to crime statistics data. Statement of Objective Security obligations and responsibilities in your agency or body To ensure all persons with access to crime statistics data understand their security obligations. Protocol Refer to SLEDS protocol 3.1 Refer to SLEDS protocol 4.1 Refer to SLEDS protocol 5.1 Implementation Guidance Refer to SLEDS - standard 5 implementation guidance 20

21 6 Gov Information Access The Crime Statistics Agency must establish and maintain an access management framework for access to crime statistics data. Statement of Objective Access granted To ensure access to crime statistics data is authorised and controlled. Protocol Refer to SLEDS protocol 6.1 Refer to SLEDS protocol 9.1 Refer to SLEDS protocol 9.2 Refer to SLEDS protocol 9.3 Refer to SLEDS protocol 9.4 Refer to SLEDS protocol 9.5 Refer to SLEDS protocol 10.1 Implementation Guidance Refer to SLEDS - standard 6 - implementation guidance Refer to SLEDS - standard 10 - implementation guidance 21

22 7 Gov Training and Awareness The Crime Statistics Agency must ensure all persons with access to crime statistics data undertake security training and awareness. Statement of Objective Did you know? Security training and awareness To create a strong security culture through comprehensive training and awareness programs. Tailored programs will ensure all persons understand the importance of security across the core security domains in the agency and their security obligations in protecting crime statistics data. Protocol Refer to SLEDS protocol 7.1 Refer to SLEDS protocol 14.4 Implementation guidance Refer to SLEDS - standard 7 - implementation guidance 22

23 8 Gov Business Continuity Management The Crime Statistics Agency must establish and maintain a business continuity management (BCM) program. Statement of Objective Keeping the lights on Business Continuity Management To ensure the agency understands its critical information services and crime statistics data in order to protect the integrity and availability of these from threats. Protocol Nil Implementation Guidance Refer to SLEDS standard 16 implementation guidance Refer to SLEDS standard 34 implementation guidance Refer to SLEDS standard 35 implementation guidance 23

24 9 Gov Security Incident Management The Crime Statistics Agency must establish and maintain a security incident management framework. Statement of Objective Security incident management system To enable timely corrective action to be taken by the agency in the event of an information security incident in order to protect crime statistics data and ensure effective reporting and continuous improvement of incident management. Protocol Refer to SLEDS protocol 6.1 Refer to SLEDS protocol 39.1 Implementation guidance Refer to SLEDS - standard 6 - implementation guidance Refer to SLEDS - standard 32 - implementation guidance Refer to SLEDS - standard 33 - implementation guidance 24

25 10 Gov Assurance The Crime Statistics Agency must undertake an annual assessment of its implementation of the Crime Statistics Data Security Standards and report their level of compliance to the Commissioner for Privacy and Data Protection. Statement of Objective Are you compliant? Annual assurance assessment To promote security maturity, visibility and transparency across the agency and ensure adequate tracking of compliance with the Crime Statistics Data Security Standards. Protocol Nil Implementation guidance Nil 25

26 11 Gov Contracted Service Providers The Crime Statistics Agency must ensure that contracted service providers with access to crime statistics data do not do an act or engage in a practice that contravenes the Crime Statistics Data Security Standards. Statement of Objective Critical engagement Security and contracted service providers To ensure the protection of crime statistics data across core security domains (information, ICT, personnel and physical), through the inclusion of Crime Statistics Data Security Standards in contracted service provider arrangements. Protocol Refer to SLEDS protocol 3.1 Refer to SLEDS protocol 4.1 Refer to SLEDS protocol 5.1 Refer to SLEDS protocol 6.1 Refer to SLEDS protocol 7.1 Refer to SLEDS protocol 8.1 Refer to SLEDS protocol 9.1 Refer to SLEDS protocol 9.2 Refer to SLEDS protocol 9.3 Refer to SLEDS protocol 9.4 Refer to SLEDS protocol 9.5 Refer to SLEDS protocol 10.1 Refer to SLEDS protocol 11.1 Refer to SLEDS protocol 13.1 Refer to SLEDS protocol 14.4 Refer to SLEDS protocol 15.1 Refer to SLEDS protocol 15.2 Refer to SLEDS protocol

27 Refer to SLEDS protocol 36.1 Refer to SLEDS protocol 37.1 Refer to SLEDS protocol 38.1 Refer to SLEDS protocol 39.1 Implementation Guidance Refer to SLEDS - standard 7 - implementation guidance Refer to SLEDS - standard 8 implementation guidance Refer to SLEDS - standard 10 - implementation guidance Refer to SLEDS standard 16 implementation guidance Refer to SLEDS standard 17 implementation guidance Refer to SLEDS standard 18 implementation guidance Refer to SLEDS standard 19 implementation guidance Refer to SLEDS standard 20 implementation guidance Refer to SLEDS standard 22 implementation guidance Refer to SLEDS standard 23 implementation guidance Refer to SLEDS standard 24 implementation guidance Refer to SLEDS standard 25 implementation guidance Refer to SLEDS standard 26 implementation guidance Refer to SLEDS standard 27 implementation guidance Refer to SLEDS standard 28 implementation guidance Refer to SLEDS standard 29 implementation guidance Refer to SLEDS standard 30 implementation guidance Refer to SLEDS - standard 31 implementation guidance Refer to SLEDS - standard 32 - implementation guidance Refer to SLEDS - standard 33 - implementation guidance Refer to SLEDS - standard 34 - implementation guidance Refer to SLEDS standard 35 implementation guidance 27

28 12 Gov Government Services All parties providing a crime statistics service must ensure that the service complies with the Crime Statistics Data Security Standards. Statement of Objective Its out there! Managing government service arrangements To provide assurance that crime statistics data is protected when the agency engages with external parties. Protocol Refer to SLEDS protocol 3.1 Refer to SLEDS protocol 5.1 Refer to SLEDS protocol 6.1 Refer to SLEDS protocol 7.1 Refer to SLEDS protocol 8.1 Refer to SLEDS protocol 10.1 Refer to SLEDS protocol 11.1 Refer to SLEDS protocol 21.1 Refer to SLEDS protocol 39.1 Implementation Guidance Refer to SLEDS - standard 7 - implementation guidance Refer to SLEDS - standard 8 implementation guidance Refer to SLEDS standard 17 implementation guidance Refer to SLEDS standard 18 implementation guidance Refer to SLEDS standard 22 implementation guidance Refer to SLEDS standard 23 implementation guidance 28

29 Refer to SLEDS standard 24 implementation guidance Refer to SLEDS standard 25 implementation guidance Refer to SLEDS standard 26 implementation guidance Refer to SLEDS - standard 32 - implementation guidance Refer to SLEDS - standard 33 - implementation guidance 29

30 Chapter Two Information Security 13 Info Sec Protective Markings The Crime Statistics Agency must identify, categorise and apply protective markings to crime statistics data, commensurate with its sensitivity. Statement of Objective Value your information To ensure the agency applies consistent valuation criteria to crime statistics data and enable secure information sharing through the application of appropriate protective measures. Protocol Nil Implementation Guidance Refer to SLEDS standard 27 implementation guidance Refer to SLEDS standard 28 implementation guidance 30

31 14 Info Sec Information Lifecycle The Crime Statistics Agency must ensure that security measures are applied in accordance with the value of the crime statistics data, across all stages of the information lifecycle. Statement of Objective Managing your information, cradle to grave Information Lifecycle To ensure the agency protects the confidentiality, integrity and availability of crime statistics data at all stages of its lifecycle, regardless of media or format using security by design principles. Protocol Refer to SLEDS protocol 13.1 Implementation Guidance Refer to SLEDS standard 42 implementation guidance 31

