
ISMF Standard 138

Privacy and Confidentiality OCIO/S4.2


Government standard on cyber security
Prepared by: Office of the Chief Information Officer
Version: 3.0.1
Date: 15 November 2012

Confidentiality: Public
Version: 3.0.1
Status: Final

Audience: SA Government Agencies; Suppliers to SA Government
Compliance: Mandatory
Creator: Office of the Chief Information Officer
Mandate/Authority: Security and Risk Steering Committee
Original Authorisation Date: September 1996
Last Updated and Approved: 15 November 2012
Issued: 15 November 2012
Expiry Date: Not Applicable
Primary Contact: Security and Risk Assurance, Office of the Chief Information Officer, Tel: +61 (8) 8463 4003

Coverage: The South Australian public authorities required to adhere to this standard are defined in OCIO/F4.1 Government framework on cyber security Information Security Management Framework [ISMF]. This standard is intended for use by South Australian Government agencies and suppliers to Government whose contractual obligations require them to comply with this document. Reliance upon this policy or standard by any other person is entirely at their own risk and the Crown in the right of South Australia disclaims all responsibility or liability to the extent permissible by law for any such reliance.

To attribute this material, cite the Office of the Chief Information Officer, Government of South Australia, ISMF Standard 138.

This work is licensed under a Creative Commons Attribution 3.0 Australia Licence. Copyright South Australian Government, 2012.


DOCUMENT TERMINOLOGY AND CONVENTIONS

The terms that are used in this document are to be interpreted as described in Internet Engineering Task Force (IETF) RFC 2119, "Key words for use in RFCs to Indicate Requirement Levels" (www.ietf.org/rfc/rfc2119.txt?number=2119). The RFC 2119 definitions are summarised below.

MUST: This word, or the terms "REQUIRED" or "SHALL", means that the definition is an absolute requirement of the specification.

MUST NOT: This phrase, or the phrase "SHALL NOT", means that the definition is an absolute prohibition of the specification.

SHOULD: This word, or the adjective "RECOMMENDED", means that there may exist valid reasons in particular circumstances to ignore a particular item, but the full implications must be understood and carefully weighed before choosing a different course.

SHOULD NOT: This phrase, or the phrase "NOT RECOMMENDED", means that there may exist valid reasons in particular circumstances when the particular behaviour is acceptable or even useful, but the full implications should be understood and the case carefully weighed before implementing any behaviour described with this label.

MAY: This word, or the adjective "OPTIONAL", means that an item is truly optional.

DOCUMENT CONTROL

Document location: Q:\SecurityRiskAssurance\Policy Development Sub-program\Policy and Standards\ISMF\ISMFstandards\ISMF_standard138.doc

Electronic records management information
File Folder Number: OCIO08/0073/0003
Document Number: 5281874

Authors
Andrew Jones, Manager Strategy and Standards
Jason Caley, Principal Policy Adviser, Security and Risk Assurance

Release details
Version 2.3.1, 10 May 2007: Published document.
Version 2.4, 03 June 2009: Revised format, no content changes.
Version 3.0, 06 October 2011: Issued as a standard under ISMF version 3.0; released under the terms of the Australian Governments Open Access and Licensing framework [AusGOAL].
Version 3.0.1, 15 November 2012: Minor revision to remove obsolete entries under References & Links.

Distributed to
Published to www.sa.gov.au website, Version 3.0.1, November 2012.

CLASSIFICATION
Confidentiality: PUBLIC-I2-A1
Description: No harm could be caused to an organisation or individual, no unfair advantage could be given to any entity and no violation would occur to somebody's right to privacy. Integrity 2 with low availability requirements.
Circulation limit: Unrestricted access.


TABLE OF CONTENTS

1. PURPOSE
2. CONTEXT
   2.1. Background
   2.2. History
3. SCOPE
4. TERMS AND ABBREVIATIONS
   4.1. Terms
   4.2. Abbreviations
5. STANDARD
   5.1. South Australian Government standard
6. IMPLEMENTATION
   6.1. Implementation considerations
   6.2. Exemptions
   6.3. Responsibilities
7. REFERENCES AND LINKS


1. PURPOSE
This document states the standard of the Government of South Australia in relation to privacy and confidentiality of electronic information.

2. CONTEXT
2.1. Background

The government has obligations in relation to the:
- privacy and security of information it holds; and
- integrity of data it generates and/or retains to support service delivery functions and development.

2.2. History

This standard revises the following policies and/or standards: OCIO/P4.2 Security Privacy and Confidentiality, Version 2.4.

This document replaces and shall be considered a full substitute for its predecessor.

3. SCOPE
The ISMF and all security Bulletins, Notifications and standards issued under it shall apply, unless otherwise advised, to all bodies that are:
- South Australian Government public sector agencies (as defined in the Public Sector Act 2009), that is, administrative units, bodies corporate, statutory authorities, and instrumentalities of the Crown. Public sector agencies are herein referred to as Agencies; OR
- Suppliers to the South Australian Government or its Agencies that have contractual conditions which require compliance to the ISMF as described in section 2.1 of the ISMF.

