
Information Security Management Policy

Purpose
This policy defines the objectives, accountabilities and application of information security management in the Department of . . ..

Replaces

<Previous Policy Document>

Commences

<date>

File:

<file reference or policy number>

Scope
This policy covers the management of security for Department information, including technology infrastructure, information systems, business information systems, and the systems and services that store, process and communicate Department information.

Principle
The <Director General/Chief Executive Officer/Commissioner> is accountable for use of Department resources and for ensuring the requirements for information security are satisfied in accordance with the principles of risk management, including:
- protecting the availability, confidentiality and integrity of information;
- control of access to and proper use of information and information systems;
- authentication of users; and
- non-repudiation of electronic transactions.

Responsibility
The Department's Corporate Executive Committee is responsible for overseeing this policy.
Staff members, including contractors and consultants, are responsible for ensuring they comply with this policy.
Custodian: Director, Information Services    Date:
Endorser: Executive Director, Corporate Services    Date:
Approver: Director General    Date:

Copyright 2010 The State of Western Australia


279039628.doc

Page 1 of 12

Department of . . .

1. Policy
The Department of . . . is responsible for the security of its information and information systems.

2. Objectives
To ensure that Department requirements for information security are satisfied in accordance with the principles of risk management:
a. the control of access to and proper use of information and information systems
b. the availability, confidentiality and integrity of information
c. the authentication of users
d. the non-repudiation of electronic transactions

3. Definition
Department information means:
a. any official information, government record or personal information (see the Criminal Code, the State Records Act 2000 (WA), Freedom of Information Act 1992)
b. which is created or obtained by the Department, stored by the Department or on Department facilities

Department resources includes:
a. official information, equipment and facilities (see the Public Sector Management Act (1994), section 9(b))

4. Application
a. The Department will adopt relevant standards for information security management and risk management, including WA Government guidelines
b. Compliance with these guidelines is to be managed by the Information Security Group
c. Compliance means:
- regular reviews of security exposures
- investigation of security infringements, as required
- an ongoing action plan to achieve continuous improvement in security, within the operational budget allocation
d. The Department's framework for information security management is summarised in the appendices. <Departments should include policy lists and delegations>


5. Accountabilities and Responsibilities

5.1. The Director General
a. Is accountable for Department compliance with this information security management policy
b. Shall establish a management group to approve information security policies, standards and procedures, and to supervise the management of the information security management process.
5.2. Director, Information Services
The Director, Information Services is responsible for:
a. Information
b. Information infrastructure
c. Information policies
5.3. Information Security Group
The Information Security Group is responsible for:
a. formulating and managing the Department's information security policy
b. coordinating the implementation of security across the Department.
5.4. Information Security Manager
The Information Security Manager, <Section>, is responsible for:
a. establishing and maintaining a management system for the information security process within the Department
b. maintaining the Department's information and security policies, such as the Computer and Telecommunications Facility Policy.
5.5. Staff
Department staff are responsible to:
a. understand and comply with the Department's information security policies, standards and procedures, such as:
- the Computer and Telecommunications Facilities Policy
- the Intellectual Property Policy
- the Backup and Recovery Policy
- the Virus and Vulnerability Patching Policy
b. never subvert or attempt to subvert any security measures related to the protection of Department information systems and assets
c. report immediately any actual or suspected security incidents, weaknesses or failures to the Service Desk, Line Manager or Information Security Manager
5.6. System Owners
a. Are responsible for ensuring the compliance of their systems with this Information Security Management Policy.


5.7. Divisional Heads, Executive Directors, Directors
a. Are responsible for managing the risks to their business processes and assets
b. Must manage the information and information systems that belong to their business processes and assets
c. Must ensure that the security requirements that are justified for their processes and assets are satisfied
d. Are responsible for managing the risks to their information and information systems
e. Are responsible for authorising, controlling access to and administering their information and systems
f. Must identify and justify security requirements for their information and information systems
g. Are responsible for the development, management and maintenance of a jurisdiction-specific information security management system, including policy, standards and procedures
h. Are responsible for their staff and contractors being properly educated about relevant Department information security policy, standards and procedures, and being properly trained and authorised to use the information and information systems necessary to perform their work.