32 15 Info Sec Information Sharing The Crime Statistics Agency must ensure that security measures are applied prior to sharing crime statistics data with an external party. Statement of Objective Get the balance right Balancing need to know with need to share To enable secure information sharing practices between parties and prevent the unauthorised sharing of official information. Protocol Refer to SLEDS protocol 3.1 Refer to SLEDS protocol 5.1 Refer to SLEDS protocol 6.1 Refer to SLEDS protocol 7.1 Refer to SLEDS protocol 8.1 Refer to SLEDS protocol 10.1 Refer to SLEDS protocol 11.1 Refer to SLEDS protocol 11.2 Refer to SLEDS protocol 11.3 Refer to SLEDS protocol 11.4 Refer to SLEDS protocol 11.5 Refer to SLEDS protocol 13.1 Refer to SLEDS protocol 15.1 Refer to SLEDS protocol 15.2 Refer to SLEDS protocol 21.1 Refer to SLEDS protocol 36.1 Refer to SLEDS protocol

33 Refer to SLEDS protocol 38.1 Refer to SLEDS protocol 39.1 Implementation Guidance Refer to SLEDS - standard 7 - implementation guidance Refer to SLEDS - standard 8 implementation guidance Refer to SLEDS standard 18 implementation guidance Refer to SLEDS standard 19 implementation guidance Refer to SLEDS standard 20 implementation guidance Refer to SLEDS standard 22 implementation guidance Refer to SLEDS standard 23 implementation guidance Refer to SLEDS standard 24 implementation guidance Refer to SLEDS standard 27 implementation guidance Refer to SLEDS standard 28 implementation guidance Refer to SLEDS standard 29 implementation guidance Refer to SLEDS - standard 32 - implementation guidance Refer to SLEDS - standard 33 - implementation guidance Refer to SLEDS standard 39 implementation guidance 33

34 Chapter Three Personnel Security 16 Per Sec Pre employment screening The Crime Statistics Agency must ensure that personnel security risks are effectively managed through pre-employment screening measures. Statement of Objective Check and balance Recruitment controls and personnel security checks To ensure the agency employs suitable and eligible persons, using approved personnel security screening measures prior to formal engagement. Protocol Refer to SLEDS protocol 4.1 Refer to SLEDS protocol 5.1 Refer to SLEDS protocol 8.1 Implementation Guidance Refer to SLEDS - standard 5 implementation guidance Refer to SLEDS - standard 8 implementation guidance Refer to SLEDS standard 29 implementation guidance 34

35 17 Per Sec Personnel Security Management The Crime Statistics Agency must, as part of an ongoing personnel security management regime, monitor all persons continued suitability and eligibility with access to crime statistics data. Statement of Objective Are you still eligible? Ongoing personnel management To maintain a secure environment by actively managing all persons, from pre-engagement through to their departure. Protocol Refer to SLEDS protocol 8.1 Implementation guidance Refer to SLEDS - standard 8 implementation guidance 35

36 Chapter Four ICT Security 18 ICT Sec System Lifecycle The Crime Statistics Agency must ensure that security measures are integrated and implemented through all stages of the ICT system development lifecycle. Statement of Objective Do it once, do it right System Lifecycle To ensure crime statistics data is protected through the use of secure ICT systems, applying repeatable and consistent security measures throughout the system development lifecycle (SDLC). Protocol Refer to SLEDS protocol 12.1 Refer to SLEDS protocol 15.1 Refer to SLEDS protocol 21.1 Implementation Guidance Refer to SLEDS standard 15 implementation guidance Refer to SLEDS standard 17 implementation guidance Refer to SLEDS standard 20 implementation guidance Refer to SLEDS standard 22 implementation guidance Refer to SLEDS standard 23 implementation guidance Refer to SLEDS standard 24 implementation guidance 36

37 Refer to SLEDS standard 25 implementation guidance Refer to SLEDS standard 26 implementation guidance Refer to SLEDS standard 30 implementation guidance 37

38 Chapter Five Physical Security 19 Phys Sec Environmental Security The Crime Statistics Agency must ensure physical assets designed to protect crime statistics data have integrated and updated security measures throughout the planning, selection, build and modification process. Statement of Objective You hold the key Protecting your assets To maintain a secure environment where crime statistics data is protected through physical security measures. Protocol Refer to SLEDS protocol 14.1 Refer to SLEDS protocol 14.2 Refer to SLEDS protocol 14.3 Refer to SLEDS protocol 14.4 Refer to SLEDS protocol 14.5 Implementation Guidance Refer to SLEDS standard 14 implementation guidance Refer to SLEDS standard 16 implementation guidance 38

39 20 Phys Sec Physical Security Lifecycle The Crime Statistics Agency must implement, monitor and review physical security measures in respect to the transfer, storage and disposal of crime statistics data. Statement of Objective Duty of care protecting official information assets To ensure the agency adopts and monitors effective physical security controls for the protection of crime statistics data. Protocol Refer to SLEDS protocol 13.1 Refer to SLEDS protocol 15.1 Refer to SLEDS protocol 15.2 Implementation Guidance Refer to SLEDS standard 15 implementation guidance Refer to SLEDS standard 17 implementation guidance Refer to SLEDS standard 18 implementation guidance Refer to SLEDS standard 19 implementation guidance Refer to SLEDS standard 22 implementation guidance Refer to SLEDS standard 42 implementation guidance 39

40 Part Three - Rosetta Stone VPDSF SLEDS (formerly CLEDS Standards) GOVERNANCE 1 Gov - Security Management Framework 1. Information Security Management Structure 2. Security Roles (Security Exec, ASA, ITSA) 40. Identify and document legal requirements 2 Gov - Risk Management 31. Risk Management Policy 3 Gov - Security Policies and Procedures 3. User Roles and Responsibilities 9. Access Control policy 11. Authorised and documented release of information 19. Clear desk and screen policy 24. Cryptographic policy and key management plans 27. Procedures for classifying information 28. Policy and protocols for protection of classified information 38. Formal exchange policies, procedures and controls 40. Identify and document legal requirements 4 Gov - Security Plans 31. Risk Management Policy 5 Gov - Personnel Security Obligations 3. User Roles and Responsibilities 4. Responsibilities in position descriptions 5. Confidentiality agreements and clauses 6 Gov - Information Access 6. Disciplinary system for breaches 9. Access Control policy 10. Monitoring access 7 Gov - Training and Awareness 7. Induction and security training 14. Physical controls of facilities 8 Gov - Business Continuity Management 16. Physical controls against service disruptions to infrastructure services 34. Business Continuity Plans 35. Testing and review of BCP

