IFM-PR-006: Maintaining the Security of Department Information and Systems

• Financial Administration and Audit Act 1977 (Qld) ss. 46L(3), 84 http://www.legislation.qld.gov.au/Acts_SLs/Acts_SL_F.htm
• Financial Mangement Standard 1997 (Qld) ss. 56(2)(a), 70 http://www.legislation.qld.gov.au/Acts_SLs/Acts_SL_F.htm
• Public Service Act 1996 (Qld) Sections 87-92 http://www.legislation.qld.gov.au/Acts_SLs/Acts_SL_P.htm
• Public Sector Ethics Act 1994 ss. 4(2), 7-11 http://www.legislation.qld.gov.au/Acts_SLs/Acts_SL_P.htm
• Electronic Transactions Act 1999 (Cth) Part 2, s. 8 http://www.comlaw.gov.au/comlaw/legislation/actcompilation1.nsf/0/0258AF6450DC213ECA2570450023A032/$file/ElectronicTrans1999.pdf
• Spam Act 2003 (Cth) Schedule 1, Clauses 3, 4 http://www.comlaw.gov.au/comlaw/legislation/actcompilation1.nsf/0/DED153276FD7C6F9CA2570260013908A/$file/SpamAct03WD02.pdf
• Security Legisation Amendment (Terrorism) Act 2002 (Cth) s. 2(e) http://www.comlaw.gov.au/ComLaw/Legislation/Act1.nsf/0/54D2F367E3C457ABCA256F72000F02E8/$file/0652002.pdf

• Information Security (IS18) http://www.qgcio.qld.gov.au/qgcio/architectureandstandards/informationstandards/current/Pages/index.aspx
• Use of ICT Facilities and Devices (IS38) http://www.qgcio.qld.gov.au/qgcio/architectureandstandards/informationstandards/current/Pages/index.aspx
• Intellectual Property (IS25) http://www.qgcio.qld.gov.au/qgcio/architectureandstandards/informationstandards/current/Pages/index.aspx
• Use of Internet and Electronic Mail Policy and PRinciples Statement 2005 http://www.qgcio.qld.gov.au/qgcio/architectureandstandards/informationstandards/current/Pages/index.aspx
• Information Privacy (IS42) http://www.qgcio.qld.gov.au/qgcio/architectureandstandards/informationstandards/current/Pages/index.aspx
• Code of Conduct http://education.qld.gov.au/corporate/codeofconduct/index.html

• ICT-PR-004: Using the Department's Corporate ICT Network /strategic/eppr/ict/ictpr004/

Statement of intent

Maintaining the Security of Department Information and Systems is intended to inform staff - permanent, temporary, seconded or contracted staff and consultants, and volunteers who assist staff with their professional duties - of the Department of Education and Training (the Department) of the requirements to protect and secure the Department's information and computer systems.

Its purpose is to ensure that:

• key items of information are protected from unauthorised access, amendment or disclosure;
• information is protected by levels of physical and environmental security relevant to the information's business importance, sensitivity and confidentiality;
• staff responsible for the operation of information systems safeguard the accuracy, completeness and security of information;
• information handled, created or received (in electronic or paper-based formats) is assigned a security classification that matches the information's business importance, sensitivity and confidentiality;
• major information assets, systems and processes have an "owner" who is accountable for the availability, integrity and confidentiality of that information, and a "custodian" who maintains the security of that information;
• privacy requirements are considered in information security planning and system implementations;
• processes for the recruitment, supervision and separation of staff, contractors or consultants, give appropriate consideration to information security;
• users of Department information and systems receive induction training, regular security awareness messages and training to cover their role in securing Department information;
• information systems have sufficient security controls in place to protect government information assets and computer networks;
• business continuity planning and risk management requirements are addressed.

It applies to:

• users of information that is collected, held or managed by the Department, including all staff (in school and non-school settings), enrolled students, their parents and other community members;
• staff accountable for the management of information resources, or for the supervision of staff accessing those resources;
• persons providing, supplying, managing or supporting information services for the Department, including employees, contractors and consultants;
• persons purchasing, developing or modifying systems for the storage and processing of information within the Department.

This document and the Department's information security management framework and its security controls are reviewed periodically, internally and externally, as provided for in Information Standard IS18 Information Security in order to ensure that the prescribed security measures continue to be effective in the light of changing government, business and information requirements.

