ISMF Guideline 38 – Legal, regulatory and contractual compliance

OCIO/G4.38
Government guideline on cyber security
ISMF Guideline 38
Legal, regulatory and contractual compliance requirements
BACKGROUND

This guideline outlines the legislative and regulatory requirements for South Australian Government agencies and suppliers to South Australian Government agencies whose contractual requirements include the Information Security Management Framework [ISMF]. Agencies must assure themselves that they are aware of their legal requirements and obligations in cyber security. This guideline supports implementation of ISMF Policy Statement 38.

GUIDANCE

The following tables identify local and international laws, regulations and other external requirements that must be identified, recognised and complied with, in addition to highlighting relevant standards and guidelines used by the Government of South Australia security and risk framework. These items are regularly reviewed for changes that may impact policy and standards implementations involving cyber security. In addition to the considerations contained in this guideline, agencies and suppliers to government must assure themselves that any relevant agency and/or industry sector laws and regulations are being observed.
PART 1: LAWS AND LEGISLATIVE CONSIDERATIONS

Reference: Relevance to cyber security initiatives

South Australian Legislation

Criminal Law Consolidation Act 1935 (SA):
    Codifies the majority of crimes in South Australia. Operates in conjunction with the common law.

Electronic Transactions Act 2000 (SA):
    Mirrors the Commonwealth Act with some localised differences. Provides a regulatory framework to ensure that transactions conducted electronically or on paper are treated equally by law. Supports the development of e-commerce. It is technology neutral and does not endorse a particular signature technology, nor does it provide rules for digital or electronic signatures.

Emergency Management Act 2004 (SA):
    Establishes strategies and processes for the management of emergencies in the State. Includes provisions for the establishment of the State Emergency Management Committee and the appointment of the State Co-ordinator. ICT failure is recognised by the State Emergency Management Plan, which is enabled by this legislation.

Essential Services Act 1981 (SA):
    Aims to protect the community against the interruption or dislocation of essential services. Responsible parties should give consideration to critical ICT services that may underpin provision of essential services described by the Act.

Evidence Act 1929 (SA):
    Details the requirements for evidence gathering and handling, including electronic information intended to be used in judicial proceedings. In particular, Part 6A specifies the requirements for admissibility of computer-derived evidence.

Freedom of Information Act 1991 (SA):
    Promotes openness in government and accountability of State Government ministers and other government agencies by providing for public access to official documents and records, and for the correction of public documents and records in appropriate cases.

Listening and Surveillance Devices Act 1972 (SA):
    Regulates the use of listening and surveillance devices, as part of the South Australian criminal law.

Public Finance and Audit Act 1987 (SA):
    Regulates the receipt and expenditure of public money. Details the purpose, function and autonomy of the Office of the Auditor-General.

Public Sector Act 2009 (SA):
    Makes provision for employment, management and governance matters relating to the public sector of the State.

Public Sector (Honesty and Accountability) Act 1995 (SA):
    Imposes duties of honesty and accountability on public sector office holders, employees and contractors.

State Records Act 1997 (SA):
    Governs handling of official records to ensure that records of enduring evidential or informational value are preserved for future reference.

Commonwealth Legislation

Australian Security Intelligence Organisation Act 1979 (Cth):
    Establishes and prescribes ASIO's functions and powers. Includes provisions for computer access warrants, security assessments, and listening and tracking devices.

Crimes Act 1914 (Cth):
    Codifies offences against the Commonwealth. Functions alongside State legislation and is gradually superseding the Criminal Code Act 1914.

Criminal Code Act 1995 (Cth):
    The main piece of legislation containing federal offences. Abolishes all common law offences and is gradually superseding the Crimes Act 1914.

Cybercrime Act 2001 (Cth):
    Codifies and amends the law relating to computer offences.

Electronic Transactions Act 1999 (Cth):
    Provides a regulatory framework that recognises the importance of the information economy and facilitates the use of electronic transactions.

