Premier & Cabinet

Type:
Premier's Memorandum
Identifier:
M2007-04
Status:
Archived

M2007-04 Security of Electronic Information

Description

Supersedes C2001-46, M2001-14, C2003-02, C2004-06. Superseded by M2012-15

Detailed Outline

The use of information and information systems is an integral part of most NSW Government activities. Electronic information assets are increasingly critical in agencies' operations and a key element in delivering trustworthy government services.

The security threats to information assets are increasing. The Government has a duty to safeguard its large information holdings and must provide credible assurance that it is doing so.

In 2001 Cabinet recognised these trends and directed that all agencies were to appropriately protect electronic information. In 2006 'People First – A new direction for ICT in NSW' reaffirmed the importance of information security.

The Government's electronic information security objectives are:

  • Integrity. To protect information against unauthorised alteration or destruction and prevent successful challenges to its authenticity;
  • Availability. To provide authorised users with timely and reliable access to information and services;
  • Confidentiality. To uphold authorised restrictions on access to and disclosure of information including safeguarding personal or proprietary information;
  • Compliance. To comply with all statutes, regulations, Cabinet Conventions, policies and contractual obligations requiring information to be available, safeguarded or lawfully used; and
  • Assurance. To provide assurance to Parliament and the people of New South Wales that information held by the Government is appropriately secure.

Agencies are to act as follows in achieving these objectives:

  • Policy and Organisation. Establish policies and practices, an appropriate management structure and responsibilities up to executive level for information security management;
  • Risk. Identify information assets and use a risk management process to reduce the likelihood and/or consequences of security incidents to an appropriate and acceptable level;
  • Appropriateness. Ensure the totality of security measures is commensurate with the significance and value of, and the risks to, their information assets;
  • Compliance. Establish and maintain an agency wide Information Security Management System that complies with the national standard and covers all electronic information; and
  • Certification. Gain and maintain certified compliance to the standard of the main part(s) of their Information Security Management System by an accredited certifier. Exemptions from this requirement may be granted based on the risks to an agency's information assets.

This memorandum applies to all agencies that process, hold or use electronic information or data.

Morris Iemma MP
Premier

Issued : Government Chief Information Office, Department of Commerce
Contact : Nigel Evans
Email : [email protected]
Telephone : 02 9372 8246
Date : Friday 4 May 2007

This memorandum supersedes C2001-46, M2001-14, C2003-02, C2004-06

_____________________________________________________________

Security of Electronic Information

Implementation Guidelines

Intention and Principles
The intention is that all agencies operate a comprehensive electronic information security management system that meets their business oriented security needs. This system is to comply appropriately with the national standard for such systems. Appropriateness is determined by the risks to the agency's information assets and their 'business' implications. To provide assurance to stakeholders, including partners in electronic government or business, the main part of the Information Security Management System (ISMS) is to maintain certified compliance with the national standard.

The three principles for implementing electronic information security are:

  • Managing risks to information assets is the basis for selecting and operating information security measures;
  • Information security measures are implemented and operated as elements of an information security management system that is planned and controlled through effective management processes; and
  • The sum of information security measures must be proportionate to the risks to information assets.

Risks and Threats
An information security risk is the combination of the likelihood and consequences of an information security incident. Information security risks arise from threats that may affect information assets in a way that adversely impacts information security objectives:

  • Threats usually exploit vulnerabilities in information systems and the people that use them;
  • Threats may originate internally or externally, they may be accidental or deliberate, malicious or well-meant and have human, technical or environmental sources;
  • The motives behind malicious or criminal threats vary widely and will in part depend on how information assets can be exploited for unauthorised purposes;
  • The potential value of unauthorised use of information is an important consideration and may indicate the likelihood of a threat; and
  • Unacceptable information security risks are those that the 'business' cannot tolerate.

The key to managing information security risks in an agency is to understand the agency's information assets and their 'business' significance, and to involve the information owners actively in managing the security of their information.

An information asset has a 'business' owner, 'business' purpose and 'business' value. Asset significance includes both its legitimate value and its value to unauthorised users as well as its importance to the 'business' and the 'business' and wider consequences of a security incident.
 
