By Brenton Borgman Presentation in Partial fulfilment of the requirements for the Masters of Forensic Computing and Cyber Assurance University of South Australia October 2012

Page 1

By Brenton Borgman

Presentation in Partial fulfilment of the requirements for the Masters of Forensic Computing and Cyber Assurance

University of South Australia

October 2012

Page 2

Purpose

The research seeks to confirm that the key state government strategy for the protection of data is suitably implemented.

It aims to determine the adequacy of the agency procedures being adopted for the development of the Information Security Management System (ISMS).

It seeks to align this South Australian initiative with Commonwealth, other state jurisdiction government and international standards.

Page 3

Rationale

Information and communication technology (ICT) underpins many of the South Australian Government’s services.

As technology continues to progress, the threat of cyber breaches escalates with it.

The South Australian Government needs to better safeguard the information retained on behalf of the South Australian community through a standardised security management framework.

Page 4

Background – SA Government Information Security Management Framework (ISMF)

ISMF Development Intent

2003: The ISMF was initially established to assist government agencies in implementing a set of policies, standards, guidelines and control mechanisms. The framework was not mandated but rather recommended, and as such was not fully embraced by all government agencies.

2008: The ISMF was upgraded as a means to assist in establishing a set of minimum government information security standards that applied additional guidance and best practices. The framework was again not mandated.

2010: The ISMF update aimed to align closely with ISO 27001 for an Information Security Management System (ISMS). The framework required each agency to implement whatever control measures were necessary to provide adequate protection for its information and associated assets.

2011: The ISMF aimed to establish a set of guidelines with an emphasis on risk management policies and selective cyber security controls. Agencies were further required to provide assurance that assets are suitably protected. The development of an ISMS was mandated.

Page 5

Information Security Management System Overview

Page 6

Research Questions

• “Does the ISMS framework established by the South Australian Government provide adequate direction to government agencies to implement mechanisms that will sufficiently align / comply with ISO 27001, in order that retained information data is satisfactorily classified and safeguarded?”

• Through the use of a risk assessment tool developed by the Trusted Information Sharing Network (TISN), assess the level of resilience that agencies presently maintain in order to mitigate potential risk specific to confidentiality, integrity and availability.

Page 7

Methodology Approach

General Research Study Approach

Literature Review

Review of Interstate Government Jurisdiction ISMS Experiences

Case Study

Questionnaire

Resilience Maturity Model Assessment Tool

Other Exploratory Considerations

Evaluation

Page 8

Preliminary Inter-jurisdiction Findings

Observations collected from a series of Interstate and Commonwealth Government Audit Office reports acknowledged:

A general lack of self-awareness and information security training

Inadequacy in information security policies and procedures

Inability to assess the level of assurance and confidentiality relating to sensitive information

Lack of monitoring of agencies’ progress towards compliance and certification

Lack of clear and concise ICT strategy direction and strong senior management commitment and leadership

Lack of consistent and coordinated information security practices specific to key security infrastructure

A need for the development and ongoing management of robust risk-based practices.

Page 9

Sample Data

11 South Australian Government agencies were interviewed using a set questionnaire, and participants were also asked to complete a resilience maturity assessment.

Data were stratified into three segments based upon the participants’ involvement in the ISMS project:

Whole of Government strategic analysts

Agency Security Executives

Information Technology Security Advisors

In total, 18 interviews were undertaken across the three segments within government.

Page 10

General Case Study Questionnaire

The general questionnaire contained 20 questions covering:

ISMS

General Governance

Risk

Whole of Government Guidance

Documentation

Whole of Government Reporting

Resourcing

Awareness

Certification

Page 11

Resilience Assessment

The Resilience Maturity Assessment considered:

Agility

Leadership

Culture and Value

Communications

Integration

Interdependency

Awareness

Change

Page 12

Research Analysis Findings - Strengths

The ISMS integrates asset identification, risk management, security control documentation and data classification.

The ISMS is based on a gradual implementation approach which underpins key directional agency guidelines and available awareness training.

It encourages continual improvement and monitoring of security controls.

It aims to integrate with the South Australian Government protective security framework and international standards.

It encourages state government agency ownership and reflection on the degree of data sensitivity under each agency’s stewardship.

It reaffirms the law and legislative requirements that agencies of government should consider as part of the implementation of the ISMS.

Regular agency-supported forums are undertaken to exchange thoughts on areas that prohibit or hinder the implementation of the ISMS.

It attempts to leverage lessons learnt from ISMS initiatives based in other state government jurisdictions.

Page 13

Research Analysis Findings - Weaknesses

Each enhanced ISMF version forces agencies to reassess and realign prior work undertaken, to ensure that it remains relevant and effective.

Senior agency management and associated project personnel need to increase the level of engagement and internal reporting associated with this project.

The level of risk-based assessment, classification of data and security documentation is not sufficiently prescriptive and lacks standardisation, which may lead to varying interpretations.

Critical security documentation is in need of updating.

No clear and concise central leadership or direction / guidance exists at a whole of government level.

Page 14

Research Analysis Findings - Weaknesses (cont.)

No ongoing monitoring at a whole of government (WOG) level to determine and assess the level of progress regarding this mandated government project.

Limited agency resources have been assigned for the effective and efficient completion of this mandated project.

Uncertainty surrounds the adequacy and implementation / use of key project documentation, such as the statement of applicability tool and the classification of data schema.

Whilst each agency was assigned an Agency Security Executive (ASE) and an Information Technology Security Advisor (ITSA) to assist in the management of the project, staff movements within government have left some project roles unattended for extended periods of time (e.g. greater than 6 months).

Page 15

Research Analysis Findings - Weaknesses (cont.)

