MINOR THESIS - 15 November 2012

CYBER SECURITY READINESS IN GOVERNMENT - A CASE
STUDY APPROACH
Minor Thesis
15 November 2012
Masters of Forensic Computing and Cyber Assurance
University of South Australia
By Brenton Borgman 09602686C
DECLARATION
I declare that this thesis does not incorporate without acknowledgement any material previously
submitted for a degree or diploma in any university, and that to the best of my knowledge it does not
contain any materials previously published or written by another person except where due reference is
made in the text.
Brenton Borgman
15/11/2012
ACKNOWLEDGEMENT
My many thanks are directed to my wife and family for their support,
to my work colleagues for their encouragement and
to my mentor for her guidance and direction.
ABSTRACT
Developing an information security management system (ISMS) through risk assessment seeks to classify
data and identify suitable risk-based security controls, so that information is handled in a way that guards
against internal and external threats. This process is critical: if the ISMS development is inadequately
planned, sensitive data may remain unclassified or be incorrectly classified, with consequences ranging
from loss of credibility to potential litigation. To counter these risks, it is imperative that adequate
direction, guidance and support are provided to agencies as they undertake a process that centres on
self-awareness. This exploratory case study aims to validate whether existing processes and strategic
direction are sufficient for each agency of government to implement an ISMS and classify its data
satisfactorily.
THESIS TABLE OF CONTENTS
Declaration
Acknowledgement
Abstract
Table of Contents
List of Figures
List of Tables
Glossary
Table of Abbreviations
Chapter 1 Introduction
1.1 Background
1.2 Motivation
1.3 Contribution
1.4 Scope and Limitations
1.5 Research Question
Chapter 2 Literature Review
2.1 Information Data
2.1.1 Definition of information data
2.1.2 Why is information classification important?
2.1.3 What is the information security management system?
2.1.4 Why is risk assessment used to determine sensitivity of data?
2.1.5 Classifying data correctly
2.1.6 Challenges facing agencies for the implementation of the ISMS
2.1.7 Limitations that an agency may encounter
2.1.8 Comparison with Other Australian State Government Jurisdictions
Chapter 3 Methodology
3.1 Aim
3.2 Research methods
  a. Qualitative construct
  b. Secondary literature
    i. Academic literature
    ii. Other state government jurisdiction report
  c. Method and Data collection
    i. Interview guide
    ii. Resilience Maturity Model Quick Assessment Tool
3.3 Data collection
3.4 Data analysis
3.5 Summary
Chapter 4 Analysis and discussion
4.1 Interview guide
  a. Participants
  b. ISMS implementation
  c. General Governance
  d. Risk assessment
  e. Whole of government strategic direction
  f. Security documentation
  g. Whole of government reporting
  h. Project resourcing
  i. Awareness training
  j. ISO certification
  k. Summary
4.2 Resilience maturity model quick assessment tool
  a. Leadership and culture
  b. Networks
  c. Change ready
  d. Summary
4.3 Preliminary ISMS observations – Other State Government Jurisdictions
Summary
Chapter 5 Conclusion
5.1
  a. Overview
  b. Strengths
  c. Limitations
  d. Research summary
5.2 Outcome of Study
5.3 Future Opportunities
References
Ethics and Compliance
Appendix A Interview Guide
Appendix B Resilience Maturity Model Quick Assessment Tool
Appendix C Research Participant Ethics Application
Appendix D General Request for Participants in a Research Project
LIST OF FIGURES
Figure 1: Overview of the data classification process
Figure 2: ISMS implementation and certification process
Figure 3: Risk concept relationships
Figure 4: Resilience Maturity Model assessment consolidation
LIST OF TABLES
Table 1: Participants
Table 2: Leadership and culture
Table 3: Networks
Table 4: Change ready
Table 5: Comparison of Australian jurisdiction Auditor-General ISMS and data observations
GLOSSARY
GENERAL TERMS
CERT Australia
Australia’s official national computer emergency response team (CERT).
CERT Australia works to ensure that Australians and Australian
businesses have access to information on how to better protect their
information technology environment from cyber based threats and
vulnerabilities.
Cyber security:
The Australian Government defines cyber security as measures relating to the
confidentiality, integrity and availability of information that is processed,
stored and communicated by electronic or similar means.
International Standards
International standards aim to ensure that products and services are safe, reliable and
of good quality. A standard is a document that provides requirements, specifications,
guidelines or characteristics that can be used consistently to ensure that
materials, products, processes and services are fit for their purpose.
Information Security Management Framework (ISMF)
Addresses cyber security in the Government of South Australia, and
consists of 40 policies supported by 140 standards. It is a business-driven,
risk-based approach aligned with the Australian Government
Protective Security Policy Framework and the ISO/IEC 27001 international
standard for information security management systems.
Trusted Information Sharing Network (TISN) for Critical Infrastructure Resilience
Provides an environment where business and government share vital
information on security issues relevant to the protection of our critical
infrastructure and the continuity of essential services in the face of all
hazards.
TABLE OF ABBREVIATIONS
Australian Government Defence Signals Directorate (DoD)
Australian National Audit Office (ANAO)
Agency Security Adviser (ASE)
Computer Emergency Response Team (CERT) Australia (CERT)
Information and Communication Technology (ICT)
Information Security Management Framework (ISMF)
Information Security Management System (ISMS)
Information Security Manual (ISM)
International Organization for Standardization (ISO)
Information Technology Security Adviser (ITSA)
Office of the Chief Information Officer (OCIO)
Protective Security Manual (PSM)
South Australian Government (SA Government)
Trusted Information Sharing Network (TISN)
CHAPTER 1
1.0
INTRODUCTION
In order to meet future cyber security challenges, entities need to ensure that effective security controls
underpin their information systems and the sensitive data those systems hold.
The review of the Australian Government's use of information and communication technology reported
in the Gershon report of 2008 recommended that agencies strengthen their governance mechanisms and
move closer to standardisation within specific IT architectures. Strengthening governance mechanisms,
and locating specific controls as close to the data as possible, may improve efficiency and effectiveness
(Cooney 2011). Stronger controls around the classification of information data will also reduce the
potential for information to be compromised.
Various Australian jurisdictions have gradually strengthened their security controls by implementing
their own versions of an information security management system (ISMS) as a means to safeguard
information. This will eventually establish a consolidated common security control position across
Australia based upon ISO/IEC 27001, the standard published by the International Organization for
Standardization (ISO). The South Australian Government (SA Government) has subsequently implemented
an initiative for all its agencies to develop an ISMS and classify information data.
The SA Government has acknowledged that mounting evidence within Australia (as provided by the
Australian Government Defence Signals Directorate) and from overseas jurisdictions suggests that
agencies are being targeted through many threat vectors and that these risks are rising. These threat
scenarios have prompted a response from governments throughout Australia (SA Government March
2012).
