By Brenton Borgman
Presentation in partial fulfilment of the requirements for the Master of Forensic Computing and Cyber Assurance
University of South Australia
October 2012
Purpose
The research seeks to confirm that the key state government strategy for the protection of data is suitably implemented.
It aims to determine the adequacy of the agency procedures being adopted for the development of an Information Security Management System (ISMS).
It seeks to align this South Australian initiative with Commonwealth, other State jurisdiction and international standards.
Rationale
Information and communication technology (ICT) underpins many of the South Australian Government's services.
Technology continues to progress, and with it the threat of cyber breaches escalates.
The South Australian Government needs to better safeguard the information it retains on behalf of the South Australian community through a standardised security management framework.
Background – SA Government Information Security Management Framework (ISMF)
ISMF Development Intent
2003: ISMF initially established to assist government agencies in implementing a set of policies, standards, guidelines and control mechanisms. The framework was recommended rather than mandated, and as such was not fully embraced by all government agencies.
2008: ISMF upgraded to help establish a set of minimum government information security standards, applying additional guidance and best practices. The framework was again not mandated.
2010: ISMF updated to align closely with ISO 27001 for Information Security Management Systems (ISMS). The framework required each agency to implement whatever control measures were necessary to provide adequate protection for its information and associated assets.
2011: ISMF aimed to establish a set of guidelines with an emphasis on risk management policies and selective cyber security controls. Agencies were further required to provide assurance that assets are suitably protected, and the development of an ISMS was mandated.
Information Security Management System Overview
Research Questions
• "Does the ISMS framework established by the South Australian Government provide adequate direction to government agencies to implement mechanisms that will sufficiently align with / comply with ISO 27001, in order that retained information is satisfactorily classified and safeguarded?"
• Through the use of a risk assessment tool developed by the Trusted Information Sharing Network (TISN), assess the level of resilience that agencies presently maintain in order to mitigate potential risks specific to confidentiality, integrity and availability.
Methodology Approach
General Research Study Approach:
• Literature Review
• Review of Interstate Government Jurisdiction ISMS Experiences
• Case Study
• Questionnaire
• Resilience Maturity Model Assessment Tool
• Other Exploratory Considerations
• Evaluation
Preliminary Inter-jurisdiction Findings
Observations collected from a series of Interstate and Commonwealth Government Audit Office reports acknowledged:
• A general lack of self-awareness and information security training
• Inadequacy in information security policies and procedures
• Inability to assess the level of assurance and confidentiality relating to sensitive information
• Lack of monitoring of agencies' progress towards compliance and certification
• Lack of clear and concise ICT strategy direction and strong senior management commitment and leadership
• Lack of consistent and coordinated information security practices specific to key security infrastructure
• A need for the development and ongoing management of robust risk-based practices
Sample Data
11 South Australian Government agencies were interviewed using a set questionnaire, and participants also completed a resilience maturity assessment.
Data were stratified into three segments based on the participants' involvement in the ISMS project:
• Whole-of-Government strategic analysts
• Agency Security Executives (ASE)
• Information Technology Security Advisors (ITSA)
In total, 18 interviews were undertaken across the three segments within government.
General Case Study Questionnaire
The general questionnaire contained 20 questions covering: ISMS, General Governance, Risk, Whole-of-Government Guidance, Documentation, Whole-of-Government Reporting, Resourcing, Awareness and Certification.
Resilience Assessment
The Resilience Maturity Assessment considered: Agility, Leadership, Culture and Values, Communications, Integration, Interdependency, Awareness and Change.
Research Analysis Findings – Strengths
• The ISMS integrates asset identification, risk management, security control documentation and data classification.
• The ISMS is based on a gradual implementation approach, which underpins key directional agency guidelines and the available awareness training.
• It encourages continual improvement and monitoring of security controls.
• It aims to integrate with the South Australian Government protective security framework and international standards.
• It encourages state government agency ownership and reflection on the degree of sensitivity of the data under their stewardship.
• It reaffirms the legal and legislative requirements that government agencies should consider as part of implementing the ISMS.
• Regular agency-supported forums are held to exchange views on areas that hinder the implementation of the ISMS.
• It attempts to leverage lessons learnt from ISMS initiatives in other state government jurisdictions.
Research Analysis Findings – Weaknesses
• Each new ISMF version forces agencies to reassess and realign prior work to ensure that it remains relevant and effective.
• Senior agency management and associated project personnel need to increase their level of engagement and internal reporting on this project.
• Risk-based assessments, classification of data and security documentation are not sufficiently prescriptive and lack standardisation, which may lead to varying interpretations.
• Critical security documentation is in need of updating.
• No clear and concise central leadership, direction or guidance exists at a whole-of-government level.
• There is no ongoing monitoring at a whole-of-government (WOG) level to determine and assess the level of progress on this mandated government project.
• Limited agency resources have been assigned for the effective and efficient completion of this mandated project.
• Uncertainty surrounds the adequacy, implementation and use of key project documentation such as the Statement of Applicability tool and the data classification schema.
• Whilst each agency was assigned an ASE and an ITSA to assist in managing the project, staff movements within government have left some project roles unattended for extended periods (e.g. greater than 6 months).
• There is limited inter-agency exchange of lessons learnt during the course of the project.
• No mechanism is in place to reaffirm to data business owners the significance of data sensitivity and the consequences of a breach.