41 VPDSF SLEDS (formerly CLEDS Standards) 9 Gov - Security Incident Management 6. Disciplinary system for breaches 32. Reporting, escalation and response procedures for security incidents 33. Continual monitoring and improvement of incident management 39. Monitor compliance of third party agreements 10 Gov - Assurance 43. System for monitoring and audit for compliance against CLEDS standards 11 Gov - Contracted Service Providers 3. User Roles and Responsibilities 4. Responsibilities in position descriptions 5. Confidentiality agreements and clauses 6. Disciplinary system for breaches 7. Induction and security training 8. Suitable persons (need to know) and security checks 9. Access Control policy 10. Monitoring access 11. Authorised and documented release of information 13. Authorised and timely disposal 14. Physical controls of facilities 15. Physical transport controls of portable storage devices 16. Physical controls of facilities against service disruptions to infrastructure services 17. Protections for ICT infrastructure 18. Physical measures during storage, handling and transportation of information 19. Clear desk and screen policy 20. Controls over radio, remote computers and mobile devices 21. Secure remote access 22. Removal of portable storage devices when not required 23. Cryptographic controls implemented IAW government standards 24. Cryptographic policy and key management plans 25. Implement security controls when systems updated/refreshed/changed 26. Procedures to ensure security during development and maintenance 27. Procedures for classifying information 28. Policy and protocols for protection of classified information 41

42 VPDSF SLEDS (formerly CLEDS Standards) 29. Personnel security clearance requirements for access to classified information 30. Use of Government approved products and solutions 31. Risk Management Policy 32. Reporting, escalation and response procedures for security incidents 33. Continual monitoring and improvement of incident management 34. Business Continuity Plans 35. Testing and review of BCP 36. Authorised third party access 37. Formal exchange agreements with third parties 38. Formal exchange policies, procedures and controls 39. Monitor compliance of third party agreements 12 Gov - Government Services 3. User Roles and Responsibilities 5. Confidentiality agreements and clauses 6. Disciplinary system for breaches 7. Induction and security training 8. Suitable persons (need to know) and security checks 10. Monitoring access 11. Authorised and documented release of information 17. Protections for ICT infrastructure 18. Physical measures during storage, handling and transportation of information 21. Secure remote access 22. Removal of portable storage devices when not required 23. Cryptographic controls implemented IAW government standards 24. Cryptographic policy and key management plans 25. Implement security controls when systems updated/refreshed/changed 26. Procedures to ensure security during development and maintenance 32. Reporting, escalation and response procedures for security incidents 33. Continual monitoring and improvement of incident management 39. Monitor compliance of third party agreements CORE DOMAINS 42

43 VPDSF SLEDS (formerly CLEDS Standards) INFORMATION SECURITY 13 Info Sec Protective Markings 27. Procedures for classifying information 28. Policy and protocols for protection of classified information 14 Info Sec - Information Lifecycle 13. Authorised and timely disposal 42. Protection of records regarding CIA 15 Info Sec - Information Sharing 3. User Roles and Responsibilities 5. Confidentiality agreements and clauses 6. Disciplinary system for breaches 7. Induction and security training 8. Suitable persons (need to know) and security checks 10. Monitoring access 11. Authorised release of information 13. Authorised and timely disposal 15. Physical transport controls of portable storage devices 18. Physical measures during storage, handling and transportation of information 19. Clear desk and screen policy 20. Controls over radio, remote computers and mobile devices 21. Secure remote access 22. Removal of portable storage devices when not required 23. Cryptographic controls implemented IAW government standards 24. Cryptographic policy and key management plans 27. Procedures for classifying information 28. Policy and protocols for protection of classified information 29. Personnel security clearance requirements for access to classified information 32. Reporting, escalation and response procedures for security incidents 33. Continual monitoring and improvement of incident management 36. Authorised third party access 37. Formal exchange agreements with third parties 38. Formal exchange policies, procedures and controls 39. Monitor compliance of third party agreements PERSONNEL SECURITY 43

44 VPDSF SLEDS (formerly CLEDS Standards) 16 Per Sec Pre employment Screening 4. Responsibilities in position descriptions 5. Confidentiality agreements and clauses 8. Suitable persons (need to know) and security checks 29. Personnel security clearance requirements for access to classified information 17 Per Sec - Personnel Security Management 8. Suitable persons (need to know) and security checks ICT SECURITY 18 ICT Sec - System Lifecycle 12. Minimum electronic transfer measures 15. Physical controls of portable storage devices 17. Protections for ICT infrastructure 20. Controls over radio, remote computers and mobile devices 21. Secure remote access 22. Removal of portable storage devices when not required 23. Cryptographic controls implemented IAW government standards 24. Cryptographic policy and key management plans 25. Implement security controls when systems updated/refreshed/changed 26. Procedures to ensure security during development and maintenance 30. Use of Government approved products and solutions PHYSICAL SECURITY 19 Phys Sec - Environmental Security 14. Physical controls of facilities 16. Physical controls of facilities against service disruptions to infrastructure services 20 Phys Sec Physical Security Lifecycle 13. Authorised and timely disposal 15. Physical transport controls of portable storage devices 17. Protections for ICT infrastructure 18. Physical measures during storage, handling and transportation of information 19. Clear desk and screen policy 22. Removal of portable storage devices when not required 42. Protection of records regarding CIA 44

45 VPDSF SLEDS (formerly CLEDS Standards) SLEDS sections not covered: 41. Controls for legal, regulatory and contractual compliance regarding IP and proprietary software 45

46 Part Four SLEDS Protocols and implementation guidance SLEDS PROTOCOL SLEDS IMPLEMENTATION GUIDANCE SLEDS Standard 1 Implementation Guidance Establishing a management framework is essential to initiate and control the implementation of information security. Such a framework defines a structure, which support the Crime Statistics Agency to implement effective and coordinated security for crime statistics data. Documenting a security framework assists users and management to quickly and easily identify where and with whom (usually on a position-basis) all Crime Statistics Agency responsibilities reside in relation to the security of crime statistics data. Effective implementation of information security requires demonstrated management support. Visible and active support for security across the organisation can be achieved through demonstrated commitment, clear direction, and the assignment and acknowledgment of information security responsibilities. In particular management should: a) provide clear direction and visible support for security initiatives, identify information security goals, and tailor these to meet Crime Statistics Agency

47 requirements b) ensure information security policy is developed, reviewed, and approved c) ensure availability of resources needed for information security d) assign specific roles and responsibilities for information security across the Crime Statistics Agency e) initiate plans and programs to maintain information security awareness f) ensure that the implementation of information security controls is coordinated across the Crime Statistics Agency. The implementation of information security is not solely the responsibility of users and security staff but requires the collaboration of management, administration staff, developers and specialist staff (including auditors, insurance, legal, human resource, education and security personnel). The coordination of information security involves: a) developing and approving methodologies and processes for reviewing information security, such as: assessing the adequacy and coordinating the implementation of information security controls, and risk assessment to identify significant threat changes and exposure of information and information processing facilities to threats b) ensuring that security activities are executed in compliance with an information security policy and a mechanism to respond to non-compliance exists c) evaluating information received from monitoring and reviewing of information security incidents and recommending appropriate actions in 47

48 response to identified information security incidents d) effectively promoting information security education, training and awareness throughout the organisation. It is very important to establish a single point of coordination regarding security of crime statistics data and security more generally. Whilst not necessarily ultimately responsible for security, a single point of coordination will assist in ensuring a holistic and integrated approach. SLEDS Standard 2 Implementation Guidance It is essential that the Crime Statistics Agency designates a senior executive to have overall responsibility for the security of crime statistics data. Given that Crime Statistics Agency crime statistics data includes Australian Government classified information, an agency security advisor (ASA) and information technology security advisor (ITSA) are also required under the Australian Government Protective Security Policy Framework. These two positions may be designated as responsible for the security of all crime statistics data or just protectively marked Australian Government data. The security executive is a member of the executive management group designated as responsible for the ongoing development of the Crime Statistics Agency s security policy and the oversight of all matters relating to information security, including crime statistics data. The security executive is responsible for providing high-level guidance to the ASA and the ITSA and should also report to the Chief Statistician on information security procedures, incidents and matters of interest or concern. The role of the agency security advisor is to manage and coordinate the Crime Statistics Agency s information security functions on a day-to-day 48