Generally an information security incident could have one or more of the following 'business' consequences:

  • Loss of financial or material assets by agency or public - May include losses through theft or fraud, rectification costs, legal liabilities, other unbudgeted costs or lost entitlements. Losses will usually be a consequence of an information integrity failure but confidentiality or availability failures may create opportunities for loss or illegitimate gain.
  • Injury or death of public or staff - Could be the result of confidentiality, integrity or availability failures. If the consequences are a direct result of an ICT failure (eg in a real-time control system) then that system is 'safety critical' and appropriate methods must be applied to it.
  • Inconvenience or distress to public or staff - May be a direct or secondary consequence of an event, eg a temporary financial loss may cause inconvenience and distress. Could arise from confidentiality, integrity or availability failures.
  • Damage to standing or reputation of the Government, an agency or person - Includes the confidence or morale of stakeholders in a service or agency. It may be lost by confidentiality, integrity or availability failures. Treatments may include publicity campaigns to rebuild reputation or confidence and these have financial costs.
  • Assist an offence or regulatory breach, hinder investigation or enforcement - May directly impact law enforcement or regulatory operations. Crime or regulatory avoidance may threaten confidentiality, integrity and availability elsewhere and have other consequences.
  • Degrade the capability to deliver services internally or externally - A loss of operating capability is most likely from loss of information integrity or availability. The period required for a failure to become significant will depend on the nature of the information affected and the extent of operating dependency on it. Loss of capability may also cause regulatory non-compliance, adverse effects on stakeholders and loss of control over activities.

The National Standards
The National Standards for an ISMS are:

  • ISO/IEC 27001:2005 Information technology – Security techniques – Information security management systems – Requirements; and
  • ISO/IEC 17799:2005 Information technology – Security techniques – Code of practice for information security management.

Both have been formally adopted unchanged as Australian and New Zealand standards, and 17799 will be renumbered as 27002. The standards are reviewed and updated about every 3 years and compliance is always to be to the current editions. Certification is to (AS/NZS) ISO/IEC 27001 and certifiers must be accredited by an accreditation body authorised by a national government.

The security standards are management standards and there are synergies between information security management and other management standards such as AS/NZS ISO 9001 Quality Management Systems or ISO/IEC 20000 Information technology - Service management (ITIL). It is strongly recommended that agencies that have or are seeking compliance with other management standards reduce their implementation effort by using the same management system infrastructure for compliance with different standards.

Approach
The overall objective of a management system is to ensure that current information security risks are properly identified and effectively and efficiently managed. This emphasises that information security is a management issue and a matter of information and communication technology (ICT) governance, not merely a technical problem. Deploying appropriate technical measures is necessary but insufficient to ensure continuing information security. When identifying possible threats a broad 'business' approach must be taken to the value of an agency's information. This approach must consider at least agency, government and public perspectives.

Identification and assessment of the main risks enables suitable management arrangements and key policies to be established. These provide the information security management framework. Once this framework exists critical risks can be assessed more thoroughly and other risks considered. With management arrangements in place appropriate security measures, including procedures and processes, can be planned, adapted or implemented.

Scope of Compliance and its Certification
Most of the security controls in the current standards will be applicable to some extent. However, in practice some controls will only be marginally relevant or will address risks that are already at an acceptable residual level. These controls should be given low priority and compliant information security management can be achieved without applying them. The standard is not a 'checklist' requiring a 'tick' in every box.

The cost of any security measures must be less than the cost of the consequences of security incidents taking account of their likelihood. This means that some standard security controls may not be used but the agency will still have a suitably comprehensive, compliant and partially certifiable ISMS. Nevertheless, all risks must be periodically reviewed and if they become unacceptable they must be treated with additional or updated security measures.

Suitably comprehensive compliance does not mean comprehensive certification. The purpose of certification is similar to having independently audited financial accounts. It gives assurance to the stakeholders that information security risks are being properly managed. Full certification does not always provide value for money in large agencies with many local offices if each requires auditing. However, an excessively narrow certification rarely provides value for money or an appropriate degree of assurance. Certification should focus on the main part of the business critical ISMS.

When deciding the business critical part of an ISMS the following approach is to be used:

  • The certification covers the agency's most important information assets and those most at risk in terms of the likelihood of a security incident and its consequences; and
  • The certification covers significant information assets including those:
    • about identifiable members of the public;
    • with sensitive information about identifiable employees;
    • where a security failure could:
      • result in loss of life or injury;
      • result in significant fraud;
      • affect the delivery of major services;
      • result in significant damage to government reputation;
      • undermine regulatory or law enforcement activity;
    • where electronic information is received from or provided to another agency; or
    • where electronic information is X-IN-CONFIDENCE, PROTECTED, HIGHLY PROTECTED (Premier's Circular 2002-69) or has a national security classification of RESTRICTED or higher.

The certified ISMS should include security policies, procedures and processes that are used throughout the agency. This does not mean that all parts of the agency using these have to be within the certified ISMS. Certification of policies, etc, in an ISMS gives confidence that they are generally satisfactory.