6. Policy Promulgation
Commencement date
Communication process

7. Policy Review
The Department reviews and updates this policy as needed.

8. Contact
Questions related to this policy document may be directed to the Director, Information Services on (08) 9999-9999.


9. Appendix Minimum Standards (per AS/NZS ISO/IEC 17799:2006)

Information security is the protection of information from a wide range of threats in order to ensure business continuity, minimize business risk, and maximize return on investments and business opportunities.
Information security is achieved by implementing a suitable set of controls, including policies, processes, procedures, organizational structures and software and hardware functions.
9.1. How to establish security requirements
It is essential that an organization identifies its security requirements. There are three main sources of security requirements.
1. One source is derived from assessing risks to the organization, taking into account the organization's overall business strategy and objectives. Through a risk assessment, threats to assets are identified, vulnerability to and likelihood of occurrence are evaluated, and potential impact is estimated.
2. Another source is the legal, statutory, regulatory, and contractual requirements that an organization, its trading partners, contractors, and service providers have to satisfy, and their socio-cultural environment.
3. A further source is the particular set of principles, objectives and business requirements for information processing that an organization has developed to support its operations.
9.2. Assessing Security Risks
Security requirements are identified by a methodical assessment of security risks. Expenditure on controls needs to be balanced against the business harm likely to result from security failures.
9.3. Selecting Controls
Once security requirements and risks have been identified and decisions for the treatment of risks have been made, appropriate controls should be selected and implemented to ensure risks are reduced to an acceptable level [for the Department].
9.4. Minimum Controls [Protections or Objectives]
Controls considered to be essential to an organization from a legislative point of view include, depending on applicable legislation[, must address]:
a) data protection and privacy of personal information (see 15.1.4);
b) protection of organizational records (see 15.1.3);
c) intellectual property rights (see 15.1.2).
9.5. [Recommended] Common Controls
Controls considered to be common practice for information security include:
a) information security policy document (see 5.1.1);
b) allocation of information security responsibilities (see 6.1.3);
c) information security awareness, education, and training (see 8.2.2);
d) correct processing in applications (see 12.2);
e) technical vulnerability management (see 12.6);
f) business continuity management (see 14);
g) management of information security incidents and improvements (see 13.2).

10. Appendix Information Security Categories (delete as needed)

The international standards define the following information security categories (Category: Summary):
- Risk assessment
- Security policy: management direction
- Organization of information security: governance of information security
- Asset management: inventory and classification of information assets
- Human resources security: security aspects for employees joining, moving and leaving an organization
- Physical and environmental security: protection of the computer facilities
- Communications and operations management: management of technical security controls in systems and networks
- Access control: restriction of access rights to networks, systems, applications, functions and data
- Information systems acquisition, development and maintenance: building security into applications
- Information security incident management: anticipating and responding appropriately to information security breaches
- Business continuity management: protecting, maintaining and recovering business-critical processes and systems
- Compliance: ensuring conformance with information security policies, standards, laws and regulations

AS/NZS ISO/IEC 17799:2006 is identical with and has been reproduced from ISO/IEC 17799:2005.
ISO/IEC 27002:2005 comprises ISO/IEC 17799:2005 and ISO/IEC 17799:2005/Cor.1:2007. Its technical content is identical to that of ISO/IEC 17799:2005. ISO/IEC 17799:2005/Cor.1:2007 changes the reference number of the standard from 17799 to 27002.

11. Appendix Information Security Controls (delete as needed)

AS/NZS ISO/IEC 17799:2006 defines 39 information security controls in twelve categories. Each category is listed below with its sections, the purpose of each section, and the sub-sections.

