BACKGROUND
SA Government business undertakings are reliant on Information and Communications Technology (ICT). Periodic and regular ongoing reviews are an essential facet of providing business assurance and confirming adherence to relevant obligations and requirements. This guideline supports implementation of ISMF Policy Statement 39.
Reviews include but are not limited to the following aspects:
- External legislative, statutory or regulatory requirements pertaining to information security that are mandated by law and therefore must be complied with by agencies and third parties (such as suppliers) to avoid facing serious consequences [1]
- Industry standards and practices that are established by standards or industry bodies, such as the International Organization for Standardization (ISO), and selected for adoption. The ISO 31000 risk management and ISO 27000 information technology security management standards are relevant examples in the cyber security context
- Internal policies, standards, procedures and contractual obligations for security of ICT, such as specific security controls mandated by or within the organisation.
Cyber security compliance describes the goal that agencies aspire to achieve in their efforts to ensure that their own and third-party personnel are aware of and take steps to comply with relevant cyber security obligations and requirements.
It also sets the expectation that the policies and practices for maintaining compliance are clearly defined, implemented and enforced. This is fundamental to effective and accountable corporate governance of ICT. Compliance reviews assure that the relevant security obligations and requirements are being met. Periodic reviews are concerned with examining to what degree the organisation is able to demonstrate conformance, e.g. through self or third party assessments.
Such reviews also constitute a foundation of achieving continual improvement and optimisation of resources in an organisation.
[1] Agencies contemplating outsourcing arrangements in any form should also consult ISMF Guideline 38 to familiarise themselves with the legislative and regulatory requirements relevant to conducting South Australian Government business with ICT.
ISMF Guideline 39
GUIDANCE
Agencies are responsible for developing and implementing procedures to ensure security compliance in accordance with the requirements of the:
- Protective Security Management Framework (PSMF)
- Information Security Management Framework (ISMF)
This guideline assists Business Owners and Responsible Parties (as defined in the ISMF) in developing their practices and procedures for undertaking regular reviews of their information security posture to ensure ongoing compliance to applicable security obligations and requirements.
PRE-REQUISITE DOCUMENTS
The ISMF should be read in conjunction with this guideline. Implementing the guidance in this document may assist in meeting various requirements contained in the following ISMF Policy Statements:
- ISMF Policy Statement 39 (Security policies, standards and technical reviews)
- ISMF Policy Statement 16 (External (third party) service delivery management)
- ISMF Policy Statement 38 (Compliance with legal requirements)
- ISMF Policy Statement 3 (Information security policy)
- ISMF Policy Statement 15 (Operational procedures and responsibilities)
SECURITY POLICY COMPLIANCE AND REVIEWS
An ongoing program of regular activities should be undertaken to assess the suitability and effectiveness of the Agency’s information security policy posture. It provides the basis for:
- ensuring the efficacy of its overall information security position
- verifying conformance to legal, regulatory and policy requirements that affect information security
- ensuring that agencies are able to respond to the latest threat environment (e.g. newly emerged security threats and changed business requirements)
- identifying any agency non-compliance and addressing it through mitigation and education actions
- ensuring proper information security maintenance
- improving the effectiveness of the ISMS.
Government guideline on cyber security
Regular, periodic and independent reviews v1.1
Page 2 of 12
This section provides guidance on important aspects of information security reviews.
Table 1 - Security policy compliance and review guidance

Applicability: All, unless stated otherwise for a row.

Compliance review
Business Owners should instigate a review of compliance with legal and regulatory requirements that affect information security at least annually, or sooner when new or updated legislation or regulatory requirements come into effect.

