Information Security Management Policy
Department of . . .

Purpose:
Scope:
Principle:
Replaces:
Commences: <date>
File:
Approver:          Date:
Endorser:          Date:
Director General:  Date:

Page 1 of 12
1. Policy
The Department of . . . is responsible for the security of its information and
information systems.
2. Objectives
To ensure that the Department's requirements for information security are satisfied in
accordance with the principles of risk management, namely:
a. the control of access to, and proper use of, information and information
systems
b. the availability, confidentiality and integrity of information
c. the authentication of users
d. the non-repudiation of electronic transactions
3. Definition
4. Application
a. The Department will adopt relevant standards for information security
management and risk management, including WA Government
guidelines.
b. Compliance with these guidelines is to be managed by the
Information Security Group.
c. Compliance means:
- regular reviews of security exposures
- investigation of security infringements, as required
- an ongoing action plan to achieve continuous improvement in
security, within the operational budget allocation
d. The Department's framework for information security management is
summarised in the appendices. <Departments should include policy
lists and delegations>
5.
5.1. Staff
System Owners
a. Are responsible for ensuring the compliance of their systems with this
Information Security Management Policy.
5.7.

6. Policy Promulgation
Commencement date:
Communication process:

7. Policy Review

8. Contact
Questions related to this policy document may be directed to the Director, Information
Services, on (08) 9999-9999.
9. Appendix: Minimum Standards (per AS/NZS ISO/IEC 17799:2006)
Information security is the protection of information from a wide range of threats in order to
ensure business continuity, minimize business risk, and maximize return on investments
and business opportunities.
Information security is achieved by implementing a suitable set of controls, including
policies, processes, procedures, organizational structures and software and hardware
functions.
9.1. Security Requirements
It is essential that an organization identifies its security requirements. There are three
main sources of security requirements.
1. One source is derived from assessing risks to the organization, taking into account
the organization's overall business strategy and objectives. Through a risk
assessment, threats to assets are identified, the vulnerability to those threats and the
likelihood of their occurrence are evaluated, and the potential impact is estimated.
2. Another source is the legal, statutory, regulatory, and contractual requirements that
an organization, its trading partners, contractors, and service providers have to
satisfy, and their socio-cultural environment.
3. A further source is the particular set of principles, objectives and business
requirements for information processing that an organization has developed to
support its operations.
9.2. Selecting Controls
Once security requirements and risks have been identified and decisions for the treatment
of risks have been made, appropriate controls should be selected and implemented to
ensure risks are reduced to an acceptable level [for the Department].
9.4. Summary

Risk assessment
Security policy: management direction
Asset management: inventory and classification of information assets
Access control
Information security incident management: anticipating and responding appropriately to
information security breaches
Compliance
AS/NZS ISO/IEC 17799:2006 is identical with and has been reproduced from ISO/IEC
17799:2005.
ISO/IEC 27002:2005 comprises ISO/IEC 17799:2005 and ISO/IEC
17799:2005/Cor.1:2007. Its technical content is identical to that of ISO/IEC 17799:2005.
ISO/IEC 17799:2005/Cor.1:2007 changes the reference number of the standard from
17799 to 27002.
11. Appendix: Information Security Controls (delete as needed)
AS/NZS ISO/IEC 17799:2006 groups its 133 controls into 39 main security categories
under eleven security control clauses (5 to 15), preceded by an introductory clause on
risk assessment and treatment (4). The table below lists these as twelve categories, with
the purpose of each section and its sub-sections where given.
Category: 4 Risk Assessment
  Section: 4.1 Assessing Security Risks
    Purpose: Risk assessments should identify, quantify, and prioritize risks against
    criteria relevant to the organization.
  Section: 4.2 Treating Security Risks
    Purpose: Controls to manage or reduce the risk or its impact.

Category: 5 Security Policy
    Purpose: To provide management direction and support for information security in
    accordance with business requirements and relevant laws and regulations.

Category: 6 Organization Of Information Security
    Purpose: To manage information security within the organization.

Category: 7 Asset Management
  Section: 7.2 Information Classification
Category: 8 Human Resources Security
  Section: 8.1 Prior To Employment
    Purpose: To ensure that employees, contractors and third party users understand
    their responsibilities, and are suitable for the roles they are considered for, and
    to reduce the risk of theft, fraud or misuse of facilities.
  Section: 8.2 During Employment
    Purpose: To ensure that employees, contractors and third party users are aware of
    information security threats and concerns, their responsibilities and liabilities,
    and are equipped to support organizational security policy in the course of their
    normal work, and to reduce the risk of human error.
  Section: 8.3 Termination Or Change Of Employment
    Purpose: To ensure that employees, contractors and third party users exit an
    organization or change employment in an orderly manner.

Category: 9 Physical And Environmental Security
  Section: 9.1 Secure Areas
    Purpose: To prevent unauthorized physical access, damage, and interference to the
    organization's premises and information.