The ISMF and all security Bulletins, Notifications and standards issued under it shall apply to:
- All information processed, stored or communicated by ICT equipment, where that information is either:
  - Official Information of the South Australian Government or its Agencies; or
  - Information of which the South Australian Government or any of its Agencies has custody [2]; or
  - Information as described above which Suppliers that have contractual conditions that require compliance to the ISMF as described in section 2.1 of the ISMF hold on behalf of the South Australian Government or any of its Agencies.
- Anything that acts upon an ICT asset, including creating, controlling, validating, and otherwise managing the ICT asset throughout the lifecycle of the asset.

4. TERMS AND ABBREVIATIONS


4.1. Terms

Authorised access means access to, use of, copying of, or any form of communication with, the information/data owned by an agency.

Responsible Party is used in two contexts within the ISMF. These are:
- An Agency: the internal-to-government body that retains ultimate responsibility for all aspects covered by the Information Security Management Framework [ISMF] as it relates to a particular agency and its information assets.
- A Supplier: an external-to-government entity that is typically responsible for compliance with the ISMF by way of a contractual agreement that contains clauses requiring security of Agency information and the regulation of access to an Agency's information assets. The term Supplier shall be read as Suppliers who are subject to contractual conditions that require them to comply with the ISMF unless another intention is apparent.

When a Supplier has contracted with the State, the provisions of the ISMF will apply to the Supplier either:
- under the terms of a Purchasing Agreement for whole of Government contracts and associated Customer Agreements; or
- by way of an individual contract with an Agency whereby the Agency has specified the parts of its Information Security Management System [ISMS] for which compliance is sought.

It should be noted that Agency Chief Executives retain ultimate accountability for all security matters within their agencies. The application of the ISMF to a Supplier via a contract with the State or Agency shall not absolve the Agency from these obligations and responsibilities. Responsible Parties include both Agencies and Suppliers who are subject to contractual conditions that require them to comply with the ISMF. Where any ambiguity arises between these entities in relation to adherence to the ISMF, the Agency Controls implemented in the Customer Agreement shall prevail (i.e. the Agency remains the default party and the Customer Agreement is used as the vehicle for setting the scope and requirements for the Supplier to comply with either the entirety of the ISMF or part(s) thereof. The Customer Agreement may also introduce additional Agency-specific controls and policies that the Supplier must comply with).

Business Owner represents the person or group that is ultimately responsible for an information asset. This person or group is distinct from an information custodian, who may take responsibility for the ongoing management of the information (such as a CIO or system administrator). Individual business units should own business critical information, rather than information technology or information security departments (they are custodians, not owners). The manager of the business unit responsible for the creation of any information and/or the business unit directly impacted by the loss of the information is usually the Business Owner. A Business Owner or group of Business Owners must be identified for each information asset.

[2] Note the definition of custody in the ISMF differs from the State Records interpretation.

4.2. Abbreviations

ICT: Information and Communication Technology
ISMF: Information Security Management Framework
PSMF: Protective Security Management Framework

5. STANDARD
5.1. South Australian Government standard

Privacy and confidentiality of government data is governed by the Information Privacy Principles Instruction (Cabinet Administrative Instruction 1/89) issued as Premier and Cabinet Circular No. 12.

6. IMPLEMENTATION
6.1. Implementation considerations

As part of a data management plan, Responsible Parties must define authorised access for all of their data, including who has access, the level of authority required, and the level of access allowed.

The Government of South Australia Information Security Management Framework describes a series of policies, standards and controls for the protection of information in South Australian government ICT environments. The framework has been written and structured to align closely with AS/NZS ISO/IEC 27001:2006 Information Technology - Security techniques - Information security management systems - Requirements. The ISMF applies a risk-based approach to cyber security in accord with the government's Risk Management Policy Statement.


6.2. Exemptions

None.

6.3. Responsibilities

Chief executives have ultimate responsibility for all security matters within their agencies. Treasurer's instruction 2, Financial Management Policies establishes certain obligations and expectations on how entities of the South Australian Government manage risk including those pertaining to ICT projects. On the issue of information security management, it is required that the entity implements whatever control measures are necessary to provide adequate protection for its information and that, where applicable, the entity shall comply with the instructions detailed in the Protective Security Management Framework issued as Premier and Cabinet Circular No. 30.

7. REFERENCES AND LINKS


- Government of South Australia Information Privacy Principles Instruction (Cabinet Administrative Instruction 1/89), issued as Premier and Cabinet Circular No. 12
- AS/NZS ISO/IEC 27001:2006 Information Technology - Security techniques - Information security management systems - Requirements
- OCIO/F4.1 Government of South Australia Information Security Management Framework [ISMF]
- Government of South Australia Protective Security Management Framework [PSMF], issued as Premier and Cabinet Circular No. 30