To implement an ISMS successfully, agencies need a suite of policy and procedural guidance to assist in
the implementation phase. Without this documentation and adequate strategic direction and planning, the
prospect of data being satisfactorily protected through classification and suitable risk assessment is
critically diminished.
This exploratory case study aims to assess how the SA Government and its agencies have approached
the implementation of an ISMS and the classification of data based upon assessed sensitivity. The study
will also compare this approach with other Australian government jurisdictions in order to discuss the
benefits, consequences and challenges that the State and its agencies will need to address to ensure that
data is adequately protected from internal and external threats.
At the completion of the exploratory case study, all participating agencies, along with the whole-of-government
strategic business unit, will receive a copy of the report. This gives participants an opportunity to reassess
current practices in the areas highlighted in Chapter 4.
1.1
BACKGROUND
The Government's adoption of an information security management framework (ISMF) has been a gradual
process. In 2003 the ISMF was initially presented as a set of policies, standards, guidelines and control
mechanisms for South Australian Government agencies to use in strengthening their information security
control capabilities. The framework was not mandated; rather, it recommended that Government agencies
establish and maintain a documented information security management system. The framework aimed to
develop appropriate security controls based upon information assets and risk assessment, but was not fully
embraced by all agencies of Government.
In 2008 the Government released a further revision of the ISMF, which again was not mandated. The
intent at that time was to establish a set of minimum Government information security standards, with
additional guidance and best practice on security controls that agencies could implement and use
(SA Government ISMF v3.1 2012).
In February 2011 the next version of the ISMF was released, with an emphasis on a government
framework focused on cyber security. It was aligned closely with ISO/IEC 27001, the standard for
information security management systems (ISMS), and required an agency to implement whatever
control measures were necessary to provide adequate protection for its information and associated assets
in conformance with the principles of ISO 27001. Agencies were also expected to obtain independent
certification from a responsible authority to confirm that they comply with the ISO 27001 standard
(SA Government ISMF v3.1 2012). Where agencies chose to certify all or part of their ISMS against
ISO 27001, they would need to align their controls with the standard's requirements for documentation,
training, records management, internal ISMS audits, corrective action and preventive action (SA Government
ISMF v3.1 2012).
In February 2012 a whole-of-government strategic unit established a set of guidelines which emphasised
the application of risk management principles and selective cyber security controls (SA Government
ISMF Guideline 4 2012). These guidelines were intended to assist agencies as they progressed in
establishing an overarching ISMS. Implementation of the ISMS within the South Australian Government
is a three-phase approach spanning six years. The aim of the phased approach is to progressively extend
coverage until approximately 100% of an agency's ICT environment is incorporated into the ISMS
(ISMF Guideline 10).
1.2
MOTIVATION
Information and communication technology (ICT) underpins many of the Government's services that protect
the lives and property of South Australian citizens. As technology progresses and cyber threats evolve, the
need to better safeguard the information held within agencies of government increases (Choo 2011).
With the introduction of ISMF version 3, a key requirement carried over from the prior version was that
agencies establish an overarching ISMS that is continually monitored and improved as needed (ISMF
Guideline 10). Whilst government has enacted a regime to protect this information data, there is uncertainty
as to the completeness and adequacy of established practices. This exploratory case study reviews specific
areas of security control over information data. Should the study identify any ICT security control gaps,
based upon differences between the established ISO standards and ISMF guidelines and actual practice,
these observations will be reported to government (Pareek 2012). Highlighting these gaps gives government
an opportunity to initiate early remediation and to improve overall information security awareness where
the observations are regarded as significant.
Matters emanating from prior ISMS reviews undertaken in recent years by other Australian state
government jurisdictions may also contribute to the implementation and general practice of the ISMS
in South Australia.
1.3
CONTRIBUTION
This exploratory case study examines the adequacy of the proposed SA Government process, through its
guidance and its implementation by agencies of government. The study also assesses whether a standardised
approach centred upon ISO 27001 has been consistently conveyed and applied. The results will assist the
South Australian community in determining whether its information data is adequately safeguarded and
whether the implementation of the ISMS and the classification of data are progressing in an effective and
efficient manner.
Areas of coverage will include:
• Assessing compliance with standards and best practice requirements.
• Assessing the level of guidance and clarity provided to agencies of government to assist them in
developing an ISMS and classifying data.
• Considering the South Australian Government approach and comparing it at a high level against
other Australian state government initiatives to determine its adequacy.
• Confirming whether senior management within government has initiated regular progress reviews
and checks on areas of concern that may arise in the course of this project.
• Determining the approach agencies of government have adopted, and the risk considerations
associated with the phased ISMS strategy transition and the classification of data.
• Confirming the adequacy of the statement of applicability approach and determining whether there
are any security control documentation gaps that need to be addressed.
• Determining whether the level of data decomposition is sufficiently appreciated to ensure that
sensitive data is suitably classified and protected from internal and external threats.
• Ascertaining the level of leadership and senior management interaction.
The exploratory case study may also contribute by identifying potential security control gaps in the
process that can be strengthened through proposed remediation strategies, further safeguarding the
information systems and data used by agencies of government.
As the study is narrow in focus and constrained by time, there is potential for future research in this
area, since the phased adoption of the ISMS framework across all agencies of the South Australian
Government covers a six-year period up to and including June 2017.
1.4
SCOPE AND LIMITATIONS
This exploratory case study acknowledges that the transition process, which covers three phases over
six years, is only in its second year. Whilst in most instances the ISMS initiative has yet to complete its
first phase, this presents an opportunity to identify emerging issues that can be rectified. Doing so will
allow agencies of government to complete the implementation of the ISMS and the classification of data
across their information security environments whilst maintaining the original timeframe.
1.5
RESEARCH QUESTION
This study anticipates answering the following question:
“Does the framework created by the whole-of-government strategic unit for the establishment of an
ISMS provide adequate direction to government agencies to implement mechanisms that will sufficiently
align and comply with ISO 27001, so that data is satisfactorily classified and safeguarded?”
It is also anticipated that the study will assess the level of resilience that agencies presently maintain in
order to mitigate risks to confidentiality, integrity and availability. It will do so through the resilience
maturity model quick assessment tool developed by the Trusted Information Sharing Network (TISN).
The next chapter will focus on the literature review with specific reference to the key components
associated with the implementation of the ISMS and classification of data.
CHAPTER 2
LITERATURE REVIEW
Given the research question, the literature review is broken into several core aspects: the definition of
information data, why information classification is important, what an ISMS is, the purpose of risk
assessment in determining the sensitivity of data, classifying data correctly, and the challenges and
limitations that can be experienced as part of this overall process. These elements will be considered as
part of the validation of the proposed research.