Policy review
Business Owners should demonstrate ongoing support for information security by commitment to reviewing the agency’s ISMS policy and/or Information Security Policy [2] on a periodic basis to ensure it continues to support delivery of the organisation’s objectives.
References (Compliance review and Policy review): ISMF Standard 3; ISMF Standard 127

Non-compliance
Non-compliance findings should be addressed by the Responsible Party through:
- identifying the underlying issue
- assessing required actions to prevent recurrence of non-compliance
- establishing and implementing suitable actions for issue rectification
- reviewing the action effectiveness
- documenting and maintaining the review findings and actions, e.g. as input into independent reviews or audits

Compliance documentation
Compliance checks and reviews may require specialised software [3] to carry out and document these checks. These tools require adequate protection to safeguard the integrity and access of their data.
References (Non-compliance and Compliance documentation): ISMF Standard 128; ISMF Standard 134

Procedure and Guideline reviews
Responsible Parties should initiate at least annual reviews of all security procedures and guidance to establish that they are formulated and carried out in accordance with the relevant security policies and standards.
References: ISMF Standard 47

Exemption review
Responsible Parties should undertake at least annual reviews of all dispensations from security compliance requirements.
References: ISM, Reviewing non-compliance
[2] Depending on the agency context, the information policies may be specified in a single document, a top-level information security policy with a supporting operational policy, or a top-level policy with multiple operational policies covering different control areas.
[3] Examples of security, risk and compliance management software tools include the Lumension Compliance and IT Risk Management, QSEC or the CURA Information Security Risk Management tool suites.
Applicability: [SP] Sensitive: Personal
Responsible Parties should consider seeking further advice and guidance from the Privacy Committee of South Australia if non-compliance findings indicate a possible or actual breach of personal information.

Review schedule and process
Reviews may be event or change driven. Unless changes in risks and the agency’s operating environment, business or system dictate earlier reviews, security reviews should be undertaken at least annually, and according to a defined review process.
All security reviews may be captured in a regular review schedule.
References: ISM, section Documentation maintenance

Review expertise
Responsible Parties should identify needs for internal and external specialist information security advice in conducting and coordinating information security reviews. Having information security reviews conducted by parties that are independent of the review target should be considered.
The SA Government’s Cyber Security Services Portal [4] may be used to engage independent review services.
References: ISMF Standard 11; ISMF Standard 9
[4] Refer to the section Additional information for further details on the Cyber Security Services Portal.
SECURITY IMPLEMENTATION COMPLIANCE AND REVIEWS
Having a set of organisational security policies, standards and procedures is often mistaken for having implemented them, which may not be the case. New services, customer expectations and operating conditions will be a constant source of change, which may render existing security controls ineffective.
Compliance evaluations address the process of checking that controls and practices are actually implemented and working as expected. This section provides guidance for security-relevant processes for reviewing the agency’s compliance with its own internal policies as well as those imposed externally.
Table 2 - Security implementation and compliance review guidance

Applicability: All

Implementation assurance
Business Owners should support Responsible Parties in undertaking assurance activities to establish the extent to which security procedures are carried out correctly and security standards are implemented. This may be achieved through random checks or regular reviews that provide proof of the level to which the standards and policies are known, enforced and effective.
These activities may include:
- risk-based annual reviews of how information assets comply with relevant Agency and whole-of-government security implementation standards and controls
- formal review processes for the adherence to technical security implementation standards and controls prior to releasing new or changed information systems into the operating environment
References: ISMF Standards 16, 39, 47, 133, 134

Expertise
Organisation and co-ordination of technical compliance reviews should be performed by experienced and trusted system engineers and demonstrably qualified personnel, such as Agency Security Advisers and IT Security Advisers.
References: ISMF Standard 134