4 Risk Assessment
  4.1 Assessing Security Risks
    Purpose: Risk assessments should identify, quantify, and prioritize risks against criteria relevant to the organization.
  4.2 Treating Security Risks
    Purpose: Controls to manage or reduce the risk or its impact.

5 Security Policy
  5.1 Information Security Policy
    Purpose: To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations.

6 Organization Of Information Security
  6.1 Internal Organization
    Purpose: To manage information security within the organization.
    Sub-sections:
      6.1.1 Management Commitment To Information Security
      6.1.2 Information Security Co-Ordination
      6.1.3 Allocation Of Information Security Responsibilities
      6.1.4 Authorization Process For Information Processing Facilities
      6.1.5 Confidentiality Agreements
      6.1.6 Contact With Authorities
      6.1.7 Contact With Special Interest Groups
      6.1.8 Independent Review Of Information Security
  6.2 External Parties
    Purpose: To maintain the security of the organization's information and information processing facilities that are accessed, processed, communicated to, or managed by external parties.
    Sub-sections:
      6.2.1 Identification Of Risks Related To External Parties
      6.2.2 Addressing Security When Dealing With Customers
      6.2.3 Addressing Security In Third Party Agreements

7 Asset Management
  7.1 Responsibility For Assets
    Purpose: To achieve and maintain appropriate protection of organizational assets.
    Sub-sections:
      7.1.1 Inventory Of Assets
      7.1.2 Ownership Of Assets
      7.1.3 Acceptable Use Of Assets
  7.2 Information Classification
    Purpose: To ensure that information receives an appropriate level of protection.
    Sub-sections:
      7.2.1 Classification Guidelines
      7.2.2 Information Labelling And Handling

8 Human Resources Security
  8.1 Prior To Employment
    Purpose: To ensure that employees, contractors and third party users understand their responsibilities, and are suitable for the roles they are considered for, and to reduce the risk of theft, fraud or misuse of facilities.
  8.2 During Employment
    Purpose: To ensure that employees, contractors and third party users are aware of information security threats and concerns, their responsibilities and liabilities, and are equipped to support organizational security policy in the course of their normal work, and to reduce the risk of human error.
    Sub-sections:
      8.2.1 Management Responsibilities
      8.2.2 Information Security Awareness, Education, And Training
      8.2.3 Disciplinary Process
  8.3 Termination Or Change Of Employment
    Purpose: To ensure that employees, contractors and third party users exit an organization or change employment in an orderly manner.
    Sub-sections:
      8.3.1 Termination Responsibilities
      8.3.2 Return Of Assets
      8.3.3 Removal Of Access Rights

9 Physical And Environmental Security
  9.1 Secure Areas
    Purpose: To prevent unauthorized physical access, damage, and interference to the organization's premises and information.
    Sub-sections:
      9.1.1 Physical Security Perimeter
      9.1.2 Physical Entry Controls
      9.1.3 Securing Offices, Rooms, And Facilities
      9.1.4 Protecting Against External And Environmental Threats
      9.1.5 Working In Secure Areas
      9.1.6 Public Access, Delivery, And Loading Areas
  9.2 Equipment Security
    Purpose: To prevent loss, damage, theft or compromise of assets and interruption to the organization's activities.
    Sub-sections:
      9.2.1 Equipment Siting And Protection
      9.2.2 Supporting Utilities
      9.2.3 Cabling Security
      9.2.4 Equipment Maintenance
      9.2.5 Security Of Equipment Off-Premises
      9.2.6 Secure Disposal Or Re-Use Of Equipment
      9.2.7 Removal Of Property

