
GOVERNMENT STANDARD ON CYBER SECURITY

ISMF Standard 140

Notifiable Incidents

Across Government Cyber Security Incident Reporting Scheme

DPC/S4.5 Government standard on cyber security

Version: 3.1 Date: September 2017

DPC/S4.5 Notifiable Incidents Across Government Cyber Security Incident Reporting Scheme

Coverage:

The South Australian public authorities required to adhere to this standard are defined in DPC/F4.1 Government framework on cyber security Information Security Management Framework [ISMF].

This standard is intended for use by South Australian Government agencies and suppliers to Government whose contractual obligations require them to comply with this document. Reliance upon this policy or standard by any other person is entirely at their own risk and the Crown in the right of South Australia disclaims all responsibility or liability to the extent permissible by law for any such reliance.

DOCUMENT TERMINOLOGY AND CONVENTIONS

The terms that are used in this document are to be interpreted as described in Internet Engineering Task Force (IETF) RFC 2119, entitled Key words for use in RFCs to Indicate Requirement Levels [1]. The RFC 2119 definitions are summarised in the table below.

[1] www.ietf.org/rfc/rfc2119.txt?number=2119

Term: Description

MUST: This word, or the terms "REQUIRED" or "SHALL", means that the definition is an absolute requirement of the specification.

MUST NOT: This phrase, or the phrase "SHALL NOT", means that the definition is an absolute prohibition of the specification.

SHOULD: This word, or the adjective "RECOMMENDED", means that there may exist valid reasons in particular circumstances to ignore a particular item, but the full implications must be understood and carefully weighed before choosing a different course.

SHOULD NOT: This phrase, or the phrase "NOT RECOMMENDED", means that there may exist valid reasons in particular circumstances when the particular behaviour is acceptable or even useful, but the full implications should be understood and the case carefully weighed before implementing any behaviour described with this label.

MAY: This word, or the adjective "OPTIONAL", means that an item is truly optional.

Table of Contents

1. Purpose ... 5
2. CONTEXT ... 5
2.1. Background ... 5
2.2. History ... 6
3. Scope ... 6
4. TERMS AND ABBREVIATIONS ... 6
4.1. Terms ... 6
4.2. Abbreviations ... 7
5. Standard ... 8
5.1. South Australian Government standard ... 8
6. IMPLEMENTATION ... 9
6.1. Implementation considerations ... 9
6.2. Exemptions ... 9
6.3. Responsibilities ... 9
7. REFERENCES AND LINKS ... 10
ANNEX 1 ... 11
DIAGRAM: Document Hierarchy ... 11
ANNEX 2 ... 12
DIAGRAM: Overview of Cyber Security Incident Reporting Scheme ... 12


1. Purpose

This document states the standard of the Government of South Australia with respect to reporting obligations for cyber security incidents.

2. CONTEXT

2.1. Background

The South Australian (SA) Government's ability to deliver services to the community depends on the availability, integrity and confidentiality of a range of ICT systems. The Department of the Premier and Cabinet [DPC] manages the across SA Government Cyber Security Incident Reporting scheme in order to gain an understanding of the current security incidents affecting the government's ICT systems and also to assist all agencies to prepare for and respond to incidents when they occur.

The reporting of cyber security incidents assists in the development of a whole of government picture of the threat to the government's ICT assets. All SA Government agencies and applicable suppliers are required to report cyber security events and incidents to DPC. By being adequately informed, DPC can undertake a number of preventative or response measures, including:

Notifying agencies of current threats that they need to be aware of and measures they can take to mitigate these threats.

Implementing additional technical preventative measures such as additional blocking or filtering.

Coordinating and prioritising government resources to investigate or respond to multi-agency incidents.

Reporting the information to relevant national resources and intelligence services.

Providing regular reports to relevant governance committees on the quantity and type of incidents occurring.

