Deliverable: NSW Department of Commerce Information Security Policy (Printed: 1 July, 2010) | Version: 1.4 | File: NSW Department of Commerce Information Security Policy | Page No: 1 of 34


Department of Commerce

Information Security Policy


Document Control

Document Purpose: Policy

Distribution control: Version Number 1.5

Document authors: Information Security Manager

Copyright owner: This document is owned by the NSW Department of Commerce

Document Approval

Approved: General Manager, Information Management and Technology. Date: 31 May 2007

Approved: Director, Corporate Services and Review. Date: 31 May 2007

Approved: Acting Director-General. Date: 31 May 2007

Acceptance and Release Notice

This Information Security Policy is a managed document. The distribution list identifies the current version of the Information Security Policy and the person or position to which copies are issued. Changes will be issued as a complete replacement document covered by a release notice.

Version Control and Distribution

Version | Date issued | Author | Description | Issued To
1.0 | 23/09/06 | Information Security Manager | Revised and edited | Managers
1.1 | 17/10/06 | Information Security Manager | Updated feedback | CRG
1.2 | 30/01/07 | Information Security Manager | Updated feedback from CRG | CRG
1.3 | 14/02/07 | Information Security Manager | Updated requirements | CRG
1.4 | 20/03/07 | Information Security Manager | Reviewed and endorsed by CRG | IM&T Board
1.4 | 31/05/07 | Information Security Manager | Approved by IM&T Board | All staff
1.5 | 1/7/10 | Information Security Manager | Approved for public release |


TABLE OF CONTENTS

1. POLICY ... 6
1.1 INTRODUCTION ... 6
1.2 POLICY SCOPE ... 6
1.3 POLICY OBJECTIVES ... 6
1.4 PERSONS AFFECTED BY POLICY ... 7
1.5 BACKGROUND ... 7
1.6 POLICY OWNER AND STRUCTURE ... 7
1.6.1 Policy Owner ... 7
1.6.2 Policy Structure ... 7

2 SECURITY PRINCIPLES ... 9

3 INFORMATION SECURITY ORGANISATION ... 10
3.1 ROLES AND RESPONSIBILITIES ... 10
3.1.1 Asset Owners and Asset Custodians ... 10
3.1.2 Information Security Manager ... 11
3.1.3 General Manager, Information Management and Technology ... 12
3.1.4 Managers ... 12
3.1.5 Information Technology Managers ... 13
3.1.6 System Administrators ... 13
3.1.7 All Staff ... 13
3.1.8 Audit Branch ... 14
3.1.9 IT Security Forum ... 14
3.1.10 Business Unit Security Representative ... 15

4. SECURITY POLICY STATEMENTS ... 16
4.1 ORGANISATION OF INFORMATION SECURITY ... 16
4.2 ASSET MANAGEMENT ... 18
4.3 HUMAN RESOURCES SECURITY ... 19
4.4 PHYSICAL AND ENVIRONMENTAL SECURITY ... 20
4.5 COMMUNICATIONS AND OPERATIONS MANAGEMENT ... 21
4.6 ACCESS CONTROL ... 25
4.7 INFORMATION SYSTEMS ACQUISITION, DEVELOPMENT AND MAINTENANCE ... 28
4.8 INFORMATION SECURITY INCIDENT MANAGEMENT ... 29
4.9 BUSINESS CONTINUITY MANAGEMENT ... 30
4.10 COMPLIANCE ... 30

5 COMPLIANCE ... 32
5.1 CONSEQUENCES OF NON-COMPLIANCE ... 32
5.2 PROCEDURES FOR REQUESTING EXCEPTIONS TO POLICIES ... 32
5.3 REPORTING ... 32
5.4 SECURITY AUDITS AND REVIEWS ... 32

6 REVIEW AND MAINTENANCE ... 34
6.1 REVIEW AND FEEDBACK ... 34
6.2 POLICY CHANGES ... 34
6.3 DIVISION RESPONSIBLE FOR THE MAINTENANCE OF THIS POLICY ... 34
6.4 RELATED DOCUMENTS AND POLICIES ... 34


1. POLICY

1.1 Introduction

Information is vital in the NSW Department of Commerce (“Commerce”) for strategic and operational decision making, supporting business processes and delivering our services. Information and the underlying information systems are important and valuable Commerce assets that must be protected. Significant business benefits arise from managing information security in a structured and formal way, including improving competitive edge, profitability, legal compliance and commercial image. The following characteristics of Commerce’s information need to be appropriately protected:

• Confidentiality – protection from inappropriate disclosure;

• Integrity – protection of the information’s completeness, accuracy and currency;

• Availability – protection from information loss or delay of its delivery.

1.2 Policy Scope

This policy applies to:

• All information assets and information processing assets (e.g. hardware and software), including assets owned by Commerce and assets it has a custodial responsibility for, regardless of whether the assets are on Commerce property or at other locations, such as third party sites and private residences.

• Information in all of its forms, whether printed or written on paper, stored electronically, transmitted by post or using electronic means, shown on films or spoken in conversation.

1.3 Policy Objectives

The objective of information security in Commerce is to protect the interests of those relying upon, or supplying, information and the underlying information systems from harm that may arise from failures in confidentiality, integrity and availability. This policy and the supporting policies and standards aim to ensure awareness of:

• Commerce policies, standards and guidelines relating to the use of information and information systems, and to the storage and communication of information assets.

• Obligations to Commerce Asset Owners and Asset Custodians when contemplating any form of information communication.


• The consequences of inappropriate access and use of information, information systems and information communication tools such as emails, internet, mobile phones and facsimiles.

