NSW Audit Office - Financial Reports - 2004 - Volume 4 - Compliance Review of Security of Electronic
Compliance Review of Security of Electronic Information
Information is an asset that must be protected to ensure its necessary confidentiality, integrity and availability.
Governments gather a large amount of information as they conduct their business. They become custodians of information that may be politically, commercially and personally sensitive. Governments therefore have a duty of care to protect the information from unauthorised or accidental modification, loss or release.
Information can be printed or written, stored electronically, transmitted by post or using electronic means, shown on films or spoken in conversation.
CONCLUSION
Our review looked at the progress made by 23 agencies towards obtaining certification of their information systems under the national standard AS/NZS 7799. The review indicated that while about one-third of those tested had made good progress, many agencies have a lot of work to do before they will be ready to seek certification.
KEY FINDINGS
Agency progress towards achieving the certification deadlines set by Government has been varied. At the time of the audit, in our view seven of the agencies sampled had made little progress in undertaking the formal requirements necessary to achieve certification under the national standard. Only twelve agencies in our sample had completed a full risk assessment, which is the first requirement in the overall certification process.
Agencies must have in place an extensive range of controls if they are to achieve certification. All agencies need to improve their controls, particularly those referred to as ‘organisational and management’ baseline controls.
Some State Owned Corporations (SOCs) do not believe that the Government’s policy requirements regarding information security apply to them.
The Department of Commerce is yet to report to the Cabinet Standing Committee on Information Technology on agency progress, almost three years after the project commenced.
RECOMMENDATIONS
We recommend that:
the need for agencies to be working towards certification should be heightened by:
  making CEOs directly accountable for their agency’s certification by the required deadline, by including certification as a performance requirement in each CEO’s performance agreement with their Minister
  the Department of Commerce playing an active role in monitoring agency progress
Premier’s Department should determine whether SOCs are required to comply with the requirements of the government policy.
Auditor-General’s Report to Parliament 2004 Volume Four
DETAILED FINDINGS
Are SOCs Captured by the Program?
The different forms of communication used to notify agencies of the policy and requirements for the electronic information program have caused confusion in some SOCs. Policy statements about the program have come from the Premier (memorandum) and the Premier’s Department (circulars). Generally, circulars are not applicable to SOCs.
SOCs are uncertain therefore, whether they need to follow the guidelines and adopt the measures required including ultimately obtaining certification of their IT systems.
Cabinet’s requirements were issued to Chief Executives in a Premier’s Department Circular, and therefore are not binding on SOCs, unless the Minister so directs. Premier’s Memorandum (2001-14) issued about the same time uses the words ‘all agencies, including Government Trading Enterprises’ when setting out requirements for the policy. Treasury does not currently use the term ‘Government Trading Enterprises’ when classifying agencies for the whole of Government reporting. It uses the term ‘Public Trading Enterprises’. In our view, however, the term ‘Government Trading Enterprises’ includes SOCs and thus they must undertake the measures required to protect their electronic information systems, including certification.
General Matters
The Memorandum mentioned above requires the Department of Commerce to establish arrangements to enable agencies’ progress to be monitored. All agencies were required to report their progress in achieving the requirements each quarter from 2001 until December 2002, and then annually until December 2004.
The Department was then given the responsibility for reporting agency and overall government progress to the Cabinet Standing Committee on Information Technology.
At the time of writing this report, the Department advised us that they have not yet produced that report.
Individual Agency Progress
The intention of our review was to report on the progress of agencies towards obtaining certification to the national standard AS/NZS 7799. Smaller agencies are required to obtain full certification by 30 September 2005 and larger agencies to achieve pilot certification by that date. Larger agencies have until 30 June 2006 to be fully certified. The Premier’s Department did not provide a definition of ‘small’ and ‘large’ in its policy statements.
Many of the recommended controls contained in the guideline document referred to later in this report (see ‘Background’) are standard controls that any well-managed computer environment would have in place. The guidelines, however, also contain a number of critical requirements that an agency must have in place in order to achieve certification. These requirements are described in the Premier’s Department Circular and they include:
a framework document that describes the scope of the information-related operations, including people, places and services that are included in the framework, and indicates risk, tolerance and priorities
an Information Security Policy
a Threat and Risk Assessment.
Our reviews were undertaken in the period June to September 2004. The table below summarises our assessment of the progress the sampled agencies have made from 2001 in addressing the critical requirements described above, as well as meeting the guidelines set by the department. For simplicity, we have categorised the agencies as having made ‘limited progress’, ‘reasonable progress’ or ‘good progress’.
