
ITSS_17 IT Security Standard – Information Security Risk & Compliance Management

Version: 1.0
Approved by: Vice-President, Finance and Operations
Approval date: 7 June 2016
Effective date: 7 June 2016
Next review date: 7 June 2017

Standard Statement

Purpose

UNSW Australia (UNSW) has developed an Information Security Management System (“ISMS”) which comprises Policies, Standards and Processes. The framework is implemented to protect UNSW against current and emerging security threats that could cause an information security incident. UNSW also has legal obligations which must be clearly understood and addressed.

Risk is the possibility of harm occurring; Risk Management is the process of identifying, analysing and mitigating risk to an acceptable level by implementing controls that keep risk within UNSW's stated appetite and tolerance. This standard sets out the requirements that enable informed, risk-based business decisions from an information security perspective.

To feed the risk process, an information security compliance program verifies that the controls documented in the ISMS standards are operating effectively and efficiently.

Scope

This standard applies to all users of University Information and Communication Technology resources – including (but not limited to) staff (including casuals), students, consultants and contractors, third parties, agency staff, alumni, associates and honoraries, conjoint appointments and visitors to UNSW.

Are Local Documents on this subject permitted?

□ Yes □ Yes, subject to any areas specifically restricted within this Document

□ No

Standard

1. Controls (page 1)
   1.1 Risk Management (1)
   1.2 Phase 1 - Risk Identification (2)
   1.3 Phase 2 - Risk Assessment & Evaluation (2)
   1.4 Phase 3 - Risk Treatment & Monitoring (2)
   Compliance Management (3)
   1.5 Compliance with Information Security Management System (ISMS) (3)
   1.6 Compliance with the Legal and Regulatory Framework (4)

2. Control Exceptions (4)

3. ISMS Mapping with Industry Standards (4)

4. Document Review, Approval & History (4)
   4.1 Quality Assurance (4)
   4.2 Sign Off (4)

1. Controls

1.1 Risk Management

1.1.1 A formalised and documented risk management plan must be deployed, detailing the necessary steps for risk identification, assessment, evaluation, treatment and monitoring. The risk management plan must consider:

a) UNSW Enterprise Risk Management Framework.

b) Established information security risk assessment frameworks and methodologies such as ISO 31000 and ISACA principles.

c) Information assets included in the UNSW IT Asset Inventory as per the ITSS_08 IT Asset Management Standard.

Information Security Risk and Compliance Management Standard – ITSS_17 Version 1.0 Effective 7 June 2016

Page 1 of 5

Page 2: IT Security Standard – Information Security Risk & Compliance Management · ITSS_17 IT Security Standard – Information Security Risk & Compliance Management . Version Approved

1.2 Phase 1 - Risk Identification

Security risks can be identified by a number of sources. These risk sources include, but are not limited to, the following:

a) Scheduled risk assessments on a regular basis. The scope of these assessments may include a set of information systems, IT operational areas, processes and procedures or a UNSW Division or Faculty.

b) Risk assessments conducted on a case by case basis as required by the ISMS, for example during the change management process or during the acquisition and development of an information system.

c) Internal or external audit involving the review of ISMS components.

d) ISMS compliance assessments (see Section 1.5, Compliance with Information Security Management System).

e) A potential or actual security incident revealing a weakness and the related security risk.

f) UNSW staff members who identify a security risk as part of their job responsibilities.

Identified security risks must be subject to appropriate assessment, treatment and monitoring processes as described below.

1.3 Phase 2 - Risk Assessment & Evaluation

1.3.1 Identified security risks must be assessed using the principles contained within the UNSW Enterprise Risk Management Framework, including:

a) Information risks must be managed in line with the UNSW IT Risk Management Plan.

b) UNSW’s exposure to identified risks is estimated using the Rating Scales and Criteria included in the Risk Exposure Map.

UNSW’s Enterprise Risk Management Framework provides the flexibility to UNSW Divisions and Faculties to tailor the criteria for risk assessments in accordance with their operating environment.

1.4 Phase 3 - Risk Treatment & Monitoring

1.4.1 Risk treatment options must be selected based on the outcome of the Risk Identification and Assessment Phases.

There are four risk treatment options. They are not mutually exclusive and can be used in combination:

Risk Treatment Option: Description

Risk Reduction: The level of risk is reduced through the selection of controls so that the residual risk can be reassessed as acceptable.

Risk Retention: If the level of risk meets the risk acceptance criteria, no additional controls need to be implemented and the risk can be retained.

Risk Avoidance: When the identified risks are considered too high, or the costs of implementing other risk treatment options exceed the benefits, a decision may be made to avoid the risk completely, by withdrawing from a planned or existing activity or set of activities, or by changing the conditions under which the activity is operated.

Risk Transfer: Transfer the risk to another party that can manage the particular risk most effectively, depending on the risk evaluation. Risk transfer involves a decision to share certain risks with external parties. Risk transfer can create new risks or modify existing, identified risks, so additional risk treatment may be necessary.


1.4.2 Based on the list of risk treatment decisions, UNSW must select cost-effective controls designed to reduce, retain, avoid, or transfer the risks. Controls may be technical or non-technical, and preventive or detective in nature:

a) Technical controls are safeguards that are incorporated into computer hardware, software, or firmware (e.g., access control mechanisms, identification and authentication mechanisms, encryption methods, intrusion detection software).

b) Non-technical controls are management and operational controls, such as security Policies, Standards and Processes, reporting and escalation and personnel security.