Intelligence Services Act 2001 (Cth):
    Provides a legislative basis for the Australian Secret Intelligence Service (ASIS) and the Australian Signals Directorate (ASD). Also grants powers to the Australian Security Intelligence Organisation (ASIO).
Government guideline on cyber security
External legal, regulatory and contractual compliance requirements v2.0
Page 2 of 7
National Security Information (Criminal and Civil Proceedings) Act 2004 (Cth):
    Prevents the disclosure of information in federal criminal and civil proceedings where the disclosure is likely to prejudice national security, except where preventing the disclosure would seriously interfere with the administration of justice.

Privacy Act 1988 (Cth):
    Operates in conjunction with common law. Defines what constitutes sensitive information (section 6) and details the Information Privacy Principles (section 14).

Spam Act 2003 (Cth):
    Regulates commercial electronic messages, address-harvesting software etc. Also describes penalties and punitive measures. Particular attention should be paid to the requirement to provide an 'opt-out/unsubscribe' option when using mass-mailing or similar distribution software.

Telecommunications Act 1997 (Cth):
    Provides a regulatory framework that promotes the long-term interests of end-users of carriage services.

Telecommunications (Interception and Access) Act 1979 (Cth):
    Prohibits the interception of, and other access to, telecommunications except where authorised in special circumstances.

United States Legislation

USA PATRIOT Act 2001:
    Has repercussions for government information being hosted or communicated via ICT equipment located in the US and its possessions. Information may be accessed or collected by authorised agencies. Additionally, US-based companies operating in foreign jurisdictions are also subject to many provisions within this Act.

Computer Fraud and Abuse Act 1986:
    The definition of a "protected computer" has implications for ICT systems used outside of the US, specifically: "(B) which is used in interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States;"

Federal Information Security Management Act 2002:
    Recognises the importance of information security to the economic and national security interests of the United States. The Act requires each US federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source. Useful for tracking changes and emerging trends in information security legislation.
PART 2: POLICIES AND STANDARDS

A comprehensive listing of relevant information security policies and standards is contained in the Information Security Management Framework [ISMF].

Australian Government policy and standards

Reference: Relevance to cyber security

Australian Government Protective Security Policy Framework [PSPF]:
    The PSPF reflects the requirements of contemporary Government and private-sector partnership, agile procedural change and the dynamic landscape of information security, particularly in light of constantly evolving ICT technologies and service delivery capabilities. The PSPF is designed to progressively replace the PSM over a period of time.

Australian Government Information Security Manual [ISM]:
    The ISM (formerly known as ACSI 33) is a standard that forms part of a suite produced by ASD relating to information security. Its role is to promote a consistent approach to information security across all Australian Government, State and Territory agencies and bodies. It provides a security risk assessment for information that is processed, stored or communicated by government systems, with corresponding risk treatments to reduce the level of security risk to an acceptable level.

South Australian Government circulars and instructions

Reference: Relevance to cyber security initiatives

Treasurer's Instruction 2:
    Financial management policies that stipulate obligations and expectations on how South Australian Government entities manage risk management requirements (such as major ICT projects and initiatives).

Financial Management Framework, section 2:
    Retired. Replaced by Treasurer's Instruction 28. Refer to the link for Treasurer's Instruction 2.

Premier and Cabinet Circular 12 (PC012) [IPPS]:
    Information Privacy Principles Instruction.

Premier and Cabinet Circular 30 (PC030) [PSMF]:
    Protective Security Management Framework for SA Government. This is the foundation document that mandates the State's ISMF and the use of the Australian Government PSPF.

CTO Notifications & Bulletins:
    Various: several items are relevant to security, risk, continuity, information privacy and service assurance. Some are provided by the Security and Risk Assurance [SRA] directorate, but all notifications are tracked. Available to SA Government personnel only (via Intranet access).
South Australian Government policies and standards

Reference: Relevance to cyber security initiatives

Government of South Australia Risk Management Policy Statement:
    Policy Statement issued by the Premier and Treasurer requiring agencies to develop standards and practices in conformance with the AS/NZS ISO 31000 standard.