2.1
Information data
2.1.1
Definition of information data
Whilst data can be considered the raw element, information data is data that retains intelligible context
and meaning for the respective parties; it is this interpretation that allows the level of sensitivity to be
assessed (Stone 2009). Information data is broad, including both electronic and physical data as well as
the transfer of material both inbound and outbound (Etges & McNeil 2009). Whilst ample research has
been performed on data mining, this study looks at a high level at how information data is risk assessed
and suitably classified.
2.1.2
Why is information classification required?
As the world becomes increasingly technology-focused, so too does the potential for computer threats
grow (Fowler 2003). Systems are expected to perform more complex tasks whilst retaining greater
amounts of information. This explosion of technology and connectivity has given people, both internal
and external, the opportunity to explore and exploit vulnerabilities, whether accidentally or by design
(Fowler 2003). Organisations must therefore ensure that adequate information security is maintained in
order to protect information data.
To protect data from inappropriate use, entities need to implement security controls that restrict
unauthorised access (internal and external) to sensitive material. This in turn limits data leakage and
the consequent loss of credibility (Etges & McNeil 2009).
Figure 1: Overview of the data classification process (Etges & McNeil 2009)
In the diagram by Etges and McNeil, the identification of existing IT processes acknowledges the
criticality of the retained data and requires data owners to confirm that regulatory requirements are being
maintained in accordance with strategic procedures and internal controls.
Entities therefore need procedures that can determine the level of sensitivity that exists and must be
maintained. Failure to adequately identify data assets could result in incorrect classification, failure to
identify all sensitive information, inadequate standardisation of the ISMS process and potential breaches
of regulatory requirements (Ernst & Young 2011). The following section presents literature on
information security management systems that is of importance to this research.
2.1.3
What is the information security management system?
The ISMS is a management system for establishing, operating and continually ensuring that procedures
and controls are appropriate to safeguard information assets and data against security threats (NSW
Information Security Guideline 2011). It is a top-down strategy built upon a managed, risk-based
planning and operational process, and comprises documented procedures based upon properly recorded
decisions and actions that are systematically aligned with business needs, including technological
considerations (SA Government ISMF v3.1 2012).
Development of an ISMS, as shown in Figure 2, is complex and requires a high degree of planning.
Entities need to appreciate what is achievable with their available resources, and a high level of guidance
is required so that risk is mitigated to an acceptable level. A risk assessment is therefore essential to
identify, document and classify information according to its level of sensitivity to the organisation
(ISO 27001:2005).
Figure 2: ISMS Implementation and Certification Process
The exploratory case study will focus on the level of standardisation promoted at the whole-of-government
level and whether it is adequate to meet the needs of agencies. It will also consider whether agencies
have been able to implement the process effectively, in a manner that is consistent with ISO requirements,
meets the Government's ISMF security control requirements and adequately mitigates risk within an
operational agency environment. This is a process that should not be treated lightly. The role of risk
assessment in determining data sensitivity, as part of implementing an ISMS, is discussed in the next
section.
2.1.4
Why is a risk assessment used to determine sensitivity of data?
The ISMS process incorporates a risk assessment of the information data retained by the entity. The risk
assessment takes a systematic approach to identify, analyse, evaluate, treat and monitor risks in an
information environment, so that the entity can determine the degree of harm an event may cause should
the risk eventuate (Standards Australia 2004).
Elements that need to be considered as part of the overall risk analysis include the existing controls over
confidentiality, integrity and availability (Bozic 2012), together with the consequence and likelihood of a
specific event occurring (Standards Australia 2004). Once information data assets have been identified,
they are risk assessed to identify the factors that may affect the entity should a specific event occur
(Ekelhart & Fenz 2011).
The aim of a risk assessment is to better understand the information held and the consequences that may
arise should that information be compromised. The approach when analysing risks within an information
environment is to first conduct a high-level analysis to identify critical elements. Once these risks are
understood, the business can expand the breadth and depth of the overall assessment (Bozic 2012).
Figure 3: Risk concept relationships
The determination of risk and the selection of compensating controls should be performed regularly in
order to reassess and confirm the adequacy of the risk assessment. If risk exposure levels change, the
existing controls may need to be modified to mitigate these risks (Ekelhart & Fenz 2011). Agencies of
government have generally adopted a qualitative approach to the assessment and determination of risk.
This style of assessment relies upon the subjective judgement of the security risk assessment staff to
determine the overall risk to information security.
Whilst the qualitative approach is simple, easy to understand and adequate for identifying problem areas,
it is nevertheless subjective in the way it determines risk and can prove problematic when tracking
improvements (Redmill 2002). Whilst some degree of subjectivity is expected when determining risk,
there also needs to be a standardised set of checks and balances to ensure that the risk analysis performed
by agencies adequately mitigates the potential for risk to be incorrectly assessed (Redmill 2002).
Also associated with risk management is the concept of resilience, which looks beyond the effectiveness
of emergency/crisis management or business continuity management. Resilience is an organisational
approach that embraces asset and resource protection, performance and strategic leadership, organisational
development, and a responsive and adaptive culture. It allows an entity to drill down and consider elements
such as its agility, its level of leadership, its underlying culture, and aspects of its internal networks,
including communication, integration, interdependency, awareness and the ability to change (Trusted
Information Sharing Network).
This exploratory case study uses a resilience assessment tool developed by the Trusted Information
Sharing Network (TISN) to assist in its data collection and analysis. The TISN represents owners and
operators of critical infrastructure and representatives of the Australian, State and Territory Governments.
The TISN developed a resilience maturity assessment tool that has been shared across the business
community as a means to highlight areas of threat and vulnerability and to assist in identifying appropriate
measures to mitigate risk and boost resilience (TISN). Whilst this model has been widely used throughout
the business community, it is regarded as a supplementary component of the overall risk assessment
process. As its name suggests, it is a quick assessment tool, and it has been incorporated into the study
as a means to gain an increased appreciation, from limited data, of the level of resilience within agencies
of government.
The resilience assessment model incorporated into the data collection and analysis also carries an
underlying set of recommendations aimed at achieving a desirable level of resilience maturity. The
resulting data and analysis will contain some subjective interpretation, in keeping with qualitative
research (Redmill 2002). This data will be used to support the data gained through the participants'
interview guides. A copy of this assessment tool is included as Appendix B.
The following section of the literature review acknowledges the need to ensure that identified information
data is correctly classified according to its level of sensitivity and importance to the organisation.
2.1.5
Classifying data correctly
It is essential that agencies have established controls that operate within predictable boundaries and
within acceptable risk and compliance expectations (Rodgers 2012). Information that is inappropriately
disclosed, browsed or copied for improper or criminal purposes could be used to disrupt critical
government operations such as those supporting the State's security, financial services, public safety or
emergency services (Rodgers 2012).
