Good Governance Guidelines for Securing the WA Public Sector’s Electronic Information
In 2010 the Public Sector Commission produced the Good Governance Guidelines for Securing the Western Australian Public Sector’s Electronic Information (the Good Governance Guidelines) to address issues identified by the Auditor General in a series of Information Systems Security Audits undertaken over the previous 4 years. The Good Governance Guidelines were originally produced in a brochure format and distributed to agency CEOs and DGs. They are reproduced here with a link to download a good practice checklist.
To support agency executives in achieving their information security responsibilities.
Measures relating to the confidentiality, integrity and availability of computing equipment and information that is processed, stored and communicated by electronic or similar means in the Western Australian Public Sector.
What are the Risks?
Without adequate and appropriate measures, agencies are leaving themselves vulnerable to computer system failures, unauthorised access to information, loss of information, fraudulent activity, reputational damage and loss of public confidence.
What’s Causing the Risks?
Many agencies are unaware of, or in some cases ignore, the importance of effectively managing the security of their information systems.
A lack of fundamental controls to protect information means that there is a real and significant risk of inappropriate disclosure or access to the information held by agencies. The Auditor General has found that in many cases agencies have no way of knowing if data theft or manipulation has occurred. Weaknesses in information systems controls can compromise the confidentiality, integrity and availability of computer systems themselves, potentially impacting on delivery of key services to the public and financial loss.
Who Owns These Risks?
On 27 March 2006 Cabinet directed that the Director General/Chief Executive Officer of each Government agency is responsible for ensuring their agency implements an appropriate level of information and Internet security. The Director General/Chief Executive Officer is the custodian of the information that is processed, stored and communicated within each agency and is responsible for the effective management of their information systems.
What Should be Done?
Good practice checklist for DGs and CEOs
- Establish accountability and authority for information security matters by allocating management of information security to a senior executive.
- Ensure that information security is integrated into corporate strategies that support the overall business mission.
- Ensure that an information security risk management plan is in place and kept updated.
- Ensure that a risk management approach guides formulation of information security policies.
- Direct regular (e.g. quarterly) reports on information security. This may be as simple as a ‘traffic light’ snapshot report, and must at least include:
- significant risks;
- recommended actions/remediation of the risks; and
- actions taken since the last report to facilitate continual improvement.
Refer to A Checklist for Your Ageny's Current Information Security Practices for details.
For more information contact the Cyber Security Team.