These measures assist the SA Government as a whole to better manage the threat posed by cyber security incidents, as well as supporting DPC in fulfilling its legislative obligations as the Control Agency for ICT Failure [2].

[2] DPC is the Control Agency for ICT Failure under the South Australian Government's Emergency Management arrangements. Refer to http://www.safecom.sa.gov.au/site/emergency_management/emergency_management_arrangements/state_emergency_management_arrangements.jsp for additional information.

This standard supports the requirements described in Policy Statement 12 of the Information Security Management Framework [ISMF], and the achievement of the Business Continuity Planning objectives stipulated in section 16 of the ISMF. It also assists DPC in fulfilling its obligations as the Control Agency for ICT Failure under the South Australian emergency management arrangements.

Annex 1 describes the relationships between this standard and other relevant cyber security and emergency management policies, standards and plans.

2.2. History

DPC/S4.5 Notifiable Incidents: Across Government Cyber Security Incident Reporting Scheme [ISMF Standard 140] (this standard) replaces ODG S/4.5 Notifiable Incidents [ISMF Standard 140]. It also supersedes, and shall be considered a full substitute for, the government policy on information and communication technology GICT/P4.4 Security - Security Violations and OCIO/P4.5 Security - Notifiable Incidents Policy.

3. Scope

This standard shall apply, unless otherwise advised, to all bodies that are:

South Australian Government public sector agencies (as defined in the Public Sector Act 2009), that is, administrative units, bodies corporate, statutory authorities, and instrumentalities of the Crown. Public sector agencies are herein referred to as Agencies; OR

Suppliers to the South Australian Government or its Agencies that have contractual conditions which require compliance to the ISMF as described in section 2.1 of the ISMF.

4. TERMS AND ABBREVIATIONS

4.1. Terms

Cyber Security Event is an identified occurrence of a system, service or network state indicating a possible breach of information security policy or failure of controls, or a previously unknown situation that may be security relevant.

Cyber Security Incident is a single or a series of unwanted or unexpected cyber security events that have a significant probability of compromising business operations and threatening information security.

Responsible Party is used in two contexts within the ISMF. These are:

An Agency: the internal-to-government body that retains ultimate responsibility for all aspects covered by the ISMF as it relates to a particular agency and its information assets.

A Supplier: an external-to-government entity that is typically responsible for compliance with the ISMF by way of a contractual agreement that contains clauses requiring security of Agency information and the regulation of access to an Agency's information assets. The term Supplier shall be read as Suppliers who are subject to contractual conditions that require them to comply with the ISMF, unless another intention is apparent.

When a Supplier has contracted with the State, the provisions of the ISMF will apply to the Supplier either:

under the terms of a Purchasing Agreement for whole of Government contracts and associated Customer Agreements; or

by way of an individual contract with an Agency whereby the Agency has specified the parts of its Information Security Management System [ISMS] for which compliance is sought.

It should be noted that Agency Chief Executives retain ultimate accountability for all security matters within their agencies. The application of the ISMF to a Supplier via a contract with the State or Agency shall not absolve the Agency from these obligations and responsibilities.

The term Responsible Parties includes both Agencies and Suppliers who are subject to contractual conditions that require them to comply with the ISMF. Where any ambiguity arises between these entities in relation to adherence to the ISMF, the Agency controls implemented in the Customer Agreement shall prevail (i.e. the Agency remains the default party, and the Customer Agreement is used as the vehicle for setting the scope and requirements for the Supplier to comply with either the entirety of the ISMF or part(s) thereof. The Customer Agreement may also introduce additional Agency-specific controls and policies that the Supplier must comply with).

Business Owner represents the person or group that is ultimately responsible for an information asset. This person or group is distinct from an information custodian, who may take responsibility for the ongoing management of the information (such as a CIO or system administrator). Individual business units should own business critical information, rather than information technology or information security departments (they are custodians, not owners). The manager of the business unit responsible for the creation of any information and / or the business unit di