1.4 Persons Affected by Policy

This policy applies to all permanent, temporary, contract and vendor staff wishing to access Commerce Information and Information Systems. Persons affected by the policy are referred to as “staff”.

1.5 Background

The dominant factors that have shaped this policy are:

• Ensuring that access to Commerce information and information systems complies with the Privacy and Personal Information Protection Act NSW 1998 and the Workplace Surveillance Act 2005;

• Ensuring that monitoring and surveillance comply with Federal and State Government legislation, including the Privacy and Personal Information Protection Act NSW 1998 and the Workplace Surveillance Act 2005;

• Commerce’s statutory and organisational responsibilities to ensure the confidentiality, integrity and availability of Commerce information and systems;

• Compliance with the current State Government directive concerning information security (ISO 27001). This directive has been mandated by the NSW Premier’s Department “CIRCULAR NO. 2004 – 06” to protect the government against incidents and attacks on its Information, Communication and Technology Systems that could significantly reduce the operational effectiveness of Government.

1.6 Policy Owner and Structure

1.6.1 Policy Owner

The Commerce Director-General owns the Information Security Policy. The General Manager, Information Management and Technology (“GM, IM&T”) and the IM&T Board endorse the Information Security Policy, and the Director-General approves it. Minor changes to the policy will be reviewed by the IT Security Forum and approved by the GM, IM&T.

1.6.2 Policy Structure

The Information Security Policy is supported by subordinate security policies, standards and procedures. The supporting policies, such as the Acceptable Use of Information and Information Systems and the Internet and Email Use policies, will be reviewed by the IT Security Forum and approved by the GM, IM&T. The policies are supported by technical security standards and procedures, which are referenced throughout this document but exist elsewhere. Policies are often generalised requirements containing high-level statements, whereas technical security standards make specific mention of technologies, methodologies, implementation procedures and other detailed factors. Procedures are specific operational steps.

[Figure: Commerce Compliance Map. Elements shown: State and Federal Legislation; ISO 27001 Information Security Standard; Commerce Security Standards; Information Security Policy (this document); Commerce Security Procedures; Other Commerce Security Policies.]

Commerce will use the International Standard ISO 27001 and the Australian Standard AS/NZS (ISO/IEC) 17799 – Code of Practice for Information Security Management as its target information security management framework. The Standard gives recommendations for information security management for use by those who are responsible for initiating, implementing or maintaining security within Commerce. It is intended to provide a common basis for developing organisational security standards and effective security management practice and to provide confidence in inter-organisational dealings. These information security policies are an expansion and interpretation of various parts of the Australian Standard and are not a repetition of them. Therefore both documents should be referenced when further detail is required on a particular topic. A copy of the Standard is available from the Commerce Intranet (Policies and Procedures – Information Security).


2 SECURITY PRINCIPLES

In all aspects of managing Commerce’s information security, including policy management, the following principles are applicable:

1. Information is accessible only to those authorised to have access;

2. The accuracy and completeness of information and its processing shall be safeguarded;

3. Information is to be available to authorised users in a timely manner;

4. Commerce risk framework and tolerances will be used to identify appropriate protection levels;

5. All significant actions shall be auditable and may be subject to ongoing monitoring of user activity as needed/required;

6. Information processing assets (including information itself) shall be protected to a level consistent with their value to the government and department, or as determined by its external originator;

7. There shall be a single, identified Owner or a Custodian for each information asset who is accountable to Commerce for the asset’s protection and maintenance;

8. All users of Commerce’s information processing resources shall be accountable for their actions;

9. Security awareness shall be maintained across all parties involved in Commerce’s information processing;

10. Compliance with legislation and organisational policy will be verified;

11. Privileged users shall ensure that their access is used only for the purpose granted.


3 INFORMATION SECURITY ORGANISATION

Information held by Commerce is owned either by the Crown or by non-government entities and individuals, who may have provided it on the basis of non-disclosure. Ownership or Custodianship of information assets and information processing assets is to be assigned appropriately within Commerce based on the authorities and responsibilities of roles. Ownership of information security policies rests with the Director General, together with the authority to approve or decline changes to information security policy. This may be delegated to the GM, IM&T and sub-delegated to the Information Security Manager. New information security policies and changes to existing policies are to be endorsed by the IM&T Board. The Information Security Manager and the GM, IM&T are the focal point for all information security issues and liaise with all areas of Commerce, including the IT Security Forum and Business Unit Security Representatives. Business Unit Security Representatives, as representatives of Asset Owners and Custodians, are the information security focal point for their area of Commerce.

3.1 Roles and Responsibilities

The following key roles have responsibilities associated with Commerce’s Information Security Policy:

3.1.1 Asset Owners and Asset Custodians

The Owner or Custodian of an asset as identified in the asset register (held by the Information Security Manager) is the individual with:

• The greatest vested interest in the availability, integrity and confidentiality of the asset; and

• The authorities (stated in their position description) necessary to carry full responsibility for the asset or where they have delegated authority.

The Owner or the Custodian has the ultimate responsibility for the asset. For assets associated with delivering business functionality, the most appropriate asset Owner or Custodian is usually the role with responsibility and authority for that business function, irrespective of what technology is used to deliver it. The Owner or the Custodian may delegate responsibilities for day-to-day management of the asset but retains ultimate responsibility and accountability. The Owner or Custodian has responsibility to:

• Formally classify their information asset and identify access control requirements;

• Ensure the protection and operation of their asset complies with Commerce policies and standards;


• Clearly state which positions (if any) have delegated responsibilities and the nature of their responsibilities;

• Inform the Information Security Manager of any change in asset Ownership/Custodianship or delegations;

• Regularly review the asset’s access rights for currency;

• Provide security awareness training to all users of their assets including all personnel, vendors, other government agencies and external business partners;

• Approve/decline requests for access to their asset;

• Ensure changes to the asset have been adequately tested to verify the change meets requirements and that it will not negatively impact any other asset; and

• Monitor usage of information assets to ensure it is appropriate and acceptable.