Limited Progress
Department of Corrective Services
Land and Housing Corporation
Newcastle Ports Corporation
Public Trustee
Rural Assistance Authority
Waterways Authority
Workcover Authority
Reasonable Progress
Building and Construction Industry Long Service Leave Corporation
Department of Community Services
Department of Juvenile Justice
NSW Police *
State Records Authority *
Registry of Births, Deaths and Marriages
Sydney Water Corporation *
Superannuation Administration Corporation *
Good Progress
Country Energy *
Delta Electricity
Department of Lands
Eraring Energy *
Macquarie Generation
Sydney Ports Corporation
Roads and Traffic Authority
Treasury Corporation *
* These agencies have most of the baseline controls in place to protect their electronic information.
From 1 September 2004, the Waterways Authority became NSW Maritime Authority.
Only four agencies in our sample had not prepared an information security policy statement based on the Department of Commerce guidelines and distributed it to their staff. They are: Newcastle Ports Corporation; Rural Assistance Authority; State Records Authority; and Waterways Authority. Newcastle Ports Corporation does have a number of policy documents addressing aspects of information security. The State Records policy document was close to being finalised.
A formal risk assessment would normally be undertaken as an initial stage in preparing for certification. While some agencies have not completed the assessment or their assessment is deficient or incomplete in its content, it is still possible that the agency may have adequate controls in place to protect its electronic information. The issue is that without a formal risk assessment, the agency cannot be comfortable that it has the controls necessary to cover all risks. The following agencies have yet to complete a full risk assessment:
Country Energy
Department of Corrective Services
Eraring Energy
Land and Housing Corporation
Newcastle Ports Corporation
New South Wales Police
Public Trustee
Rural Assistance Authority
Sydney Water
Waterways Authority
Workcover Authority
We looked at whether agencies had in place the baseline controls suggested in the guidelines. Most of the controls that are missing in agencies come from the group referred to as ‘Organisational and Management Controls’. These controls deal with the management of information security, planning and the assignment of responsibilities. They require the existence of procedures and guidelines for staff to follow; infrastructure security; asset classification; personnel practices that address information security; security awareness and training; business continuity plans and much more.
We will be advising individual agencies of any relevant controls that we feel need to be considered by them as part of their readiness for certification.
BACKGROUND
The Department of Commerce has produced a document titled Information Security Guideline for NSW Government to assist agencies to achieve best practice in information security management. The three-part guideline addresses risk management issues, examples of threats and vulnerabilities and finally, controls to protect the agency’s information.
In 2001, the Premier’s Department issued a circular (No. 2001-46) to all Chief Executives in the public service. The circular set out measures agencies must take to protect their electronic information. Cabinet directed agencies to undertake the following measures:
develop and implement policies and plans for information security management by 2002
assign responsibility for IT security to a nominated officer
ensure their staff, including contractors and consultants, understand their responsibilities for information security
achieve certification of their IT systems to the national standard.
Cabinet also required the Department of Commerce to establish a program for external penetration testing of agencies’ IT systems.
In Premier’s Memorandum No. 2001–14, issued to Ministers and Chief Executives, a timetable for on-line self-reporting by agencies to the Department of Commerce was put in place to commence in late 2001. It was proposed that the first survey (as at October 2001) would act as a baseline against which progress was to be assessed. Reporting was to be quarterly in 2002 and then annually, concluding in late 2004.
In Premier’s Department Circular No. 2004-06, agencies were directed to work towards certification to the national standard AS/NZS 7799. All agencies are required to establish their security framework for initial certification and to have a plan for achieving certification internally approved by 31 December 2004. Small agencies are to be fully certified by 30 September 2005 and larger agencies are required to achieve pilot certification by that time and full certification by 30 June 2006.
With less than twelve months to go before the first certification deadline, we decided that it was appropriate for us to report the progress made by agencies. The 23 agencies we reviewed are shown in the ‘progress’ table on the preceding page.
PREMIER’S DEPARTMENT RESPONSE
Compliance and accountability for agency certification are best achieved through the existing channels of issuing Circulars and Memoranda that provide background to the issue and detail information required, the most recent being issued on 3 March 2004.
It is therefore not considered that inclusion of this issue in CEO Performance Agreements would be adequate in achieving greater compliance or provide the necessary detail that agencies require to achieve certification. The Premier’s Department will work in consultation with Department of Commerce in issuing further Circulars/Memoranda to agencies as milestones draw near or as required.
Cabinet’s requirements, as outlined in Premier’s Memorandum 2001-14, include SOCs and thus they must undertake the measures required to protect their electronic information systems, including certification, if the Portfolio Minister so directs.
It is therefore considered that SOCs are required to comply with this policy at the direction of their Portfolio Minister.