49 basis. The role of the information technology security advisor is to oversee Information Communications Technology (ICT) security within the Crime Statistics Agency, including overseeing the security of information that is stored electronically or otherwise dealt with using the Crime Statistics Agency s ICT systems. Both the ASA and the ITSA should report to the security executive who should, in turn, report to the Chief Statistician. In addition to possessing general information security qualifications, knowledge and experience commensurate with the role, both the ASA and the ITSA must be trained in Australian Government and the Crime Statistics Agency protective security policy, principles and minimum standards. Both positions should be sufficiently senior to enable the respective office holders to effectively develop and implement protective security arrangements for the Crime Statistics Agency in conjunction with senior management. SLEDS Protocol 3.1 The Crime Statistics Agency s Information Security Policy must be approved by the Chief Statistician, be published and communicated to all Crime Statistics Agency employees, contractors, consultants and approved third parties and contain statements relevant to access to, and release of crime statistics data including: a) a definition of general and specific responsibilities for the secure management of crime statistics data including reporting information security incidents b) a statement of management intent, supporting the goals and principles of SLEDS Standard 3 Implementation Guidance Further advice on the process for reviewing an information security policy is available in Section of the ISO/IEC 27002, Code of practice for information security controls,

50 crime statistics data security in line with the Crime Statistics Agency business strategy and objectives c) a brief explanation of the security policies, principles, standards and compliance requirements of particular importance to the Crime Statistics Agency, including: compliance with any relevant legal requirements, including legislative, regulatory and contractual requirements information security education, training and awareness requirements the consequences of information security breaches. Information security roles and responsibilities must include the requirement to: a) implement and act in accordance with the Crime Statistics Agency s information security policies b) protect assets from unauthorised access, release, modification, destruction or interference c) ensure responsibility is assigned to the individual for actions taken by that individual. The information security policy must be communicated throughout the Crime Statistics Agency to all who access crime statistics data in a form and manner that is relevant, accessible and understandable to the intended reader. The information security policy must be reviewed at regular planned intervals or when significant changes occur, to ensure its continuing suitability, adequacy and effectiveness. The Crime Statistics Agency must ensure that agreements with approved third parties include the requirement for the development of an information 50

51 security policy which specifies adherence to the requirements detailed in Protocol 3.1, as they would apply to the approved third party. SLEDS Protocol 4.1 Job descriptions and documentation prepared for the engagement of employees, consultants and contractors must include reference to the Crime Statistics Agency s information security policy and briefly outline the information security principles, standards and compliance requirements of particular importance to the Crime Statistics Agency. All position advertisements and background documentation prepared for employees, contractors and consultants must contain a reference to the appointment being dependent upon a full security check, including fingerprinting. The Crime Statistics Agency must ensure that agreements with approved third parties include the requirement that information security responsibilities be addressed in job descriptions or in relevant background documentation provided for positions that will require access to crime statistics data. SLEDS Protocol 5.1 The Crime Statistics Agency must ensure that Crime Statistics Agency employees, contractors, consultants and approved third parties agree to terms and conditions concerning information security appropriate to the nature and extent of access they will have to the organisation s crime statistics data assets. The terms and conditions of the agreement must reflect the Crime Statistics SLEDS Standard 5 Implementation Guidance In addition to the protocols above, Codes of Conduct of the Crime Statistics Agency and the State Public Service may also be used to address the responsibilities of Crime Statistics Agency employees and contractors, regarding confidentiality, data protection, ethics, appropriate use of Crime Statistics Agency s assets and facilities, as well as reputable practices expected by the Crime Statistics Agency. 51

UNCLASSIFIED. Victorian Protective Data Security Framework (VPDSF) ROSETTA STONE

UNCLASSIFIED. Victorian Protective Data Security Framework (VPDSF) ROSETTA STONE 1 Security Management Framework 1. Information Security Management Structure 2. Security Roles (Security Exec, ASA, ITSA) 40. Identify and document legal GOV-2 Security Roles (Security Executive, ASA and

More information

HMG Security Policy Framework

HMG Security Policy Framework HMG Security Policy Framework Security Policy Framework 3 Foreword Sir Jeremy Heywood, Cabinet Secretary Chair of the Official Committee on Security (SO) As Cabinet Secretary, I have a good overview of

More information

University of Sunderland Business Assurance Information Security Policy

University of Sunderland Business Assurance Information Security Policy University of Sunderland Business Assurance Information Security Policy Document Classification: Public Policy Reference Central Register Policy Reference Faculty / Service IG 003 Policy Owner Assistant

More information

Information Governance Strategy & Policy

Information Governance Strategy & Policy Information Governance Strategy & Policy March 2014 CONTENT Page 1 Introduction 1 2 Strategic Aims 1 3 Policy 2 4 Responsibilities 3 5 Information Governance Reporting Structure 4 6 Managing Information

More information

INFORMATION TECHNOLOGY SECURITY STANDARDS

INFORMATION TECHNOLOGY SECURITY STANDARDS INFORMATION TECHNOLOGY SECURITY STANDARDS Version 2.0 December 2013 Table of Contents 1 OVERVIEW 3 2 SCOPE 4 3 STRUCTURE 5 4 ASSET MANAGEMENT 6 5 HUMAN RESOURCES SECURITY 7 6 PHYSICAL AND ENVIRONMENTAL

More information

Issue 1.0. UoG/ILS/IS 001. Information Security and Assurance Policy. Information Security and Compliance Manager

Issue 1.0. UoG/ILS/IS 001. Information Security and Assurance Policy. Information Security and Compliance Manager Document Reference Number Date Title Author Owning Department Version Approval Date Review Date Approving Body UoG/ILS/IS 001 January 2016 Information Security and Assurance Policy Information Security

More information

Protective Security Governance Policy. Outlines ANAO protective security arrangements

Protective Security Governance Policy. Outlines ANAO protective security arrangements Protective Security Governance Policy Outlines ANAO protective security arrangements Version 2.0 Effective JULY 2012 Document management Document identification Document ID Document title Release authority

More information

ISO27001 Controls and Objectives

ISO27001 Controls and Objectives Introduction This reference document for the University of Birmingham lists the control objectives, specific controls and background information, as given in Annex A to ISO/IEC 27001:2005. As such, the

More information

APPENDIX 50. Enterprise risk management - Risk management overview

APPENDIX 50. Enterprise risk management - Risk management overview APPENDIX 50 Enterprise risk management - Risk management overview Energex regulatory proposal October 2014 ENTERPRISE RISK MANAGEMENT Risk Management Overview (RMO) 06 11 2013 Table of Contents 1. INTRODUCTION...