3.1.2 Information Security Manager

The Information Security Manager is the focal point for all information security issues. The Information Security Manager has the following responsibilities:

• Being the primary contact point within Commerce for advice on information security issues generally;

• Regularly confirming ownership details with Asset Owners and Custodians;

• Assisting in investigating potential, suspected and actual security breaches;

• Reporting actual security breaches to the Asset Owners and Custodians, and to the GM, IM&T;

• Reviewing business/user requirements to ensure information security requirements are adequately represented;

• Approving any information security products and procedures for use within Commerce’s environment;

• Advising Asset Owners and Custodians (or their delegates) on exposure and vulnerability information relating to their asset;

• Liaising on information security matters with other government agencies and external organisations as required;

• Liaising with Building Security and the property managers on issues that may impact information security;

• Ensuring that the interpretation of access control business requirements is applied in a consistent manner across Commerce’s environment;

• Advising on and carrying out security awareness training to Commerce staff;

• Developing and reviewing access and use policy and standards;


• Providing advice on classification, access and use of information assets, including advising on appropriate access paths, levels of access, authentication mechanisms and risks; and

• Initiating or assisting follow up of non-compliance or breaches of this policy.

3.1.3 General Manager, Information Management and Technology

The GM, IM&T represents the Director General with regard to information security across the organisation. The GM, IM&T’s responsibilities include:

• Ensuring the Director General and the Asset Owners and Custodians are informed of any significant information security issues;

• Providing the Director General and the Asset Owners and Custodians with regular reports on the status of Commerce’s information security;

• Promoting information security to Commerce’s senior management;

• Approving supporting security policies and standards; and

• Ensuring information security policies and standards are developed, implemented and maintained.

3.1.4 Managers

All managers within Commerce have responsibility for:

• Maintaining the security of all staff, assets, information, intellectual property and resources under their control, including physical security controls and practices;

• Ensuring that all staff under their control are aware of their responsibilities under the Information Security Policy before approving access to Commerce’s information;

• Advising the relevant System Administrators and the Information Security Manager of any access privilege changes required as a result of staff separations, transfers or changes in responsibilities;

• Granting, denying, rescinding or withholding security clearances relevant to the Manager’s area;

• Recovering all access cards, keys and tokens from separated staff and terminating contractors; and

• Ensuring appropriate performance management and investigation action is taken where non-compliance is identified or referred to them.

Staff security pertains to the procedures that are established to ensure that all staff who have access to sensitive information have the required authority as well as appropriate security clearances and reference checks.


3.1.5 Information Technology Managers

All Managers within Commerce’s IT group have responsibility for:

• Ensuring the physical and environmental security of key information technology assets including, but not limited to, servers, cabling, communications devices, consoles, databases, back-up media and original application system media; and

• Monitoring and reporting to the Information Security Manager or the Chief Auditor any unusual or unauthorised access to, or use of, Commerce information and systems.

3.1.6 System Administrators

A “System Administrator” is any position with operational information security responsibilities, such as userid/password management and access or security policy/rule or profile maintenance. System Administrators usually have higher system access or user privileges than normal users. These positions may range from specialist Information Security staff through to positions with operational security responsibilities as part of their overall responsibilities (e.g. Unix, LAN and server administrators). System Administrator responsibilities include:

• Securely managing the provision of user access to Commerce’s information systems as approved by the asset’s Owner or Custodian (or their delegate);

• Monitoring system/security logs for evidence of unauthorised activity;

• Reporting potential, suspected and actual security breaches to the Information Security Manager;

• Assisting the Information Security Manager in investigation of potential, suspected and actual security breaches;

• Enforcement of and adherence to formal change control procedures for any changes to production environments;

• Ensuring all patches are applied and upgrades are implemented;

• Development and maintenance of information security procedures, under guidance of the Information Security Manager.

3.1.7 All Staff

All staff employed by Commerce, including temporary employees, permanent employees, seconded staff, vendors and those contracted by Commerce, shall comply with Commerce’s Information Security Policy and associated security policies, standards and procedures and be accountable for their actions, including:


• Informing themselves of information security policies and standards;

• Responsibility for all actions performed through their user account;

• Only accessing or attempting to access computer systems, applications, databases and files they are authorised to access;

• Non-disclosure of passwords or access codes;

• Only using Commerce’s information and other resources for their approved purposes;

• Compliance with all copyright and license requirements;

• Immediately notifying the Information Security Manager or their senior management should they become aware of or suspect:

− Any security exposures;

− Any security breaches. Reports will be treated confidentially consistent with the Internal Reporting Procedures and Confidentiality Disclosures.

• Compliance with associated policies;

• Physical protection of all equipment (e.g. desktop and laptop PCs) and removable storage media (e.g. diskettes, tapes, CDs) under their control; and

• Signing Commerce’s confidentiality agreement, which details the expected standards of confidentiality.

Physical protection includes the controls and procedures put in place to prevent intruders from physically accessing equipment and media, for example the use of cable locks for laptops and the storage of sensitive diskettes or other removable media in secure, lockable cabinets.

