Good Governance Guidelines for Securing the WA Public Sector’s Electronic Information

    Introduction

    In 2010 the Public Sector Commission produced the Good Governance Guidelines for Securing the Western Australian Public Sector’s Electronic Information (the Good Governance Guidelines) to address issues identified by the Auditor General in a series of Information Systems Security Audits. The Good Governance Guidelines are outlined below, together with a link to a good practice checklist.

    Aim

    To support agency executives in achieving their information security responsibilities.

    Scope

    Measures relating to the confidentiality, integrity and availability of computing equipment and information that is processed, stored and communicated by electronic or similar means in the Western Australian Public Sector.

    What are the Risks?

    Without adequate and appropriate measures, agencies are leaving themselves vulnerable to computer system failures, unauthorised access to information, loss of information, fraudulent activity, reputational damage and loss of public confidence.

    What’s Causing the Risks?

    Lack of awareness by agencies of the importance of effectively managing the security of their information systems.

    A lack of fundamental controls to protect information creates a significant risk of inappropriate disclosure of, or access to, the information held by agencies. The Auditor General's audits have found that in many cases agencies have no way of knowing whether data theft or manipulation has occurred. Weaknesses in information systems controls can compromise the confidentiality, integrity and availability of the computer systems themselves, potentially disrupting delivery of key services to the public and causing financial loss.

    Who Owns These Risks?

    On 27 March 2006 Cabinet directed that the Director General/Chief Executive Officer of each Government agency is responsible for ensuring their agency implements an appropriate level of information and Internet security. The Director General/Chief Executive Officer is the custodian of the information that is processed, stored and communicated within each agency and is responsible for the effective management of their information systems.

    What Should be Done?

    Good practice checklist for DGs and CEOs

    1. Establish accountability and authority for information security matters by allocating management of information security to a senior executive.
    2. Ensure that information security is integrated into corporate strategies that support the overall business mission.
    3. Ensure that an information security risk management plan is in place and kept updated.
    4. Ensure that a risk management approach guides formulation of information security policies within an agency.
    5. Direct regular (e.g. quarterly) reviews and reporting on information security including but not limited to:
    • significant risks;
    • recommended actions/remediation of the risks; and
    • actions taken since the last report to facilitate continual improvement.

    Refer to A Checklist for Your Agency's Current Information Security Practices for details.

    For more information contact the Cyber Security Team.