The Symantec Global Internet Security Threat Report for 2009 identified that the government sector
accounted for 13 per cent of the data breaches that could lead to identity theft in 2009, and that these
breaches were primarily due to insecure policy. In Adelaide, a portable storage device holding sensitive
material was lost, damaging the government's reputation at a time when a contract tender was about to be
decided (ABC News 2009). In another example, a compact disc and briefcase holding sensitive Australian
Defence Force material were misplaced (ABC News PM transcript 2006). In both instances the lack of
adequate policies and protocols contributed to sensitive material being left vulnerable. Failure to
adequately develop, implement and comply with security policies is directly linked to data breaches;
documented procedures in accordance with the ISMS, together with established security controls and set
protocols, may have prevented such occurrences.
Statistics also confirm that the majority of data breaches originate from external sources (Verizon
Business RISK Team 2009). If data were tightly controlled and classified so as to restrict inappropriate
access, the potential for breaches would reduce. Another consideration is the distance between the
controls and the data. Whilst controls at the network level contribute to a defence-in-depth strategy,
placing constraints directly at the data file or document level further increases the level of security
control and reduces the probability of inappropriate authorisation or access to sensitive information
(Collett & Gentile 2006). While failure to classify data increases the risk of inappropriate access, there
are also concerns about non-standardised approaches and the ranking of sensitive data based upon
incorrect interpretation of the data classification schema. Small entities may need to apply a specialised
classification structure based upon exceptions and limited sensitive data.
As an organisation grows in size and complexity, the need to move from exception-based handling to
planning based upon the business, its overall role and its risk will need to be considered by the business
data owner and the agency in consultation (Buckley 2011).
The following section acknowledges some of the challenges that agencies may experience as part of the
implementation of the ISMS.
2.1.6
Challenges facing agencies for the implementation of the ISMS
This section will provide an analysis of the constraints and challenges that apply to specific agencies of
government in their normal course of operation. By identifying these challenges and subsequently
testing their validity, the research outcome can be further verified and as such justify the proposed
research. With the implementation of an ISMS, a range of challenges need to be addressed which will
incorporate the classification of information data (Collett & Gentile 2006). All of the following aspects
may need to be considered as part of the initial risk assessment prior to determining the level of
sensitivity of the information data (Ernst and Young 2011).
Such challenges incorporate:
• Appreciating the legislative implications that may arise and the potential penalties if
inappropriately breached.
• Limiting the duration that the classification of information data should cover.
• Not underestimating the level of complexity that may exist in order to satisfactorily complete the
task.
• Avoiding the failure to create a solid foundation based around data classification to assist in
determining user accessibility.
• Ensuring that the data classification process is adequately documented.
• Ensuring that adequate senior management support and planning of the process exists.
• Ensuring that adequate resources are available so that the process can be satisfactorily applied to
restrict both internal and external vulnerabilities.
• Establishing some certainty as to the level of detail that the classification of data may need, in
order that all sensitive data is satisfactorily identified at its source.
• Gaining confidence as to whether all data has been captured and categorised in a standardised
manner.
• Reassurance as to whether agencies will ultimately embrace the ISMS certification and its
ongoing commitment.
• Confirmation at both the whole of government OCIO and agency senior management level that
regular reviews of established processes will occur.
Another matter that needs to be acknowledged in the context of the literature is the need to understand
and appreciate the data that is held, in order to apply an appropriate classification based upon business
and security requirements (Buckley 2011).
The multiple challenges that face data classification relate to the fact that it is very much a people and
process problem in which technology has yet to fill the human void for classifying data. There is also a
strong need to extensively plan and address potential cultural perceptions and changes as part of such an
exercise. This concept can take a long time before management appreciates and realises the importance
of detailed planning in order to safeguard the information data (Everett 2011).
These aspects mentioned above will be further assessed as part of the structured interview guide along
with a resilience maturity model assessment tool that will be conducted within the exploratory case
study participant interviews.
2.1.7 Limitations that an agency may encounter
Certain limitations may confront the proposed exploratory case study. The proposed exploratory case
study will need to address the fact that the agencies of government that will be under review are large
and quite complex in nature. As no two agencies are the same, this could lead to information being
treated and viewed in a differing manner. As such the actual testing of information would prove to be
both arduous and quite time consuming when assessing / allowing for the numerous business units that
exist within each agency of government (Ekelhart & Fenz 2011). From the high level assessment that has
been performed, there do not seem to be any indicators that would inform an agency of areas where
high complexity or difficulty may be experienced and where an increased level of care should be taken.
There is an expectation that anticipated security control gaps associated with agencies' implementation
of the ISMS framework and classification of data may arise due to the varying business operations and
functions within each agency. Whilst a standardised approach is anticipated, certain customisation may
need to occur so that the process can be achieved. This customisation, due to each agency's uniqueness,
could place constraints or distortions upon the final conclusion. Subsequently these factors need to be
treated with great care (Redmill 2002).
2.1.8 Comparison with Other Australian State Government Jurisdictions
When comparing the implementation of the ISMS in accordance with ISO 27001 to other Australian
Government jurisdictions, research has identified that there has been limited literature review work
undertaken by state governments that is available to the public. The basis upon which the research
has developed centres around previous work undertaken by the various Auditor-Generals' offices
throughout Australia.
A high level assessment of their work and findings has been performed. This has identified that a
number of matters raised between the various interstate auditor-general offices were of a similar nature.
These included amongst other things a lack of documentation and guidance, limited training awareness,
insufficient leadership, and inadequate risk assessment. These findings have been incorporated into the
potential aims of the research relative to the South Australian Government approach.
A fuller explanation of the high level assessment of the other Australian jurisdictions' approach can be
found in section 4.3.
The next chapter will focus on the methodology adopted with an emphasis on the methodology aim,
methods used, general data collection and data analysis construct.
CHAPTER 3
METHODOLOGY
The following sections of the exploratory case study aim to discuss the various aspects which have been
incorporated into the adopted research methodology. The aim of the study will be stated, followed by
the methodology approach in relation to the research method adopted. Discussion will then focus on the
data research collection method which has been spread between an interview guide and a resilience
maturity model quick assessment tool. Following the data collection method overview, the data analysis
structure is covered. In conclusion a summary of the key points surrounding the methodology will be
expressed.
3.1 Aim
The aim of this exploratory case study is to gain an appreciation into how South Australian agencies of
government are implementing their required information security management systems and classifying
information data based upon levels of sensitivity in accordance with South Australian whole of
government mandated strategic direction.
This research is an explorative case study aimed at investigating the adequacy of government direction
to agencies of government and assessing the overall approach and outcomes that agencies have
experienced as they undertake that strategic initiative.