3.1.8 Audit Branch

Audit Branch has responsibility to:

• Perform periodic reviews of compliance with Commerce’s Information Security Policy and its associated policies and standards, and in accordance with the annual audit plan; and

• Report issues of non-compliance to the appropriate management.

The Chief Auditor, Audit Branch is responsible for the formal investigation and reporting of allegations of unauthorised access to or use of Commerce information or related assets.

3.1.9 IT Security Forum

The IT Security Forum has a Commerce-wide scope for agreeing broad information security initiatives and providing advice on information security to the GM, IM&T. The Forum consists of the following members:


• GM, IM&T;

• Information Security Manager;

• IT Services Manager;

• Audit Branch Representative;

• Corporate Risk Manager; and

• Asset Owners and Custodians or Business Unit Security Representative(s) (Asset Owner and Custodian delegates).

The IT Security Forum has the following responsibilities:

− Application of a risk management approach to information security decisions;

− Review and advise on information security policy in a timely manner;

− Oversee, monitor and report key incidents detected from logs and recommend appropriate mitigating actions; and

− Promotion of security training and awareness.

3.1.10 Business Unit Security Representative

Asset Owners and Custodians will appoint an information security representative to facilitate the implementation and management of information security for their information asset in line with ISO 27001 Information Security Management Requirements. The Business Unit Security Representative’s responsibilities include:

• Liaising with Asset Owners and Custodians (or their delegates) and the Information Security Manager on implementation of information security policy for the business unit;

• Encouraging a culture of reporting issues of non-compliance with information security policy;

• Assisting the Information Security Manager in any security incident investigations;

• Communicating and promoting information security awareness within the business unit; and

• Facilitating timely correction of any non-compliance issues brought to the attention of the business unit.


4. SECURITY POLICY STATEMENTS

The policy statements below address ISO 27001 security standard requirements. Where necessary, additional detailed policies have been developed to support specific aspects of this Information Security Policy.

4.1 Organisation of Information Security

ISO 27001 Reference | Commerce Policy Statement | Responsibility

A.6.1 Internal organization

A.6.1.1 | Commerce management shall actively support security within the organization through clear direction, demonstrated commitment, explicit assignment, and acknowledgment of information security responsibilities. | Asset Owners and Custodians

A.6.1.2 | All information security activities shall be co-ordinated by representatives from all business units with relevant roles and job functions. | Asset Owners and Custodians

A.6.1.3 | Management must ensure all information security responsibilities are clearly defined. | Asset Owners and Custodians

A.6.1.4 | An Asset Owner or Custodian authorization process for new information processing facilities shall be defined and implemented. | Asset Owners and Custodians

A.6.1.5 | Confidentiality or non-disclosure agreements must be identified, documented and reviewed regularly. | Asset Owners and Custodians

A.6.1.6 | Appropriate contacts with relevant authorities such as Police shall be maintained. | Asset Owners and Custodians

A.6.1.7 | Appropriate contacts with security interest groups or other specialist security forums and professional associations shall be maintained. | GM IM&T

A.6.1.8 | Commerce's approach to managing information security and its implementation shall be reviewed independently at planned intervals, or when significant changes to the security implementation occur. | GM IM&T

A.6.2 Security of third party access

A.6.2.1 | Third party access to Commerce assets shall only be provided upon explicit approval by appropriate Commerce management, whether the asset is hosted and managed internally or externally. Access to Commerce's network and information processing facilities must be controlled and based on an assessment of the risk of granting such access. | Asset Owners and Custodians

A.6.2.2 | Third parties shall formally commit to compliance with Commerce's information security policies and requirements. Permission for access to and use of any Commerce information by a third party must be governed through clauses built into agreements and contracts. Commerce's security standards must be defined and included in agreements and contracts. This should include, as a minimum, the need for the third party to: a) generally comply with the requirements of ISO 27001; b) report security breaches and violation attempts; c) comply with Commerce's Privacy Policy and all privacy legislation that applies to the third party; d) submit to regular reviews by Commerce or the third party's internal audit function in order to measure compliance with Commerce's security requirements. Contractors must sign a standard contract and statement of confidentiality, which confirms their adherence to Commerce's information security policies. It should advise penalties for non-compliance and should allow for termination of the agreement and recovery of expenses if security or privacy policies are breached. | Asset Owners and Custodians

A.6.2.3 | Agreements with third parties involving accessing, processing, communicating or managing the organization's information or information processing facilities, or adding products or services to information processing facilities, shall cover all relevant security requirements. | Asset Owners and Custodians

4.2 Asset Management

ISO 27001 Reference | Commerce Policy Statement | Responsibility

A.7.1 Responsibility for assets

A.7.1.1 | A register of critical assets shall be established and maintained. | Information Security Manager

A.7.1.2 | All information and assets associated with information processing facilities shall be identified and allocated an Owner or Custodian. | Information Security Manager

A.7.1.3 | A policy for acceptable use of information and assets associated with information processing systems must be documented and implemented. Refer to the detailed policy via the link below: http://dpwsnet.dpws.nsw.gov.au/Policy+and+Procedures/IMT/Information+Security/Acceptable+use.htm | Information Security Manager

A.7.2 Information classification

A.7.2.1 | All information assets used and held by Commerce, including the systems used in information processing, shall be classified in terms of business criticality and confidentiality. | Asset Owners and Custodians

A.7.2.2 | Procedures for information labelling and handling shall be developed and implemented. | Asset Owners and Custodians