More information

Guide to the National Safety and Quality Health Service Standards for health service organisation boards

Guide to the National Safety and Quality Health Service Standards for health service organisation boards Guide to the National Safety and Quality Health Service Standards for health service organisation boards April 2015 ISBN Print: 978-1-925224-10-8 Electronic: 978-1-925224-11-5 Suggested citation: Australian

More information

Information Governance Management Framework

Information Governance Management Framework Information Governance Management Framework Responsible Officer Author Business Planning & Resources Director Governance Manager Date effective from October 2015 Date last amended October 2015 Review date

More information

Information Governance Framework

Information Governance Framework Information Governance Framework March 2014 CONTENT Page 1 Introduction 1 2 Strategic Aim 2 3 Purpose, Values and Principles 2 4 Scope 3 5 Roles and Responsibilities 3 6 Review 5 Appendix 1 - Information

More information

LEEDS BECKETT UNIVERSITY. Information Security Policy. 1.0 Introduction

LEEDS BECKETT UNIVERSITY. Information Security Policy. 1.0 Introduction LEEDS BECKETT UNIVERSITY Information Security Policy 1.0 Introduction 1.1 Information in all of its forms is crucial to the effective functioning and good governance of our University. We are committed

More information

GUIDANCE NOTE FOR DEPOSIT-TAKERS. Operational Risk Management. March 2012

GUIDANCE NOTE FOR DEPOSIT-TAKERS. Operational Risk Management. March 2012 GUIDANCE NOTE FOR DEPOSIT-TAKERS Operational Risk Management March 2012 Version 1.0 Contents Page No 1 Introduction 2 2 Overview 3 Operational risk - fundamental principles and governance 3 Fundamental

More information

Information Security Policies. Version 6.1

Information Security Policies. Version 6.1 Information Security Policies Version 6.1 Information Security Policies Contents: 1. Information Security page 3 2. Business Continuity page 5 3. Compliance page 6 4. Outsourcing and Third Party Access

More information

APES 320 Quality Control for Firms

APES 320 Quality Control for Firms APES 320 Quality Control for Firms APES 320 Quality Control for Firms is based on International Standard on Quality Control (ISQC 1) (as published in the Handbook of International Auditing, Assurance,

More information

Security Awareness and Training

Security Awareness and Training T h e A u d i t o r - G e n e r a l Audit Report No.25 2009 10 Performance Audit A u s t r a l i a n N a t i o n a l A u d i t O f f i c e Commonwealth of Australia 2010 ISSN 1036 7632 ISBN 0 642 81115

More information

Information Governance Policy

Information Governance Policy Information Governance Policy Version: 4 Bodies consulted: Caldicott Guardian, IM&T Directors Approved by: MT Date Approved: 27/10/2015 Lead Manager: Governance Manager Responsible Director: SIRO Date

More information

NSW Government Digital Information Security Policy

NSW Government Digital Information Security Policy NSW Government Digital Information Security Policy Version: 2.0 Date: April 2015 CONTENTS PART 1 PRELIMINARY... 3 1.1 Scope... 3 1.2 Application... 3 1.3 Objectives... 3 PART 2 POLICY STATEMENT... 4 Core

More information

Compliance Policy AGL Energy Limited

Compliance Policy AGL Energy Limited Compliance Policy AGL Energy Limited November 2013 Table of Contents 1. About this Document... 3 2. Policy Statement... 4 3. Purpose... 4 4. AGL Compliance Context... 4 5. Scope... 5 6. Objectives... 5

More information

Information Governance Strategy and Policy. OFFICIAL Ownership: Information Governance Group Date Issued: 15/01/2015 Version: 2.

Information Governance Strategy and Policy. OFFICIAL Ownership: Information Governance Group Date Issued: 15/01/2015 Version: 2. Information Governance Strategy and Policy Ownership: Information Governance Group Date Issued: 15/01/2015 Version: 2.0 Status: Final Revision and Signoff Sheet Change Record Date Author Version Comments

More information

COMPLIANCE FRAMEWORK AND REPORTING GUIDELINES

COMPLIANCE FRAMEWORK AND REPORTING GUIDELINES COMPLIANCE FRAMEWORK AND REPORTING GUIDELINES DRAFT FOR CONSULTATION June 2015 38 Cavenagh Street DARWIN NT 0800 Postal Address GPO Box 915 DARWIN NT 0801 Email: utilities.commission@nt.gov.au Website:

More information

Align Technology. Data Protection Binding Corporate Rules Processor Policy. 2014 Align Technology, Inc. All rights reserved.

Align Technology. Data Protection Binding Corporate Rules Processor Policy. 2014 Align Technology, Inc. All rights reserved. Align Technology Data Protection Binding Corporate Rules Processor Policy Confidential Contents INTRODUCTION TO THIS POLICY 3 PART I: BACKGROUND AND ACTIONS 4 PART II: PROCESSOR OBLIGATIONS 6 PART III:

More information

Insurance Guidance Note No. 14 System of Governance - Insurance Transition to Governance Requirements established under the Solvency II Directive

Insurance Guidance Note No. 14 System of Governance - Insurance Transition to Governance Requirements established under the Solvency II Directive Insurance Guidance Note No. 14 Transition to Governance Requirements established under the Solvency II Directive Date of Paper : 31 December 2013 Version Number : V1.00 Table of Contents General governance

More information

Information Security Policy September 2009 Newman University IT Services. Information Security Policy

Information Security Policy September 2009 Newman University IT Services. Information Security Policy Contents 1. Statement 1.1 Introduction 1.2 Objectives 1.3 Scope and Policy Structure 1.4 Risk Assessment and Management 1.5 Responsibilities for Information Security 2. Compliance 3. HR Security 3.1 Terms

More information

INFORMATION GOVERNANCE OPERATING POLICY & FRAMEWORK

INFORMATION GOVERNANCE OPERATING POLICY & FRAMEWORK INFORMATION GOVERNANCE OPERATING POLICY & FRAMEWORK Log / Control Sheet Responsible Officer: Chief Finance Officer Clinical Lead: Dr J Parker, Caldicott Guardian Author: Associate IG Specialist, Yorkshire

More information

developing your potential Cyber Security Training

developing your potential Cyber Security Training developing your potential Cyber Security Training The benefits of cyber security awareness The cost of a single cyber security incident can easily reach six-figure sums and any damage or loss to a company

More information

The Management of Physical Security

The Management of Physical Security The Auditor-General Audit Report No.49 2013 14 Performance Audit Australian Crime Commission Geoscience Australia Royal Australian Mint Australian National Audit Office Commonwealth of Australia 2014 ISSN

More information

Business Continuity Management

Business Continuity Management Business Continuity Management Standard Operating Procedure Notice: This document has been made available through the Police Service of Scotland Freedom of Information Publication Scheme. It should not

More information

Business Continuity Policy and Business Continuity Management System

Business Continuity Policy and Business Continuity Management System Business Continuity Policy and Business Continuity Management System Summary: This policy sets out the structure for ensuring that the PCT has effective Business Continuity Plans in place in order to maintain

More information

Department of the Premier and Cabinet Circular. PC030 Protective Security Policy Framework

Department of the Premier and Cabinet Circular. PC030 Protective Security Policy Framework Department of the Premier and Cabinet Circular PC030 Protective Security Policy Framework February 2012 PROTECTIVE SECURITY MANAGEMENT FRAMEWORK TABLE OF CONTENTS TABLE OF CONTENTS 2 1. PURPOSE 3 2. SCOPE

More information

Highland Council Information Security Policy

Highland Council Information Security Policy Highland Council Information Security Policy Document Owner: Vicki Nairn, Head of Digital Transformation Page 1 of 16 Contents 1. Document Control... 4 Version History... 4 Document Authors... 4 Distribution...

