Crime Statistics Data Security Standards. Office of the Commissioner for Privacy and Data Protection

Transcription

1 Crime Statistics Data Security Standards Office of the Commissioner for Privacy and Data Protection 2015

2 Document details Security Classification Dissemination Limiting Marker Dissemination Instructions Nil Nil For public release Issue Date 2 March 2015 Review Date August 2015 Final Document Status (Interim release) Authority Author Office of the Commissioner for Privacy and Data Protection Data Protection Branch Published by Office of the Commissioner for Privacy and Data Protection PO Box Melbourne Victoria Also published on: Copyright State of Victoria, 2015 This publication is copyright. No part of it may be reproduced by any process except in accordance with the provisions of the Copyright Act ISBN

3 3

4 Table of Contents Crime Statistics Data Security Standards... 1 Table of Contents... 4 Foreword... 6 Part One - Introduction... 7 What are the Crime Statistics Data Security Standards?... 7 Requirements... 8 Who do the Crime Statistics Data Security Standards apply to?... 9 Key Definitions Protective security Security by Design Part Two Standards Visual representation of the mandatory Crime Statistics Data Security Standards Crime Statistics Data Security Standards Structure Chapter One Governance Gov Security Management Framework (SMF) Gov Risk Management Gov Security Policies and Procedures Gov Security Plans Gov Personnel Security Obligations Gov Information Access Gov Training and Awareness Gov Business Continuity Management Gov Security Incident Management Gov Assurance Gov Contracted Service Providers Gov Government Services Chapter Two Information Security Info Sec Protective Markings Info Sec Information Lifecycle Info Sec Information Sharing Chapter Three Personnel Security Per Sec Pre employment screening Per Sec Personnel Security Management

5 Chapter Four ICT Security ICT Sec System Lifecycle Chapter Five Physical Security Phys Sec Environmental Security Phys Sec Physical Security Lifecycle Part Three - Rosetta Stone Part Four SLEDS Protocols and implementation guidance Part Five Mandatory requirements Summary table Part Six Definitions

6 Foreword The Crime Statistics Data (CSD) security standards provide the requirements for the protection of crime statistics data on a whole of lifecycle basis from collection, transformation, release and destruction. The level of protection applied to the data will correspond to its sensitivity and value at each lifecycle stage to cover all areas of security (confidentiality, integrity and availability) and ensure data quality. The CSD security standards are derived from the proposed Victorian Protective Data Security Standards that will apply to the wider Victorian government. Given these Victorian standards are currently under development, the CSD security standards have been mapped to the protocols and implementation guidance of the Standards for Law Enforcement Data Security (SLEDS) to enable implementation. The CSD security standards are established under section 92 of the Privacy and Data Protection Act 2014 (Vic). As required under section 92 (3) of the Privacy and Data Protection Act 2014 (Vic), the Commissioner must consult with the Chief Statistician in developing law enforcement data security standards in relation to crime statistics data and crime statistics data systems. Such consultation ensures that standards, once promulgated, not only represents best practice in terms of contemporary management of crime statistics data security, but are also practical, workable and understood by the Crime Statistics Agency. These consultations occurred during the months of December 2014 and January For the convenience of readers and practitioners, an appendix is attached that maps the twenty CSD standards to the SLEDS to assist with the operationalisation of the standards and in order that both the Chief Statistician and Victoria Police take an integrated approach to security. The CSD security standards come into effect on 2 March David Watts Commissioner Privacy and Data Protection 6

7 Part One - Introduction What are the Crime Statistics Data Security Standards? The Crime Statistics Data Security Standards describe the standards, objectives, protocols and best practice implementation guidance required to protect crime statistics data. The standards focus on the outcomes that are required to achieve a proportionate and risk managed approach to security that enables the Crime Statistics Agency (CSA) to function effectively, safely and securely. The 20 standards cover the requirements for protecting crime statistics data. They are drawn from the proposed Victorian Protective Data Security Standards (VPDSS) and reflect principal elements of the existing Victoria Police Standards for Law Enforcement Data Security (SLEDS), Whole-of-Victorian-Government security policies, Australian and international security standards, policies, schemes, frameworks and benchmarks including alignment with the Australian Government Protective Security Policy Framework (PSPF). The standards are designed to support the core functions of the Crime Statistics Agency and reflect contemporary security standards. The standards do not seek to deviate from the existing risk management approach already in operation in Victorian Government, and reflect the Victorian Government Risk Management Framework. The PSPF governs matters of national interest and will remain mandatory in cases where the Crime Statistics Agency handles information and assets of national interest. The standards do not override any obligations imposed by legislation or law. Where the framework conflicts with legislation or law the latter takes precedence. 7