Breaches of the information security policy and associated standards may result in and unsatisfactory rating in audit and employee reports and may lead to Departmental disciplinary action (including dismissal) and/or action by relevant regulatory authorities.

Responsibilities

• approve the Information Security Policy

• recommend, to the Assistant Director-General, Strategic Information and Technologies, approval of the Department's Information Security procedural policy;
• oversee the establishment, implementation and on-going operation of an information security management framework;
• review reports of the results of monitoring of the performance of Department units and staff regarding information security;
• advise on security, management and implementation of the information security management framework and reports to the Department's Information Steering Committee, independently of any operational staff.
  

Manager, Information Security:

• prepare and maintains the information security management framework;
• provide advice on security, management and implementation of the Information Security Management Framework to the Information Steering Committee;
• monitor compliance with the Department's information security management framework and related policies;
• report on compliance with the Department's information security management framework and related policies, to the Director, Information Management Services;
• receive reports from local information security officers unable to resolve security issues within their work units;
• advise Directors of Workforce Standards and Performance, Legal and Administrative Law, Information Management Services and Internal Audit Branches of any significant information security breaches;
• investigates or co-ordinates investigation of information security breaches;
• report to senior management on enforcement of the State government's legislative requirements for information security, including the meeting of relevant industry standards.
• co-ordinate ICT Business Continuity planning activities on behalf of the Department.
  

• assist with design, implementation, management and review of Department information security policies and procedures
• assist with testing and monitoring of information security measures.

• ensure that information and systems under their control are being administered and operated in a secure manner
• accept responsibility for availability, integrity and confidentiality of information in their systems
• define level of security required for systems, after assessing the information's business value and identified risk;
• liaise with the Manager, Information Security to ensure that any implemented security measures meet legislative and Departmental requirements
• authorise the updating, disposal or destruction of any information on their computer systems.

• provide expert advice to system owners on relevant information security policy, controls and operational processes;
• maintain day-to-day control of the implementation of the agreed technical and procedural measures for securing the system under the owner's delegated authority;
• monitor and log system performance to enable timely detection of attacks or other potential breaches;
  

• provide advice on security issues to operational or development teams
• monitor security practices within the individual work unit or project team
• conduct security awareness programs (induction and refresher programs) for staff and advise on security component of other staff training
• advise their Principal, business or unit Manager or Branch Director on information security policy, management and implementation issues
• report on incidents and compliance issues to the Manager, Information Security.

• ensure that information and systems under their control are being administered and operated in a secure fashion;
• define information handling responsibilities of each position within the school or business unit, and incorporate these into position descriptions;
• determine requirements for access to information for each role within their school or business unit;
• ensure provision of appropriate induction and on-going security training for users;
• ensure that an annual internal review of security practices, including a risk assessment, is undertaken;
• conduct investigations and initiate disciplinary processes, in the case of security violations.
  

• accept personal accountability for their individual actions in the handling of information for official purposes;
• ensure that any Department information they create, handle and store is protected from unauthorised access or amendment.
  

Forms

• Not Applicable

• Not applicable

Other relevant documents

• Commonwealth Government Protective Security Manual (PSM) http://www.ag.gov.au/www/protectivesecurityhome.nsf/0/3ABEF2858B90B6D3CA256BB3001AE07C?OpenDocument
• Australian Govnerment Information and Communications Technology Security Manual (ACSI 33) http://www.dsd.gov.au/_lib/pdf_doc/acsi33/acsi33_u.pdf
• Information Standard 18 Information Security - Best Practice Supplement http://www.qgcio.qld.gov.au/qgcio/architectureandstandards/informationstandards/current/Pages/index.aspx
• Information Standard IS 42 Information Privacy Guidelines http://www.qgcio.qld.gov.au/qgcio/architectureandstandards/informationstandards/current/Pages/index.aspx
• Information Risk Management - Best Practices Guidelines http://www.qgcio.qld.gov.au/qgcio/architectureandstandards/informationstandards/current/Pages/index.aspx

Contacts

For information about maintaining the security of department information and systems contact:

• IFM-PR-006: Maintaining the Security of Department Information and Systems - Version: 1.0, 2.0