OCIO/G4.38
Government guideline on cyber security
ISMF Guideline 38
Legal, regulatory and contractual compliance requirements

BACKGROUND

This guideline outlines the legislative and regulatory requirements for South Australian Government agencies, and for suppliers to South Australian Government agencies whose contractual requirements include the Information Security Management Framework [ISMF]. Agencies must assure themselves that they are aware of their legal requirements and obligations in cyber security. This guideline supports implementation of ISMF Policy Statement 38.

GUIDANCE

The following tables identify local and international laws, regulations and other external requirements that must be identified, recognised and complied with, and highlight relevant standards and guidelines used by the Government of South Australia security and risk framework. These items are regularly reviewed for changes that may impact policy and standards implementations involving cyber security.

In addition to the considerations contained in this guideline, agencies and suppliers to government must assure themselves that any relevant agency and/or industry sector laws and regulations are being observed.

PART 1: LAWS AND LEGISLATIVE CONSIDERATIONS

Each entry gives the reference, followed by its relevance to cyber security initiatives.

South Australian legislation

Criminal Law Consolidation Act 1935 (SA)
  Codifies the majority of crimes in South Australia. Operates in conjunction with the common law.

Electronic Transactions Act 2000 (SA)
  Mirrors the Commonwealth Act with some localised differences. Provides a regulatory framework to ensure that transactions conducted electronically or on paper are treated equally by law. Supports the development of e-commerce. It is technology neutral: it does not endorse a particular signature technology, nor does it provide rules for digital or electronic signatures.

Emergency Management Act 2004 (SA)
  Establishes strategies and processes for the management of emergencies in the State. Includes provisions for the establishment of the State Emergency Management Committee and the appointment of the State Co-ordinator. ICT failure is recognised by the State Emergency Management Plan, which is enabled by this legislation.

Essential Services Act 1981 (SA)
  Aims to protect the community against the interruption or dislocation of essential services. Responsible Parties should give consideration to critical ICT services that may underpin provision of the essential services described by the Act.

Evidence Act 1929 (SA)
  Details the requirements for evidence gathering and handling, including electronic information intended to be used in judicial proceedings. In particular, Part 6A specifies the requirements for admissibility of computer-derived evidence.

Freedom of Information Act 1991 (SA)
  Promotes openness in government and accountability of State Government ministers and other government agencies by providing for public access to official documents and records, and for the correction of public documents and records in appropriate cases.

Listening and Surveillance Devices Act 1972 (SA)
  Regulates the use of listening and surveillance devices, as part of the South Australian criminal law.

Public Finance and Audit Act 1987 (SA)
  Regulates the receipt and expenditure of public money. Details the purpose, function and autonomy of the Office of the Auditor-General.

Public Sector Act 2009 (SA)
  Makes provision for employment, management and governance matters relating to the public sector of the State.

Public Sector (Honesty and Accountability) Act 1995 (SA)
  Imposes duties of honesty and accountability on public sector office holders, employees and contractors.
State Records Act 1997 (SA)
  Governs handling of official records to ensure that records of enduring evidential or informational value are preserved for future reference.

Commonwealth legislation

Australian Security Intelligence Organisation Act 1979 (Cth)
  Establishes and prescribes ASIO's functions and powers. Includes provisions for computer access warrants, security assessments, and listening and tracking devices.

Crimes Act 1914 (Cth)
  Codifies offences against the Commonwealth. Functions alongside State legislation and is gradually being superseded by the Criminal Code Act 1995.

Criminal Code Act 1995 (Cth)
  The main piece of legislation containing federal offences. Abolishes all common law offences and is gradually superseding the Crimes Act 1914.

Cybercrime Act 2001 (Cth)
  Codifies and amends the law relating to computer offences.

Electronic Transactions Act 1999 (Cth)
  Provides a regulatory framework that recognises the importance of the information economy and facilitates the use of electronic transactions.

Intelligence Services Act 2001 (Cth)
  Provides a legislative basis for the Australian Secret Intelligence Service (ASIS) and the Australian Signals Directorate (ASD). Also grants powers to the Australian Security Intelligence Organisation (ASIO).

National Security Information (Criminal and Civil Proceedings) Act 2004 (Cth)
  Prevents the disclosure of information in federal criminal and civil proceedings where the disclosure is likely to prejudice national security, except where preventing the disclosure would seriously interfere with the administration of justice.

Privacy Act 1988 (Cth)
  Operates in conjunction with the common law. Defines what constitutes sensitive information (section 6) and details the Information Privacy Principles (section 14).

Spam Act 2003 (Cth)
  Regulates commercial electronic messages, address-harvesting software and similar. Also describes penalties and punitive measures. Particular attention should be paid to the requirement to provide an 'opt-out/unsubscribe' option when using mass-mailing or similar distribution software.

Telecommunications Act 1997 (Cth)
  Provides a regulatory framework that promotes the long-term interests of end-users of carriage services.

Telecommunications (Interception and Access) Act 1979 (Cth)
  Prohibits the interception of, and other access to, telecommunications except where authorised in special circumstances.

United States legislation

USA PATRIOT Act 2001
  Has repercussions for government information being hosted or communicated via ICT equipment located in the US and its possessions: information may be accessed or collected by authorised agencies. Additionally, US-based companies operating in foreign jurisdictions are also subject to many provisions within this Act.

Computer Fraud and Abuse Act 1986
  The definition of a "protected computer" has implications for ICT systems used outside of the US, specifically: "(B) which is used in interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States;"

Federal Information Security Management Act 2002
  Recognises the importance of information security to the economic and national security interests of the United States. The Act requires each US federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.
Useful for tracking changes and emerging trends in information security legislation.