4.3 Human Resources Security

ISO 27001 Reference | Commerce Policy Statement | Responsibility

A.8.1 Security in job definition and resourcing

A.8.1.1 | Where information security responsibilities are materially greater than those applying to all management and all staff, the role's Position Description shall include the information security responsibilities. | Manager (Manager of the role)

A.8.1.2 (Staff screening policy) | Verification checks on permanent staff, contractors and temporary staff are carried out at the time of job application. | Manager (Manager of the role) and HR Manager

A.8.1.3 (Terms and conditions of employment) | General information security responsibilities shall be included in employment terms and conditions for all staff. | HR Manager

A.8.2 During employment

A.8.2.1 | Management must ensure their staff comply with Commerce policies and procedures. | All Managers

A.8.2.2 | All staff shall be regularly educated on their information security responsibilities and good security practices, including prevailing security threats and counter-measures and information security incident identification and reporting. | Asset Owners and Custodians

A.8.2.3 | Commerce shall have a formal disciplinary process for employees who have breached information security policies. | HR Manager

A.8.3 Termination or change of employment

A.8.3.1 | Procedures for employment termination or change must be clearly documented and implemented. | GM, IM&T

A.8.3.2 | Managers must ensure all employees, contractors and third party users return all Commerce assets in their possession upon termination of their employment, contract or agreement. | Managers

A.8.3.3 | Managers must ensure the access rights of all employees, contractors and third party users to information and information processing facilities are removed upon termination of their employment, contract or agreement, or adjusted upon change. | Managers


4.4 Physical and Environmental Security

ISO 27001 Reference | Commerce Policy Statement | Responsibility

A.9.1 Secure areas

A.9.1.1 | Areas hosting Commerce information processing facilities shall be protected by security perimeters. | GM Business Infrastructure

A.9.1.2 | Appropriate physical security entry controls must be implemented for the protection of designated secure areas within Commerce. | GM Business Infrastructure

A.9.1.3 | Consistent with assessed risks and special security requirements, secure areas shall be created within Commerce premises to protect offices, rooms and facilities. | GM Business Infrastructure

A.9.1.4 | Procedures to protect against external and environmental threats shall be designed and implemented. | GM Business Infrastructure

A.9.1.5 | Formal procedures and guidelines shall be developed and additional controls implemented for working in designated Commerce secure areas. | Asset Owners and Custodians

A.9.1.6 | Delivery and loading areas must be controlled. If possible, those areas should be isolated from information processing facilities. | GM Business Infrastructure

A.9.2 Equipment security

A.9.2.1 | Computer and communications equipment should be located in areas where risks from environmental threats and hazards, and opportunities for unauthorised access, are minimised. | GM, IM&T

A.9.2.2 | Equipment shall be protected from power failures and other electrical anomalies. | GM, IM&T

A.9.2.3 | Power and telecommunications cables carrying data shall be protected from interception or damage. | GM, IM&T

A.9.2.4 | Equipment is maintained at recommended service intervals and as per supplier specifications. Maintenance is to be carried out only by authorised administrators. Fault logs are to be kept and maintained. | GM IM&T

A.9.2.5 | Control mechanisms shall be in place when sending equipment off premises. All use of information processing equipment outside Commerce must be authorised by management. Security of equipment outside Commerce premises shall be equivalent to or better than on Commerce premises. | Asset Owners and Custodians

A.9.2.6 | Information shall be erased from equipment prior to disposal or reuse. | Asset Owners and Custodians

A.9.2.7 | Staff must have approval before equipment, information or software is taken off-site. (Authority to take portable devices such as Laptops, Mobile Phones and Personal Digital Assistants is granted by management when these devices are approved for staff. Separate authorization is not required.) | Managers

4.5 Communications and Operations Management

ISO 27001 Reference | Commerce Policy Statement | Responsibility

A.10.1 Operational procedures and responsibilities

A.10.1.1 | All operating procedures shall be documented, treated as assets and placed under change control. | GM, IM&T

A.10.1.2 | Changes to information processing assets, including hardware, software and documentation, shall be managed via a formal change control process. | GM, IM&T

A.10.1.3 | Duties and areas of responsibility are separated in order to reduce opportunities for unauthorised modification or misuse of information or services. | Asset Owners and Custodians

A.10.1.4 | Operational facilities shall be segregated from development and testing facilities. | Asset Owners and Custodians

A.10.2 Third party service delivery management

A.10.2.1 | Security controls, service definitions and delivery levels shall be included in third party agreements. | Asset Owners and Custodians

A.10.2.2 | Third party services must be monitored and reviewed. | Asset Owners and Custodians

A.10.2.3 | All third party service changes shall be risk assessed. | Asset Owners and Custodians

A.10.3 System planning and acceptance

A.10.3.1 | All ICT resources shall be monitored and tuned, and projections made of future capacity requirements, to ensure the required system performance. | GM, IM&T

A.10.3.2 | Acceptance criteria for new information systems, upgrades and new versions shall be established, and suitable tests of the system(s) carried out during development and prior to acceptance. | GM, IM&T

A.10.4 Protection against malicious software

A.10.4.1 | Protection against malicious software shall apply defence-in-depth and defence-by-diversity. Anti-virus and anti-malware software must be installed on all eligible IT systems and kept current. The anti-virus and anti-malware software, its settings, parameters and general operation must not be altered or disabled. All electronic information from external sources, including diskettes, CD-ROMs, attachments to email messages and downloaded files, must be scanned for viruses before use. | GM, IM&T

A.10.4.2 | Where the use of mobile code is authorised, the configuration shall ensure that the authorised mobile code operates according to a clearly defined security policy, and unauthorised mobile code shall be prevented from executing. | GM, IM&T