Non-compliance
The Responsible Party may be required to report certain non-compliance findings, especially if the non-compliance results in a Notifiable Incident [5].
References: ISMF Standard 140 - Notifiable Incidents; ISMF Standard 9; ISMF Guideline 12a
[5] Refer to ISMF Standard 140 - Notifiable Incidents for SA Government requirements to investigate and report cyber security incidents.
Review priorities
A risk-based approach should be applied to the formal process of security implementation review activities. It should take into account such factors as the classification of the information asset being protected, and security standards and controls which address critical security issues or well-known implementation weaknesses.
Common issues include:
- Access control - the effectiveness of the access control policy to meet business and security requirements for access to information assets. It may include assessing physical and user access rights, especially related to events at which significant changes in user privileges or work situations occurred
- Confidentiality - the level to which confidentiality requirements or non-disclosure agreements reflect the organisation’s needs for the protection of information
- Usage monitoring - procedures for monitoring the use of information processing facilities
- Patching - verification that the appropriate patches are applied to operating system, device and application software
- System changes - when operating systems are changed, agencies should review relevant business critical applications to ensure there is no adverse impact on agency operations or security.
References: ISMF Standards 23, 36, 54, 76, 80, 117
THIRD PARTY AND OUTSOURCED SERVICE DELIVERY
Embracing third party service delivery offerings reduces an organisation’s direct control over its security controls and architecture. This requires defining, implementing and maintaining appropriate measures to ensure that defined information security and service delivery agreements are upheld.
Table 3 - Third party and outsourced service delivery guidance

Applicability: All

Service delivery risk management
Business Owners should identify and manage specific risks associated with outsourcing arrangements for processing facilities and/or service delivery agreements. Typical risk considerations should include:
- Third party compliance - upholding of relevant compliance obligations for information processing and storage that may be provided by third parties
- Legal jurisdiction - the legal context with regard to statutory and legislative powers that the third party, their facilities and the data may be subject to, such as international operations and off-shore data being subject to multiple legal jurisdictions

Outsourcing
Agencies contemplating outsourcing arrangements in any form should consult ISMF Guideline 6 (Cyber security in procurement activities) to familiarise themselves with fundamental cyber security considerations in procurement activities.

Service delivery expectations
Business Owners should formally agree and document third party service expectations and commitments with regards to meeting relevant cyber security requirements, obligations and service delivery levels, e.g. via Service Contracts based on Service Level Agreements [SLAs] and Operational Level Agreements (OLAs).
The extent of agreements should include service delivery expectations for maintaining service security and continuity during any necessary service transitions or interruptions.
References (Service delivery risk management, Outsourcing and Service delivery expectations): ISMF Standard 51; ISMF Standard 16; ISMF Standards 51 and 139

Service delivery compliance monitoring and review
Responsible Parties should supervise and monitor outsourced service delivery, and demonstrate how agreed service delivery expectations are being met.
Monitoring and review activities should include:
- Compliance monitoring and assessment - establishing a formal program of compliance assurance, including periodic assessments of the supplier’s conformance at key service delivery checkpoints or milestones
- Performance reviews - undertaking periodic supplier performance reviews according to the criteria and tolerances defined within the relevant Service Contract. Independent reviews, advice and/or certification may also provide an increased level of assurance.
References: ISMF Standard 51