3.2 Research Methods
a. Qualitative construct
The research method is to be based upon a qualitative strategy due to the small sample size available (17
participants across 11 agencies spread between Agency Security Executive and Information Technology
Security Advisors).
The main focus of the qualitative strategy is an exploratory case study which explores the collection
of data through a series of meetings with participants, whereupon interview guides were completed
through interaction with each participant and a resilience maturity assessment tool was also completed.
Along with this active data collection, a body of secondary research literature was used.
b. Secondary literature
The use of literature is split between academic research literature and reviews conducted interstate on
similar types of projects. The intent is that the interstate-based literature will be used to assist in
designing the qualitative study and interview guide and then, once the data has been collected, as a
cross reference / comparison to confirm whether there are any similarities with the observations
previously acquired (Yin 2003).
i. Academic literature
In the context of this type of exploratory case study there has been limited academic literature / research
previously performed within the South Australia government which sought the alignment of key
government IT strategies and agency of government operational security performance. Based upon the
fact that limited studies in this area have been previously performed, the nature of the research has taken
on an exploratory characteristic rather than one that has been initiated to test a hypothesis. A similar
situation was highlighted in an article by De Haes & Van Grembergen (2009) where the scarcity of
available resources and research precluded hypothesis testing and directed the study towards an
exploratory methodology. Also according to Yin (2003), the use of an interview guide as a means to
support the purpose of research is consistent with this form of exploratory case study.
ii. Other State Government Jurisdiction reports
The further use of secondary literature reviews obtained from other state government jurisdiction reports,
as discussed in Section 2, has assisted in gaining a general insight into the complexity of the initiative.
Collectively the incorporation of all data sources aims to provide an accurate appreciation of how South
Australian Government agencies have implemented the information security management system and
classification of data. The following is an overview of the two key data research collection methods
adopted which include an interview guide and resilience tool.
c. Method of Data Collection
i. Interview Guide
The first data collection method was an interview guide, used for this case study because related
studies have proven that the use of such interview guides can be a useful means to validate and confirm
preliminary interpretations (Kaplan & Maxwell 2005). As part of the case study, it has been confirmed that
interviews are considered indispensable in regard to the qualitative data collection process. It has also
been confirmed that various interview techniques do not need to be rigid in their execution but can vary
should the need arise. It is through these interview processes that interview guides are used and seen as
an important contribution to the general interview data collection method (Gillham 2000). It has also
been confirmed that the use of an interview guide can assist in providing an understanding as to the level
of participant information awareness (Kruger, Drevin & Steyn 2010).
The case study interview guide was developed to assess the adequacy of the implementation of the
information security management system and classification of data. The key elements contained within
the interview guide were extracted from the general ISMF guideline 13 which outlines “The roles and
responsibilities that agencies needed to consider in establishing and maintaining an ISMS”.
The interview guide comprises eight main areas: ISMS, governance, risk assessment, whole of
government strategic direction, security documentation, project resourcing, whole of government
reporting, awareness training and ISO certification. The completion of the interview guide
was undertaken as part of a sixty minute interview with 17 voluntary participants who are involved in
the implementation of the ISMS and classification of data across eleven of South Australia's
government agencies. Specific details relating to data collected through the use of the interview guide
will be discussed in Section 4.1.
A blank copy of the Interview guide can be found in Appendix A.
ii. Resilience Maturity Model Assessment Tool
The second data collection method was through the use of a resilience maturity model quick assessment
tool which included a series of questions grouped around six key areas. The aim of the assessment was
to also gain a further appreciation as to how the individual participants saw their role within the project
and interpreting how their respective agency was embracing the project under their administration.
Each question required the participant to rate (1-5) against scenarios specific to whether personal
experience matched the low to high resilience descriptor. The resilience tool was developed by the
Trusted Information Sharing Network unit within CERT Australia (2010) as a quick reference tool for
businesses that own or operate critical infrastructure and agencies of government, to help and assist them
to determine their resilience capability based upon a series of questions and behaviours. The key
resilience areas addressed leadership and culture, covering specific behaviours including agility,
leadership, culture and values. Network areas of consideration were covered via communications,
integration and interdependency. The aspect of change-ready behaviour was addressed under the areas
of awareness and change.
The resilience tool was provided to the participants at the interview. The participants were requested to
complete the document on the basis of how they saw their role in the context of the project and also how
they saw the agency's involvement in the context of the project and its progress. As such, each resilience
document was completed with a focus on the agency's resilience from the perspective of both the
individual and the project. Specific details relating to data collected through the use of the tool will
be discussed in Section 4.2. A blank copy of the Resilience tool can be found in Appendix B.
3.3 Data Collection
The collection of data was based upon qualitative research concepts covering the previously mentioned
interview guide and the resilience maturity tool. This data was collected through a series of interviews
(17). These interviews involved a broad cross-section of South Australian government agencies and
were based upon a series of open-ended questions. The interviews were audio-recorded in order to
ensure accurate interpretation and reduce the potential for a biased assessment of the interview responses.
The interviews incorporated key project staff and sought to gain a realistic representation of how the
implementation of the ISMS and classification of data was progressing.
The case study was directed at two groups of agency staff who have been assigned specific roles within
the implementation of the ISMS and the classification of data. The two groups were Agency Security
Executives (ASE) and Information Technology Security Advisers (ITSA).
The role of the ASE, in accordance with the South Australian Government ISMF Guideline 13, is a
position of trust assigned to oversee security performance outcomes and operations. The ASE also
strives to support stated executive outcomes and performance requirements specific to the ISMS through
their involvement in security management commitments, Agency Security Plan, Consolidation of
control documentation and overall ISO certification assessment.
The role of the ITSA is also deemed a position of trust and is appointed by the agency or organisation to
manage the security of information and ICT systems. The ITSA is involved at most stages of the ISMS
development in an advisory capacity and is to review and provide commentary and advice on risk
assessments that are undertaken by various parts of the business.
Following each interview, a transcript of the meeting was prepared from the audio recording. Recording
also allowed the researcher an increased opportunity to concentrate on the manner in which the answers
were given.
3.4 Data Analysis
A combination of various qualitative methods was used against the interview guide and resilience
assessment tool to assist in performing general content analysis of the data collected through the
interviews and the resilience assessment. It is intended that the content analysis will be performed in
accordance with inductive principles (e.g. open code assessment of open-ended interview question
notes). Whilst it is acknowledged that this qualitative analysis can be complex and problematic due to
its lack of standardisation, the participants were encouraged to respond in a manner that was not
influenced by the interviewer (Elo & Kyngas 2008). Through this uninhibited interview style there is an
opportunity to gain a better appreciation and perception as to how the implementation of the ISMS and
classification of data is evolving from within agencies of government. The content analysis will be
further conveyed as part of the chapter 4 analysis and discussion.