Category: 10 Communications And Operations Management
  Section: 10.1 Operational Procedures And Responsibilities
Category: 10 Communications And Operations Management (continued)
  Section: 10.2 Third Party Service Delivery Management
    Purpose: To implement and maintain the appropriate level of information security
    and service delivery in line with third party service delivery agreements.
    Sub-sections:
      10.2.1 Service Delivery
      10.2.2 Monitoring And Review Of Third Party Services
      10.2.3 Managing Changes To Third Party Services
  Section: 10.3 System Planning And Acceptance
    Purpose: To minimize the risk of systems failures.
    Sub-sections:
      10.3.1 Capacity Management
      10.3.2 System Acceptance
  Section: 10.4 Protection Against Malicious And Mobile Code
    Purpose: To protect the integrity of software and information.
    Sub-sections:
      10.4.1 Controls Against Malicious Code
      10.4.2 Controls Against Mobile Code
  Section: 10.5 Back-Up
    Purpose: To maintain the integrity and availability of information and information
    processing facilities.
    Sub-sections:
      10.5.1 Information Back-Up
  Section: 10.6 Network Security Management
    Purpose: To ensure the protection of information in networks and the protection of
    the supporting infrastructure.
  Section: 10.7 Media Handling
    Purpose: To prevent unauthorized disclosure, modification, removal or destruction
    of assets, and interruption to business activities.
  Section: 10.8 Exchange Of Information
    Purpose: To maintain the security of information and software exchanged within an
    organization and with any external entity.
  Section: 10.9 Electronic Commerce Services
    Purpose: To ensure the security of electronic commerce services, and their secure
    use.
  Section: 10.10 Monitoring
    Purpose: To detect unauthorized information processing activities.

Category: 11 Access Control
Category: 11 Access Control (continued)
  Section: 11.2 User Access Management
    Purpose: To ensure authorized user access and to prevent unauthorized access to
    information systems.
    Sub-sections:
      11.2.1 User Registration
      11.2.2 Privilege Management
      11.2.3 User Password Management
      11.2.4 Review Of User Access Rights
  Section: 11.3 User Responsibilities
    Sub-sections:
      11.3.1 Password Use
      11.3.2 Unattended User Equipment
      11.3.3 Clear Desk And Clear Screen Policy
  Section: 11.4 Network Access Control
    Sub-sections:
      11.4.1 Policy On Use Of Network Services
      11.4.2 User Authentication For External Connections
      11.4.3 Equipment Identification In Networks
      11.4.4 Remote Diagnostic And Configuration Port Protection
      11.4.5 Segregation In Networks
      11.4.6 Network Connection Control
      11.4.7 Network Routing Control
  Section: 11.5 Operating System Access Control
    Sub-sections:
      11.5.1 Secure Log-On Procedures
      11.5.2 User Identification And Authentication
      11.5.3 Password Management System
      11.5.4 Use Of System Utilities
      11.5.5 Session Time-Out
      11.5.6 Limitation Of Connection Time
  Section: 11.6 Application And Information Access Control
    Sub-sections:
      11.6.1 Information Access Restriction
      11.6.2 Sensitive System Isolation
  Section: 11.7 Mobile Computing And Teleworking
    Sub-sections:
      11.7.1 Mobile Computing And Communications
      11.7.2 Teleworking

Category: 12 Information Systems Acquisition, Development And Maintenance
  Section: 12.1 Security Requirements Of Information Systems
    Sub-sections:
      12.1.1 Security Requirements Analysis And Specification
Category: 12 Information Systems Acquisition, Development And Maintenance (continued)
  Section: 12.3 Cryptographic Controls
    Purpose: To protect the confidentiality, authenticity or integrity of information
    by cryptographic means.
    Sub-sections:
      12.3.1 Policy On The Use Of Cryptographic Controls
      12.3.2 Key Management
  Section: 12.4 Security Of System Files
    Purpose: To ensure the security of system files.
  Section: 12.5 Security In Development And Support Processes

Category: 13 Information Security Incident Management
  Section: 13.2 Management Of Information Security Incidents And Improvements

Category: 14 Business Continuity Management
  Section: 14.1 Information Security Aspects Of Business Continuity Management
Category: 15 Compliance
  Section: 15.1 Compliance With Legal Requirements
    Purpose: To avoid breaches of any law, statutory, regulatory or contractual
    obligations, and of any security requirements.
    Sub-sections:
      15.1.1 Identification Of Applicable Legislation
      15.1.2 Intellectual Property Rights (IPR)
      15.1.3 Protection Of Organizational Records
      15.1.4 Data Protection And Privacy Of Personal Information
      15.1.5 Prevention Of Misuse Of Information Processing Facilities
      15.1.6 Regulation Of Cryptographic Controls
  Section: 15.2 Compliance With Security Policies And Standards, And Technical Compliance
    Sub-sections:
      15.2.1 Compliance With Security Policies And Standards
      15.2.2 Technical Compliance Checking
  Section: 15.3 Information Systems Audit Considerations
    Sub-sections:
      15.3.1 Information Systems Audit Controls