Service change and improvement management
Responsible Parties should establish defined management processes for undertaking any changes to security-related service delivery aspects, such as agreed cyber security policies, procedures and controls. They should be able to ensure that changes affecting information security are not undertaken without due consideration, appropriate authorisation and in line with the criticality of service-related business processes and systems.
Responsible Parties should demonstrate a commitment to continual improvement by integrating the lessons from third-party service delivery feedback, monitoring and review activities, including:
- Non-compliance findings - to highlight weak areas that should be addressed
- Exemption reviews - to derive insights from the exemptions process about any necessary changes to cyber security controls and practices that may improve the service delivery security posture.
References: ISMF Standard 51
DEVELOPMENT OF AN ASSURANCE PLAN
Assurance undertakings benefit from a well-planned approach which is appropriate for serving the assurance objectives within the resource constraints. Assurance planning provides the foundation for identifying necessary information required for regular assurance activities. It is used to determine appropriate activities, work assignment scheduling and coordination, and specification of suitable work documents.
Risk-based IT assurance planning is a best practice approach, which is supported by a number of assurance frameworks and methodologies. The following section summarises two recognised assurance frameworks which include guidance for assurance planning activities.
Control Objectives for Information and Related Technology (COBIT)
COBIT, and many of its supporting products, provide guidance for IT assurance activities. It outlines a number of fundamental principles for understanding assurance and related techniques and contributory activities, and includes guidance on the steps that comprise typical IT assurance engagements, including the approach to assurance planning.
Assurance planning covers the establishment of the range of activities that comprise the area of IT assurance responsibility. It is typically based on a high-level structure that classifies and relates concerned entities, including the IT processes and activities, functions, structures and resources as well as risks and controls which collectively contribute to the achievement of cyber security objectives. The objective of assurance planning is to create a viable and comprehensive cyber security assurance plan (usually annual) that combines the audit, compliance and vulnerability assurance concerns with an appropriate IT control framework.
COBIT also highlights the importance of obtaining executive level approval for the plan and communicating it throughout the organisation in order to clearly set out the objectives, authority, and responsibilities for conducting any assurance assignments.
Further information is available in the ISACA publications COBIT 5 for Assurance and the IT Assurance Guide: Using COBIT.
Sherwood Applied Business Security Architecture (SABSA)
SABSA is a framework and methodology that includes developing risk-driven enterprise information assurance architectures. Its Assurance Framework and related components offer:
- principles and practice of assurance management
- an approach to planning the implementation and management of assurance programmes based on best-practice methods, standards and tools
- a practical risk-based approach to assuring business processes and systems through monitoring, measuring, benchmarking, testing and continuous improvement
The assurance planning guidance provided through the SABSA framework extends to the planning and development of information assurance and information risk management strategies and programs, which apply risk management techniques and methods. It also covers the implementation and management aspects of risk-based information security reviews and assurance audits. Further information on this approach is available via the SABSA web site.
Outline of an assurance plan
The following outline captures suggested components of an assurance plan that can guide assurance undertakings in a well-planned approach for serving the assurance objectives and scope within the given assurance environment and constraints: [6]
- Context - engagement nature, engagement-specific issues and assurance principles that underpin the assurance undertaking
- Subject - high level objectives, scope (including any concerned organisational or functional units and processes) and assurance criteria used as a reference
- Approach - the extent of assurance methods and procedures used to complete the engagement, such as the risk-based approach used or the extent to which sampling is needed to obtain sufficient evidence and the design of the sampling plan, if applicable. It may also include compliance considerations with applicable laws, professional auditing standards and any other reference documents, and any specific measures to be taken to address the effect of uncertainty on achieving the assurance objectives
- Assurance Activity Roadmap - the assurance activities to be undertaken, including their locations, dates, expected time and duration as well as resource requirements for the assurance engagement such as the assurance roles and responsibilities, including guides and observers
- Reporting - documentation, reporting and other assurance deliverable requirements
[6] This outline is consistent with the provisions of ISO 19011:2011 Guidelines for auditing management systems.
ADDITIONAL INFORMATION
Cyber Security Self-assessment
Cyber security self-assessment is a tool available to evaluate the current status and efficacy of an organisation’s cyber security resources, including policies, staff, processes, practices and controls. It can be a precursor to more formal assessments, e.g. audits, which can identify strengths, gaps and/or risks to help improve the information security posture.
