Overview and Approach
Information is a vital asset for Government and a critical component of the day-to-day transactions and interactions that take place between government, citizens and business. Western Australian government agencies rely heavily on the Internet to deliver services and conduct business. However, operating in cyberspace carries serious security risks to agency information and systems that need to be mitigated. The cyber security threat is no longer an emerging threat – it exists now and the risk is growing.
An agency’s connection to the Internet exposes its information and systems to exploitation from anywhere in the world. The Internet also provides information about how to identify network vulnerabilities and how to exploit them. It is a source of freely available tools that can be used to exploit weaknesses.
Most agencies maintain a wide range of confidential information that has potential value and needs protection. Examples include information about actual and proposed Government business plans, commercial-in-confidence information provided by the private sector during contract negotiations, geospatial information, and personal details of employees and private individuals, which, particularly in bulk form, have potential commercial value.
Agencies have a responsibility to identify and manage the risks to information they hold in order to ensure an appropriate level of information security is maintained.
Information security can be defined as the preservation of:
- Confidentiality: ensuring that information is accessible only to those authorised to have access.
- Integrity: safeguarding the accuracy and completeness of information and information processing methods and facilities.
- Availability: ensuring that authorised users have access to information and supporting assets when required.
- Authentication: ensuring a person accessing or providing information or undertaking a transaction is actually who they claim to be.
- Non-repudiation: ensuring a person who has carried out a transaction is not able to deny having carried out that transaction, and that the transaction recipient cannot deny receiving the transaction.
The objective of information security is to reduce the organisation’s risk of business damage from a security incident to an acceptable level whilst retaining the ability to carry out business.
From a Government perspective, key outcomes sought from this objective are the confidence and trust of stakeholders in the way Government manages private and sensitive information and the capability to ensure continuity of service delivery.
Government Procurement supports an approach to information security in agencies that is based on the identification and assessment of risks and the implementation of controls and procedures appropriate to the level of risk and business needs of the organisation.
A rigorous and systematic approach to information and Internet security can be achieved by implementing an Information Security Management System (ISMS). While the level of security and depth of approach required is based on business needs and will vary from agency to agency, a high level of assurance is attained by implementing an ISMS that adheres to relevant standards.
The following Australian and International standards have been identified as a means of providing agencies with a consistent and best practice approach to information security:
- AS/NZS ISO/IEC 27001:2006, Information technology – Security techniques – Information security management systems – Requirements. Provides a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an Information Security Management System (ISMS). Interested internal or external parties can use this Standard in order to assess conformance.
- AS/NZS ISO/IEC 27002:2006, Information technology – Security techniques – Code of practice for information security management. Provides a practical guideline for developing organisational security standards and effective security management practices, and helps build confidence in inter-organisational activities.
- ISO/IEC 27005, Information technology – Security techniques – Information security risk management. Provides guidelines for information security risk management in an organisation, supporting in particular the requirements of an Information Security Management System (ISMS) according to ISO/IEC 27001.
The appropriate classification of information is a key element of any rigorous and systematic approach to information security and is particularly relevant to agencies that share information with other agencies and spheres of government. For agencies considering a standards-based approach to information classification, the adoption of the information classification system specified in the Commonwealth Protective Security Policy Framework (PSPF) is recommended.