More information

WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY

WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY DATA LABEL: PUBLIC INFORMATION SECURITY POLICY CONTENTS 1. INTRODUCTION... 3 2. MAIN OBJECTIVES... 3 3. LEGISLATION... 4 4. SCOPE... 4 5. STANDARDS... 4

More information

Information Governance and Assurance Framework Version 1.0

Information Governance and Assurance Framework Version 1.0 Information Governance and Assurance Framework Version 1.0 Page 1 of 19 Document Control Title: Original Author(s): Owner: Reviewed by: Quality Assured by: Meridio Location: Approval Body: Policy and Guidance

More information

Lancashire County Council Information Governance Framework

Lancashire County Council Information Governance Framework Appendix 'A' Lancashire County Council Information Governance Framework Introduction Information Governance provides a framework for bringing together all of the requirements, standards and best practice

More information

Information security controls. Briefing for clients on Experian information security controls

Information security controls. Briefing for clients on Experian information security controls Information security controls Briefing for clients on Experian information security controls Introduction Security sits at the core of Experian s operations. The vast majority of modern organisations face

More information

Administrative systems, policies, and procedures

Administrative systems, policies, and procedures Alan Pedley 2008-01-15 03:28:00 G005_ADMINISTRATIVE_SYSTEMS Administrative systems, policies, and procedures Guidelines G 005 Page 1 of 12 Alan Pedley 1. Preliminary 1.1 Authority This document is issued

More information

Head of Information & Communications Technology Responsible work team: ICT Security. Key point summary... 2

Head of Information & Communications Technology Responsible work team: ICT Security. Key point summary... 2 Policy Procedure Information security policy Policy number: 442 Old instruction number: MAN:F005:a1 Issue date: 24 August 2006 Reviewed as current: 11 July 2014 Owner: Head of Information & Communications

More information

Please note this policy is mandatory and staff are required to adhere to the content

Please note this policy is mandatory and staff are required to adhere to the content Policy ICT Security Please note this policy is mandatory and staff are required to adhere to the content Summary DECD is committed to ensuring its information is appropriately managed according to the

More information

INFORMATION GOVERNANCE AND SECURITY 1 POLICY DRAFTED BY: INFORMATION GOVERNANCE LEAD 2 ACCOUNTABLE DIRECTOR: SENIOR INFORMATION RISK OWNER

INFORMATION GOVERNANCE AND SECURITY 1 POLICY DRAFTED BY: INFORMATION GOVERNANCE LEAD 2 ACCOUNTABLE DIRECTOR: SENIOR INFORMATION RISK OWNER INFORMATION GOVERNANCE AND SECURITY 1 POLICY DRAFTED BY: INFORMATION GOVERNANCE LEAD 2 ACCOUNTABLE DIRECTOR: SENIOR INFORMATION RISK OWNER 3 APPLIES TO: ALL STAFF 4 COMMITTEE & DATE APPROVED: AUDIT COMMITTEE

More information

Information Security Handbook

Information Security Handbook Information Security Handbook Adopted 6/4/14 Page 0 Page 1 1. Introduction... 5 1.1. Executive Summary... 5 1.2. Governance... 5 1.3. Scope and Application... 5 1.4. Biennial Review... 5 2. Definitions...

More information

Corporate Information Security Policy

Corporate Information Security Policy Corporate Information Security Policy. A guide to the Council s approach to safeguarding information resources. September 2015 Contents Page 1. Introduction 1 2. Information Security Framework 2 3. Objectives

More information

Human Services Quality Framework. User Guide

Human Services Quality Framework. User Guide Human Services Quality Framework User Guide Purpose The purpose of the user guide is to assist in interpreting and applying the Human Services Quality Standards and associated indicators across all service

More information

Information System Audit Guide

Information System Audit Guide Australian Government Department of Defence Information System Audit Guide VERSION 11.1 January 2012 Commonwealth of Australia 2011 Page 1 TABLE OF CONTENTS 1. INTRODUCTION TO ACCREDITATION...4 2. THE

More information

INFORMATION GOVERNANCE POLICY & FRAMEWORK

INFORMATION GOVERNANCE POLICY & FRAMEWORK INFORMATION GOVERNANCE POLICY & FRAMEWORK Version 1.2 Committee Approved by Audit Committee Date Approved 5 March 2015 Author: Responsible Lead: Associate IG Specialist, YHCS Corporate & Governance Manger

More information

Smart Meters Programme Schedule 2.5. (Security Management Plan) (CSP South version)

Smart Meters Programme Schedule 2.5. (Security Management Plan) (CSP South version) Smart Meters Programme Schedule 2.5 (Security Management Plan) (CSP South version) Schedule 2.5 (Security Management Plan) (CSP South version) Amendment History Version Date Author Status v.1 Signature

More information

Council Policy. Records & Information Management

Council Policy. Records & Information Management Council Policy Records & Information Management COUNCIL POLICY RECORDS AND INFORMATION MANAGEMENT Policy Number: GOV-13 Responsible Department(s): Information Systems Relevant Delegations: None Other Relevant

More information

NSW Government Digital Information Security Policy

NSW Government Digital Information Security Policy NSW Government Digital Information Security Policy Version: 1.0 Date: November 2012 CONTENTS PART 1 PRELIMINARY... 3 1.1 Scope... 3 1.2 Application... 3 1.3 Objectives... 3 PART 2 CORE REQUIREMENTS...

More information

ASTRAZENECA GLOBAL POLICY SAFEGUARDING COMPANY ASSETS AND RESOURCES

ASTRAZENECA GLOBAL POLICY SAFEGUARDING COMPANY ASSETS AND RESOURCES ASTRAZENECA GLOBAL POLICY SAFEGUARDING COMPANY ASSETS AND RESOURCES THIS POLICY SETS OUT THE REQUIREMENTS FOR SAFEGUARDING COMPANY ASSETS AND RESOURCES TO PROTECT PATIENTS, STAFF, PRODUCTS, PROPERTY AND

More information

A Guide to Corporate Governance for QFC Authorised Firms

A Guide to Corporate Governance for QFC Authorised Firms A Guide to Corporate Governance for QFC Authorised Firms January 2012 Disclaimer The goal of the Qatar Financial Centre Regulatory Authority ( Regulatory Authority ) in producing this document is to provide

More information

Protective security governance guidelines

Protective security governance guidelines Protective security governance guidelines Security of outsourced services and functions Approved 13 September 2011 Version 1.0 Commonwealth of Australia 2011 All material presented in this publication

More information

Part A OVERVIEW...1. 1. Introduction...1. 2. Applicability...2. 3. Legal Provision...2. Part B SOUND DATA MANAGEMENT AND MIS PRACTICES...

Part A OVERVIEW...1. 1. Introduction...1. 2. Applicability...2. 3. Legal Provision...2. Part B SOUND DATA MANAGEMENT AND MIS PRACTICES... Part A OVERVIEW...1 1. Introduction...1 2. Applicability...2 3. Legal Provision...2 Part B SOUND DATA MANAGEMENT AND MIS PRACTICES...3 4. Guiding Principles...3 Part C IMPLEMENTATION...13 5. Implementation

More information

RISK MANAGEMENT AND COMPLIANCE

RISK MANAGEMENT AND COMPLIANCE RISK MANAGEMENT AND COMPLIANCE Contents 1. Risk management system... 2 1.1 Legislation... 2 1.2 Guidance... 3 1.3 Risk management policy... 4 1.4 Risk management process... 4 1.5 Risk register... 8 1.6

More information

Securing Information in an Outsourcing Environment (Guidance for Critical Infrastructure Providers) Executive Overview Supplement.