8 Requirements The Crime Statistics Data Security Standards provide tailored standards, protocols and guidelines for executives, security practitioners and users of Crime Statistics data. The 20 core standards derived from the Victorian Protective Data Security Framework (VPDSF) describe the high-level mandatory requirements applicable to Victorian government agencies or bodies. The Crime Statistics Data Security Standards and supporting framework comprises: 1. Standards (high level statement explaining the key principle - what) 2. Statement of objectives (key intent of the standard - why) 3. Protocols (statement of requirements extracted from the SLEDS, which must, at a minimum, be addressed in order to meet a prescribed standard) 4. Implementation guidance (extracts from the SLEDS to assist with the implementation of the standards - how) Detailed protocols and guidelines derived from the Victoria Police Standards for Law Enforcement Data Security (SLEDS) support the core Victorian Protective Data Security Standards (VPDSS). The guidelines will set out procedural minimum requirements to support the interim practical implementation of the standards until such a time as the Victorian framework is finalised and issued and the transition to this new framework can be achieved. Crime Statistics Agency is to implement security measures for each standard commensurate with the sensitivity and value of the data at the different stages of its lifecycle. 8

9 Who do the Crime Statistics Data Security Standards apply to? Extract from the Privacy and Data Protection Act 2014 (Vic): Application of Part 5 Law Enforcement Data Security This Part applies to (b) the Chief Statistician; and (c) an employee or consultant employed or engaged under section 6 of the Crime Statistics Act The standards also apply to any contracted service providers and external parties who by way of agreement with the CSA have authorised access to crime statistics data. CSA should consider what level of assurance is required of any other associated delivery partners, and where equivalent security policies may be accepted based on a security risk assessment. The Crime Statistics Data Security Standards take precedence over the Victorian Protective Data Security Standards to the degree of any inconsistency. 9

10 Key Definitions Protective security Protective security is a risk management process designed to safeguard official information assets and services proportionate to threats in a way that supports (and does not inhibit) business. Government agencies or bodies process vast volumes of sensitive and valuable information and manage assets and services that are critical to public safety and citizens way of life. Protective security implementation guards against a range of threats including negligent behaviours, criminality, terrorism, and espionage, as well as natural hazards. There are five interdependent elements / domains that underpin protective security. They are: Governance executive sponsorship and investment in security management Information security official information whether hard copy or electronic ICT security communications and technology systems Personnel security people Physical security facilities/buildings, property, etc. Security by Design A productive approach to protecting official information assets involves re-imagining security within an integrated framework that embodies and operationalises security so it is encompassed within systems and processes from the start rather than being imposed through regulation and oversight. This type of approach has recently been labelled security by design and promotes full functionality of Victorian government business with no trade offs. In order to promote security as a business enabler and not as an impediment, CSA is to continually apply security using a risk management approach proportionate to their risk tolerance levels to protect official assets for their entire lifecycle (cradle to grave). The 10

11 proactive approach to embedding security in the design of systems and processes supports the work of Dr Ann Cavoukian, Information and Privacy Commissioner for Ontario, Canada who originated seven core principles which apply to both security and privacy including: 1. Proactive not reactive: preventative not remedial 2. Security as the default setting 3. Security embedded into design 4. Full-functionality positive sum, not zero sum 5. End-to-end security full lifecycle protection 6. Visibility and transparency keep it open 7. Respect for user security keep it user centric. By building a security culture, these principles can be practically adopted and implemented by CSA for the protection of crime statistics data from the signing off on a new program of work; to the review of their training content; to the updating of their project processes to include security at all stages to the end user handling that information asset on a daily basis. This smart security is not only an efficient economical investment but also promotes organisational resilience in managing risks appropriately and reinforces that security is not a secret and accessible by all. 11

12 Part Two Standards Visual representation of the mandatory Crime Statistics Data Security Standards 12

13 Crime Statistics Data Security Standards Structure The Crime Statistics Data Security Standards articulates the requirements for data security to not only be a business enabler by enhancing the agency s ability to work in a secure environment of trust and confidence, but also ensure the provision of core service delivery functions. To support this, a set of standards have been derived from the proposed Victorian Protective Data Security Framework to govern and apply security measures to crime statistics data. Each of the Crime Statistics Data Security Standards is underpinned by a statement of objective; supporting protocols; and implementation guidance, to provide a clear direction and instructions around the development and implementation of protective security practices for crime statistics data. Tier 1 Standards High-level mandatory requirements providing a clear statement on what the Crime Statistics Agency is expected to comply with. These standards extend across all the core security domains with a distinct focus on governance, information security, ICT security, personnel security and physical security. Tier 2 Objective High-level statement outlining the intention of the standard, by providing clear direction as to why this is standard is required. The statement of objective identifies the desired outcome of complying with the standard. Tier 3 Protocols A mandatory statement of requirements, which must, at a minimum, be addressed in order to meet a prescribed standard. Standard operating procedures and business rules implemented to give effect to a standard should include and further describe matters contained in the relevant protocol. Risk management should be used to demonstrate the implementation of the standards and functional equivalents to meet the intent of the standard. Tier 4 Implementation Guidance Implementation guidance providing further instruction on how the agency can meet the requirements of the standard. 13

14 Chapter One Governance 1 Gov Security Management Framework (SMF) The Crime Statistics Agency must establish and maintain an internal security management framework proportionate to its size, resources and risk posture. Statement of Objective Securing your business SMF Implementation To ensure that the security direction of the agency is established and maintained via a security management framework proportionate to its business needs, in order to protect crime statistics data. The framework should provide a solid foundation for the operationalisation of security by design, and foster an environment where security risks and incidents are minimised or prevented. Protocol Refer to SLEDS protocol 40.1 Implementation Guidance Refer to SLEDS - standard 1 implementation guidance Refer to SLEDS - standard 2 implementation guidance 14