A.10.5 Backup

A.10.5.1 | Regular backup of essential business information, such as production servers, critical network components and configuration, shall be implemented. Backup media and restoration procedures are to be stored offsite. Backup media are to be tested for restoration within the allotted time frame for recovery. | GM, IM&T

A.10.6 Network security management

A.10.6.1 | All authentication functions operated over shared networks shall use strong authentication. Controls must be implemented on all applications and systems. | GM, IM&T

A.10.6.2 | Security features, service levels and management requirements of all network services shall be identified and included in any network service agreement. | GM, IM&T

A.10.7 Media handling

A.10.7.1 | Clear standards and procedures on appropriate management of removable media shall be developed and regularly communicated to all involved parties. | GM, IM&T

A.10.7.2 | All media shall be disposed of in a manner that ensures the confidentiality of information is not compromised. | GM, IM&T

A.10.7.3 | Procedures for handling and storage of information and protection from unauthorised disclosure shall be implemented. | GM, IM&T

A.10.7.4 | System documentation shall be protected from unauthorised access. | GM, IM&T

A.10.8 Exchanges of information

A.10.8.1 | Formal policies and procedures must be in place when exchanging information with external agencies. | Asset Owners and Custodians

A.10.8.2 | Management must ensure agreements are established for the exchange of information and software between Commerce and external parties. | Asset Owners and Custodians

A.10.8.3 | Media while being transported shall be protected from unauthorised access, misuse or corruption. | Asset Owners and Custodians

A.10.8.4 | Electronic commerce shall be protected and controls implemented to protect against fraudulent activity, contract dispute and disclosure or modification of information. Security controls such as authentication and authorisation shall be considered in the e-commerce environment. E-commerce arrangements between trading partners shall include a documented agreement which commits both parties to agreed terms of trading, including detailed security issues. | Asset Owners and Custodians

A.10.8.5 | Policies and procedures shall be developed and implemented to protect information associated with the interconnection of business information systems. | Asset Owners and Custodians

A.10.9 Electronic commerce services

A.10.9.1 | Information in electronic commerce passing over public networks shall be protected from fraudulent activity, contract dispute, and unauthorised disclosure and modification. | Asset Owners and Custodians

A.10.9.2 | Business must ensure on-line transactions are protected against security breach. | Asset Owners and Custodians

A.10.9.3 | Integrity of information available on public systems must be maintained. | Asset Owners and Custodians

A.10.10 Monitoring

A.10.10.1 | Audit logs recording user activities, exceptions and information security events shall be produced and kept for an agreed period to assist in future investigations and access control monitoring. | GM, IM&T

A.10.10.2 | Procedures for monitoring use of information processing facilities shall be established and the results of the monitoring activities reviewed regularly. | GM, IM&T

A.10.10.3 | Logging facilities and log information shall be protected against tampering and unauthorised access. | GM, IM&T

A.10.10.4 | System administrator and system operator activities shall be logged. | GM, IM&T

A.10.10.5 | Faults shall be logged, analysed, and appropriate action taken. | GM, IM&T

A.10.10.6 | The clocks of all relevant information processing systems within an organisation or security domain shall be synchronised with an agreed accurate time source. | GM, IM&T

4.6 Access Control

ISO 27001 Reference | Commerce Policy Statement | Responsibility

A.11.1 Business requirement for access control

A.11.1.1 | Access control requirements must be implemented as per the policy. | Asset Owners and Custodians; GM IM&T

A.11.2 User access management

A.11.2.1 | Formal procedures shall be used for user registration, de-registration, granting access, removing access and reviewing access rights to ensure actions are timely, appropriate, documented and auditable. | GM, IM&T

A.11.2.2 | Allocation and use of privileges shall be restricted and controlled. Access shall be granted on a need-to-know and least-privilege basis and only after formal authorisation. Privileged access such as System Administrator access must be auditable and strictly controlled. | Asset Owners and Custodians

A.11.2.3 | The allocation and reallocation of passwords shall be controlled through a formal management process. | GM, IM&T

A.11.2.4 | User access rights shall be reviewed regularly. | Asset Owners and Custodians

A.11.3 User responsibilities

A.11.3.1 | Password standards shall be in place to guide users in selecting and maintaining secure passwords. | GM, IM&T

A.11.3.2 | Users are to be made aware of security requirements and procedures for protecting unattended equipment. | Asset Owners and Custodians

A.11.3.3 | A clear desk policy for sensitive papers and removable storage media, and a clear screen policy for information processing facilities, shall be adopted. | Asset Owners and Custodians

A.11.4 Network access control

A.11.4.1 | Access to Commerce network services shall be explicitly approved. No default access shall be available. | GM, IM&T

A.11.4.2 | External or remote user connections shall be authenticated and challenged before connection is permitted. Controls shall be identified and implemented. | GM, IM&T

A.11.4.3 | Specific information security standards and controls shall apply to all remote equipment and remote access, consistent with the increased risks. All remote equipment must be identified. | GM, IM&T

A.11.4.4 | Access to all diagnostic ports must be securely controlled. | GM, IM&T

A.11.4.5 | Networks with different levels of security shall be segregated to protect the network with the higher security requirements. | GM, IM&T

A.11.4.6 | User access to shared networks must be restricted. | GM, IM&T

A.11.4.7 | Shared networks shall have routing controls to ensure that computer connections and information flows do not breach the access control policy of the business applications. | GM, IM&T