Also as part of the data analysis, it was found that a number of similarities and differences exist in the
areas of provided data responses. In the context of similarities, it has been confirmed that a high
proportion of participants acknowledged that there was limited senior management engagement and
unstructured project governance, that no additional resources were provided, that the majority of
agencies were currently in the process of implementing the ISMS, that a high level of security control
documentation within agencies is still under development, that no whole of government project progress
reporting was occurring, and that the majority of agencies had yet to strategically determine whether
they were to proceed to ISO certification.
In regard to differences, agencies were split as to whether the level of guidance was clear and concise
and the status of project progress varied from one agency to the next as some had achieved certification,
whilst the majority were still implementing the project, with a few remaining agencies yet to commence
the project.
In the context of analysis associated within the resilience assessment tool, participants were asked to
score specific questions between 1-5. The sliding scale was graded with one representing low
resilience and five representing high resilience. Once all the assessments were completed, the response
numbers were collectively incorporated into a result graph that scored the response total against the
maximum score that could be attained, providing a percentage. That final percentage was then matched
back against the questions to gauge where the general level of response resided. Whilst some degree of
subjectivity was required, there were no results that averaged 3, so responses fell on either the high or
the low side of general resilience and the associated behavioural characteristics.
3.5 Summary
In summary, the explorative nature of the study justified the combined methods of data collection via the
use of a comprehensive interview guide, the use of a resilience maturity model assessment tool and
literature reviews covering a broad range of material (refer section 3.2).
The use of an interview approach has provided valuable data and was consistent with similar
exploratory studies. These interviews assisted in accurately recording participants' thoughts and
information on their implementation of the ISMS and classification of data from across a number of
State Government agencies and via a whole of government strategic business unit.
The results and interpretation of data from the interview guide and resilience tools are detailed in the
following section. The next chapter will focus on the analysis and discussion associated with the three
modes of data. Those modes of collected data include an interview guide; a resilience maturity model
quick assessment tool; and details associated with collective observations from ISMS associated reviews
conducted within other state government jurisdictions.
CHAPTER 4
ANALYSIS AND DISCUSSION
The following section of the exploratory case study aims to analyse the data that has been collected
through a number of qualitative methods. Those methods included structured interviews with 17
respondents from 11 government agencies, in which a standard set of open-ended questions was
provided in two formats. The first format comprised a standard set of 22 questions and the second
was the completion of a quick assessment document based upon the respondent's interpretation of their
agency's current resilience across a series of behaviours. These
interviews were recorded to ensure that the results of the interviews were accurately interpreted and
reflected the level of responsiveness to the questions asked.
The following sections will outline the research analysis performed and will discuss the findings
specific to the interview guide and the resilience maturity model quick assessment tool.
4.1 INTERVIEW GUIDE
a. Participants
As part of the exploratory case study, 14 government agencies were initially approached to participate,
with 3 either declining the invitation or being unavailable due to the narrow timeframe in which the
study was conducted. The remaining 11 state government agencies participated in the research and
completed an interview guide and a resilience maturity model quick assessment tool.
To better appreciate the level of data results, a participant table was prepared to reflect the level of
participants who had undertaken the study. This also assists in acknowledging that each group plays a
separate yet connected role in the implementation of the ISMS and classification of data.
The following is a representative outline of the level of research participants interviewed in association
with the agency project.
Table 1 Participants

Total Number of Agencies                         11
Agency Security Executive                         4
Information Technology Security Adviser          11
Whole of Government Strategic Advisers            2
Total Participant Interviews undertaken          17
The following is a brief overview of the above participants and their role in accordance with the project
(e.g. ASE and ITSA).
Briefly, the Agency Security Executive (ASE) has the responsibility of being the custodian of any
approved version of the organisation’s ISMS. Other appointed positions associated with both the
agency and the project should have access to the ASE as required to support stated executive outcomes
and performance requirements (Whole of government ISMF Guideline 13, 2012).
The Information Technology Security Adviser (ITSA) is appointed by the agency to manage the security
of information and information communication and technology systems. The ITSA is involved at most
stages of the ISMS development in an advisory capacity to business units within an agency who are to
make final determinations that may impact upon the business and its respective data. These decisions
must be addressed by the business owners and / or executive management as required. While business
units are required to perform specific risk assessments, the ITSA is to review and provide commentary
and advice on these risk assessments (Whole of government ISMF Guideline 13, 2012). In relation to
the above established roles, it is important to acknowledge that both play an important part in
coordinating with the business data owners a successful transition to the ISMS and the subsequent
classification of information data.
As a precursor to the exploratory research, a listing of agency-nominated Agency Security
Executives and Information Technology Security Advisers was obtained from the South Australian
Government in May 2012. This identified that a number of positions had been vacant for an extended
period of time (ranging from 6-12 months) or were made vacant as part of the recent machinery of
government agency reshuffle late in 2011 and had not been reallocated. Failure to initiate replacements
for ISMS project assigned staff may restrict the development of an ISMS for that agency in accordance
with set milestones in June 2013. This potential delay may also be further accentuated where an ASE
position remains unfilled which may prohibit an agency’s ITSA progressing due to lack of direction and
seniority to make appropriate decisions. As at May 2012, 10 positions associated with the
implementation of the ISMS and classification of data across South Australian Government agencies
remained vacant.
Further considerations have been undertaken through the development of an interview guide that was
presented to the study participants. The interview guide contains 22 questions that cover eight main
consideration elements specific to the implementation of the ISMS project. These general areas are
discussed as follows:
b. ISMS IMPLEMENTATION
The ISMS aims to identify and manage the policies, procedures and directions implemented in order to
provide an environment that is aware, predictable, sound and appropriately protected and secured from
threats and risks to its information management assets (Australian Government Information Security
Manual - Principles 2012).
In the context of the implementation of the ISMS across the agencies that participated in the study, it
was found that only 2 of the 11 agencies interviewed had reached a position whereby the ISMS was
fully implemented. Of the remaining nine agencies, one agency was still yet to commence
implementation of the ISMS. This is against a background where the implementation of the
ISMS has been encouraged within the South Australian Government Information Security Management
Framework since its inception in April 2003. Up until now the implementation of the ISMS has not been
mandatory but rather encouraged and recommended, should the agency decide to implement.
Subsequently, with the introduction of ISMF version 3, the implementation of the ISMS was no
longer optional but mandated. The first phase of the transition is for agencies to either establish an ISMS
for information assets or establish an undertaking that emphasises the areas that are critical or highly
sensitive to the business. This is anticipated to be in place by June 2013. Again agencies are provided
with an option whereby the project is mandated but the completion of the first phase milestone is not set
in stone but rather anticipated. The consequence of allowing agencies the option to establish a high
level ISMS by June 2013 could provide the agencies with a means to postpone compliance.