15 2 Gov Risk Management The Crime Statistics Agency must adopt a risk management approach to cover the core security domains (information, ICT, personnel and physical security). Statement of Objective To enhance the agency s ability to safeguard crime statistics data against a range of threats and hazards (internal and external) through the implementation of a comprehensive and effective risk management approach, covering core security domains. Looking after Risk Intent - To enhance the agency s ability to manage its risks in a holistic manner. This includes: Regular review of the risks Regular review of the framework to ensure it is in line with the agency s security posture with proportionate security controls Communication and consultation about risk across the business including external parties. Managing risk with external parties Intent - To enhance the agency s ability to manage security risks associated with doing business with external parties (such as service delivery partners). Protocol Nil Implementation Guidance Refer to SLEDS - standard 31 implementation guidance 15

16 3 Gov Security Policies and Procedures The Crime Statistics Agency must develop its own set of policies and procedures across the core security domains (information, ICT, personnel and physical security). Statement of Objective Security policy and planning Good security is good business To ensure the security expectations of the agency are developed, communicated, maintained and implemented across the core security domains. Protocol Refer to SLEDS protocol 3.1 Refer to SLEDS protocol 9.1 Refer to SLEDS protocol 9.2 Refer to SLEDS protocol 9.5 Refer to SLEDS protocol 11.2 Refer to SLEDS protocol 11.3 Refer to SLEDS protocol 11.4 Refer to SLEDS protocol 38.1 Refer to SLEDS protocol 40.1 Implementation Guidance Refer to SLEDS - standard 3 implementation guidance Refer to SLEDS standard 19 implementation guidance Refer to SLEDS standard 24 implementation guidance Refer to SLEDS standard 27 implementation guidance Refer to SLEDS standard 28 implementation guidance 16

17 The Crime Statistics Agency is to develop and implement an information security policy and procedures, identifying how it will adequately protect any crime statistics data held, stored or processed, regardless of format or media, and address information security requirements as part of the agency s overarching protective data security plan. This policy is to be informed by the security risk profile assessment to provide assurances supporting the core principles of confidentiality, integrity and availability and be reviewed regularly to ensure currency. Intent - To ensure the information security requirements of the agency are explicitly defined, communicated and reviewed in line with the agency s protective data security plan to protect the confidentiality, integrity and availability of crime statistics data. The Crime Statistics Agency is to develop and implement an ICT security policy and address ICT security requirements as part of the agency s overarching protective data security plan. Intent - To ensure the ICT security requirements of the agency are explicitly defined, communicated and reviewed in line with the agency s protective data security plan to protect the confidentiality, integrity and availability of crime statistics data. 17

18 The Crime Statistics Agency is to develop and implement a physical security policy and address physical security requirements as part of the agency s overarching protective data security plan. Intent - To ensure the physical security requirements of the agency are explicitly defined, communicated and reviewed in line with the agency s protective data security plan to protect crime statistics data. The Crime Statistics Agency is to develop and implement a personnel security policy and address personnel security requirements as part of the agency s overarching security plan. Intent - To ensure the personnel security requirements of the agency are explicitly defined, communicated and reviewed in line with the agency s protective data security plan to protect crime statistics data. 18

19 4 Gov Security Plans The Crime Statistics Agency must undertake a security risk profile assessment and develop a protective data security plan to manage its security risks. The protective data security plan must be reviewed and updated every two years or sooner as dictated by changes in organisational risks, strategic direction or operating environment. A copy of the agency s current plan must be provided to the Commissioner for Privacy and Data Protection. Statement of Objective Security Solutions Protective Data Security Plan To ensure the protection of crime statistics data and assist the agency in making informed business decisions, while determining and applying cost-effective security controls in order to mitigate the identified risks within agency agreed appetites. Protocol Nil Implementation Guidance Refer to SLEDS standard 31 implementation guidance 19

20 5 Gov Personnel Security Obligations The Crime Statistics Agency must define, document, communicate and regularly review the security obligations and responsibilities of all persons with access to crime statistics data. Statement of Objective Security obligations and responsibilities in your agency or body To ensure all persons with access to crime statistics data understand their security obligations. Protocol Refer to SLEDS protocol 3.1 Refer to SLEDS protocol 4.1 Refer to SLEDS protocol 5.1 Implementation Guidance Refer to SLEDS - standard 5 implementation guidance 20

21 6 Gov Information Access The Crime Statistics Agency must establish and maintain an access management framework for access to crime statistics data. Statement of Objective Access granted To ensure access to crime statistics data is authorised and controlled. Protocol Refer to SLEDS protocol 6.1 Refer to SLEDS protocol 9.1 Refer to SLEDS protocol 9.2 Refer to SLEDS protocol 9.3 Refer to SLEDS protocol 9.4 Refer to SLEDS protocol 9.5 Refer to SLEDS protocol 10.1 Implementation Guidance Refer to SLEDS - standard 6 - implementation guidance Refer to SLEDS - standard 10 - implementation guidance 21