Code of Ethics for the South Australian Public Sector:
    Encompasses topics such as: Handling Official Information, Public Comment, Use of Government Resources and Conflicts of Interest.

South Australian Recordkeeping Metadata Standard:
    This Standard outlines the basic core set of metadata elements required to manage records in accordance with best practice.

Information for Parliamentary Records Custodians:
    Guideline dealing with the documentation, conservation and care, storage and security, and de-accession and disposal of parliamentarian records transferred to the custody of State Records.

Intellectual Property Policy:
    This policy provides an enabling and overarching framework to create a supportive environment to:
    - achieve best practice in IP management in Government;
    - where appropriate, facilitate effectiveness of knowledge transfer by Government agencies to the public and private sectors; and
    - achieve effective and timely protection of Government IP and, where appropriate, its commercialisation.

Information Security Management Framework [ISMF]:
    South Australian security framework describing 40 policies, 140 standards and numerous controls in support of cyber security. It is closely aligned to ISO 27001.
Australian and International industry standards

Reference: Relevance to cyber security initiatives

AS/NZS ISO/IEC 27001:
    ISO 27001 stipulates the ISMS requirements and is referenced for SA Government-specific implementations of policy as described by the ISMF.

AS/NZS ISO/IEC 27002:
    Code of practice for information security controls.

AS ISO/IEC 20000:
    IT service management reflecting best practice guidance contained in ITIL (Information Technology Infrastructure Library) and COBIT (Control Objectives for Information and related Technology).

AS 8018:
    Australian Standard AS 8018 ICT Service Management (ITIL).

AS/NZS ISO 31000:
    International risk management standard.

ISO/IEC 13888:
    Non-repudiation.

PCI-DSS:
    Payment Card Industry (PCI) Data Security Standard.
ADDITIONAL CONSIDERATIONS

This guideline does not aim to provide the reader with all legislative and regulatory requirements for cyber security initiatives. It is merely an overview of the laws, legislation, policies, standards and guidelines adhered to across the South Australian Government. It is highly recommended that agencies review these documents in their entirety and assess other relevant legislation and regulations that may apply in their specific industry sector or circumstances. The individual requirements of agencies will have direct bearing on what measures are implemented to mitigate identified risk(s).
REFERENCES, LINKS & ADDITIONAL INFORMATION

- South Australian Government - Attorney General's Department South Australian Legislation
- Australian Government - Commonwealth Law
- AS/NZS ISO/IEC 27001
- OCIO/F4.1 Information Security Management Framework [ISMF]
- PC030 Protective Security Management Framework [PSMF]
- Australian Government Protective Security Policy Framework [PSPF]
ID: OCIO_G4.38
Classification/DLM: PUBLIC-I1-A1
Issued: February 2014 (re-designated as ISMF Guideline 38, formerly ISMF Guideline 12)
Authority: State Chief Information Security Officer
Master document location: Q:\SecurityRiskAssurance\Policy Development Sub-program\Policy and Standards\ISMF\ISMFguidelines\ISMFguideline38(legislation)
Records management: File Folder: 2011/15123/01 - Document number: 8332557
Managed & maintained by: Office of the Chief Information Officer
Author(s): Michael Ashforth, Project Officer
Reviewer: Jason Caley MACS (CP), IP3P, CISM, CRISC, CEA, Principal Policy Adviser, Cyber Security and Risk Assurance
Compliance: Discretionary
Next Review date: June 2016
To attribute this material, cite the Office of the Chief Information Officer, Government of South Australia, ISMF Guideline 38.
This work is licensed under a Creative Commons Attribution 3.0 Australia Licence
Copyright © South Australian Government, 2014.