Uncertified parts of an information security management system are to be periodically audited for compliance with the agency's policies and procedures by internal or external auditors. Results are to be formally reported to the agency's board or equivalent executive group if there is no board.

Hardcopy Information
The primary focus of these guidelines is on electronic information. In practice the boundary between hard and softcopy is seldom clear-cut from a security perspective because of transformation between them. However, the inherent characteristics of the different media mean that the risks are different.

Generally the integrity and confidentiality of hardcopy information is less vulnerable to large-scale loss, but the difficulty of maintaining hardcopy 'backups' makes availability more vulnerable to disasters. It is not the intention that agencies review and update the security measures for all their existing hardcopy information. However, improved physical security for information assets will often improve the security of hardcopy information. Further guidance is given in Premier's Circular 2002-69 Labelling Sensitive Information.

Information Asset
Narrowly defined, electronic information assets are the data and software owned by, licensed to or entrusted to an agency. They may be at rest or in transit within an agency's systems, or being communicated to an external party. An extended definition includes hardware, networks and intangibles such as reputation, goodwill, trust, staff morale and productivity. It may be appropriate to deal with the intangibles as possible consequences of security incidents affecting other information assets.

Each information asset has an owner or custodian within the agency. The ICT group may be the 'owner' of ICT infrastructure. However, business information is 'owned' by business units. These units are responsible for ensuring that the risks to their information assets are realistically assessed and appropriately treated in accordance with Government and agency policies, etc. The appropriate level of management must formally accept any residual risks to information assets.

Outsourcing
Agencies that outsource any of their electronic information operations retain ownership of and responsibility for their information assets. These agencies' ISMSs must include these assets. Agency policies, etc, are to define clearly the detailed security responsibilities of the agency and of the provider of outsourced services affecting the agency's information assets. These will be reflected in contracts and service level agreements with service providers, including mechanisms to ensure they can be modified to reflect changing risks. The goal is to ensure there are no gaps or ambiguities between the ISMSs of the two parties. 

Generally, agencies are to require the certification of outsource service providers' ISMS to the national standard. This certification provides assurance to the agency about the security of their assets entrusted to the outsourcer and hence to the agency's stakeholders. Exceptionally this may be unnecessary where the agency's information assets are not at unacceptable risk from a security incident affecting the outsourcer's capabilities; for example agency operated encryption on outsourced communications bearers. 

Outsourcing agencies will still require their own compliant and certified ISMS, even when they have no residual 'insourced' ICT. Subject to risk assessment, the outsourcing agency's ISMS Statement of Applicability will focus on their security policies and organisation, compliance with legal obligations, asset management, staff behaviour, physical security, security incident management and business continuity. This will ensure that the agency has effective measures for the control of their information assets and the use of assets provided by the outsourcer.

Small agencies that function as units of larger ones or are supported by secretariats or staff from larger agencies should be treated as part of the larger agency for information security compliance and certification purposes. Their inclusion should be noted in the larger agency's Statement of Applicability.

Timescale and Resources
Agencies are to achieve the Government's information security objectives as soon as possible. Progress will be monitored through a security status framework. Achievement of the objectives is marked by appropriate certified compliance with the standards and continuance of certification.

Information security, like physical security, is a routine function in which all staff have some role. Agencies are to act economically by making maximum use of their internal resources. Training may be necessary in some agencies. Agencies are also strongly encouraged to share security knowledge and resources. In some agencies external resources may be needed to advise and mentor inexperienced security staff and to provide expert review of risk assessments and security plans.

Exemption
Agencies without significant information assets may apply for an exemption from the requirement to obtain and maintain certified compliance. Such agencies will still need to achieve appropriate uncertified compliance. Details will be promulgated separately.

In the framework of the significant information assets outlined above, exemption decisions will consider the extent and sensitivity of individual records; the consequences of significant fraud or of altered information; compromise of regulatory or law enforcement activities; service delivery failures; the impact of a security failure on government reputation; and whether the agency exchanges significant electronic information with another agency.

For very small agencies resource limitations will also be considered. Such limitations would make an average of 3 or 4 certification auditor days per year unaffordable.

Reporting
Agencies are to report their security status at least annually to the Government Chief Information Office. This reporting will be online and be based on a security status framework. Details will be promulgated separately.

Overview

Compliance: Not Mandatory

AR Details
Date Issued: May 5, 2007
Review Date: May 5, 2017

Contacts
Phone: 02 9228 5555
Publishing Entity: Department of Premier and Cabinet
Issuing Entity: Department of Premier and Cabinet