Also the other phases allow agencies to gradually expand coverage up to June 2017 in anticipation that
all ICT assets will be incorporated into the scope of the new ISMS. This timeframe will assist in
covering any transition slippage. If slippage were to occur leading up to June 2013 then, due to the early
stage of the project, this could be interpreted as a consequence of limited or inadequate proactive project
management and potential deficiencies in the project's top-down leadership approach and planning
(Challa & Tkiouat 2012).
c. GENERAL GOVERNANCE
In the context of a project governance framework, it was identified within the UK Government that
"decision making failures" were considered one of the top 5 causes of project failure. The other
elements included the difficulty in separating the project governance from the organisational
governance. Also, stakeholder management is only as strong as the project board and its
composition of key resources (Garland 2008).
Effective project governance underpins project success and results in efficient and timely project
decision making. Project governance provides an opportunity to identify a single point of accountability
that is service delivery focused and separates the project from the organisational governance structure,
in order that separate stakeholder management and project decision making can be maintained
(Garland 2008). The South Australian Government requires that each agency establish an appropriate
governance programme that will assist in the effective and efficient running of the business. The South
Australian Government ISMF version 3 has stipulated that agencies must establish governance of cyber
security. It aims to demonstrate a level of commitment from the highest levels of the organisation
specific to a culture of security and appropriate information handling that is based upon information
classification. There is an intent that a governance group must establish, maintain, review and refine
strategy, policy and objectives for ICT security within an agency.
To facilitate that requirement in accordance with the implementation of the ISMS, there is an
expectation that appropriate direction, commitment and support by senior management is available in a
clear and transparent fashion. It is this governance support structure that will assist in the successful
ISMS deployment (De Haes and Van Grembergen 2009). Key agency staff established to manage and
co-ordinate the implementation of the ISMS and classification of data were the Agency Security
Executive (ASE) and the Information Technology Security Adviser (ITSA). While the agencies in
general have a well formulated governance structure for their corporate strategic direction, research data
suggests that the governance specific to the ISMS project is less formal (SA Government ISMF
Guideline 13).
Through discussions with research participants at both the ASE and ITSA level, it was confirmed that
11 of the total 17 participants believed that deficiencies existed within the governance structure
associated with the implementation of the ISMS. Participants, especially the ITSAs and some of the ASEs,
confirmed that senior management are not sufficiently engaged at this stage with the project. It is
important that the ITSA has sufficient guidance from senior management; as it stands, meetings between
the ASE and ITSA are either not currently occurring or are spasmodic. Contained within the whole of government
ISMF guideline 10 there is a reference that the ASE appointed by way of the Protective Security
Management Framework and Internal Audit have a role in keeping the Chief Executive informed of
cyber security compliance progress on a regular basis.
Consequently without sufficient general governance, the reporting and tracking of the progress of the
project and key development considerations could be delayed. As such deficiencies in general senior
management guidance and governance may place undue milestone pressures on agencies and project
staff trying to meet set transition goals (Ibrahim et al. 2011).
The case study also acknowledges that as the phased milestones start to loom (June 2013), increased
engagement with the project may result as it takes on a higher focus from within agencies (Andersen et al.
2012). During the time of this study that increased focus was not reflected in participants' responses.
d. RISK ASSESSMENT
Risk assessment aims to identify, prioritize and quantify risk to organizational operations and
organizational assets resulting from the loss of confidentiality, integrity or availability of information
or information systems. This subsequently seeks to reflect the potential adverse impacts that may occur
to organizational operations, information assets, and the operation or use of information systems
(Swanson 2011).
As stipulated in the South Australian Government Protective Security Management framework, the
Chief Executive of an agency is accountable for the development and management of an Agency
Security Plan which must be developed to manage the agency’s security risks and should be based on a
security policy that supports the Agency’s goals and resources. The security risks are to be managed in
accordance with ISO 31000:2009 and the principles of the South Australian Government Risk
Management Policy Statement. Agencies are able to develop a single risk assessment mechanism that
may be used for multiple purposes within an agency, and its importance cannot be overstated (ISMF
Guideline 14).
From the case study, 13 of the total 17 participants have laid claim to having established risk
assessments. Of these, the agencies have acknowledged the importance of the risk assessment process but
have confirmed that not all assessments incorporate information assets and data as a key consideration.
This is currently being readdressed in order to realign and comply with ISMS requirements. The ITSAs
have also acknowledged that some of the agency risk assessments under review were being realigned
following the implementation of version 3 of the ISMF (2011), which incorporated additional security
considerations as part of the baseline for the ISMS and classification of data.
Of the remaining participants, 3 have confirmed that their agencies are in the process of developing a risk
assessment framework specific to their agency to assist in the development and implementation of the
ISMS.
Further, when assessing the respective responses from the ASEs and ITSAs, it was confirmed that 1 of
the Agency Security Executive participants, who maintain a position of trust within the agency and
manage the security performance outcomes and operations, was unaware or uncertain as to whether the
risk assessment specific to the implementation of the ISMS was currently in place.
The consequences of agencies failing to incorporate information data security elements within their
wider agency risk management plan is that they may result in the agency not being able manage risk in a
coordinated, consistent and comprehensive manner (Božić 2012).
e. WHOLE OF GOVERNMENT STRATEGIC DIRECTION
The importance of developing a clear and concise strategic direction associated with the implementation
of the information security management system comes down to a simple process that is understandable
to all stakeholders across government. The key areas to consider include simplicity, adaptability, speed
of planning, communication, competencies, and general implementation. Confusing strategies and
tactics all too often keep organizations from properly implementing an effective information protection
strategy (Oksendahl, Stackpole 2010).
While the implementation of government guidelines on cyber security and the implementation of the
ISMS and classification of data have been initiated at a whole of government level, the responsibility for
the implementation of that project rests with the South Australian government agencies, who are the data
business owners. To assist agencies in this endeavour, a series of guidelines was prepared as a means
to give some level of guidance (ISMF Guideline 4).
At least 8 of the total 17 participants in the current research suggested that current direction by way
of guidelines, general procedures and policies was not clear and concise. The research data
confirmed that the majority of uncertainty resides with the ITSA, who have the role of managing the
security of information and ICT systems in an advisory capacity to business data owners. This
uncertainty has resulted in a high level of anxiety across government as agencies attempt to address
these areas of confusion.
The research also confirmed that at the back of each guideline there is a general statement
stipulating that the guidelines do not aim to provide the reader with all of the responsibilities and
obligations associated with set scenarios. The guidelines are intended to be merely a good practice
guideline that agencies will need to use and consider. Indirectly there is the inference that it is the
agencies that must identify the most appropriate means, as it is their data and each agency is unique
in the way that it deals with its operational business. This statement further identifies the position of
the guideline's author: agencies, whilst provided with a guideline, must make their own decisions
and set their own direction, whatever that may be.