A.11.5 Operating system access control

A.11.5.1 | All access to systems shall be secured by a logon procedure. The logon procedure should have minimal visible disclosure of information about system and user details. | Asset Owners and Custodians

A.11.5.2 | Secure automatic terminal identification shall be used to authenticate connections to specific locations. Appropriate user identification and authentication shall be used to ensure accountability for users' actions. | Asset Owners and Custodians

A.11.5.3 | All users shall have a unique user id to ensure accountability. Generic user accounts should only be supplied under exceptional circumstances where there is a clear business benefit. A password management system shall be used which enforces password controls such as individual passwords for accountability, enforces password changes, stores passwords in encrypted form and does not display passwords on screen. | Asset Owners and Custodians

A.11.5.4 | Use of system utility programs shall be restricted and tightly controlled. | GM, IM&T

A.11.5.5 | Inactive terminals in public areas are to be configured to clear the screen or shut down automatically after a defined period of inactivity. | Asset Owners and Custodians

A.11.5.6 | Restrictions on connection times shall be used for high risk applications or terminals in high risk locations. | Asset Owners and Custodians

A.11.6 Application and information access control

A.11.6.1 | Access to information and application systems shall be restricted in accordance with the access control policy. | Asset Owners and Custodians

A.11.6.2 | Sensitive systems shall have an isolated computing environment, such as running on a dedicated computer, and shall share resources only with trusted application systems. | Asset Owners and Custodians

A.11.7 Mobile computing and teleworking

A.11.7.1 | Formal policy controls shall be implemented that take into account the risks of working remotely and the use of mobile computing facilities. | GM, IM&T

A.11.7.2 | Policies, procedures and standards shall be developed to authorize and control teleworking activities. | GM, IM&T


4.7 Information Systems Acquisition, Development and Maintenance

ISO 27001 Reference | Commerce Policy Statement | Responsibility

A.12.1 Security requirements of systems

A.12.1.1 | Information security requirements shall be included with business requirements in all developments. These will normally be identified as a result of a risk assessment. | Asset Owners and Custodians

A.12.2 Security in application systems

A.12.2.1 | Data input to application systems shall be validated to ensure that it is correct and appropriate. | Asset Owners and Custodians

A.12.2.2 | Validation checks shall be incorporated into systems to detect any corruption of the data processed. | Asset Owners and Custodians

A.12.2.3 | Message authentication shall be used for applications where there is a security requirement to protect the integrity of the message content. | Asset Owners and Custodians

A.12.2.4 | Data output of application systems shall be validated to ensure that the processing of stored information is correct and appropriate to circumstances. | Asset Owners and Custodians

A.12.3 Cryptographic controls

A.12.3.1 | Cryptography shall be used when confidentiality, authenticity or integrity requirements cannot reasonably be met by other means. | Asset Owners and Custodians

A.12.3.2 | Encryption techniques shall be used to protect the confidentiality of sensitive or critical information. | Asset Owners and Custodians

A.12.4 Security of system files

A.12.4.1 | Controls shall be in place for the implementation of software on operational systems. | Asset Owners and Custodians

A.12.4.2 | System test data shall be protected and controlled. | Asset Owners and Custodians

A.12.4.3 | Strict controls shall be maintained over access to program source libraries. This is to reduce the potential for corruption of computer programs. | Asset Owners and Custodians

A.12.5 Security in development and support processes

A.12.5.1 | Strict control procedures shall be in place over implementation of changes to the information system. | Asset Owners and Custodians

A.12.5.2 (Technical review of operating system changes) | Application systems shall be reviewed and tested after changes occur. | Asset Owners and Custodians

A.12.5.3 (Restrictions on changes to software packages) | Changes to software packages shall be strictly controlled. | Asset Owners and Custodians

A.12.5.4 (Covert channels and Trojan code) | Controls shall be in place to ensure that covert channels and Trojan code are not introduced into new or upgraded systems, so that there is no information leakage. | Asset Owners and Custodians

A.12.5.5 (Outsourced software development) | Controls shall be applied to secure outsourcing of software development. Controls must include: licensing arrangements, escrow arrangements, contractual requirements for quality assurance, testing before installation to detect Trojan code, etc. | Asset Owners and Custodians

A.12.6 Control of technical vulnerabilities

A.12.6.1 | Procedures shall be in place to ensure vulnerability information is obtained and appropriate measures are taken to address associated risks. | Asset Owners and Custodians

4.8 Information Security Incident Management

ISO 27001 Reference | Commerce Policy Statement | Responsibility

A.13.1 Reporting information security events

A.13.1.1 | All critical information security events shall be reported to appropriate management. | All Managers

A.13.1.2 | All staff shall report any observed or suspected security weakness in systems and services to management. | Managers

A.13.2 Management of information security incidents

A.13.2.1 (Responsibilities and procedures) | Management shall ensure responsibilities and procedures are established. | Asset Owners and Custodians

A.13.2.2 | Management shall ensure procedures are in place to learn from security incidents. | Asset Owners and Custodians

A.13.2.3 | Management shall ensure evidence of any security incidents is retained. | Asset Owners and Custodians

4.9 Business Continuity Management

ISO 27001 Reference | Commerce Policy Statement | Responsibility

A.14.1 Aspects of business continuity management

A.14.1.1 | Formal processes for the business continuity and recovery of systems within agreed timeframes shall be developed, maintained and regularly tested. | Asset Owners and Custodians

A.14.1.2 | Management shall ensure appropriate plans and resources are in place to maintain business continuity following interruption or failure of critical business processes. | Asset Owners and Custodians