22 7 Gov Training and Awareness The Crime Statistics Agency must ensure all persons with access to crime statistics data undertake security training and awareness. Statement of Objective Did you know? Security training and awareness To create a strong security culture through comprehensive training and awareness programs. Tailored programs will ensure all persons understand the importance of security across the core security domains in the agency and their security obligations in protecting crime statistics data. Protocol Refer to SLEDS protocol 7.1 Refer to SLEDS protocol 14.4 Implementation guidance Refer to SLEDS - standard 7 - implementation guidance 22

23 8 Gov Business Continuity Management The Crime Statistics Agency must establish and maintain a business continuity management (BCM) program. Statement of Objective Keeping the lights on Business Continuity Management To ensure the agency understands its critical information services and crime statistics data in order to protect the integrity and availability of these from threats. Protocol Nil Implementation Guidance Refer to SLEDS standard 16 implementation guidance Refer to SLEDS standard 34 implementation guidance Refer to SLEDS standard 35 implementation guidance 23

24 9 Gov Security Incident Management The Crime Statistics Agency must establish and maintain a security incident management framework. Statement of Objective Security incident management system To enable timely corrective action to be taken by the agency in the event of an information security incident in order to protect crime statistics data and ensure effective reporting and continuous improvement of incident management. Protocol Refer to SLEDS protocol 6.1 Refer to SLEDS protocol 39.1 Implementation guidance Refer to SLEDS - standard 6 - implementation guidance Refer to SLEDS - standard 32 - implementation guidance Refer to SLEDS - standard 33 - implementation guidance 24

25 10 Gov Assurance The Crime Statistics Agency must undertake an annual assessment of its implementation of the Crime Statistics Data Security Standards and report their level of compliance to the Commissioner for Privacy and Data Protection. Statement of Objective Are you compliant? Annual assurance assessment To promote security maturity, visibility and transparency across the agency and ensure adequate tracking of compliance with the Crime Statistics Data Security Standards. Protocol Nil Implementation guidance Nil 25

26 11 Gov Contracted Service Providers The Crime Statistics Agency must ensure that contracted service providers with access to crime statistics data do not do an act or engage in a practice that contravenes the Crime Statistics Data Security Standards. Statement of Objective Critical engagement Security and contracted service providers To ensure the protection of crime statistics data across core security domains (information, ICT, personnel and physical), through the inclusion of Crime Statistics Data Security Standards in contracted service provider arrangements. Protocol Refer to SLEDS protocol 3.1 Refer to SLEDS protocol 4.1 Refer to SLEDS protocol 5.1 Refer to SLEDS protocol 6.1 Refer to SLEDS protocol 7.1 Refer to SLEDS protocol 8.1 Refer to SLEDS protocol 9.1 Refer to SLEDS protocol 9.2 Refer to SLEDS protocol 9.3 Refer to SLEDS protocol 9.4 Refer to SLEDS protocol 9.5 Refer to SLEDS protocol 10.1 Refer to SLEDS protocol 11.1 Refer to SLEDS protocol 13.1 Refer to SLEDS protocol 14.4 Refer to SLEDS protocol 15.1 Refer to SLEDS protocol 15.2 Refer to SLEDS protocol

27 Refer to SLEDS protocol 36.1 Refer to SLEDS protocol 37.1 Refer to SLEDS protocol 38.1 Refer to SLEDS protocol 39.1 Implementation Guidance Refer to SLEDS - standard 7 - implementation guidance Refer to SLEDS - standard 8 implementation guidance Refer to SLEDS - standard 10 - implementation guidance Refer to SLEDS standard 16 implementation guidance Refer to SLEDS standard 17 implementation guidance Refer to SLEDS standard 18 implementation guidance Refer to SLEDS standard 19 implementation guidance Refer to SLEDS standard 20 implementation guidance Refer to SLEDS standard 22 implementation guidance Refer to SLEDS standard 23 implementation guidance Refer to SLEDS standard 24 implementation guidance Refer to SLEDS standard 25 implementation guidance Refer to SLEDS standard 26 implementation guidance Refer to SLEDS standard 27 implementation guidance Refer to SLEDS standard 28 implementation guidance Refer to SLEDS standard 29 implementation guidance Refer to SLEDS standard 30 implementation guidance Refer to SLEDS - standard 31 implementation guidance Refer to SLEDS - standard 32 - implementation guidance Refer to SLEDS - standard 33 - implementation guidance Refer to SLEDS - standard 34 - implementation guidance Refer to SLEDS standard 35 implementation guidance 27

