Add to collection(s) Add to saved
  1. Business
  2. Economics
  3. Macroeconomics

ISMF Ruling 1– Security management requirements for critical ICT

advertisement 
OCIO/R4.1
Government ruling on cyber security
ISMF Ruling 1
Security Management Requirements for Critical
Information and Communication Technology
BACKGROUND
This ruling is issued for application of the South Australian Government Information Security
Management Framework (ISMF) to critical information communications technology (ICT). It is an
official interpretive statement applicable to South Australian Government agencies and suppliers
whose contractual requirements include it.
The ISMF applies to all Official Information, and all information of which the South Australian
Government or any of its Agencies has custody, where that information is processed, stored or
communicated by ICT equipment.
This ruling is issued and published by the Office of the Chief Information Officer (CIO) and
authorised by the ICT Board.
This ruling should be read in conjunction with ISMF Guideline 37a.
PURPOSE
What this ruling is about:
1. It defines the criterion that constitutes State Government Critical ICT Infrastructure (SGCII).
2. It describes how SGCII shall be registered.
3. It explains how the standards and provisions of the ISMF shall be applied to information
infrastructure classified as State Government Critical ICT Infrastructure.
4. It explains how the waiver (exemption) provision of the ISMF applies to SGCII.
5. It reminds agencies of the timeline for the establishment of an Information Security
Management System (ISMS) and corresponding statement of applicability that
encompasses SGCII.
RULING
Agencies are responsible for providing the Office of the CIO with information related to the Critical
Services they provide, including any ICT that underpins it. The desired outcome of the collected
data is a single information resource that describes the relationships between the services
delivered by the Government, the related ICT services and the underpinning ICT infrastructure.
This single information resource will take the form of a SGCII Register managed by the Office of
the CIO.
What constitutes State Government Critical ICT Infrastructure?
State Government Critical ICT Infrastructure (SGCII)
SGCII is defined as ICT infrastructure upon which ‘Critical Services’ are delivered to the
community. If the confidentiality, integrity or availability of this ICT infrastructure is lost then it could
significantly impact on the social, or economic well-being of the State, the government, commercial
entities or members of the public.
Critical Services
Critical Services are those services that, if compromised, would result in significant damage to the
physical, social or economic wellbeing of the State. Critical Services are not typically ICT services,
they are services that an agency delivers to the community on behalf of the Government.
Critical Services can be categorised as either Essential or Important:
o
Essential Services
Essential Services are those services (whether provided by a public or private
undertaking) without which the safety, health or welfare of the community or a
section of the community would be endangered or seriously prejudiced 1.
Essential Services are directly related to:



Continuity of executive government
Directly combating identified threats
Physical survival of the community
o Important Services
Important Services are those services that are directly related to the social, physical
or economic safety and security of the State.
Registration of State Government Critical ICT Infrastructure
Responsible Parties are to identify any SGCII in their agency and inform the Office of the CIO for
recording in the SGCII Register. Responsible Parties should describe the relationships between
the Critical Services delivered by the agency, their supporting ICT services and underpinning ICT
infrastructure.
Responsible parties shall review their submission annually or on an event driven basis and inform
the Office of the CIO of amendments. The Agency Chief Executive, or appropriate delegate (e.g.
Agency Security Executive), should sign off on any agency asset being registered as SGCII.
Application of the standards and provisions of the ISMF to SGCII
The ISMF identifies the minimum controls required by all Agencies and Suppliers regardless of the
scope of their ISMS implementation(s). This control set effectively establishes the cyber security
baseline for across government ICT services and operations.
In addition to the baseline cyber security control set, the standards and provisions of ISMF version
3, in its entirety will apply to SGCII. Application of the additional standards and provisions will be
selected based upon the outcome of a risk assessment.
1
South Australian Essential Services Act 1981
Government ruling on cyber security
Security Management Requirements for Critical ICT v1.1
Page 2 of 3
Waiver of the ISMF provisions for SGCII
ISMF version 3 introduces the ability for an Agency to seek an exemption from select standards or
provisions issued under the ISMF.
Information infrastructure classified as SGCII is not eligible for an exemption or waiver using the
Office of the CIO exemptions process. Instead, any Agency seeking an exemption for any assets
classified as SGCII should follow the waivers process listed in section 5.8 of the Protective
Security Management Framework.
Timeline for the establishment of an ISMS
Agencies have until June 30 2013 to establish an ISMS and develop a statement of applicability for
their operating environment that encompasses critical ICT information assets and associated
activities. Agencies must have 100% of the ICT component of State Government Critical
Infrastructure and business critical assets accounted for in their management system by this date.
For further information on the timeline refer to ISMF Guideline 1a – Transition Guidance for
Agencies and Suppliers
REFERENCES, LINKS & ADDITIONAL INFORMATION

OCIO/F4.1 Government of South Australia Information Security Management Framework [ISMF]

PC030 Government of South Australia Protective Security Management Framework [PSMF]

ISMF Guideline 37a – Critical Information and Communication Technology

ISMF Guideline 1a – Transition Guidance for Agencies and Suppliers
ID
OCIO/R4.1
Classification/DLM
PUBLIC-I2-A1
Issued
June 2012
Authority
ICT Board
Master document location
Q:\SecurityRiskAssurance\Risk and ICT Infrastructure Protection\CIP\SGCII Ruling
Records management
File Folder: 2010/24801/02 - Document number: 6370382
Managed & maintained by
Office of the Chief Information Officer
Author
Sarah Mason, CISM, CRISC
Principal Risk Adviser, Security & Risk Assurance
Reviewer
Peter Fowler MACS (Snr. CP), IP3P, CISM, CGEIT, CRISC, MAIES
Director, Security and Risk Assurance
Compliance
Mandatory
Review date
June 2014
To attribute this material, cite
the Office of the Chief
Information Officer,
Government of South
Australia, ISMF Ruling 1
This work is licensed under a Creative Commons Attribution 3.0 Australia Licence
Copyright © South Australian Government, 2012. Disclaimer
Government ruling on cyber security
Security Management Requirements for Critical ICT v1.1
Page 3 of 3
Related documents
School ICT Policy
School ICT Policy
ICT in Art and Design work
ICT in Art and Design work
Evolving ICT into Computing Secondary
Evolving ICT into Computing Secondary
Viviki Platform
Viviki Platform
Innovative use of ICT in home economics
Innovative use of ICT in home economics
ict strategy and imp..
ict strategy and imp..
Wednesday, November 4 th 7:30 pm, Mamaroneck High School
Wednesday, November 4 th 7:30 pm, Mamaroneck High School
ISMF Guideline 21 – Media handling
ISMF Guideline 21 – Media handling
ISMF Guideline 4b - Role and responsibilities of the ITSA
ISMF Guideline 4b - Role and responsibilities of the ITSA
ISMF Guideline 8a
ISMF Guideline 8a
ISMF Guideline 25 - User Access Management
ISMF Guideline 25 - User Access Management
ISMF Guideline 8b – New classification scheme for confidentiality of
ISMF Guideline 8b – New classification scheme for confidentiality of
Download
advertisement