PART 2: POLICIES AND STANDARDS

A comprehensive listing of relevant information security policies and standards is contained in the Information Security Management Framework [ISMF].

Australian Government policy and standards

Australian Government Protective Security Policy Framework [PSPF]
  The PSPF reflects the requirements of contemporary Government and private-sector partnership, agile procedural change and the dynamic landscape of information security, particularly in light of constantly evolving ICT technologies and service delivery capabilities. The PSPF is designed to progressively replace the PSM (Protective Security Manual) over a period of time.

Australian Government Information Security Manual [ISM]
  The ISM (formerly known as ACSI 33) is a standard that forms part of a suite produced by ASD relating to information security. Its role is to promote a consistent approach to information security across all Australian Government, State and Territory agencies and bodies. It provides a security risk assessment for information that is processed, stored or communicated by government systems, with corresponding risk treatments to reduce the level of security risk to an acceptable level.

South Australian Government circulars and instructions

Treasurer's Instruction 2
  Financial management policies; stipulates obligations and expectations on how South Australian Government entities manage risk management requirements (such as major ICT projects and initiatives).

Financial Management Framework, section 2
  Retired. Replaced by Treasurer's Instruction 28. Refer to the link for Treasurer's Instruction 2.
Premier and Cabinet Circular 12 (PC012) [IPPS]
  Information Privacy Principles Instruction.

Premier and Cabinet Circular 30 (PC030) [PSMF]
  Protective Security Management Framework for SA Government. This is the foundation document that calls into requirement the State's ISMF and the usage of the Australian Government PSPF.

CTO Notifications & Bulletins
  Various: several items are relevant to security, risk, continuity, information privacy and service assurance. Some are provided by the Security and Risk Assurance [SRA] directorate, but all notifications are tracked. Available to SA Government personnel only (via Intranet access).

South Australian Government policies and standards

Government of South Australia Risk Management Policy Statement
  Policy Statement issued by the Premier and Treasurer citing the requirement for agencies to develop standards and practices in conformance with the AS/NZS ISO 31000 standard.

Code of Ethics for the South Australian Public Sector
  Encompasses topics such as handling official information, public comment, use of government resources and conflicts of interest.

South Australian Recordkeeping Metadata Standard
  This Standard outlines the basic core set of metadata elements required to manage records in accordance with best practice.

Information for Parliamentary Records Custodians
  Guideline dealing with the documentation, conservation and care, storage and security, and de-accession and disposal of parliamentarian records transferred to the custody of State Records.

Intellectual Property Policy
  This policy provides an enabling and overarching framework to create a supportive environment to: achieve best practice in IP management in Government; where appropriate, facilitate effectiveness of knowledge transfer by Government agencies to the public and private sectors; and achieve effective and timely protection of Government IP and, where appropriate, its commercialisation.

Information Security Management Framework [ISMF]
  South Australian security framework describing 40 policies, 140 standards and numerous controls in support of cyber security. It is closely aligned to ISO 27001.

Australian and international industry standards

AS/NZS ISO/IEC 27001
  ISO 27001 stipulates the ISMS requirements and is referenced for SA Government specific implementations of policy as described by the ISMF.

AS/NZS ISO/IEC 27002
  Code of practice for information security controls.

AS ISO/IEC 20000
  IT service management, reflecting best practice guidance contained in ITIL (Information Technology Infrastructure Library) and COBIT (Control Objectives for Information and related Technology).

AS 8018
  Australian Standard AS 8018, ICT Service Management (ITIL).

AS/NZS ISO 31000
  International risk management standard.

ISO/IEC 13888
  Non-repudiation.

PCI-DSS
  Payment Card Industry (PCI) Data Security Standard.

ADDITIONAL CONSIDERATIONS

This guideline does not aim to provide the reader with all legislative and regulatory requirements for cyber security initiatives. It is merely an overview of the laws, legislation, policies, standards and guidelines adhered to across the South Australian Government.
It is highly recommended that agencies review these documents in their entirety and assess other relevant legislation and regulations that may apply in their specific industry sector or circumstances. The individual requirements of agencies will have direct bearing on what measures are implemented to mitigate identified risk(s).

REFERENCES, LINKS & ADDITIONAL INFORMATION

South Australian Government - Attorney General's Department: South Australian Legislation
Australian Government - Commonwealth Law
AS/NZS ISO/IEC 27001
OCIO/F4.1 Information Security Management Framework [ISMF]
PC030 Protective Security Management Framework [PSMF]
Australian Government Protective Security Policy Framework [PSPF]

ID: OCIO_G4.38
Classification/DLM: PUBLIC-I1-A1
Issued: February 2014 (re-designated as ISMF Guideline 38, formerly ISMF Guideline 12)
Authority: State Chief Information Security Officer
Master document location: Q:\SecurityRiskAssurance\Policy Development Sub-program\Policy and Standards\ISMF\ISMFguidelines\ISMFguideline38(legislation)
Records management: File Folder 2011/15123/01 - Document number 8332557
Managed & maintained by: Office of the Chief Information Officer
Author(s): Michael Ashforth, Project Officer
Reviewer: Jason Caley MACS (CP), IP3P, CISM, CRISC, CEA, Principal Policy Adviser, Cyber Security and Risk Assurance
Compliance: Discretionary
Next review date: June 2016

To attribute this material, cite the Office of the Chief Information Officer, Government of South Australia, ISMF Guideline 38. This work is licensed under a Creative Commons Attribution 3.0 Australia Licence. Copyright © South Australian Government, 2014.

Disclaimer