A.14.1.3 | All organisational units shall determine which business processes require continuity plans, by use of business impact assessment, and shall develop business continuity plans for them. | Asset Owners and Custodians

A.14.1.4 | A single framework of business continuity plans shall be maintained to ensure all plans are consistent, to consistently address information security requirements, and to identify priorities for testing and maintenance. | Asset Owners and Custodians

A.14.1.5 | Business continuity plans shall be tested regularly to ensure that they are up to date and effective. | Asset Owners and Custodians

4.10 Compliance

ISO 27001 Reference | Commerce Policy Statement | Responsibility

A.15.1 Compliance with legal requirements

A.15.1.1 | Relevant statutory, regulatory and contractual obligations shall be identified, documented and enforced for each information processing system. | Asset Owners and Custodians

A.15.1.2 | All software used on Commerce systems shall be legally acquired and must comply with copyright and licensing requirements. Personally acquired software is not permitted. | Managers

A.15.1.3 | Important records of the organisation shall be protected from loss, destruction and falsification. | Asset Owners and Custodians

A.15.1.4 | There shall be controls in place to protect data and the privacy of personal information. | Asset Owners and Custodians

A.15.1.5 | Commerce communications resources shall be used in an efficient, lawful and ethical manner. | Managers

A.15.1.6 | Controls for use of cryptography shall be in place to enable compliance with national agreements, laws and regulations. | GM, IM&T

A.15.2 Reviews of security policy and technical compliance

A.15.2.1 | Managers shall ensure compliance with all Commerce policies and standards. | Managers

A.15.2.2 | Information systems shall be regularly checked for compliance with security implementation standards. | Asset Owners and Custodians

A.15.3 System audit considerations

A.15.3.1 | Audits of operational systems shall be planned and agreed to minimize the risks of disruptions to business processes. | Asset Owners and Custodians

A.15.3.2 | Access to system audit tools shall be protected to prevent any possible misuse or compromise. | GM IM&T

Page 32: Department of Commerce Information Security Policy · Deliverable: Version: File: Page No: NSW Department of Commerce Information Security Policy 1 July 2010 1.5 NSW Department of

Deliverable: Version: File: Page No:

NSW Department of Commerce Information Security Policy 1 July 2010 1.5 NSW Department of Commerce Information Security Policy 32 of 34

5 COMPLIANCE

5.1 Consequences of Non-Compliance

Violations of this policy, or of any underlying policies, standards and procedures, may, depending on their severity and nature, result in Commerce taking appropriate action as set out in Section 9 (Management of Conduct and Performance) of the Public Sector Employment & Management Act 2002. That Act details the actions the Director General may take in the event of a 'charge' of misconduct, which include, but are not limited to, reprimand, loss of access privileges, termination of employment or contract, recovery of costs and/or legal action. Information may be reported or provided to law enforcement bodies.

5.2 Procedures for requesting exceptions to policies

Requests for exceptions to policies must be supported by a documented, justifiable business case. The business case should include any relevant information, such as the reason for the request, a designated owner, a scope, and a timeframe for implementation. If a policy exception would circumvent existing internal controls, then mitigating or compensating controls must be implemented and followed. The General Manager, IM&T and the Information Security Manager must be involved in all instances where internal security controls are bypassed. Exceptions must be approved and signed by the Asset Owner or the Asset Custodian and the GM, IM&T, and endorsed by the Client Reference Group (CRG). Once approved, exceptions to policy must be reviewed on a periodic basis, with the review interval depending on the level of risk involved in the exception and the level of mitigating controls implemented to manage that risk.

5.3 Reporting

Any breaches or violations of this policy must be reported immediately to line management and to the Chief Auditor, Audit Branch and/or the Information Security Manager. The Information Security Manager is responsible for recording all breaches of security and for informing the appropriate management function of such breaches.

5.4 Security Audits and Reviews

Security audits will take place at least once a year, auditing the relevant aspects of the security policy and security processes. These audits will review the implementation and effectiveness of selected security controls and the level of compliance with the security policy, based on the risk profile for Commerce. A review must be initiated immediately following a major security incident.


Security reviews of external parties, including business partners and service providers, must be conducted on a regular basis in line with the provisions contained in the contract with the external party.


6 REVIEW AND MAINTENANCE

6.1 Review and feedback

The Commerce Information Security Manager reviews this Policy at least annually for applicability and currency. However, changes to this Policy will also be made as and when required. Feedback on the Policy is encouraged. Feedback could include suggestions for improvement or updates needed, or areas where there is difficulty complying with any aspect of the Policy. Feedback should be sent to the Information Security Manager.

6.2 Policy Changes

Any request for a change to the Policy shall be made in writing to the Information Security Manager. The request is to include:

• An explanation of any problems experienced due to the current policy; and

• A risk analysis of the scope and nature of the change across Commerce if the requested change is implemented.

The Client Reference Group reviews all policy change requests. The Client Reference Group provides a recommendation to the IM&T Board and the Director General as input to the Director General’s decision to approve, decline or amend the request for a policy change.

6.3 Division responsible for the maintenance of this policy

Information Management and Technology (IM&T) - Information Security.

6.4 Related Documents and Policies

This Information Security Policy should be read and applied in conjunction with the following policies and standards:

• Commerce’s Code of Conduct

• Commerce’s Acceptable Use of Information and Information Systems

• Commerce’s Internet and Email Use Policy

• ISO 17799: Code of Practice for Information Security Management (Standards Australia)

• ISO 27001: Information Security Management Systems Requirements (Standards Australia)

• Privacy and Personal Information Protection Act NSW 1998

• Workplace Surveillance Act 2005.