Victorian Government Information Management

1
Victorian Government Information Management
Security Policy

• Peter Mason
• Enterprise Architecture Standards
• Government Services Group

2
Who is Peter Mason and why is he here?

• Peter Mason, MACS(Snr), SA Fin, MAICD, RANR
• Head of Enterprise Architecture Standards,
  Government Services Group, Department of Treasury
  Finance
• GSG Mission - Lead the Whole of Victorian
  Government (WoVG) to improve its operational
  efficiency, through the provision of enabling
  services
• GSG Technology Mission - Providing technology
  policy and standards direction and leadership in
  consultation with technology stakeholders across
  WoVG

3
Presentation alternative titles?

• Diligence versus Negligence
• Create an environment of information management
  diligence
• Protection not Prevention
• Create and environment where information is
  managed and protected
• The end of Plausible Deniability
• The cat is out of the bag
• The secrets out
• The monkey is out of the bottle
• The policy is published

4
Policy, Standards Guidelines 101

• Policy
• A policy is a deliberate plan of action to guide
  decisions and achieve rational outcome
• Standards
• Supports Policy
• Mandatory compliance within the Policy domain
• Specifies performance criteria
• May be multiple Standards supporting a Policy
• Guidelines
• Outlines a recommended way of complying with a
  Standard

5
GSG Advisory Note, 9 April 2009
6
Information Security Management Policy

• SEC/POL/01
• Statement of the Policy
• Victorian Government Departments and Agencies
  will use identified and approved Whole of
  Victorian Government (WoVG) standards and
  guidelines to manage ICT security appropriate to
  the sensitivity of information and assets to be
  protected.
• Scope 10 inner budget departments and agencies -
  Victoria Police, VicRoads, State Revenue Office
  and Environment Protection Authority
• Date of Effect 1 Jul 2005
• Next review date 31 Dec 2009
• http//www.gsgictonline.dtf.vic.gov.au/

7
Information Security Data Classification
Management SEC/STD/02

• Background
• In July 2007, Minister Holding established the
  Victorian Government Risk Management Framework -
  personal annual attestation by each agency head
• In December 2008, Helen Silver, Secretary DPC
  wrote to department and agency heads recommending
  adoption of the Protective Security Manual (PSM)
  for securing classified non-national information
• Existing Federal-State MOU covers securing
  classified national information

8
Part C Information Security Information
collected and generated by Government agencies,
including individuals private information and
security classified information, requires
adequate protection. Part C of the PSM provides
agencies with guidance on the development of
security policies that address the issues of
awareness, responsibility, behaviour and
deterrence to ensure official information is not
compromised. This includes the need for agencies
to be cognizant of their obligations under
relevant legislation such as the Privacy Act 1988
and the Freedom of Information Act 1982.
9
Information Security Data Classification
Management SEC/STD/02

• Principles
• Business is the custodian of information,
  therefore, only the business can own the risk
  associated with information
• Business defines its risk appetite and manages
  risk accordingly
• ICT manages electronic information on behalf of
  the business within the business defined risk
  appetite
• Requirement
• Business assess and classify information under
  PSM guidance
• Business formally signs off on risk plan
  acceptance
• ICT units design solutions using ICT Security
  Manual (ISM) as a guide, within risk plan
• SEC/STD/02 applies to all new work (retrospective
  discretion)

10
(No Transcript)
11
Information Security Management Framework
SEC/STD/01

• This standard updates and replaces existing an
  standard approved in July 2005
• Updates to standards from ISO17799.2 to ISO27001
  and ISO17799 to ISO27002
• Changes compliance requirement from discretionary
  to a requirement to submit proposed ISMF
  compliance plan to GSG within six months for
  endorsement
• Requirement for reporting to GSG six monthly on
  actual progress to GSG endorsed plan
• Full compliance is the stated goal, BUT
• The journey is what its really about build and
  execute a plan
• Start on gradual, planned and coordinated
  improvement.

12
Information Security Management Framework
SEC/STD/01

• Requirement Develop an Information Security
  Management Framework (ISMF) consisting of
• Information Security Policy high level security
  document covering the principal security
  objectives of the organisation (refer ISO 27002
  Section 5 as a guide)
• Information Security Management System (ISMS)
  description of the organisational ISMS and its
  operation (effectively ISO 27001)
• Risk Assessment Report a risk assessment
  performed on the scope of the organisations ISMS
• Statement of Applicability A description of
  each of the 132 controls within ISO 27001 and how
  they are achieved in the organisation

13
Information Security Standards Snapshot
14
WoVG Information Security Timeline
WoVG fully ISO Information Security Management
certified
Common DAs ISO 27001 certification. Common WoVG
IDAM compliance for internals externals. Common
PSM / ISM compliance
Some areas of some DAs obtain ISO 27001
certification. Emerging WoVG IDAM compliance for
internals externals. Emerging systemic DA PSM
/ ISM compliance
WoVG DA Business Governance of InfoSec in
place. DA InfoSec structures in place. Defined
ISMS and compliant with IDAM (internals) and PSM
Classification (new).
Organisational Maturity (CMMI)
WoVG InfoSec Standards approved - incl.
IDAM. (ISO 27001 PSM / ISM IDAM)
Time (years)
10
5
2.5
7.5
15
WoVG Information Security Maturity
CMMI for InfoSec / IDAM Processes by Departments
Agencies
PSM ISM
Five
5Optimized
Focus on continual improvement of
process performance (incremental and
innovative).
Four
4...Managed
Use of process metrics to control 'As Is'
(monitor measure). Controlled
adjustments and adaptations.
Three
IdAM Standards Authentication for VPS
3Defined
Sets of defined and standard processes
- improved over time.These are 'As-Is'
processes across the entire
organisation.
Two
2...Repeatable
Some processes repeatable, possibly
with consistent results.Process
discipline unlikely to be rigorous
One
1...Ad-hoc
Undocumented, uncontrolled and
reactive. (chaotic)
Departments (or Agencies) 1 to 14
16
Why standards?

• As information is more widely shared across
  government departments and agencies, information
  security is a critical risk management decision
  that will impact on business process and IT
  solution design.
• By using the standards, departments and agencies
  can benefit from
• a standardised approach in managing information
  security
• reduced risk in information leakage, and
• increased ability to share information faster and
  at lower cost within and across departments and
  agencies through
• greater responsiveness and flexibility
• reuse of existing common infrastructure

17
Guidelines, where?

• Information Security Management Framework
  (SEC/STD/01)
• A template for the Information Security
  Management Framework (ISMF) and its four key
  components is under development
• Information Security - Data Classification and
  Management (SEC/STD/02)
• Guideline on how to security-classify information
  is under development
• Guideline on reporting security-classified
  systems to GSG is under development

18
For copies of the Policy and Standards http//w
ww.gsgictonline.dtf.vic.gov.au/ orsend email to
ict.enquiries_at_dtf.vic.gov.au
19
Questions?

• For further information
• http//www.gsgictonline.dtf.vic.gov.au/
• gt ICT policies standards and guidelines
• gt Information security
• GSG ICT Enquiries - ict.enquiries_at_dtf.vic.gov.au
• Peter Mason peter.j.mason_at_dtf.vic.gov.au
• David Hart david.j.hart_at_dtf.vic.gov.au