10 Communications And Operations Management
  10.1 Operational Procedures And Responsibilities
    Purpose: To ensure the correct and secure operation of information processing facilities.
    Sub-sections:
      10.1.1 Documented Operating Procedures
      10.1.2 Change Management
      10.1.3 Segregation Of Duties
      10.1.4 Separation Of Development, Test, And Operational Facilities
  10.2 Third Party Service Delivery Management
    Purpose: To implement and maintain the appropriate level of information security and service delivery in line with third party service delivery agreements.
    Sub-sections:
      10.2.1 Service Delivery
      10.2.2 Monitoring And Review Of Third Party Services
      10.2.3 Managing Changes To Third Party Services
  10.3 System Planning And Acceptance
    Purpose: To minimize the risk of systems failures.
    Sub-sections:
      10.3.1 Capacity Management
      10.3.2 System Acceptance
  10.4 Protection Against Malicious And Mobile Code
    Purpose: To protect the integrity of software and information.
    Sub-sections:
      10.4.1 Controls Against Malicious Code
      10.4.2 Controls Against Mobile Code
  10.5 Back-Up
    Purpose: To maintain the integrity and availability of information and information processing facilities.
    Sub-sections:
      10.5.1 Information Back-Up
  10.6 Network Security Management
    Purpose: To ensure the protection of information in networks and the protection of the supporting infrastructure.
    Sub-sections:
      10.6.1 Network Controls
      10.6.2 Security Of Network Services
  10.7 Media Handling
    Purpose: To prevent unauthorized disclosure, modification, removal or destruction of assets, and interruption to business activities.
    Sub-sections:
      10.7.1 Management Of Removable Media
      10.7.2 Disposal Of Media
      10.7.3 Information Handling Procedures
      10.7.4 Security Of System Documentation
  10.8 Exchange Of Information
    Purpose: To maintain the security of information and software exchanged within an organization and with any external entity.
  10.9 Electronic Commerce Services
    Purpose: To ensure the security of electronic commerce services, and their secure use.
    Sub-sections:
      10.9.1 Electronic Commerce
      10.9.2 On-Line Transactions
      10.9.3 Publicly Available Information
  10.10 Monitoring
    Purpose: To detect unauthorized information processing activities.
    Sub-sections:
      10.10.1 Audit Logging
      10.10.2 Monitoring System Use
      10.10.3 Protection Of Log Information
      10.10.4 Administrator And Operator Logs
      10.10.5 Fault Logging
      10.10.6 Clock Synchronization

11 Access Control
  11.1 Business Requirement For Access Control
    Purpose: To control access to information.
    Sub-sections:
      11.1.1 Access Control Policy
  11.2 User Access Management
    Purpose: To ensure authorized user access and to prevent unauthorized access to information systems.
    Sub-sections:
      11.2.1 User Registration
      11.2.2 Privilege Management
      11.2.3 User Password Management
      11.2.4 Review Of User Access Rights
  11.3 User Responsibilities
    Purpose: To prevent unauthorized user access, and compromise or theft of information and information processing facilities.
    Sub-sections:
      11.3.1 Password Use
      11.3.2 Unattended User Equipment
      11.3.3 Clear Desk And Clear Screen Policy
  11.4 Network Access Control
    Purpose: To prevent unauthorized access to networked services.
    Sub-sections:
      11.4.1 Policy On Use Of Network Services
      11.4.2 User Authentication For External Connections
      11.4.3 Equipment Identification In Networks
      11.4.4 Remote Diagnostic And Configuration Port Protection
      11.4.5 Segregation In Networks
      11.4.6 Network Connection Control
      11.4.7 Network Routing Control
  11.5 Operating System Access Control
    Purpose: To prevent unauthorized access to operating systems.
    Sub-sections:
      11.5.1 Secure Log-On Procedures
      11.5.2 User Identification And Authentication
      11.5.3 Password Management System
      11.5.4 Use Of System Utilities
      11.5.5 Session Time-Out
      11.5.6 Limitation Of Connection Time
  11.6 Application And Information Access Control
    Purpose: To prevent unauthorized access to information held in application systems.
    Sub-sections:
      11.6.1 Information Access Restriction
      11.6.2 Sensitive System Isolation
  11.7 Mobile Computing And Teleworking
    Purpose: To ensure information security when using mobile computing and teleworking facilities.
    Sub-sections:
      11.7.1 Mobile Computing And Communications
      11.7.2 Teleworking

