By Brenton Borgman
Presentation in partial fulfilment of the requirements for the Masters of Forensic Computing and Cyber Assurance
University of South Australia
October 2012

Purpose
• Research seeks to confirm that the key state government strategy for the protection of data is suitably implemented.
• Aims to determine the adequacy of the agency procedures being adopted for the development of the Information Security Management System (ISMS).
• Seeks to align this South Australian initiative with Commonwealth, other state jurisdiction governments and international standards.

Rationale
• Information and communication technology (ICT) underpins many of the South Australian Government’s services.
• Technology continues to progress and, as such, enables the threat of cyber breaches to escalate.
• The South Australian Government needs to better safeguard the information retained on behalf of the South Australian community through a standardised security management framework.

Background – SA Government Information Security Management Framework (ISMF)

ISMF Development Intent
2003
• ISMF initially established to assist government agencies in implementing a set of policies, standards, guidelines and control mechanisms.
• Framework was not mandated but rather recommended and, as such, was not fully embraced by all government agencies.
2008
• ISMF upgraded as a means to assist in establishing a set of minimum government information security standards that applied additional guidance and best practices.
• Framework was again not mandated.
2010
• ISMF update aimed to align closely with ISO 27001 for Information Security Management Systems (ISMS).
• Framework required each agency to implement whatever control measures were necessary to provide adequate protection for its information and associated assets.
2011
• ISMF aimed to establish a set of guidelines with an emphasis on risk management policies and selective cyber security controls.
• Agencies further required to provide assurance that assets are suitably protected.
• The development of an ISMS was mandated.

Information Security Management System Overview

Research Questions
• “Does the ISMS framework established by the South Australian Government provide adequate direction to government agencies to implement mechanisms that will sufficiently align / comply with ISO 27001, in order that retained information data is satisfactorily classified and safeguarded?”
• Through the use of a risk assessment tool developed by the Trusted Information Sharing Network (TISN), assess the level of resilience that agencies presently maintain in order to mitigate potential risk specific to confidentiality, integrity and availability.

Methodology Approach
General Research Study Approach
• Literature Review
• Review of Interstate Government Jurisdiction ISMS Experiences
• Case Study Questionnaire
• Resilience Maturity Model Assessment Tool
• Other Exploratory Considerations
• Evaluation

Preliminary Inter-jurisdiction Findings
Observations collected from a series of Interstate and Commonwealth Government Audit Office reports acknowledged:
• A general lack of self-awareness and information security training
• Inadequacy in information security policies and procedures
• Inability to assess the level of assurance and confidentiality relating to sensitive information
• Lack of monitoring of agencies’ progress towards compliance and certification
• Lack of clear and concise ICT strategy direction and strong senior management commitment and leadership
• Lack of consistent and coordinated information security practices specific to key security infrastructure
• A need for the development and ongoing management of robust risk-based practices

Sample Data
• 11 South Australian Government agencies were interviewed using a set questionnaire; participants were also asked to complete a resilience maturity assessment.
• Data were stratified into three segments based upon their involvement in the ISMS project:
  – Whole of Government strategic analysts
  – Agency Security Executives
  – Information Technology Security Advisors
• In total, 18 interviews were undertaken across the three segments within government.

General Case Study Questionnaire
The general questionnaire contained 20 questions covering:
• ISMS General
• Governance
• Risk
• Whole of Government Guidance Documentation
• Whole of Government Reporting
• Resourcing
• Awareness
• Certification

Resilience Assessment
The Resilience Maturity Assessment considered:
• Agility
• Leadership
• Culture and Value
• Communications
• Integration
• Interdependency
• Awareness
• Change

Research Analysis Findings – Strengths
• ISMS integrates asset identification, risk management, security control documentation and data classification.
• ISMS is based on a gradual implementation approach which underpins key directional agency guidelines and available awareness training.
• Encourages continual improvement and monitoring of security controls.
• Aims to integrate with the South Australian Government protective security framework and international standards.
• Encourages state government agency ownership and reflection on the degree of data sensitivity under their stewardship.
• Reaffirms law and legislative requirements that agencies of government should consider as part of the implementation of the ISMS.
• Regular agency-supported forums are undertaken to exchange thoughts on areas that prohibit or hinder the implementation of the ISMS.
• Attempts to leverage lessons learnt from ISMS initiatives based in other state government jurisdictions.

Research Analysis Findings – Weaknesses
• By enhancing ISMF versions, agencies are forced to assess and realign prior work undertaken to ensure that it remains relevant and effective.
• Senior agency management and associated project personnel need to increase the level of engagement and internal reporting associated with this project.
• The level of risk-based assessment, classification of data and security documentation is not sufficiently prescriptive and lacks standardisation, which may lead to varying interpretations.
• Critical security documentation is in need of updating.
• No clear and concise central leadership or direction / guidance exists at a whole of government level.

Research Analysis Findings – Weaknesses (cont.)
• No ongoing monitoring at a whole of government (WOG) level to determine and assess the level of progress regarding this mandated government project.
• Limited agency resources have been assigned for the effective and efficient completion of this mandated project.
• Uncertainty surrounds the adequacy and implementation / use of key project documentation such as the statement of applicability tool and the classification of data schema.
• Whilst each agency was assigned an Agency Security Executive (ASE) and an Information Technology Security Advisor (ITSA) to assist in the management of the project, with staff movements within government some project roles have been left unattended for extended periods of time (e.g. greater than 6 months).

