ISMF Standard 141 Endpoint Protection. OCIO/S4.6 Government standard on cyber security




ISMF Standard 141
OCIO/S4.6 Government standard on cyber security
Prepared by: Office of the Chief Information Officer
Version: v1.0
Date: 12 September 2014

GOVERNMENT STANDARD ON CYBER SECURITY OCIO/S4.6

Confidentiality: Public
Version: 1.0
Status: Final
Audience: SA Government Agencies; Suppliers to SA Government
Compliance: Mandatory
Creator: Office of the Chief Information Officer
Mandate/Authority: Security and Risk Steering Committee
Original Authorisation Date: 01 August 2014
Last Updated and Approved: 01 August 2014
Issued: 12 September 2014
Not Applicable
Primary Contact: Security and Risk Assurance, Office of the Chief Information Officer, Tel: +61 (8) 8463 4003

Coverage: The South Australian public authorities required to adhere to this standard are defined in OCIO/F4.1 Government framework on cyber security, Information Security Management Framework [ISMF]. This standard is intended for use by South Australian Government agencies and suppliers to Government whose contractual obligations require them to comply with this document.

Disclaimer: Reliance upon this policy or standard by any other person is entirely at their own risk and the Crown in the right of South Australia disclaims all responsibility or liability to the extent permissible by law for any such reliance.

To attribute this material, cite the Office of the Chief Information Officer, Government of South Australia, ISMF Standard 141. This work is licensed under a Creative Commons Attribution 3.0 Australia Licence. Copyright South Australian Government, 2014.

OCIO/S4.6 version 1.0 Page 2 of 10

DOCUMENT TERMINOLOGY AND CONVENTIONS

The terms that are used in this document are to be interpreted as described in Internet Engineering Task Force (IETF) RFC 2119, "Key words for use in RFCs to Indicate Requirement Levels" [1]. The RFC 2119 definitions are summarised below.

MUST: This word, or the terms "REQUIRED" or "SHALL", means that the definition is an absolute requirement of the specification.
MUST NOT: This phrase, or the phrase "SHALL NOT", means that the definition is an absolute prohibition of the specification.
SHOULD: This word, or the adjective "RECOMMENDED", means that there may exist valid reasons in particular circumstances to ignore a particular item, but the full implications must be understood and carefully weighed before choosing a different course.
SHOULD NOT: This phrase, or the phrase "NOT RECOMMENDED", means that there may exist valid reasons in particular circumstances when the particular behaviour is acceptable or even useful, but the full implications should be understood and the case carefully weighed before implementing any behaviour described with this label.
MAY: This word, or the adjective "OPTIONAL", means that an item is truly optional.

[1] www.ietf.org/rfc/rfc2119.txt?number=2119

DOCUMENT CONTROL

Document location: Q:\SecurityRiskAssurance\Policy Development Sub-program\Policy and Standards\ISMF\ISMFv3.2\
Electronic records management information: File Folder Number: OCIO08/0073/0003; Document Number: 8092515

Author(s) and function / role:
Jason Caley, Principal Policy Adviser, Security and Risk Assurance
Anthony Stevens, Senior Analyst, Security and Risk Assurance

Release details:
Version 1.0, September 2014: Initial release accompanying issue of ISMF v3.2.0

Distributed to:
Version 1.0, September 2014: Published to http://dpc.sa.gov.au/

CLASSIFICATION
Confidentiality: PUBLIC-I2-A1
Description: No harm could be caused to an organisation or individual and no unfair advantage could be given to any entity and no violation would occur to somebody's right to privacy. Integrity 2 with low availability requirements.
Circulation limit: Unrestricted access.

TABLE OF CONTENTS
1. AUTHORITY
2. CONTEXT
2.1. Background
2.2. History
3. SCOPE
4. TERMS AND ABBREVIATIONS
4.1. Terms
5. IMPLEMENTATION
5.1. ISMF Standard 141
5.2. Business Controls
6. REFERENCES AND LINKS

1. AUTHORITY

This document states the standard of the Government of South Australia with respect to endpoint protection. Implementation of this standard supports the objectives of ISMF Policy Statement 18.

Policy Statement 18: Responsible Parties shall undertake an active role in protecting information assets from exposure to malicious software and scripts including but not limited to: implementing controls to prevent and restrict the proliferation of virus and trojan software, educating personnel in the risks associated with the use and/or introduction of unauthorised software products, and, where appropriate, introducing custom controls to detect or prevent its introduction.

2. CONTEXT

2.1. Background

Dependence on information systems and services means agencies are more vulnerable to security threats. The interconnecting of public and private networks and sharing of information resources increases the difficulty of achieving access control. Reliance on technical means alone to provide comprehensive security is unrealistic; it needs to be supported by appropriate management of Information Assets.

Generally, the weakest point in any information system is where the operating environment is accessible to users, typically via an endpoint. Protecting these endpoints requires a combination of technology controls (both hardware and software), comprehensive policies which outline users' responsibilities, and ongoing education to ensure users (and Business Owners) are aware of the risks and the threats.

2.2. History

This standard has no direct predecessors. It is an evolution and replacement of the former Threat Protection Standard (OCIO/S6.8.1 Technology Threat Protection, Infrastructure Threat Protection Software Standard). Shifting technology emphasis from centralised computing and traditional client-server desktop environments to mobile devices (e.g. tablets, smartphones, portable PCs) has led to a requirement to consider endpoints in a variety of situations. This standard brings to the fore a number of protection measures which are derived from and described within the ISO/IEC 27002 code of practice.

3. SCOPE

This standard encompasses all Government of South Australia data and information. The ISMF and all security Bulletins, Notifications and standards issued under it shall apply, unless otherwise advised, to all bodies that are:

- South Australian Government public sector agencies (as defined in the Public Sector Act 2009), that is, administrative units, bodies corporate, statutory authorities, and instrumentalities of the Crown. Public sector agencies are herein referred to as "Agencies"; OR
- Suppliers to the South Australian Government or its Agencies that have contractual conditions which require compliance to the ISMF as described in section 2.1 of the ISMF.

The ISMF and all security Bulletins, Notifications and standards issued under it shall apply to:

- All information processed, stored or communicated by ICT equipment, where that information is either: Official Information of the South Australian Government or its Agencies; or Information of which the South Australian Government or any of its Agencies has custody [2]
- Information as described above which Suppliers that have contractual conditions that require compliance to the ISMF as described in section 2.1 of the ISMF hold on behalf of the South Australian Government or any of its Agencies
- Anything that acts upon an ICT asset, including creating, controlling, validating, and otherwise managing the ICT asset throughout the lifecycle of the asset.

4. TERMS AND ABBREVIATIONS

4.1. Terms

Responsible Party is used in two contexts within the ISMF. These are:

- An Agency: the internal to government body that retains ultimate responsibility for all aspects covered by the Information Security Management Framework [ISMF] as it relates to a particular agency and its information assets.
- A Supplier: an external to government entity that is typically responsible for compliance with the ISMF by way of a contractual agreement that contains clauses requiring security of Agency information and the regulation of access to an Agency's information assets.

The term Supplier shall be read as Suppliers who are subject to contractual conditions that require them to comply with the ISMF unless another intention is apparent.

[2] Note the definition of custody in the ISMF differs from the State Records interpretation.

When a Supplier has contracted with the State, the provisions of the ISMF will apply to the Supplier either:

- under the terms of a Purchasing Agreement for whole of Government contracts and associated Customer Agreements; or
- by way of an individual contract with an Agency whereby the Agency has specified the parts of its Information Security Management System [ISMS] for which compliance is sought.

It should be noted that Agency Chief Executives retain ultimate accountability for all security matters within their agencies. The application of the ISMF to a Supplier via a contract with the State or Agency shall not absolve the Agency from these obligations and responsibilities.

Responsible Parties includes both Agencies and Suppliers who are subject to contractual conditions that require them to comply with the ISMF. Where any ambiguity arises between these entities in relation to adherence to the ISMF, the Agency Controls implemented in the Customer Agreement shall prevail (i.e. the Agency remains the default party and the Customer Agreement is used as the vehicle for setting the scope and requirements for the Supplier to comply with either the entirety of the ISMF or part(s) thereof. The Customer Agreement may also introduce additional Agency-specific controls and policies that the Supplier must comply with).

Business Owner represents the person or group that is ultimately responsible for an information asset. This person or group is distinct from an information custodian, who may take responsibility for the ongoing management of the information (such as a CIO or system administrator). Individual business units should own business critical information, rather than information technology or information security departments (they are custodians, not owners). The manager of the business unit responsible for the creation of any information and/or the business unit directly impacted by the loss of the information is usually the Business Owner. A Business Owner or group of Business Owners must be identified for each information asset.

Endpoint means any device that is the final interface at the edge of a network and directly used, managed or accessed by a person or persons. These devices may include desktop PCs, laptops, tablets, smartphones, point of sale terminals, thin-client terminals, etc.

Endpoint Protection refers to the security measures implemented for user accessible devices at the edge of a network that may contain, or provide access to, information for an end user.

5. IMPLEMENTATION

5.1. ISMF Standard 141

Agencies must establish and maintain security measures that ensure proportionate protection of Endpoint devices relative to the confidentiality, integrity and availability classification of information being accessed or processed on such devices.

5.2. Business Controls

The following general guidance applies regardless of the classification levels of the information assets:

S141.1 Responsible Parties shall deploy and maintain appropriate anti-virus/anti-malware solutions encompassing Endpoint devices (ISMF Standards 54 and 55)
S141.2 Responsible Parties shall maintain the operating system and installed applications with relevant patches as provided by the manufacturer (ISMF Standard 121, Control S134.3)
S141.3 Responsible Parties should establish procedures for the granting and revocation of administrative privileges while discouraging their use unless explicitly required (ISMF Standard 78)
S141.4 Agencies should consider implementing application whitelisting, to prevent the use of applications that are not sanctioned by the business, have not been adequately tested or are not required by the user to perform their duties (Control S54.1)
S141.5 Agencies should remove or otherwise disable non-essential software and functionality that are not required by the user (e.g. autorun, IPv6). Such measures should also take into account browser and web navigation plug-ins (e.g. Java, Shockwave, Flash etc.) (ISMF Standard 54)
S141.6 Agencies shall establish specific controls to prevent unauthorised access to mobility devices (ISMF Standard 101)
S141.7 Responsible Parties should consider additional controls for unattended equipment (ISMF Standard 82)
S141.8 Responsible Parties shall implement session/inactivity timeouts on all Endpoint devices (ISMF Standard 97)

Additional controls based on DLMs and protective markings:

Classification: [P] Protected; [SC] Sensitive: Cabinet; [I4] Integrity 4
Additional controls:
S141.9 Endpoint devices must not be connected to public internet WiFi hotspots (irrespective of whether they are free or for-fee services).
S141.10 Endpoint devices must not be connected to Internet Kiosks and other generally accessible public facilities.
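The controls in 5.2 are written as requirements, not as settings, so an auditor still has to decide what evidence on a device satisfies each one. The PowerShell script below is an example added to this page, not code from the standard or from the OCIO: it maps S141.1 to S141.5 and S141.8 onto read-only checks that a Windows endpoint can run against itself and reports a PASS/FAIL per control. Everything it assumes is an illustration rather than something the standard prescribes: Windows 10 / Server 2016 or later, Windows Defender as the anti-malware product, AppLocker as the whitelisting mechanism, the registry locations it reads, and the thresholds it applies (signatures no older than 3 days, a hotfix within 45 days, an idle timeout of at most 900 seconds, and a local Administrators allow-list of "Administrator" and "Domain Admins").

```powershell
# Added example (not part of ISMF Standard 141): a read-only compliance check that maps
# the technical business controls S141.1 to S141.5 and S141.8 onto concrete Windows
# endpoint settings. Assumptions: Windows 10 / Server 2016 or later, Windows Defender
# as the anti-malware product, AppLocker for whitelisting, and thresholds (signature age,
# patch age, idle timeout, admin allow-list) chosen for illustration, not by the standard.
# Run from an elevated PowerShell session; the exit code is the number of failed checks.

$results = New-Object System.Collections.Generic.List[object]

function Add-Result {
    param([string]$Control, [bool]$Pass, [string]$Detail)
    $results.Add([pscustomobject]@{
        Control = $Control
        Status  = $(if ($Pass) { 'PASS' } else { 'FAIL' })
        Detail  = $Detail
    })
}

# Read a registry value, returning $null (not an error) when the key or value is absent.
function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

# S141.1 anti-malware deployed, real-time protection on, signatures current (3-day limit assumed).
try {
    $mp = Get-MpComputerStatus -ErrorAction Stop
    $ok = $mp.AntivirusEnabled -and $mp.RealTimeProtectionEnabled -and ($mp.AntivirusSignatureAge -le 3)
    Add-Result 'S141.1' $ok "AV=$($mp.AntivirusEnabled) RealTime=$($mp.RealTimeProtectionEnabled) SigAgeDays=$($mp.AntivirusSignatureAge)"
} catch {
    Add-Result 'S141.1' $false 'Defender status unavailable; verify the installed anti-malware product manually'
}

# S141.2 patching: fail if the newest installed hotfix is older than 45 days (assumed threshold).
$lastFix = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
$patchOk = ($null -ne $lastFix) -and ($lastFix.InstalledOn -gt (Get-Date).AddDays(-45))
Add-Result 'S141.2' $patchOk ("Newest hotfix: {0} installed {1}" -f $lastFix.HotFixID, $lastFix.InstalledOn)

# S141.3 administrative privileges: any member of local Administrators outside the assumed
# allow-list is flagged for review against the agency's granting/revocation procedure.
$allowedAdmins = @('Administrator', 'Domain Admins')
try {
    $admins = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop | ForEach-Object { ($_.Name -split '\\')[-1] })
    $extra = @($admins | Where-Object { $allowedAdmins -notcontains $_ })
    Add-Result 'S141.3' ($extra.Count -eq 0) ("Local Administrators: {0}" -f ($admins -join ', '))
} catch {
    Add-Result 'S141.3' $false "Could not enumerate local Administrators: $($_.Exception.Message)"
}

# S141.4 application whitelisting: the effective AppLocker policy must enforce (not just audit) an Exe rule collection.
try {
    [xml]$policy = Get-AppLockerPolicy -Effective -Xml -ErrorAction Stop
    $exe = $policy.AppLockerPolicy.RuleCollection | Where-Object { $_.Type -eq 'Exe' }
    $mode = if ($exe) { $exe.EnforcementMode } else { 'absent' }
    Add-Result 'S141.4' ($mode -eq 'Enabled') "AppLocker Exe collection: $mode"
} catch {
    Add-Result 'S141.4' $false 'AppLocker policy unavailable; no application whitelisting detected'
}

# S141.5 non-essential functionality: AutoRun off for all drive types (NoDriveTypeAutoRun = 0xFF),
# IPv6 components disabled (DisabledComponents = 0xFF), and no Java/Flash/Shockwave plug-ins installed.
$autorun = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' 'NoDriveTypeAutoRun'
Add-Result 'S141.5a' ($autorun -eq 0xFF) "NoDriveTypeAutoRun=$autorun"
$ipv6 = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters' 'DisabledComponents'
Add-Result 'S141.5b' ($ipv6 -eq 0xFF) "Tcpip6 DisabledComponents=$ipv6"
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$plugins = @(Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match 'Java|Adobe Flash|Shockwave' } |
    Select-Object -ExpandProperty DisplayName)
Add-Result 'S141.5c' ($plugins.Count -eq 0) ("Browser plug-ins found: {0}" -f $(if ($plugins) { $plugins -join ', ' } else { 'none' }))

# S141.8 inactivity timeout: either the machine-wide InactivityTimeoutSecs policy or a
# password-protected screen saver policy for the user, within 15 minutes (assumed ceiling).
$maxIdle = 900
$machineIdle = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'InactivityTimeoutSecs'
$ssPath = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$ssTimeout = Get-RegValue $ssPath 'ScreenSaveTimeOut'
$ssSecure  = Get-RegValue $ssPath 'ScreenSaverIsSecure'
$idleOk = ($machineIdle -and [int]$machineIdle -gt 0 -and [int]$machineIdle -le $maxIdle) -or
          ($ssTimeout -and [int]$ssTimeout -gt 0 -and [int]$ssTimeout -le $maxIdle -and "$ssSecure" -eq '1')
Add-Result 'S141.8' $idleOk "InactivityTimeoutSecs=$machineIdle ScreenSaveTimeOut=$ssTimeout ScreenSaverIsSecure=$ssSecure"

# S141.6, S141.7, S141.9 and S141.10 are physical or behavioural controls (mobility devices,
# unattended equipment, public WiFi and kiosks) and cannot be verified from the host's own state.
$results | Format-Table -AutoSize
$failed = @($results | Where-Object { $_.Status -eq 'FAIL' }).Count
Write-Output "$failed control check(s) failed"
exit $failed
```

A PASS is evidence that a setting is present, not that the control is effective: an AppLocker Exe collection in AuditOnly mode is reported as a failure because it logs rather than blocks, and an anti-malware product other than Defender will need its own status query in place of Get-MpComputerStatus. The allow-list for S141.3 should come from the agency's privilege-granting procedure rather than being hard-coded as it is here.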

6. REFERENCES AND LINKS

ISMF Guideline 18 - Endpoint protection (incl. smartphones and portable devices)
OCIO/F4.1 Government of South Australia Information Security Management Framework [ISMF]
Government of South Australia Protective Security Management Framework [PSMF], issued as Premier and Cabinet Circular No. 30
AS/NZS ISO/IEC 27002:2006 Information Technology - Security techniques - Code of Practice for Information Security Management
Application Whitelisting Explained, Australian Signals Directorate, Australian Government, Canberra.