Securing Information in an Outsourcing Environment (Guidance for Critical Infrastructure Providers) Executive Overview Supplement. Securing Information in an Outsourcing Environment (Guidance for Critical Infrastructure Providers) Executive Overview Supplement June 2011 DISCLAIMER: This document is intended as a general guide only.

More information

ACT Auditor-General s Office. Performance Audit Report. Whole-of-Government Information and Communication Technology Security Management and Services

ACT Auditor-General s Office. Performance Audit Report. Whole-of-Government Information and Communication Technology Security Management and Services ACT Auditor-General s Office Performance Audit Report Whole-of-Government Information and Communication Technology Security Management and Services Report No. 2 / 2012 PA 09/03 The Speaker ACT Legislative

More information

Compliance and Enforcement Policy. November 2013

Compliance and Enforcement Policy. November 2013 Compliance and Enforcement Policy November 2013 Contents 1. Context... 3 2. VBA compliance and enforcement public value... 3 2.1 Purpose...3 2.2 Outcome...3 2.3 Authority...3 2.4 Capability...3 2.4.1 Building...

More information

Government Owned Corporations. Corporate Governance Guidelines for Government Owned Corporations

Government Owned Corporations. Corporate Governance Guidelines for Government Owned Corporations Government Owned Corporations Corporate Governance Guidelines for Government Owned Corporations Version 2.0 The State of Queensland (Queensland Treasury) The Queensland Government supports and encourages

More information

Procurement Capability Standards

Procurement Capability Standards IPAA PROFESSIONAL CAPABILITIES PROJECT Procurement Capability Standards Definition Professional Role Procurement is the process of acquiring goods and/or services. It can include: identifying a procurement

More information

INFORMATION SECURITY POLICY

INFORMATION SECURITY POLICY INFORMATION SECURITY POLICY INFORMATION SECURITY POLICY ISO 27002 5.1 Author: Owner: Organisation: Chris Stone Ruskwig TruePersona Ltd Document No: SP- 5.1 Version No: 1.0 Date: 10 th January 2010 Copyright

More information

Information Governance Strategy :

Information Governance Strategy : Item 11 Strategy Strategy : Date Issued: Date To Be Reviewed: VOY xx Annually 1 Policy Title: Strategy Supersedes: All previous Strategies 18/12/13: Initial draft Description of Amendments 19/12/13: Update

More information

Consequence Management

Consequence Management Group Standard Consequence Management Serco is committed to creating an open and transparent environment, where good behaviour is rewarded and where employees feel safe in the knowledge that poor behaviour

More information

Victorian Government Risk Management Framework. March 2015

Victorian Government Risk Management Framework. March 2015 Victorian Government Risk Management Framework March 2015 This document reproduces parts of the AS/NZS ISO 31000:2099 Risk Management Principles and Guidelines. Permission has been granted by SAI Global

More information

National Occupational Standards. Compliance

National Occupational Standards. Compliance National Occupational Standards Compliance NOTES ABOUT NATIONAL OCCUPATIONAL STANDARDS What are National Occupational Standards, and why should you use them? National Occupational Standards (NOS) are statements

More information

Business Continuity & Crisis Management

Business Continuity & Crisis Management Group Standard Business Continuity & Crisis Management The need to plan and respond effectively is critical to the successful management of any crisis situation. Business Continuity Management is the holistic

More information

Privacy by Design: Effective Privacy Management in the Victorian Public Sector

Privacy by Design: Effective Privacy Management in the Victorian Public Sector Privacy by Design: Effective Privacy Management in the Victorian public sector Release date: October 2014 The Commissioner for Privacy and Data Protection (CPDP) has formally adopted Privacy by Design

More information

Personal Health Information Privacy Policy

Personal Health Information Privacy Policy Personal Health Information Privacy Policy Privacy Office Document ID: 2478 Version: 6.2 Owner: Chief Privacy Officer Sensitivity Level: Low Copyright Notice Copyright 2014, ehealth Ontario All rights

More information

Information Governance Policy A council-wide information management policy. Version 1.0 June 2013

Information Governance Policy A council-wide information management policy. Version 1.0 June 2013 Information Governance Policy Version 1.0 June 2013 Copyright Notification Copyright London Borough of Islington 2012 This document is distributed under the Creative Commons Attribution 2.5 license. This

More information

Business Continuity Management Framework 2014 2017

Business Continuity Management Framework 2014 2017 Business Continuity Management Framework 2014 2017 Blackpool Council Business Continuity Framework V3.0 Page 1 of 13 CONTENTS 1.0 Forward 03 2.0 Administration 04 3.0 Policy 05 4.0 Business Continuity

More information

INFORMATION GOVERNANCE POLICY

INFORMATION GOVERNANCE POLICY INFORMATION GOVERNANCE POLICY Issued by: Senior Information Risk Owner Policy Classification: Policy No: POLIG001 Information Governance Issue No: 1 Date Issued: 18/11/2013 Page No: 1 of 16 Review Date:

More information

Caedmon College Whitby

Caedmon College Whitby Caedmon College Whitby Data Protection and Information Security Policy College Governance Status This policy was re-issued in June 2014 and was adopted by the Governing Body on 26 June 2014. It will be

More information

Information Security Policy. Document ID: 3809 Version: 1.0 Owner: Chief Security Officer, Security Services

Information Security Policy. Document ID: 3809 Version: 1.0 Owner: Chief Security Officer, Security Services Information Security Policy Document ID: 3809 Version: 1.0 Owner: Chief Security Officer, Security Services Contents 1 Purpose / Objective... 1 1.1 Information Security... 1 1.2 Purpose... 1 1.3 Objectives...

More information

Compliance. Group Standard

Compliance. Group Standard Group Standard Compliance Serco is committed to good governance practices and the management of risks supported by a robust business compliance process SMS-GS-G2 Compliance July 2014 v1.0 Serco Public

More information

Title: Rio Tinto management system

Title: Rio Tinto management system Standard Rio Tinto management system December 2014 Group Title: Rio Tinto management system Document No: HSEC-B-01 Standard Function: Health, Safety, Environment and Communities (HSEC) No. of pages: 23

More information

A Firm s System of Quality Control

A Firm s System of Quality Control A Firm s System of Quality Control 2523 QC Section 10 A Firm s System of Quality Control (Supersedes SQCS No. 7.) Source: SQCS No. 8. Effective date: Applicable to a CPA firm s system of quality control

More information

Information Governance Policy

Information Governance Policy Information Governance Policy Document Number 01 Version Number 2.0 Approved by / Date approved Effective Authority Customer Services & ICT Authorised by Assistant Director Customer Services & ICT Contact

More information

Business Continuity Management Policy

Business Continuity Management Policy Governance: Business Committee Policy Owner: Chief Superintendent, Corporate Services Department: Corporate Services Policy Number: 002 Version: 3.0 Policy Writer: Business Continuity Co-ordinator Effective

More information

Legislative Language

Legislative Language Legislative Language SEC. 1. COORDINATION OF FEDERAL INFORMATION SECURITY POLICY. (a) IN GENERAL. Chapter 35 of title 44, United States Code, is amended by striking subchapters II and III and inserting

More information

University of Liverpool

University of Liverpool University of Liverpool Information Security Review Policy Reference Number Title CSD-014 Information Security Review Policy Version Number 1.2 Document Status Document Classification Active Open Effective

More information

FMCF certification checklist 2014-15 (incorporating the detailed procedures) 2014-15 certification period. Updated May 2015