28 12 Gov Government Services All parties providing a crime statistics service must ensure that the service complies with the Crime Statistics Data Security Standards. Statement of Objective Its out there! Managing government service arrangements To provide assurance that crime statistics data is protected when the agency engages with external parties. Protocol Refer to SLEDS protocol 3.1 Refer to SLEDS protocol 5.1 Refer to SLEDS protocol 6.1 Refer to SLEDS protocol 7.1 Refer to SLEDS protocol 8.1 Refer to SLEDS protocol 10.1 Refer to SLEDS protocol 11.1 Refer to SLEDS protocol 21.1 Refer to SLEDS protocol 39.1 Implementation Guidance Refer to SLEDS - standard 7 - implementation guidance Refer to SLEDS - standard 8 implementation guidance Refer to SLEDS standard 17 implementation guidance Refer to SLEDS standard 18 implementation guidance Refer to SLEDS standard 22 implementation guidance Refer to SLEDS standard 23 implementation guidance 28

29 Refer to SLEDS standard 24 implementation guidance Refer to SLEDS standard 25 implementation guidance Refer to SLEDS standard 26 implementation guidance Refer to SLEDS - standard 32 - implementation guidance Refer to SLEDS - standard 33 - implementation guidance 29

30 Chapter Two Information Security 13 Info Sec Protective Markings The Crime Statistics Agency must identify, categorise and apply protective markings to crime statistics data, commensurate with its sensitivity. Statement of Objective Value your information To ensure the agency applies consistent valuation criteria to crime statistics data and enable secure information sharing through the application of appropriate protective measures. Protocol Nil Implementation Guidance Refer to SLEDS standard 27 implementation guidance Refer to SLEDS standard 28 implementation guidance 30

31 14 Info Sec Information Lifecycle The Crime Statistics Agency must ensure that security measures are applied in accordance with the value of the crime statistics data, across all stages of the information lifecycle. Statement of Objective Managing your information, cradle to grave Information Lifecycle To ensure the agency protects the confidentiality, integrity and availability of crime statistics data at all stages of its lifecycle, regardless of media or format using security by design principles. Protocol Refer to SLEDS protocol 13.1 Implementation Guidance Refer to SLEDS standard 42 implementation guidance 31

32 15 Info Sec Information Sharing The Crime Statistics Agency must ensure that security measures are applied prior to sharing crime statistics data with an external party. Statement of Objective Get the balance right Balancing need to know with need to share To enable secure information sharing practices between parties and prevent the unauthorised sharing of official information. Protocol Refer to SLEDS protocol 3.1 Refer to SLEDS protocol 5.1 Refer to SLEDS protocol 6.1 Refer to SLEDS protocol 7.1 Refer to SLEDS protocol 8.1 Refer to SLEDS protocol 10.1 Refer to SLEDS protocol 11.1 Refer to SLEDS protocol 11.2 Refer to SLEDS protocol 11.3 Refer to SLEDS protocol 11.4 Refer to SLEDS protocol 11.5 Refer to SLEDS protocol 13.1 Refer to SLEDS protocol 15.1 Refer to SLEDS protocol 15.2 Refer to SLEDS protocol 21.1 Refer to SLEDS protocol 36.1 Refer to SLEDS protocol

33 Refer to SLEDS protocol 38.1 Refer to SLEDS protocol 39.1 Implementation Guidance Refer to SLEDS - standard 7 - implementation guidance Refer to SLEDS - standard 8 implementation guidance Refer to SLEDS standard 18 implementation guidance Refer to SLEDS standard 19 implementation guidance Refer to SLEDS standard 20 implementation guidance Refer to SLEDS standard 22 implementation guidance Refer to SLEDS standard 23 implementation guidance Refer to SLEDS standard 24 implementation guidance Refer to SLEDS standard 27 implementation guidance Refer to SLEDS standard 28 implementation guidance Refer to SLEDS standard 29 implementation guidance Refer to SLEDS - standard 32 - implementation guidance Refer to SLEDS - standard 33 - implementation guidance Refer to SLEDS standard 39 implementation guidance 33

34 Chapter Three Personnel Security 16 Per Sec Pre employment screening The Crime Statistics Agency must ensure that personnel security risks are effectively managed through pre-employment screening measures. Statement of Objective Check and balance Recruitment controls and personnel security checks To ensure the agency employs suitable and eligible persons, using approved personnel security screening measures prior to formal engagement. Protocol Refer to SLEDS protocol 4.1 Refer to SLEDS protocol 5.1 Refer to SLEDS protocol 8.1 Implementation Guidance Refer to SLEDS - standard 5 implementation guidance Refer to SLEDS - standard 8 implementation guidance Refer to SLEDS standard 29 implementation guidance 34

35 17 Per Sec Personnel Security Management The Crime Statistics Agency must, as part of an ongoing personnel security management regime, monitor all persons continued suitability and eligibility with access to crime statistics data. Statement of Objective Are you still eligible? Ongoing personnel management To maintain a secure environment by actively managing all persons, from pre-engagement through to their departure. Protocol Refer to SLEDS protocol 8.1 Implementation guidance Refer to SLEDS - standard 8 implementation guidance 35