1.4.3 A risk treatment plan must be developed that clearly identifies the priority for which individual risk treatments must be implemented and their respective timeframes. The plan must include:

a) A prioritised information risk register which lists all identified risks and their respective owners.

b) Final risk treatment decisions.

c) Recommended risk treatment controls to reduce, retain, avoid, or transfer the risks grouped according to their relative complexity and time horizon (for example short term versus longer term initiatives) and interdependencies between identified projects and applicable constraints.

1.4.4 The risk treatment plan must be submitted to the risk owner (business owner) for validation and approval. The risk treatment plan progress must be monitored and reported by the local Information Security focal point.

Compliance Management

1.5 Compliance with Information Security Management System (ISMS)

1.5.1 ISMS compliance assessments must be executed by qualified staff and take place on a regular basis. Responsibility for executing compliance assessments rests with the Information Security Governance Manager or delegate (local information security focal point).

1.5.2 All compliance assessment activities must undergo proper planning and execution, including:

a) Identifying the assessment scope

b) Minimising any disruption to business operations.

c) Agreeing on all compliance assessment activities and objectives with management.

d) Identifying resource and skill needs for any technical tasks.

1.5.3 The UNSW Information Security Governance Manager or delegate (local information security focal point) must ensure that all compliance assessment activities are appropriately planned, logged, and monitored via a documented compliance assessment plan.

1.5.4 Compliance assessments must be conducted which involve procedural and technical reviews for ensuring compliance with the UNSW ISMS. Compliance assessments must be:

a) Conducted at least annually.

b) Performed by individuals who are not involved in the activities being audited.

1.5.5 All compliance deviations should be recorded and considered as part of the risk management process and classified as “Sensitive”.

1.5.6 The compliance assessment findings must be classified as follows:

Finding Type: Observations
Remediation Action*: To be assessed as per the risk process
Examples: Observations which are not classified as non-conformities but should be considered to enhance control improvement

Finding Type: Findings
Remediation Action*: To be assessed as per the risk process
Examples: Findings should be considered as a means to further strengthen the security control environment and improve the existing process

*Aligned with the risk rating of each finding.


1.5.7 A detailed preventive and corrective action plan must also be documented and must accompany each audit finding.

1.6 Compliance with the Legal and Regulatory Framework

1.6.1 All applicable legal regulations must be documented and defined by the UNSW Legal Department. The relevant UNSW Division or Faculty is responsible for implementing appropriate ISMS security controls based on the regulatory framework or research grant conditions. It is the Division's or Faculty's responsibility to ensure compliance with the identified regulations.

The UNSW IT Risk Management and Legal Department are responsible for identifying regulatory compliance requirements for data protection, privacy, and information security.

1.6.2 A UNSW Privacy or Data Protection Officer must be assigned to ensure compliance with all legal regulations regarding Personally Identifiable Information (PII).

1.6.3 All software used by UNSW must be appropriately licensed and in compliance with software copyright agreements.

1.6.4 UNSW must ensure that standards for record retention, storage, handling, and disposal are implemented for all information covered under legal or regulatory statutes.

1.6.5 The retention schedule for information must be defined and disseminated. The retention schedule must contain, but is not limited to:

a) Type of information.

b) Inventory of sources for this type of information.

c) Record retention time periods.

It is the responsibility of information owners to work with the Legal Department to determine proper record retention schedules and procedures, and work with IT Risk Management to meet any security related regulatory requirements.

2. Control Exceptions

All exemption requests must be reviewed, assessed and approved by the relevant business stakeholder. Please refer to the ISMS Base Document for more detail.

3. ISMS Mapping with Industry Standards

The table below maps the ITSS_17 Information Security Risk and Compliance Management Standard to the security domains of the ISO27001:2013 Security Standard and the Principles of the Australian Government Information Security Manual.

ISO27001:2013: 18 Compliance
Information Security Manual: Information Security Risk Management

4. Document Review, Approval & History

This section details the initial review, approval and ongoing revision history of the standard. Post initial review the standard will be presented to the ISSG recommending the formal UNSW policy consultation and approval process commence.

A review of this standard will be managed by the Chief Digital Officer on an annual basis.

4.1 Quality Assurance

This document was designed and created by external and internal consultants in consultation with internal key technical subject matter experts, business and academic stakeholders.

4.2 Sign Off

Endorsement: Date
ISSG – Information Security Steering Group: 30 July 2015
ITC – Information Technology Committee: 27 August 2015
CDO – Chief Digital Officer: 7 June 2016


Accountabilities

Responsible Officer

Chief Digital Officer

Contact Officer

[email protected]

Supporting Information Parent Document (Policy) IT Security Policy

Supporting Documents Nil

Related Documents

Data Classification Standard
Data Handling Guidelines
ISMS Base Document
ITSS_08 IT Asset Management Standard

Superseded Documents Nil

UNSW Statute and / or Regulation

Nil

Relevant State / Federal Legislation

Nil

File Number 2016/16925 [ITSS_17]

Definitions and Acronyms

No terms have been defined

Revision History

Version: 1.0
Approved by: Vice-President, Finance and Operations
Approval date: 7 June 2016
Effective date: 7 June 2016
Sections modified: This is a new document
