Victorian Government Information Management - PowerPoint PPT Presentation

Transcript and Presenter's Notes
1
Victorian Government Information Management
Security Policy
  • Peter Mason
  • Enterprise Architecture Standards
  • Government Services Group

2
Who is Peter Mason and why is he here?
  • Peter Mason, MACS(Snr), SA Fin, MAICD, RANR
  • Head of Enterprise Architecture Standards,
    Government Services Group, Department of Treasury
    and Finance
  • GSG Mission - Lead the Whole of Victorian
    Government (WoVG) to improve its operational
    efficiency, through the provision of enabling
    services
  • GSG Technology Mission - Providing technology
    policy and standards direction and leadership in
    consultation with technology stakeholders across
    WoVG

3
Presentation alternative titles?
  • Diligence versus Negligence
  • Create an environment of information management
    diligence
  • Protection not Prevention
  • Create an environment where information is
    managed and protected
  • The end of Plausible Deniability
  • The cat is out of the bag
  • The secret's out
  • The monkey is out of the bottle
  • The policy is published

4
Policy, Standards & Guidelines 101
  • Policy
  • A policy is a deliberate plan of action to guide
    decisions and achieve a rational outcome
  • Standards
  • Supports Policy
  • Mandatory compliance within the Policy domain
  • Specifies performance criteria
  • May be multiple Standards supporting a Policy
  • Guidelines
  • Outlines a recommended way of complying with a
    Standard

5
GSG Advisory Note, 9 April 2009
6
Information Security Management Policy
  • SEC/POL/01
  • Statement of the Policy
  • Victorian Government Departments and Agencies
    will use identified and approved Whole of
    Victorian Government (WoVG) standards and
    guidelines to manage ICT security appropriate to
    the sensitivity of information and assets to be
    protected.
  • Scope: 10 inner budget departments and agencies,
    Victoria Police, VicRoads, State Revenue Office
    and Environment Protection Authority
  • Date of effect: 1 Jul 2005
  • Next review date: 31 Dec 2009
  • http://www.gsgictonline.dtf.vic.gov.au/

7
Information Security - Data Classification and
Management (SEC/STD/02)
  • Background
  • In July 2007, Minister Holding established the
    Victorian Government Risk Management Framework -
    personal annual attestation by each agency head
  • In December 2008, Helen Silver, Secretary DPC
    wrote to department and agency heads recommending
    adoption of the Protective Security Manual (PSM)
    for securing classified non-national information
  • Existing Federal-State MOU covers securing
    classified national information

8
Part C - Information Security (quoted from the PSM):
"Information collected and generated by Government
agencies, including individuals' private information
and security classified information, requires
adequate protection. Part C of the PSM provides
agencies with guidance on the development of
security policies that address the issues of
awareness, responsibility, behaviour and
deterrence to ensure official information is not
compromised. This includes the need for agencies
to be cognizant of their obligations under
relevant legislation such as the Privacy Act 1988
and the Freedom of Information Act 1982."
9
Information Security - Data Classification and
Management (SEC/STD/02)
  • Principles
  • Business is the custodian of information,
    therefore, only the business can own the risk
    associated with information
  • Business defines its risk appetite and manages
    risk accordingly
  • ICT manages electronic information on behalf of
    the business within the business defined risk
    appetite
  • Requirement
  • Business assesses and classifies information under
    PSM guidance
  • Business formally signs off on risk plan
    acceptance
  • ICT units design solutions using ICT Security
    Manual (ISM) as a guide, within risk plan
  • SEC/STD/02 applies to all new work (retrospective
    discretion)

10
(No Transcript)
11
Information Security Management Framework
SEC/STD/01
  • This standard updates and replaces an existing
    standard approved in July 2005
  • Updates to standards from ISO17799.2 to ISO27001
    and ISO17799 to ISO27002
  • Changes compliance requirement from discretionary
    to a requirement to submit proposed ISMF
    compliance plan to GSG within six months for
    endorsement
  • Requirement for reporting to GSG six monthly on
    actual progress to GSG endorsed plan
  • Full compliance is the stated goal, BUT
  • The journey is what it's really about: build and
    execute a plan
  • Start on gradual, planned and coordinated
    improvement.