Limited inter-agency exchange of lessons learnt during the course of the project.

No mechanism is in place to reaffirm to data business owners the significance of data sensitivity and the consequences of a breach.

Awareness training is being developed in a reactive fashion as key milestones loom.

Agencies are yet to establish at an IT strategic level whether the ISMS initiative will attain certification.

Page 16

Resilience Maturity Assessment

The resilience maturity assessment model focused on the following characteristics: agility, leadership, culture and values, communication, integration, interdependency and awareness.

Completion of the resilience maturity assessment model identified certain key outlier results.

These areas of variation could be attributed to the varying degree of maturity associated with the transition to the ISMS across state government agencies.

Page 17

Research participants’ resilience maturity assessment data

Page 18

Resilience Maturity Assessment Findings

Agencies are at differing stages of the project’s life cycle, which could contribute to the variances in the previous table. The resilience findings could be attributed to:

Limited senior management and whole of government activity, which may affect an agency’s agility, leadership, culture and communications.

Inadequate communications and general project awareness, which may restrict an agency’s ability to effectively interpret the processes involved in the integration, interdependency and overall awareness of business units and agencies within Government.

Page 19

Combined Summary of the Research Findings

Lack of monitoring of agencies’ project progress at a whole of government level

Need to increase senior management engagement and internal reporting mechanisms associated with the project

Inadequate clear and concise strategic and senior management direction and leadership

Failure to replace key project personnel at an agency level in a timely manner when staff transfer or leave a specific agency of government

Development and management of robust risk-based practices, classification of data and security documentation is not standardised across agencies

Inadequate assurance and confidentiality of sensitive data continues

The level of awareness and training has not reduced the degree of uncertainty in the completion and use of specific project tools (e.g. Statement of Applicability)

Page 20

Recommendations

Lessons learnt from prior reports of other governments should be reviewed to confirm whether they could be of assistance in progressing the ISMS project in an effective and efficient manner.

Whilst the CEOs of agencies act as the data owners, there is also an onus upon senior management at the State Government and agency level to ensure that adequate, clear and concise direction and support is available to agencies.

The state government needs to increase the level of monitoring of the progress of this mandated government initiative.

Whilst general guidelines have been initiated, consideration should be given to developing either a standard set of documents or templates covering risk, detailed classification of sensitive data and procedural content. This would assist in reducing the potential for varying interpretation and increase overall prescriptive coverage specific to the target area, while acknowledging risk and ownership.

Government should re-acquaint itself with the concerns raised in agency security feedback forums, to assist in identifying general areas where awareness training is needed, covering both multiple levels throughout an agency and general security control considerations.

Page 21

What I learned

This thesis has reconfirmed a number of important elements:

Communication

Planning

Awareness

Interpretation

Finally, it would be remiss of me not to acknowledge that some of the above elements are also areas that I too need to address.

Page 22

References

ABC News – PM Transcript, 2006, Defence Department review ordered after KOVCO disc left at airport, viewed 18 May 2006, <http://www.abc.net.au/pm/content/2006/s1642048.htm>

ABC News, 2009, Missing RAH Files Reported to Police, viewed 18 June 2009, <http://www.abc.net.au/news/2009-06-18/missing-rah-files-reported-to-police/1324758>

Auditor-General of Queensland, 2011, Information Systems Governance and Security, Report to Parliament No. 4, viewed 20 May 2012, <www.qao.qld.gov.au/auditor_general_reports/2011_Report_No.4.pdf>

Australian Standards, 2004, HB 231:2004 – Information security risk management guidelines

Etges, R. & McNeil, K., 2009, Understanding data classification based on business and security requirements, ISACA Journal Online

Gershon, P., 2008, Review of the Australian Government’s Use of Information and Communication Technology, August 2008, <http://www.finance.gov.au/publications/ict-review/index.html>

Government of South Australia, 2012, Government framework on cyber security – OCIO Information Security Management Framework version 3.1, February 2012

Government of South Australia, 2012, OCIO ISMF Guideline 10 – Transition guidance for agencies and suppliers, February 2012

International Organisation for Standardisation, 2005, Information technology – Security techniques – Information security management systems – Requirements, 2007, viewed April 2012, <http://www.iso.org/iso/catalogue_detail?csnumber=42103>

Kaplan, B. & Maxwell, J. A., 2005, Qualitative Research Methods for Evaluating Computer Information Systems, SpringerLink, Part I, 30-55, DOI: 10.1007/0-387-30329-4_2, <www.libreriafarmaceutica.com/cover.../4/.../9780387245584-c1.pdf>

New South Wales Auditor-General’s report, 2010, Electronic information security, October 2011, viewed 20 May 2012, <www.audit.nsw.gov.au/207_Electronic_Information_Security.pdf>

Victorian Auditor-General, 2009, Maintaining the Integrity and Confidentiality of Personal Information, November 2009, viewed 20 May 2012, <www.audit.vic.gov.au/reports__publications/reports_by_year/200910/20092511_personal_data.pdf>

Western Australian Auditor General, 2011, Information Systems Audit Report, Report 4, June 2011, viewed 20 May 2012, <www.audit.wa.gov.au/reports/pdfreports/report2011_04.pdf>

ZDNet Australia, 2012, Vic report exposes Govt. data breaches, viewed 30 April 2012, <http://www.zdnet.com.au/vic-report-exposes-govt-data-breaches-339299715.htm>

Yin, R. K., 2003, Case Study Research – Design and Methods, Sage Publications, Inc., Thousand Oaks, California

Gillham, B., 2000, Case Study – Research Methods, British Library Cataloguing-in-Publication Data, Suffolk, England