36 Chapter Four ICT Security 18 ICT Sec System Lifecycle The Crime Statistics Agency must ensure that security measures are integrated and implemented through all stages of the ICT system development lifecycle. Statement of Objective Do it once, do it right System Lifecycle To ensure crime statistics data is protected through the use of secure ICT systems, applying repeatable and consistent security measures throughout the system development lifecycle (SDLC). Protocol Refer to SLEDS protocol 12.1 Refer to SLEDS protocol 15.1 Refer to SLEDS protocol 21.1 Implementation Guidance Refer to SLEDS standard 15 implementation guidance Refer to SLEDS standard 17 implementation guidance Refer to SLEDS standard 20 implementation guidance Refer to SLEDS standard 22 implementation guidance Refer to SLEDS standard 23 implementation guidance Refer to SLEDS standard 24 implementation guidance 36

37 Refer to SLEDS standard 25 implementation guidance Refer to SLEDS standard 26 implementation guidance Refer to SLEDS standard 30 implementation guidance 37

38 Chapter Five Physical Security 19 Phys Sec Environmental Security The Crime Statistics Agency must ensure physical assets designed to protect crime statistics data have integrated and updated security measures throughout the planning, selection, build and modification process. Statement of Objective You hold the key Protecting your assets To maintain a secure environment where crime statistics data is protected through physical security measures. Protocol Refer to SLEDS protocol 14.1 Refer to SLEDS protocol 14.2 Refer to SLEDS protocol 14.3 Refer to SLEDS protocol 14.4 Refer to SLEDS protocol 14.5 Implementation Guidance Refer to SLEDS standard 14 implementation guidance Refer to SLEDS standard 16 implementation guidance 38

39 20 Phys Sec Physical Security Lifecycle The Crime Statistics Agency must implement, monitor and review physical security measures in respect to the transfer, storage and disposal of crime statistics data. Statement of Objective Duty of care protecting official information assets To ensure the agency adopts and monitors effective physical security controls for the protection of crime statistics data. Protocol Refer to SLEDS protocol 13.1 Refer to SLEDS protocol 15.1 Refer to SLEDS protocol 15.2 Implementation Guidance Refer to SLEDS standard 15 implementation guidance Refer to SLEDS standard 17 implementation guidance Refer to SLEDS standard 18 implementation guidance Refer to SLEDS standard 19 implementation guidance Refer to SLEDS standard 22 implementation guidance Refer to SLEDS standard 42 implementation guidance 39

40 Part Three - Rosetta Stone VPDSF SLEDS (formerly CLEDS Standards) GOVERNANCE 1 Gov - Security Management Framework 1. Information Security Management Structure 2. Security Roles (Security Exec, ASA, ITSA) 40. Identify and document legal requirements 2 Gov - Risk Management 31. Risk Management Policy 3 Gov - Security Policies and Procedures 3. User Roles and Responsibilities 9. Access Control policy 11. Authorised and documented release of information 19. Clear desk and screen policy 24. Cryptographic policy and key management plans 27. Procedures for classifying information 28. Policy and protocols for protection of classified information 38. Formal exchange policies, procedures and controls 40. Identify and document legal requirements 4 Gov - Security Plans 31. Risk Management Policy 5 Gov - Personnel Security Obligations 3. User Roles and Responsibilities 4. Responsibilities in position descriptions 5. Confidentiality agreements and clauses 6 Gov - Information Access 6. Disciplinary system for breaches 9. Access Control policy 10. Monitoring access 7 Gov - Training and Awareness 7. Induction and security training 14. Physical controls of facilities 8 Gov - Business Continuity Management 16. Physical controls against service disruptions to infrastructure services 34. Business Continuity Plans 35. Testing and review of BCP

41 VPDSF SLEDS (formerly CLEDS Standards) 9 Gov - Security Incident Management 6. Disciplinary system for breaches 32. Reporting, escalation and response procedures for security incidents 33. Continual monitoring and improvement of incident management 39. Monitor compliance of third party agreements 10 Gov - Assurance 43. System for monitoring and audit for compliance against CLEDS standards 11 Gov - Contracted Service Providers 3. User Roles and Responsibilities 4. Responsibilities in position descriptions 5. Confidentiality agreements and clauses 6. Disciplinary system for breaches 7. Induction and security training 8. Suitable persons (need to know) and security checks 9. Access Control policy 10. Monitoring access 11. Authorised and documented release of information 13. Authorised and timely disposal 14. Physical controls of facilities 15. Physical transport controls of portable storage devices 16. Physical controls of facilities against service disruptions to infrastructure services 17. Protections for ICT infrastructure 18. Physical measures during storage, handling and transportation of information 19. Clear desk and screen policy 20. Controls over radio, remote computers and mobile devices 21. Secure remote access 22. Removal of portable storage devices when not required 23. Cryptographic controls implemented IAW government standards 24. Cryptographic policy and key management plans 25. Implement security controls when systems updated/refreshed/changed 26. Procedures to ensure security during development and maintenance 27. Procedures for classifying information 28. Policy and protocols for protection of classified information 41