12
Information Security Management Framework
SEC/STD/01
  • Requirement: Develop an Information Security
    Management Framework (ISMF) consisting of
  • Information Security Policy: a high-level security
    document covering the principal security
    objectives of the organisation (refer to ISO 27002
    Section 5 as a guide)
  • Information Security Management System (ISMS): a
    description of the organisational ISMS and its
    operation (effectively ISO 27001)
  • Risk Assessment Report: a risk assessment
    performed on the scope of the organisation's ISMS
  • Statement of Applicability: a description of
    each of the 133 Annex A controls in ISO 27001 and
    how (or whether, with justification) each is
    applied in the organisation

13
Information Security Standards Snapshot
14
WoVG Information Security Timeline
(Slide chart: Organisational Maturity (CMMI) plotted
against Time (years), with ticks at 2.5, 5, 7.5 and
10 years. The stages below run from the start of the
timeline to its end.)
  • Start: WoVG InfoSec Standards approved - incl.
    IDAM (ISO 27001, PSM / ISM, IDAM)
  • WoVG DA Business Governance of InfoSec in place.
    DA InfoSec structures in place. Defined ISMS and
    compliant with IDAM (internals) and PSM
    Classification (new).
  • Some areas of some DAs obtain ISO 27001
    certification. Emerging WoVG IDAM compliance for
    internals & externals. Emerging systemic DA PSM
    / ISM compliance.
  • Common DAs ISO 27001 certification. Common WoVG
    IDAM compliance for internals & externals. Common
    PSM / ISM compliance.
  • WoVG fully ISO Information Security Management
    certified.
15
WoVG Information Security Maturity
CMMI for InfoSec / IDAM Processes by Departments &
Agencies
(Slide chart: CMMI level per Department (or Agency),
1 to 14, annotated with "PSM & ISM" and with "IdAM
Standards / Authentication for VPS", the latter
placed at level 3.)
  • 5 Optimized: Focus on continual improvement of
    process performance (incremental and innovative).
  • 4 Managed: Use of process metrics to control 'As
    Is' (monitor & measure). Controlled adjustments
    and adaptations.
  • 3 Defined: Sets of defined and standard processes,
    improved over time. These are 'As-Is' processes
    across the entire organisation.
  • 2 Repeatable: Some processes repeatable, possibly
    with consistent results. Process discipline
    unlikely to be rigorous.
  • 1 Ad-hoc: Undocumented, uncontrolled and reactive
    (chaotic).
16
Why standards?
  • As information is more widely shared across
    government departments and agencies, information
    security is a critical risk management decision
    that will impact on business process and IT
    solution design.
  • By using the standards, departments and agencies
    can benefit from
  • a standardised approach in managing information
    security
  • reduced risk in information leakage, and
  • increased ability to share information faster and
    at lower cost within and across departments and
    agencies through
  • greater responsiveness and flexibility
  • reuse of existing common infrastructure

17
Guidelines, where?
  • Information Security Management Framework
    (SEC/STD/01)
  • A template for the Information Security
    Management Framework (ISMF) and its four key
    components is under development
  • Information Security - Data Classification and
    Management (SEC/STD/02)
  • Guideline on how to security-classify information
    is under development
  • Guideline on reporting security-classified
    systems to GSG is under development

18
For copies of the Policy and Standards:
http://www.gsgictonline.dtf.vic.gov.au/ or send
email to ict.enquiries@dtf.vic.gov.au
19
Questions?
  • For further information
  • http://www.gsgictonline.dtf.vic.gov.au/
  • > ICT policies, standards and guidelines
  • > Information security
  • GSG ICT Enquiries - ict.enquiries@dtf.vic.gov.au
  • Peter Mason - peter.j.mason@dtf.vic.gov.au
  • David Hart - david.j.hart@dtf.vic.gov.au