12 Information Systems Acquisition, Development And Maintenance
  12.1 Security Requirements Of Information Systems
    Purpose: To ensure that security is an integral part of information systems.
    Sub-sections:
      12.1.1 Security Requirements Analysis And Specification
  12.2 Correct Processing In Applications
    Purpose: To prevent errors, loss, unauthorized modification or misuse of information in applications.
    Sub-sections:
      12.2.1 Input Data Validation
      12.2.2 Control Of Internal Processing
      12.2.3 Message Integrity
      12.2.4 Output Data Validation
  12.3 Cryptographic Controls
    Purpose: To protect the confidentiality, authenticity or integrity of information by cryptographic means.
    Sub-sections:
      12.3.1 Policy On The Use Of Cryptographic Controls
      12.3.2 Key Management
  12.4 Security Of System Files
    Purpose: To ensure the security of system files.
  12.5 Security In Development And Support Processes
    Purpose: To maintain the security of application system software and information.
    Sub-sections:
      12.5.1 Change Control Procedures
      12.5.2 Technical Review Of Applications After Operating System Changes
      12.5.3 Restrictions On Changes To Software Packages
      12.5.4 Information Leakage
      12.5.5 Outsourced Software Development
  12.6 Technical Vulnerability Management
    Purpose: To reduce risks resulting from exploitation of published technical vulnerabilities.
    Sub-sections:
      12.6.1 Control Of Technical Vulnerabilities

13 Information Security Incident Management
  13.1 Reporting Information Security Events And Weaknesses
    Purpose: To ensure information security events and weaknesses associated with information systems are communicated in a manner allowing timely corrective action to be taken.
    Sub-sections:
      13.1.1 Reporting Information Security Events
      13.1.2 Reporting Security Weaknesses
  13.2 Management Of Information Security Incidents And Improvements
    Purpose: To ensure a consistent and effective approach is applied to the management of information security incidents.
    Sub-sections:
      13.2.1 Responsibilities And Procedures
      13.2.2 Learning From Information Security Incidents
      13.2.3 Collection Of Evidence

14 Business Continuity Management
  14.1 Information Security Aspects Of Business Continuity Management
    Purpose: To counteract interruptions to business activities and to protect critical business processes from the effects of major failures of information systems or disasters, and to ensure their timely resumption.
    Sub-sections:
      14.1.1 Including Information Security In The Business Continuity Management Process
      14.1.2 Business Continuity And Risk Assessment
      14.1.3 Developing And Implementing Continuity Plans Including Information Security
      14.1.4 Business Continuity Planning Framework
      14.1.5 Testing, Maintaining And Re-Assessing Business Continuity Plans

15 Compliance
  15.1 Compliance With Legal Requirements
    Purpose: To avoid breaches of any law, statutory, regulatory or contractual obligations, and of any security requirements.
    Sub-sections:
      15.1.1 Identification Of Applicable Legislation
      15.1.2 Intellectual Property Rights (IPR)
      15.1.3 Protection Of Organizational Records
      15.1.4 Data Protection And Privacy Of Personal Information
      15.1.5 Prevention Of Misuse Of Information Processing Facilities
      15.1.6 Regulation Of Cryptographic Controls
  15.2 Compliance With Security Policies And Standards, And Technical Compliance
    Purpose: To ensure compliance of systems with organizational security policies and standards.
    Sub-sections:
      15.2.1 Compliance With Security Policies And Standards
      15.2.2 Technical Compliance Checking
  15.3 Information Systems Audit Considerations
    Purpose: To maximize the effectiveness of and to minimize interference to/from the information systems audit process.
    Sub-sections:
      15.3.1 Information Systems Audit Controls
12. Potential Policies (delete as needed)

The ISO/AS/NZS Information Security Controls can be used as a framework or structure for information security policies.
