
DPC/S4.5 Government standard on cyber security

Version: 3.1 Date: September 2017

ISMF Standard 140

Notifiable Incidents: Across Government Cyber Security Incident Reporting Scheme


GOVERNMENT STANDARD ON CYBER SECURITY DPC/S4.5 Notifiable Incidents – Across Government Cyber Security Incident Reporting Scheme

Coverage: The South Australian public authorities required to adhere to this standard are defined in DPC/F4.1 Government framework on cyber security – Information Security Management Framework [ISMF].

This standard is intended for use by South Australian Government agencies and suppliers to Government whose contractual obligations require them to comply with this document. Reliance upon this policy or standard by any other person is entirely at their own risk and the Crown in the right of South Australia disclaims all responsibility or liability to the extent permissible by law for any such reliance.

Notifiable Incidents: Across Government Cyber Security Incident Reporting Scheme DPC/S4.5 version 3.1 Page 2 of 12


DOCUMENT TERMINOLOGY AND CONVENTIONS

The terms that are used in this document are to be interpreted as described in Internet Engineering Task Force (IETF) RFC 2119 entitled “Key words for use in RFCs to Indicate Requirement Levels” [1]. The RFC 2119 definitions are summarised in the table below.

Term: Description

MUST: This word, or the terms "REQUIRED" or "SHALL", means that the definition is an absolute requirement of the specification.

MUST NOT: This phrase, or the phrase “SHALL NOT”, means that the definition is an absolute prohibition of the specification.

SHOULD: This word, or the adjective "RECOMMENDED", means that there may exist valid reasons in particular circumstances to ignore a particular item, but the full implications must be understood and carefully weighed before choosing a different course.

SHOULD NOT: This phrase, or the phrase "NOT RECOMMENDED", means that there may exist valid reasons in particular circumstances when the particular behaviour is acceptable or even useful, but the full implications should be understood and the case carefully weighed before implementing any behaviour described with this label.

MAY: This word, or the adjective “OPTIONAL”, means that an item is truly optional.

[1] www.ietf.org/rfc/rfc2119.txt?number=2119


TABLE OF CONTENTS

1. PURPOSE 5
2. CONTEXT 5
2.1. Background 5
2.2. History 6
3. SCOPE 6
4. TERMS AND ABBREVIATIONS 6
4.1. Terms 6
4.2. Abbreviations 7
5. STANDARD 8
5.1. South Australian Government standard 8
6. IMPLEMENTATION 9
6.1. Implementation considerations 9
6.2. Exemptions 9
6.3. Responsibilities 9
7. REFERENCES AND LINKS 10
ANNEX 1 11
DIAGRAM: Document Hierarchy 11
ANNEX 2 12
DIAGRAM: Overview of Cyber Security Incident Reporting Scheme 12


1. PURPOSE

This document states the standard of the Government of South Australia with respect to reporting obligations for cyber security incidents.

2. CONTEXT

2.1. Background

The South Australian (SA) Government’s ability to deliver services to the community is dependent on the availability, integrity and confidentiality of a range of ICT systems. The Department of the Premier and Cabinet [DPC] manages the across SA Government Cyber Security Incident Reporting scheme in order to gain an understanding of the current security incidents affecting the government’s ICT systems and also assist all agencies to prepare for and respond to incidents when they occur.

The reporting of cyber security incidents assists in the development of a whole of government picture of the threat to the government’s ICT assets. All SA Government agencies and applicable suppliers have a requirement to report cyber security events and incidents to DPC. By being adequately informed DPC can undertake a number of preventative or response measures, including:

o Notifying agencies of current threats that they need to be aware of and measures they can take to mitigate these threats.

o Implementing additional technical preventative measures such as additional blocking or filtering.

o Coordinating and prioritising government resources to investigate or respond to multi-agency incidents.

o Reporting the information to relevant national resources and intelligence services.

o Providing regular reports to relevant governance committees on the quantity and type of incidents occurring.

These measures assist the SA Government as a whole to better manage the threat posed by cyber security incidents, as well as supporting DPC in fulfilling its legislative obligations as the Control Agency for ICT Failure [2].

This standard supports the requirements described in Policy Statement 12 of the Information Security Management Framework [ISMF], and the achievement of the Business Continuity Planning objectives stipulated in section 16 of the ISMF. It also assists DPC to fulfil its obligations as the Control Agency for ICT Failure under the South Australian emergency management arrangements.

Annex 1 describes the relationships between this standard and other relevant cyber security and emergency management policies, standards and plans.

[2] DPC is the Control Agency for ICT Failure under the South Australian Government’s Emergency Management arrangements. Refer to http://www.safecom.sa.gov.au/site/emergency_management/emergency_management_arrangements/state_emergency_management_arrangements.jsp for additional information.


2.2. History

DPC/S4.5 Notifiable Incidents: Across Government Cyber Security Incident Reporting Scheme [ISMF Standard 140] (“this standard”) replaces ODG S/4.5 Notifiable Incidents [ISMF Standard 140]. It also supersedes, and shall be considered a full substitute for the government policy on information and communication technology, GICT/P4.4 Security – Security Violations and OCIO/P4.5 Security - Notifiable Incidents Policy.

3. SCOPE

This standard shall apply, unless otherwise advised, to all bodies that are:

o South Australian Government public sector agencies (as defined in the Public Sector Act 2009), that is, administrative units, bodies corporate, statutory authorities, and instrumentalities of the Crown. Public sector agencies are herein referred to as “Agencies”; OR

o Suppliers to the South Australian Government or its Agencies that have contractual conditions which require compliance with the ISMF as described in section 2.1 of the ISMF.

4. TERMS AND ABBREVIATIONS

4.1. Terms

“Cyber Security Event” is an identified occurrence of a system, service or network state indicating a possible breach of information security policy or failure of controls, or a previously unknown situation that may be security relevant.

“Cyber Security Incident” is a single or a series of unwanted or unexpected cyber security events that have a significant probability of compromising business operations and threatening information security.

“Responsible Party” is used in two contexts within the ISMF. These are:

o An Agency – the internal to government body that retains ultimate responsibility for all aspects covered by the ISMF as it relates to a particular agency and its information assets.

o A Supplier – an external to government entity that is typically responsible for compliance with the ISMF by way of a contractual agreement that contains clauses requiring security of Agency information and the regulation of access to an Agency’s information assets. The term “Supplier” shall be read as “Suppliers who are subject to contractual conditions that require them to comply with the ISMF” unless another intention is apparent.


When a Supplier has contracted with the State, the provisions of the ISMF will apply to the Supplier either:

o under the terms of a Purchasing Agreement for whole of Government contracts and associated Customer Agreements; or

o by way of an individual contract with an Agency whereby the Agency has specified the parts of its Information Security Management System [ISMS] for which compliance is sought.

It should be noted that Agency Chief Executives retain ultimate accountability for all security matters within their agencies. The application of the ISMF to a Supplier via a contract with the State or Agency shall not absolve the Agency from these obligations and responsibilities.

“Responsible Parties” includes both Agencies and Suppliers who are subject to contractual conditions that require them to comply with the ISMF. Where any ambiguity arises between these entities in relation to adherence to the ISMF, the Agency Controls implemented in the Customer Agreement shall prevail (i.e. The Agency remains the default party and the Customer Agreement is used as the vehicle for setting the scope and requirements for the Supplier to comply with either the entirety of the ISMF or part(s) thereof. The Customer Agreement may also introduce additional Agency-specific controls and policies that the Supplier must comply with).

“Business Owner” represents the person or group that is ultimately responsible for an information asset. This person or group is distinct from an information custodian, who may take responsibility for the ongoing management of the information (such as a CIO or system administrator). Individual business units should own business critical information, rather than information technology or information security departments (they are custodians, not owners). The manager of the business unit responsible for the creation of any information and / or the business unit directly impacted by the loss of the information is usually the Business Owner. A Business Owner or group of Business Owners must be identified for each information asset.

4.2. Abbreviations

CIO Chief Information Officer
ICT Information Communication Technology
ISMF Information Security Management Framework
PSMF Protective Security Management Framework
SEMP State Emergency Management Plan


5. STANDARD

5.1. South Australian Government standard

o Responsible Parties must report cyber security events to the DPC. An assessment will then be made by the DPC, in consultation with the Responsible Party, on whether the event constitutes an incident. If it is assessed as an event then nothing further will be required of the agency.

e.g. A single phishing e-mail being received by a finance area in one department may seem minor and would not necessarily be classified an incident, however, if multiple finance areas have received phishing e-mails it may be an indication of government finance departments being specifically targeted which would require an additional level of investigation.

o If, after an assessment by DPC and the reporting agency, it is determined that an event constitutes a cyber security incident then an additional level of action will be taken by the Responsible Party in conjunction with DPC including the submission of a formal incident report form.

e.g. A successful virus infection in one agency is investigated by the reporting agency, and indicators of compromise are found to be present in multiple other agencies. DPC puts technical controls in place at the whole of government level and a security bulletin is sent to all agency IT Security Advisers providing them with information to mitigate the threat and clean it up if it is present.

o If it is determined that a cyber security incident has occurred then Responsible Parties should, as soon as practicable, submit a Cyber Security Incident Report Form. ISMF Guideline 12a provides a copy of this form and additional information on completing it.

o The Cyber Security Incident Reporting Scheme will work in parallel with each Responsible Party’s own internal processes for incident handling and response, and shall not be considered a substitute for internal incident management responsibilities.

o Each Responsible Party’s internal plans should outline the requirement for, and method of, informing DPC of cyber security events and cyber security incidents.

o Personnel from DPC may contact Agency and/or Supplier staff to follow up investigative and remedial concerns upon receipt of a completed Cyber Security Incident Report Form.

o Annex 2 provides a diagram which gives an overview of this process.

o ISMF Guideline 12a provides further advice which may be of assistance for agencies.
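The assessment step above (a single phishing e-mail in one agency stays an event, the same e-mail across several finance areas warrants further investigation) is a cross-agency correlation. The following is an added example, not part of this standard or any DPC tooling: it pools constructed event reports from several Responsible Parties and flags an indicator seen in more than one agency as a candidate incident for assessment. The agency names, indicator values and the two-agency escalation threshold are assumptions made for the example.

```python
"""Cross-agency correlation of reported cyber security events.

Added example, not part of DPC/S4.5 or any DPC tooling. Events reported
by individual Responsible Parties are pooled, and an indicator seen in
more than one agency is flagged as a candidate incident for DPC and the
reporting agency to assess. Event records, agency names, indicator values
and the escalation threshold are all constructed for this example.
"""
from collections import defaultdict
from dataclasses import dataclass

# Assumed threshold: an indicator reported by this many distinct agencies
# is escalated from "event" to "candidate incident" for assessment.
ESCALATION_THRESHOLD = 2


@dataclass(frozen=True)
class EventReport:
    agency: str         # Responsible Party that reported the event
    business_area: str  # business unit that saw the event, e.g. "finance"
    category: str       # e.g. "phishing", "malware"
    indicator: str      # observable extracted by the agency (constructed)


def assess(reports):
    """Group reports by (category, indicator) and classify each group.

    Returns a dict keyed by (category, indicator) holding the affected
    agencies, the business areas hit, and "event" or "candidate incident".
    """
    groups = defaultdict(lambda: {"agencies": set(), "areas": set()})
    for r in reports:
        g = groups[(r.category, r.indicator)]
        g["agencies"].add(r.agency)
        g["areas"].add(r.business_area)
    result = {}
    for key, g in groups.items():
        level = ("candidate incident" if len(g["agencies"]) >= ESCALATION_THRESHOLD
                 else "event")
        result[key] = {"agencies": sorted(g["agencies"]),
                       "business_areas": sorted(g["areas"]),
                       "classification": level}
    return result


def candidate_incidents(reports):
    """Only the groups that need the additional level of investigation."""
    return {k: v for k, v in assess(reports).items()
            if v["classification"] == "candidate incident"}


# Constructed sample: one phishing sender hits finance areas in three
# agencies (twice in Agency A), while a single malware alert stays isolated.
SAMPLE_REPORTS = [
    EventReport("Agency A", "finance", "phishing", "sender=invoices@example.invalid"),
    EventReport("Agency B", "finance", "phishing", "sender=invoices@example.invalid"),
    EventReport("Agency C", "finance", "phishing", "sender=invoices@example.invalid"),
    EventReport("Agency A", "finance", "phishing", "sender=invoices@example.invalid"),
    EventReport("Agency D", "hr", "malware", "sha256=PLACEHOLDER-HASH"),
]

if __name__ == "__main__":
    for (category, indicator), info in assess(SAMPLE_REPORTS).items():
        print(f"{info['classification']:<19} {category:<9} {indicator} "
              f"agencies={info['agencies']} areas={info['business_areas']}")
```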


6. IMPLEMENTATION

6.1. Implementation considerations

SA Government agencies must implement the requirements of this standard. ISMF Guideline 12a provides agencies with some guidance that may assist with implementing the requirements of this standard.

6.2. Exemptions

None.

6.3. Responsibilities

Chief executives have ultimate accountability for all security matters within their agencies. Such accountability is derived from Cabinet Circular No. 30, the Protective Security Management Framework [PSMF].

Treasurer's instruction 2, ‘Financial Management Policies’ establishes certain obligations and expectations on how entities of the South Australian Government manage risk including those pertaining to ICT projects. On the issue of information security management, it is required that the entity implements whatever control measures are necessary to provide adequate protection for its information and that, where applicable, the entity shall comply with the instructions detailed in the PSMF.


7. REFERENCES AND LINKS

DPC/F4.1 Government of South Australia Information Security Management Framework [ISMF]

Government of South Australia, State Emergency Management Plan

Government of South Australia, State ICT Support Plan

Government of South Australia, Protective Security Management Framework

Government of South Australia, Information Privacy Principles Instruction, issued as Premier and Cabinet Circular No.12.

Document Control

ID DPC/S4.5
Version 3.1
Classification/DLM PUBLIC-I2-A1
Compliance Mandatory
Original authorisation date 4 November 2008
Last approval date September 2017
Review date In Review

Licence

With the exception of the Government of South Australia brand, logos and any images, this work is licensed under a Creative Commons Attribution (CC BY) 4.0 Licence. To attribute this material, cite the Department of the Premier and Cabinet, Government of South Australia, 2017.


ANNEX 1

DIAGRAM: Document Hierarchy


ANNEX 2

DIAGRAM: Overview of Cyber Security Incident Reporting Scheme