• Awareness training is being developed in a reactive fashion, as key milestones loom.
• Agencies are yet to establish, at an IT strategic level, whether the ISMS initiative will attain certification.
Resilience Maturity Assessment
The resilience maturity assessment model focused on the following characteristics: agility, leadership, culture and values, communication, integration, interdependency and awareness.
Completion of the resilience maturity assessment model identified certain key outlier results.
These areas of variation could be attributed to the varying degrees of maturity in transitioning to the ISMS across state government agencies.
Research participants' resilience maturity assessment data
Resilience Maturity Assessment Findings
Agencies are at differing stages of the project life cycle, which could contribute to the variances in the previous table. Resilience findings could be attributed to:
• Limited senior management and whole-of-government activity, which may affect an agency's agility, leadership, culture and communications.
• Inadequate communications and general project awareness, which may restrict an agency's ability to effectively interpret the processes involved in the integration, interdependency and overall awareness of business units and agencies within Government.
Combined Summary of the Research Findings
• Lack of monitoring of agencies' project progress at a whole-of-government level.
• Senior management engagement and internal reporting mechanisms associated with the project need to increase.
• Inadequate clear and concise strategic and senior management direction and leadership.
• Failure to replace key project personnel at an agency level in a timely manner when staff transfer or leave a specific government agency.
• The development and management of robust risk-based practices, classification of data and security documentation is not standardised across agencies.
• Inadequate assurance and confidentiality of sensitive data continues.
• The level of awareness and training has not reduced the degree of uncertainty in the completion and use of specific project tools (e.g. the Statement of Applicability).
Recommendations
• Lessons learnt from prior governmental reports should be reviewed to confirm whether they could assist in progressing the ISMS project in an effective and efficient manner.
• Whilst each agency's CEO acts as the data owner, there is also an onus on senior management at both State Government and agency level to ensure that adequate, clear and concise direction and support is available to agencies.
• The state government needs to increase its monitoring of progress on this mandated government initiative.
• Whilst general guidelines have been initiated, developing a standard set of documents or templates covering risk, detailed classification of sensitive data and procedural content would reduce the potential for varying interpretation, increase prescriptive coverage of the target area, and acknowledge risk and ownership.
• Government should re-acquaint itself with the concerns raised in agency security feedback forums to help identify the general areas where awareness training is needed, covering multiple levels throughout an agency as well as general security control considerations.
What I learned
This thesis has reconfirmed a number of important elements:
• Communication
• Planning
• Awareness
• Interpretation
Finally, it would be remiss of me not to acknowledge that some of the above elements are also areas that I myself need to address.
References
ABC News, 2006, 'Defence Department review ordered after Kovco disc left at airport', PM transcript, viewed 18 May 2006, <http://www.abc.net.au/pm/content/2006/s1642048.htm>
ABC News, 2009, 'Missing RAH files reported to police', viewed 18 June 2009, <http://www.abc.net.au/news/2009-06-18/missing-rah-files-reported-to-police/1324758>
Auditor-General of Queensland, 2011, Information Systems Governance and Security, Report to Parliament No. 4, viewed 20 May 2012, <www.qao.qld.gov.au/auditor_general_reports/2011_Report_No.4.pdf>
Australian Standards, 2004, HB 231:2004 – Information security risk management guidelines
Etges, R. & McNeil, K., 2009, 'Understanding data classification based on business and security requirements', ISACA Journal Online
Gershon, P., 2008, Review of the Australian Government's Use of Information and Communication Technology, August 2008, <http://www.finance.gov.au/publications/ict-review/index.html>
Gillham, B., 2000, Case Study Research Methods, Suffolk, England
Government of South Australia, 2012, Government framework on cyber security – OCIO Information Security Management Framework version 3.1, February 2012
Government of South Australia, 2012, OCIO ISMF Guideline 10 – Transition guidance for agencies and suppliers, February 2012
International Organisation for Standardisation, 2005, Information technology – Security techniques – Information security management systems – Requirements (ISO/IEC 27001), viewed April 2012, <http://www.iso.org/iso/catalogue_detail?csnumber=42103>
Kaplan, B. & Maxwell, J.A., 2005, 'Qualitative Research Methods for Evaluating Computer Information Systems', SpringerLink, Part I, pp. 30–55, DOI: 10.1007/0-387-30329-4_2, <www.libreriafarmaceutica.com/cover.../4/.../9780387245584-c1.pdf>
New South Wales Auditor-General, 2010, Electronic Information Security, October 2010, viewed 20 May 2012, <www.audit.nsw.gov.au/207_Electronic_Information_Security.pdf>
Victorian Auditor-General, 2009, Maintaining the Integrity and Confidentiality of Personal Information, November 2009, viewed 20 May 2012, <www.audit.vic.gov.au/reports__publications/reports_by_year/200910/20092511_personal_data.pdf>
Western Australian Auditor General, 2011, Information Systems Audit Report, Report 4, June 2011, viewed 20 May 2012, <www.audit.wa.gov.au/reports/pdfreports/report2011_04.pdf>
Yin, R.K., 2003, Case Study Research – Design and Methods, Sage Publications, Thousand Oaks, California
ZDNet Australia, 2012, 'Vic report exposes Govt. data breaches', viewed 30 April 2012, <http://www.zdnet.com.au/vic-report-exposes-govt-data-breaches-339299715.htm>