42 VPDSF SLEDS (formerly CLEDS Standards) 29. Personnel security clearance requirements for access to classified information 30. Use of Government approved products and solutions 31. Risk Management Policy 32. Reporting, escalation and response procedures for security incidents 33. Continual monitoring and improvement of incident management 34. Business Continuity Plans 35. Testing and review of BCP 36. Authorised third party access 37. Formal exchange agreements with third parties 38. Formal exchange policies, procedures and controls 39. Monitor compliance of third party agreements 12 Gov - Government Services 3. User Roles and Responsibilities 5. Confidentiality agreements and clauses 6. Disciplinary system for breaches 7. Induction and security training 8. Suitable persons (need to know) and security checks 10. Monitoring access 11. Authorised and documented release of information 17. Protections for ICT infrastructure 18. Physical measures during storage, handling and transportation of information 21. Secure remote access 22. Removal of portable storage devices when not required 23. Cryptographic controls implemented IAW government standards 24. Cryptographic policy and key management plans 25. Implement security controls when systems updated/refreshed/changed 26. Procedures to ensure security during development and maintenance 32. Reporting, escalation and response procedures for security incidents 33. Continual monitoring and improvement of incident management 39. Monitor compliance of third party agreements CORE DOMAINS 42

43 VPDSF SLEDS (formerly CLEDS Standards) INFORMATION SECURITY 13 Info Sec Protective Markings 27. Procedures for classifying information 28. Policy and protocols for protection of classified information 14 Info Sec - Information Lifecycle 13. Authorised and timely disposal 42. Protection of records regarding CIA 15 Info Sec - Information Sharing 3. User Roles and Responsibilities 5. Confidentiality agreements and clauses 6. Disciplinary system for breaches 7. Induction and security training 8. Suitable persons (need to know) and security checks 10. Monitoring access 11. Authorised release of information 13. Authorised and timely disposal 15. Physical transport controls of portable storage devices 18. Physical measures during storage, handling and transportation of information 19. Clear desk and screen policy 20. Controls over radio, remote computers and mobile devices 21. Secure remote access 22. Removal of portable storage devices when not required 23. Cryptographic controls implemented IAW government standards 24. Cryptographic policy and key management plans 27. Procedures for classifying information 28. Policy and protocols for protection of classified information 29. Personnel security clearance requirements for access to classified information 32. Reporting, escalation and response procedures for security incidents 33. Continual monitoring and improvement of incident management 36. Authorised third party access 37. Formal exchange agreements with third parties 38. Formal exchange policies, procedures and controls 39. Monitor compliance of third party agreements PERSONNEL SECURITY 43

44 VPDSF SLEDS (formerly CLEDS Standards) 16 Per Sec Pre employment Screening 4. Responsibilities in position descriptions 5. Confidentiality agreements and clauses 8. Suitable persons (need to know) and security checks 29. Personnel security clearance requirements for access to classified information 17 Per Sec - Personnel Security Management 8. Suitable persons (need to know) and security checks ICT SECURITY 18 ICT Sec - System Lifecycle 12. Minimum electronic transfer measures 15. Physical controls of portable storage devices 17. Protections for ICT infrastructure 20. Controls over radio, remote computers and mobile devices 21. Secure remote access 22. Removal of portable storage devices when not required 23. Cryptographic controls implemented IAW government standards 24. Cryptographic policy and key management plans 25. Implement security controls when systems updated/refreshed/changed 26. Procedures to ensure security during development and maintenance 30. Use of Government approved products and solutions PHYSICAL SECURITY 19 Phys Sec - Environmental Security 14. Physical controls of facilities 16. Physical controls of facilities against service disruptions to infrastructure services 20 Phys Sec Physical Security Lifecycle 13. Authorised and timely disposal 15. Physical transport controls of portable storage devices 17. Protections for ICT infrastructure 18. Physical measures during storage, handling and transportation of information 19. Clear desk and screen policy 22. Removal of portable storage devices when not required 42. Protection of records regarding CIA 44

45 VPDSF SLEDS (formerly CLEDS Standards) SLEDS sections not covered: 41. Controls for legal, regulatory and contractual compliance regarding IP and proprietary software 45

46 Part Four SLEDS Protocols and implementation guidance SLEDS PROTOCOL SLEDS IMPLEMENTATION GUIDANCE SLEDS Standard 1 Implementation Guidance Establishing a management framework is essential to initiate and control the implementation of information security. Such a framework defines a structure, which support the Crime Statistics Agency to implement effective and coordinated security for crime statistics data. Documenting a security framework assists users and management to quickly and easily identify where and with whom (usually on a position-basis) all Crime Statistics Agency responsibilities reside in relation to the security of crime statistics data. Effective implementation of information security requires demonstrated management support. Visible and active support for security across the organisation can be achieved through demonstrated commitment, clear direction, and the assignment and acknowledgment of information security responsibilities. In particular management should: a) provide clear direction and visible support for security initiatives, identify information security goals, and tailor these to meet Crime Statistics Agency

47 requirements b) ensure information security policy is developed, reviewed, and approved c) ensure availability of resources needed for information security d) assign specific roles and responsibilities for information security across the Crime Statistics Agency e) initiate plans and programs to maintain information security awareness f) ensure that the implementation of information security controls is coordinated across the Crime Statistics Agency. The implementation of information security is not solely the responsibility of users and security staff but requires the collaboration of management, administration staff, developers and specialist staff (including auditors, insurance, legal, human resource, education and security personnel). The coordination of information security involves: a) developing and approving methodologies and processes for reviewing information security, such as: assessing the adequacy and coordinating the implementation of information security controls, and risk assessment to identify significant threat changes and exposure of information and information processing facilities to threats b) ensuring that security activities are executed in compliance with an information security policy and a mechanism to respond to non-compliance exists c) evaluating information received from monitoring and reviewing of information security incidents and recommending appropriate actions in 47