Research Analysis Findings – Weaknesses (cont.)
• Limited inter-agency exchange of lessons learnt during the course of the project.
• No mechanism is in place to reaffirm to data business owners the significance of data sensitivity and the consequences of a breach.
• Awareness training is being developed in a reactive fashion, as key milestones loom.
• Agencies are yet to establish at an IT strategic level whether the ISMS initiative will attain certification.

Resilience Maturity Assessment
• The resilience maturity assessment model focused on the following characteristics: agility, leadership, culture and values, communication, integration, interdependency and awareness.
• Completion of the resilience maturity assessment model has identified certain key outlier results.
• These areas of variation could be attributed to the varying degree of maturity associated with the transition to the ISMS across state government agencies.
Research Participants’ Resilience Maturity Assessment Data

Resilience Maturity Assessment Findings
• Agencies are at differing stages of the project’s life cycle, which could contribute to the variances in the previous table.
• Resilience findings could be attributed to:
  – Limited senior management and whole of government activity, which may affect an agency’s agility, leadership, culture and communications.
  – Inadequate communications and general project awareness, which may restrict an agency’s ability to effectively interpret the processes involved in the integration, interdependency and overall awareness of business units and agencies within Government.

Combined Summary of the Research Findings
• Lack of monitoring of agencies’ project progress at a whole of government level
• Need to increase senior management engagement and internal reporting mechanisms associated with the project
• Inadequate clear and concise strategic and senior management direction and leadership
• Failure to replace key project personnel at an agency level in a timely manner when staff transfer or leave a specific agency of government
• Development and management of robust risk-based practices, classification of data and security documentation are not standardised across agencies
• Inadequate assurance and confidentiality of sensitive data continues
• The level of awareness and training has not reduced the degree of uncertainty in the completion and use of specific project tools (e.g. Statement of Applicability)

Recommendation
• Lessons learnt from prior governmental reports should be reviewed to confirm whether they could be of assistance in progressing the ISMS project in an effective and efficient manner.
• Whilst the CEOs of agencies act as the data owners, there is also an onus upon senior management at the State Government and agency level to ensure that adequate, clear and concise direction and support is available to agencies.
• The state government needs to increase the level of monitoring of the progress of the mandated government initiative.
• Whilst general guidelines have been initiated, consideration should be given to developing either a standard set of documents or templates covering risk, detailed classification of sensitive data and procedural content; this would assist in reducing the potential for interpretation and increase overall prescriptive coverage specific to the target area, while acknowledging risk and ownership.
• Government should re-acquaint itself with concerns raised in agency security feedback forums to assist in identifying the general areas where awareness training is needed, covering multiple levels throughout an agency as well as general security control considerations.

What I Learned
This thesis has reconfirmed a number of important elements:
• Communication
• Planning
• Awareness
• Interpretation
Finally, it would be remiss of me not to acknowledge that some of the above elements are also areas that I too need to address.

References
ABC News – PM Transcript, 2006, Defence Department review ordered after KOVCO disc left at airport, viewed 18 May 2006, <http://www.abc.net.au/pm/content/2006/s1642048.htm>
ABC News, 2009, Missing RAH Files Reported to Police, viewed 18 June 2009, <http://www.abc.net.au/news/2009-06-18/missing-rah-files-reportedto-police/1324758>
Auditor-General of Queensland, 2011, Information Systems Governance and Security, Report to Parliament No. 4, viewed 20 May 2012, <www.qao.qld.gov.au/auditor_general_reports/2011_Report_No.4.pdf>
Australian Standards, 2004, HB 231:2004 – Information security risk management guidelines
Etges, R. & McNeil, K., 2009, Understanding data classification based on business and security requirements, ISACA Journal Online
Gershon, P., 2008, Review of the Australian Government’s Use of Information and Communication Technology, August 2008, <http://www.finance.gov.au/publications/ict-review/index.html>
Government of South Australia, 2012, Government framework on cyber security – OCIO Information Security Management Framework version 3.1, February 2012
Government of South Australia, 2012, OCIO ISMF Guideline 10 – Transition guidance for agencies and suppliers, February 2012
International Organisation for Standardisation, 2005, Information technology – Security techniques – Information security management systems – Requirements, 2007, viewed April 2012, <http://www.iso.org/iso/catalogue_detail?csnumber=42103>
Kaplan, B. & Maxwell, J. A., 2005, Qualitative Research Methods for Evaluating Computer Information Systems, SpringerLink, Part I, pp. 30–55, DOI: 10.1007/0-387-30329-4_2, <www.libreriafarmaceutica.com/cover.../4/.../9780387245584-c1.pdf>
New South Wales Auditor-General, 2010, Electronic information security, October 2011, viewed 20 May 2012, <www.audit.nsw.gov.au/207_Electronic_Information_Security.pdf>
Victorian Auditor-General, 2009, Maintaining the Integrity and Confidentiality of Personal Information, November 2009, viewed 20 May 2012, <www.audit.vic.gov.au/reports__publications/reports_by_year/200910/20092511_personal_data.pdf>
Western Australian Auditor General, 2011, Information Systems Audit Report, Report 4, June 2011, viewed 20 May 2012, <www.audit.wa.gov.au/reports/pdfreports/report2011_04.pdf>
ZDNet Australia, 2012, Vic report exposes Govt. data breaches, viewed 30 April 2012, <http://www.zdnet.com.au/vic-report-exposes-govt-data-breaches339299715.htm>
Yin, R. K., 2003, Case Study Research – Design and Methods, Sage Publications, Inc., Thousand Oaks, California
Gillham, B., 2000, Case Study – Research Methods, British Library Cataloguing-in-Publication Data, Suffolk, England