ISMF Guideline 37a - Department of the Premier and Cabinet

OCIO/G4.37a
Government guideline on cyber security
ISMF Guideline 37a
Critical Information Communications Technology
BACKGROUND
Information Communication Technology (ICT) underpins many of the Government of South
Australia’s services that protect the lives and property of citizens and support the social and
economic well-being of the community. Understanding what ICT the South Australian Government
has a critical reliance on assists in decision-making that contributes to the resilience and continuity
of government services.
Any ICT infrastructure that the Government has a critical reliance on may be considered State
Government Critical ICT Infrastructure (SGCII) and must be managed appropriately. Agencies are
required to identify any SGCII and provide this information to the Office of the Chief Information
Officer (CIO).
This guideline should be read in conjunction with ISMF Ruling 1 – Security Management
Requirements for Critical ICT.
GUIDANCE
Agencies are responsible for providing the Office of the CIO with information related to the Critical
Services they provide, including any ICT that underpins it. The desired outcome of the collected
data is a single information resource that describes the relationships between the services
delivered by the Government, the related ICT services and the underpinning ICT infrastructure.
This single information resource will take the form of a SGCII Register managed by the Office of
the CIO. The identification of SGCII will assist to:
- engage cost effective security controls;
- communicate appropriate service requirements and risk tolerances; and
- explain expectations of response and recovery to disruptive events.
This understanding aids agencies and responsible authorities, such as the Office of the CIO, in
minimising disruptions to the systems that aid the government in maintaining delivery of Essential
and Important services to the State.
The Department of the Premier and Cabinet (DPC) is the Control Agency for ICT Failure under the
State’s emergency management arrangements. The Office of the CIO fulfils this role on behalf of
DPC. The ICT Support Plan outlines how the Office of the CIO fulfils this role.
Government guideline on cyber security
Critical Information Communications Technology v1.2
Page 1 of 4
TERMS
Critical Infrastructure
The South Australian Government defines Critical Infrastructure as those physical facilities,
supply chains, information technologies and communication networks which, if destroyed,
degraded or rendered unavailable for an extended period, will significantly impact on the
social or economic well-being of the State, or affect the State’s contribution to national
security or defence [1].

State Government Critical ICT Infrastructure (SGCII)
SGCII is defined as ICT infrastructure upon which ‘Critical Services’ are delivered to the
community. If the confidentiality, integrity or availability of this ICT infrastructure is lost then
it could significantly impact on the social or economic well-being of the State, the
government, commercial entities or members of the public.

Critical Services
Critical Services are those services that, if compromised, would result in significant damage
to the physical, social or economic well-being of the State. Critical Services are not typically
ICT services; they are services that an agency delivers to the community on behalf of the
Government.
Critical Services can be categorised as either Essential or Important:

  o Essential Services
    Essential Services are those services (whether provided by a public or private
    undertaking) without which the safety, health or welfare of the community or a
    section of the community would be endangered or seriously prejudiced [2].
    Essential Services are directly related to:
      - Continuity of executive government
      - Directly combating identified threats
      - Physical survival of the community

  o Important Services
    Important Services are those services that are directly related to the social, physical
    or economic safety and security of the State.

[1] Government of South Australia Protective Security Policy
[2] South Australian Essential Services Act 1981
IDENTIFYING STATE GOVERNMENT CRITICAL ICT INFRASTRUCTURE
Agencies have a responsibility to provide the Office of the CIO with information for inclusion in the
SGCII Register. The workflow diagram below is designed to assist agencies in providing the
relevant information to the Office of the CIO.
STEP 1: IDENTIFY SERVICE - Identify a service that the agency delivers to the community on behalf of the
Government. This is not likely to be an ICT service.
(Agency Personnel Involved: Business Owner and Agency Security Executive)

STEP 2A: ESSENTIAL SERVICE? - Is the service related to either continuity of executive government, directly
combating identified threats, or the physical survival of the community?
(Agency Personnel Involved: Business Owner and Agency Security Executive)
  YES: This service does meet the criteria of a Critical Service. Go to Step 3.
  NO: Go to Step 2B.

STEP 2B: IMPORTANT SERVICE? - Is the service related to the social, physical or economic safety and
security of the State?
(Agency Personnel Involved: Business Owner and Agency Security Executive)
  YES: This service does meet the criteria of a Critical Service. Go to Step 3.
  NO: This service does not meet the criteria of a Critical Service. Return to Step 1.

STEP 3: IDENTIFY CRITICAL ICT - Identify the application, system or ICT infrastructure that is relied upon to
deliver the Critical Service (e.g. platform, location, contact person, suppliers). There may be multiple instances of
ICT infrastructure per service and each piece of ICT infrastructure may also be used for multiple services.
(Agency Personnel Involved: Business Owner, Agency Security Executive and IT Security Adviser)

STEP 4: COMPLETE & SUBMIT REGISTER TEMPLATE - Complete the SGCII Register template, including all
relevant information, and submit the template to the Office of the Chief Information Officer.
Review the submission annually, or on an event-driven basis, and notify the Office of the CIO of any amendments.

Contact: Security and Risk Assurance
Phone: (08) 8463 4003
ADDITIONAL CONSIDERATIONS
Registration of ICT as SGCII sets a baseline requirement against the Protective Security
Management Framework and Information Security Management Framework (ISMF) for assurance
activities. Further information on this can be found in ISMF Ruling 1 – Security Management
Requirements for Critical ICT.
Any ICT that is registered as SGCII may also need to be registered as State Critical Infrastructure.
Management of State Critical Infrastructure is overseen by the Critical Infrastructure Support
Group in South Australia Police (SAPOL). The Office of the CIO may provide information from the
SGCII Register to SAPOL if it is deemed necessary.
Registration of ICT as SGCII does not have an effect on any requirements for agencies to maintain
their own business continuity management arrangements and business continuity plans.
REFERENCES, LINKS & ADDITIONAL INFORMATION
- PC030 Government of South Australia Protective Security Management Framework [PSMF]
- OCIO/F4.1 Government of South Australia Information Security Management Framework [ISMF]
- OCIO/R4.1 ISMF Ruling 1 – Critical ICT Security Management Requirements
- State Emergency Management Plan
This guideline does not aim to provide the reader with all of the responsibilities and obligations associated
with Critical ICT. It is highly recommended that agencies review all related documents in their entirety. The
individual requirements of agencies will have direct bearing on what measures are implemented to mitigate
identified risk(s).
ID: OCIO_G4.37a
Classification/DLM: PUBLIC-I2-A1
Issued: June 2012 (re-issued as ISMF Guideline 37a from Guideline 3 – February 2014)
Authority: Security and Risk Steering Committee
Master document location: Q:\SecurityRiskAssurance\Risk and ICT Infrastructure Protection\CIP\SGCII Guideline
Records management: File Folder: 2011/15123/01 - Document number: 5817495
Managed & maintained by: Office of the Chief Information Officer
Author: Will Luker, Analyst
Reviewer: Sarah Mason CISM, CRISC, Principal Risk Adviser, Security & Risk Assurance
Compliance: Discretionary
Review date: June 2015
To attribute this material, cite the Office of the Chief Information Officer, Government of South Australia, ISMF Guideline 37a.
This work is licensed under a Creative Commons Attribution 3.0 Australia Licence.
Copyright © South Australian Government, 2014.