Questionnaire-based self-assessment may be adopted as a suitable good practice approach. The National Institute of Standards and Technology’s Security Self-Assessment Guide for Information Technology Systems [7] or the Canadian Government’s Cyber Security Self-Assessment Guidance [8] provide reference guidance for using a questionnaire-based self-assessment approach which could be tailored to address the requirements of the South Australian information security context.
Benchmarking
Evaluation by comparison against the standards of peer organisations is another opportunity for assessing an organisation’s security posture. It facilitates integration of applied learnings and findings from like organisations, such as cluster agencies within the South Australian Government, or comparable agencies in other Australian jurisdictions. Since peer organisations are likely to face common cyber security issues, they can quickly identify each other’s strengths and weaknesses.
This may assist in reducing any security exposures through improvement suggestions that are highly relevant to the peer organisation.
Internal Audit
In addition to self-assessment, internal audit provides independent and objective assurance that assists in improving an organisation’s security posture. It provides a systematic, disciplined and impartial approach to evaluating and improving the effectiveness of cyber security management, control, and governance processes by delivering unbiased and evidence-based analysis, insights and recommendations.
Independent review via the Cyber Security Services Portal
The Cyber Security Services Portal is an open portal of qualified and suitably screened private sector organisations that can provide external cyber security services to SA Government, including independent assessment and review. It operates as a dedicated portal under the broader eProjects panel of the Government of South Australia.
The portal provides a mechanism for agencies to efficiently procure cyber security services from a panel of industry providers and practitioners. Portal suppliers have been pre-qualified to determine that they are capable and adequately qualified to assist agencies in meeting their responsibilities and obligations for ICT/cyber security as described in both the PSMF and ISMF. A secondary objective of the portal is to assist agencies in the implementation of an Information Security Management System [ISMS] and to ensure that the capability and maturity of our suppliers is in alignment (‘lock step’) with the capability and maturity expectations placed on agencies in all matters pertaining to cyber security.
[7] Security Self-Assessment Guide for Information Technology Systems, National Institute of Standards and Technology (NIST)
[8] Cyber Security Self-Assessment Guidance, Government of Canada
Further good practice guidance
Additional good practice guidance and further resources are available from cyber security industry, standards or other authoritative bodies, such as the:
- Information Systems Audit and Control Association (ISACA)
- Corporate Executive Board’s Information Risk Executive Council (IREC)
- Australian Computer Emergency Response Team (AusCERT)
- International Information Systems Security Certification Consortium (ISC²)
- Australian Computer Society (ACS)
This guideline is good practice applied to the protective security policy position and operating characteristics of the Government of South Australia at the time of writing. The individual requirements and operational characteristics of agencies will have direct bearing on what procedures and protocols are implemented and used for SA Government business.
REFERENCES, LINKS & ADDITIONAL INFORMATION
1. OCIO/F4.1 Government of South Australia Information Security Management Framework [ISMF], Government of South Australia, Adelaide
2. PC030 Government of South Australia Protective Security Management Framework [PSMF], Department of the Premier and Cabinet, Government of South Australia, Adelaide
3. Australian Government Protective Security Policy Framework [PSPF], Attorney-General’s Department, Australian Government, Canberra
4. Australian Government Information Security Manual, Australian Signals Directorate, Australian Government, Canberra
5. ISO/IEC 38500:2008 Corporate governance of information technology, International Organization for Standardization / International Electrotechnical Commission
6. AS 8000-2003 Corporate governance - Good governance principles, Standards Australia International
7. AS 3806-2006 Compliance programs, Standards Australia International
8. ISO 19011:2011 Guidelines for auditing management systems, International Organization for Standardization / International Electrotechnical Commission
9. Security Self-Assessment Guide for Information Technology Systems, National Institute of Standards and Technology (NIST)
10. Cyber Security Self-Assessment Guidance, Government of Canada
11. IT Assurance Guide: Using COBIT, IT Governance Institute
12. COBIT 5 for Assurance, ISACA
13. Enterprise Security Architecture - SABSA White Paper, SABSA Institute
14. ITAF™: A Professional Practices Framework for IS Audit/Assurance, 2nd Edition, ISACA
ID: OCIO_G4.39
Classification/DLM: PUBLIC-I1-A1
Issued: March 2014
Authority: State Chief Information Security Officer
Master document location: Q:\SecurityRiskAssurance\Policy Development Sub-program\Policy and Standards\ISMF\v3.2\ISMFguidelines\ISMFguideline39(reviews).docx
Records management: File Folder: 2011/15123/01 - Document number: 8295442
Managed & maintained by: Office of the Chief Information Officer
Author: Christian Bertram, CEA, MSIT, Enterprise Architect
Reviewer: Jason Caley, CISM, MACS (CP), IP3P, CRISC, CEA, Principal Policy Adviser
Compliance: Discretionary
Review date: February 2016
To attribute this material, cite the Office of the Chief Information Officer, Government of South Australia, ISMF Guideline 39.
This work is licensed under a Creative Commons Attribution 3.0 Australia Licence.
Copyright © South Australian Government, 2014.
Disclaimer