48 response to identified information security incidents d) effectively promoting information security education, training and awareness throughout the organisation. It is very important to establish a single point of coordination regarding security of crime statistics data and security more generally. Whilst not necessarily ultimately responsible for security, a single point of coordination will assist in ensuring a holistic and integrated approach. SLEDS Standard 2 Implementation Guidance It is essential that the Crime Statistics Agency designates a senior executive to have overall responsibility for the security of crime statistics data. Given that Crime Statistics Agency crime statistics data includes Australian Government classified information, an agency security advisor (ASA) and information technology security advisor (ITSA) are also required under the Australian Government Protective Security Policy Framework. These two positions may be designated as responsible for the security of all crime statistics data or just protectively marked Australian Government data. The security executive is a member of the executive management group designated as responsible for the ongoing development of the Crime Statistics Agency s security policy and the oversight of all matters relating to information security, including crime statistics data. The security executive is responsible for providing high-level guidance to the ASA and the ITSA and should also report to the Chief Statistician on information security procedures, incidents and matters of interest or concern. The role of the agency security advisor is to manage and coordinate the Crime Statistics Agency s information security functions on a day-to-day 48

49 basis. The role of the information technology security advisor is to oversee Information Communications Technology (ICT) security within the Crime Statistics Agency, including overseeing the security of information that is stored electronically or otherwise dealt with using the Crime Statistics Agency s ICT systems. Both the ASA and the ITSA should report to the security executive who should, in turn, report to the Chief Statistician. In addition to possessing general information security qualifications, knowledge and experience commensurate with the role, both the ASA and the ITSA must be trained in Australian Government and the Crime Statistics Agency protective security policy, principles and minimum standards. Both positions should be sufficiently senior to enable the respective office holders to effectively develop and implement protective security arrangements for the Crime Statistics Agency in conjunction with senior management. SLEDS Protocol 3.1 The Crime Statistics Agency s Information Security Policy must be approved by the Chief Statistician, be published and communicated to all Crime Statistics Agency employees, contractors, consultants and approved third parties and contain statements relevant to access to, and release of crime statistics data including: a) a definition of general and specific responsibilities for the secure management of crime statistics data including reporting information security incidents b) a statement of management intent, supporting the goals and principles of SLEDS Standard 3 Implementation Guidance Further advice on the process for reviewing an information security policy is available in Section of the ISO/IEC 27002, Code of practice for information security controls,

50 crime statistics data security in line with the Crime Statistics Agency business strategy and objectives c) a brief explanation of the security policies, principles, standards and compliance requirements of particular importance to the Crime Statistics Agency, including: compliance with any relevant legal requirements, including legislative, regulatory and contractual requirements information security education, training and awareness requirements the consequences of information security breaches. Information security roles and responsibilities must include the requirement to: a) implement and act in accordance with the Crime Statistics Agency s information security policies b) protect assets from unauthorised access, release, modification, destruction or interference c) ensure responsibility is assigned to the individual for actions taken by that individual. The information security policy must be communicated throughout the Crime Statistics Agency to all who access crime statistics data in a form and manner that is relevant, accessible and understandable to the intended reader. The information security policy must be reviewed at regular planned intervals or when significant changes occur, to ensure its continuing suitability, adequacy and effectiveness. The Crime Statistics Agency must ensure that agreements with approved third parties include the requirement for the development of an information 50

51 security policy which specifies adherence to the requirements detailed in Protocol 3.1, as they would apply to the approved third party. SLEDS Protocol 4.1 Job descriptions and documentation prepared for the engagement of employees, consultants and contractors must include reference to the Crime Statistics Agency s information security policy and briefly outline the information security principles, standards and compliance requirements of particular importance to the Crime Statistics Agency. All position advertisements and background documentation prepared for employees, contractors and consultants must contain a reference to the appointment being dependent upon a full security check, including fingerprinting. The Crime Statistics Agency must ensure that agreements with approved third parties include the requirement that information security responsibilities be addressed in job descriptions or in relevant background documentation provided for positions that will require access to crime statistics data. SLEDS Protocol 5.1 The Crime Statistics Agency must ensure that Crime Statistics Agency employees, contractors, consultants and approved third parties agree to terms and conditions concerning information security appropriate to the nature and extent of access they will have to the organisation s crime statistics data assets. The terms and conditions of the agreement must reflect the Crime Statistics SLEDS Standard 5 Implementation Guidance In addition to the protocols above, Codes of Conduct of the Crime Statistics Agency and the State Public Service may also be used to address the responsibilities of Crime Statistics Agency employees and contractors, regarding confidentiality, data protection, ethics, appropriate use of Crime Statistics Agency s assets and facilities, as well as reputable practices expected by the Crime Statistics Agency. 51