FMCF certification checklist 2014-15 (incorporating the detailed procedures) 2014-15 certification period. Updated May 2015 FMCF certification checklist 2014-15 (incorporating the detailed procedures) 2014-15 certification period Updated May 2015 The Secretary Department of Treasury and Finance 1 Treasury Place Melbourne Victoria

More information

INFORMATION GOVERNANCE STRATEGIC VISION, POLICY AND FRAMEWORK

INFORMATION GOVERNANCE STRATEGIC VISION, POLICY AND FRAMEWORK INFORMATION GOVERNANCE STRATEGIC VISION, POLICY AND FRAMEWORK Policy approved by: Assurance Committee Date: 3 December 2014 Next Review Date: December 2016 Version: 1.0 Information Governance Strategic

More information

Graduate Project Engineer

Graduate Project Engineer Position Information Package Graduate Project Engineer POSITION NUMBER: R15/16.15 APPLICATIONS CLOSE: 5:00pm Friday 2 nd October 2015 POSITION INFORMATION Salary: $52 344 - $60 501 (Band 5) Hours: Location:

More information

Information & ICT Security Policy Framework

Information & ICT Security Policy Framework Information & ICT Security Framework Version: 1.1 Date: September 2012 Unclassified Version Control Date Version Comments November 2011 1.0 First draft for comments to IT & Regulation Group and IMG January

More information

CONTROLLED DOCUMENT. Traffic Management Policy

CONTROLLED DOCUMENT. Traffic Management Policy CONTROLLED DOCUMENT CATEGORY: CLASSIFICATION: PURPOSE Controlled Number: Document Version Number: 1 Controlled Sponsor: Controlled Lead: Approved By: On: Document Document Policy Governance To set out

More information

Information Security Management System Information Security Policy

Information Security Management System Information Security Policy Management System Policy Version: 3.4 Issued Document Name: Owner: P079A - ISMS Security Policy Classification: Public Security Policies, Standards and Procedures emanate from the Policy which has been

More information

Information Security Management System Policy

Information Security Management System Policy Information Security Management System Policy Public Version 3.3 Issued Document Name Owner P079A ISMS Security Policy Information Security Security Policies, Standards and Procedures emanate from the

More information

ISO 27001 Controls and Objectives

ISO 27001 Controls and Objectives ISO 27001 s and Objectives A.5 Security policy A.5.1 Information security policy Objective: To provide management direction and support for information security in accordance with business requirements

More information

Quality Control for Firms that Perform Audits and Reviews of Financial Statements, and Other Assurance and Related Services Engagements

Quality Control for Firms that Perform Audits and Reviews of Financial Statements, and Other Assurance and Related Services Engagements HKSQC 1 Issued June 2009; revised July 2010, May 2013, February 2015 Effective as of 15 December 2009 Hong Kong Standard on Quality Control 1 Quality Control for Firms that Perform Audits and Reviews of

More information

HEALTH SAFETY & ENVIRONMENT MANAGEMENT SYSTEM

HEALTH SAFETY & ENVIRONMENT MANAGEMENT SYSTEM HEALTH SAFETY & ENVIRONMENT MANAGEMENT SYSTEM September 2011 OUR HEALTH, SAFETY AND ENVIRONMENT POLICY OUR PRINCIPLE OF DUE CARE We care about the wellbeing of our people and our impact on the environment.

More information

All CCG staff. This policy is due for review on the latest date shown above. After this date, policy and process documents may become invalid.

All CCG staff. This policy is due for review on the latest date shown above. After this date, policy and process documents may become invalid. Policy Type Information Governance Corporate Standing Operating Procedure Human Resources X Policy Name CCG IG03 Information Governance & Information Risk Policy Status Committee approved by Final Governance,

More information

august09 tpp 09-05 Internal Audit and Risk Management Policy for the NSW Public Sector OFFICE OF FINANCIAL MANAGEMENT Policy & Guidelines Paper

august09 tpp 09-05 Internal Audit and Risk Management Policy for the NSW Public Sector OFFICE OF FINANCIAL MANAGEMENT Policy & Guidelines Paper august09 09-05 Internal Audit and Risk Management Policy for the NSW Public Sector OFFICE OF FINANCIAL MANAGEMENT Policy & Guidelines Paper Preface Corporate governance - which refers broadly to the processes

More information

Information Governance Policy

Information Governance Policy Information Governance Policy Policy Summary This policy outlines the organisation s approach to the management of Information Governance and information handling. It explains the accountability and reporting

More information

43: DATA SECURITY POLICY

43: DATA SECURITY POLICY 43: DATA SECURITY POLICY DATE OF POLICY: FEBRUARY 2013 STAFF RESPONSIBLE: HEAD/DEPUTY HEAD STATUS: STATUTORY LEGISLATION: THE DATA PROTECTION ACT 1998 REVIEWED BY GOVERNING BODY: FEBRUARY 2013 EDITED:

More information

Module 4. Risk assessment for your AML/CTF program

Module 4. Risk assessment for your AML/CTF program Module 4 Risk assessment for your AML/CTF program AML/CTF Programs Risk assessment for your AML/CTF program Page 1 of 27 Module 4 Risk assessment for your AML/CTF program Risk assessment for your AML/CTF

More information

INFORMATION SECURITY MANAGEMENT SYSTEM. Version 1c

INFORMATION SECURITY MANAGEMENT SYSTEM. Version 1c INFORMATION SECURITY MANAGEMENT SYSTEM Version 1c Revised April 2011 CONTENTS Introduction... 5 1 Security Policy... 7 1.1 Information Security Policy... 7 1.2 Scope 2 Security Organisation... 8 2.1 Information

More information

INFORMATION SECURITY MANAGEMENT POLICY

INFORMATION SECURITY MANAGEMENT POLICY INFORMATION SECURITY MANAGEMENT POLICY Security Classification Level 4 - PUBLIC Version 1.3 Status APPROVED Approval SMT: 27 th April 2010 ISC: 28 th April 2010 Senate: 9 th June 2010 Council: 23 rd June

More information

IT Security Management

IT Security Management The Auditor-General Audit Report No.23 2005 06 Protective Security Audit Australian National Audit Office Commonwealth of Australia 2005 ISSN 1036 7632 ISBN 0 642 80882 1 COPYRIGHT INFORMATION This work

More information

APES 310 Dealing with Client Monies

APES 310 Dealing with Client Monies EXPOSURE DRAFT ED 01/10 (April 2010) APES 310 Dealing with Client Monies ISSUED: December 2010 Proposed Standard: APES 310 Dealing with Client Monies (Supersedes APS 10) Prepared and issued by Accounting

More information

Policy Checklist. Head of Information Governance

Policy Checklist. Head of Information Governance Policy Checklist Name of Policy: Information Governance Policy Purpose of Policy: To provide guidance to all staff on their responsibilities regarding information governance and to ensure that the Trust

More information

The NHS Foundation Trust Code of Governance

The NHS Foundation Trust Code of Governance The NHS Foundation Trust Code of Governance www.monitor-nhsft.gov.uk The NHS Foundation Trust Code of Governance 1 Contents 1 Introduction 4 1.1 Why is there a code of governance for NHS foundation trusts?

More information

Information Management Advice 50 Developing a Records Management policy

Information Management Advice 50 Developing a Records Management policy Information Management Advice 50 Developing a Records Management policy Introduction This advice explains how to develop and implement a Records Management policy. Policy is central to the development

More information