Through establishing strategic direction and guidelines at a whole of government level that fail to satisfy
agency concerns, the potential for increased inconsistency in interpreting what a successful outcome is
continues to face agencies of government. Increased interaction with senior management to align
strategic direction between government and agency capabilities needs to occur. Senior management also
need to more closely align their involvement with the project and the ITSAs so as to ensure that they are
sufficiently aware of the concerns and potential deficiencies that their respective agencies are
confronting (Al-Hatmi 2012).
Agencies misinterpreting the whole of government strategic direction and alignment may result in
agency organisational direction, or the resilience of their operational strategy, not aligning with
government expectations and initiatives. As such, greater interaction at the whole of government level will
assist in minimising any misalignment (Al-Hatmi 2012).
f. SECURITY DOCUMENTATION
ISO 27001 recognises the importance of information security documentation for the management
and operation of all information processing. The intent of the security documentation is to assist in
outlining the operational procedures, whilst emphasising the importance of specific key security
controls. These elements of protection strive to segregate duties, delegation and general risk
considerations, which should be available and directed to all users who may require assistance (ISO
27002 2006).
The South Australian Government mandated ISMF identifies the minimum controls required by all
government agencies regardless of the scope of their ISMS implementation(s). This control set of
policies and procedures effectively establishes the cyber security baseline, driven by business
requirements and objectives across government ICT services and operations. This also assists in
developing a statement of applicability based upon ISO 27001, which maps security control
procedure documentation against the set controls for the operating environment that encompasses critical
ICT information assets and associated activities (SA Government ISMF version 3.1 2011).
Within the exploratory case study, participants acknowledged that the majority of agencies are
currently realigning their procedures to ensure that their coverage is adequate and comprehensive. A
small proportion (3) of the participant agencies have established adequate documentation to comply
with ISO 27001 requirements. 13 of the total 17 participants acknowledged that, following the
upgrade to the mandated ISMF version 3 security controls, they are still progressing the development of
security control documentation, which also needs to gain senior management endorsement as to its
adequacy. The remainder of the participants had not yet commenced documenting the security controls
necessary to meet the requirements of the statement of applicability and overall certification under
ISO 27001.
In the context of validation at the ASE and ITSA ISMS project implementation level, the research data
confirmed that 16 of the total 17 participants reported that the majority of documentation
and supporting procedures are going through an extensive level of realignment. It is intended that this
documentation will stipulate procedures, the risk of non-compliance, the level of responsibility and the
frequency at which the procedure needs to be subject to further review.
A review of ISMF Guideline 12 outlines the legislative and regulatory requirements for South
Australian Government agencies, which include the mandated ISMF. Agencies are required to reassure
themselves that they are aware of their legal requirements and obligations in cyber security. The tables
and supporting internet links identify regulatory requirements and Australian and State government policies
and standards which have relevance to cyber security initiatives. Areas of coverage include ISO
27001, the Australian Government ISM and PSM, and the State Government ISMF and PSMF. A more
exhaustive listing can be sought from the South Australian web site, which is regularly reviewed and
updated as necessary.
Failure to adequately maintain a suite of appropriate and current security documentation may result in
breaches of security controls, whereby general users may incorrectly or maliciously perform
specific tasks, which could increase the potential for breaches to occur involving sensitive and/or
confidential information data.
g. WHOLE OF GOVERNMENT REPORTING
Traditional strategic planning can be a detached approach between government, agencies and senior
management when analysing data. This lack of reporting may establish areas of bias in the planning
process, whereby strategy makers and strategic implementers from both sides point fingers at each other
as the cause of failure if it were to arise. Ensuring that strategic data is current and appropriate may
reduce the potential for blind spots evolving within the final strategic plan (Mendenhall 2007).
Within each agency there is an expectation that executive management shall ensure that there is clear
direction and visible management support for information and asset security initiatives within the
agency.
In accordance with the ISMS project, each project team is required to report to its respective executive
management as part of the general governance regime so as to explain the progress of the project against
key milestones (ATSEC 2007). Whilst each agency attempts to maintain its own project status and
progress, a consolidated reporting mechanism at a whole of government level does not seem to exist that
would assist in confirming where agencies are, as a collective, against key project milestones.
The majority of the research respondents (14 of the 17 participants) confirmed at an
agency level that no reporting to the whole of government strategic unit level presently occurs or has
been requested from government agencies. Whilst one participant acknowledged that their agency is
frequently interacting with whole of government strategic advisors, there were also 2
participants who were unsure or unaware as to whether their agency is providing
some information at a whole of government level.
When interviewing both ASE and ITSA, their collective responses confirmed that reporting
beyond the agency does not occur. Whilst the ITSA have regular forum meetings whereby matters are
generally discussed, there is no specific information provided or collected at the whole of government
level so as to give WOG staff an appreciation of the overall level of progress across the whole
of government, despite the fact that the initiative is a mandated transition venture on behalf of the
South Australian government.
Consequently, not involving the whole of government in the monitoring process restricts government
from gaining an effective perspective as to how the project is tracking in its entirety. Without that high
level perspective, there is no appreciation as to how this initiative is progressing from a state position
(Crawford, Helm 2009).
h. PROJECT RESOURCING
In order to establish suitable resourcing requirements for the implementation of an ISMS, agencies are
required to allocate adequate resources (ATSEC 2007). To assist in this matter, the development of a
resource strategy plan strives to create the foundation upon which project resourcing
requirements are based. A framework should be established that provides effective information security
governance, whereby decision makers with a current, accurate and sufficient understanding of
the threat environment are in place. This will be based upon a risk based construct in relation
to information security which is passed and confirmed with security data owners and stakeholders (DoD
Intelligence and Security 2012). The strategic framework should also include such elements as retention
(where applicable), which should be regularly revisited to ascertain whether the resources allocated to the
project and the time allowed are adequate (ATSEC 2007).
At the time of the formulation of the ISMS project within South Australia, a cabinet submission was
prepared and sought approval for the project to commence. Within that submission there was an
expectation at the agency level that adequate staffing provisions would be made available to agencies to
assist in the ISMS implementation. Now that the project is underway, agencies have confirmed that the
resourcing for this project has been provided from within existing agency budgetary availability. 14 of
the total 17 participants in the research confirmed that no additional resourcing provisions were
made available to agencies as a way to assist with the implementation of the ISMS and the classification
of data.
From the analysis of the data from the respective ASE and ITSA it has also been confirmed that no
additional staffing resources have been made available. The data from the collective ASE and ITSAs
confirmed that 14 of those respondents were not provided with any additional resourcing to
assist with the ISMS initiative. They acknowledged that there was an expectation that these extra
duties would be added onto their current duties.
Of the remaining 3 respondents of the total 17 participants, it was confirmed that while direct funding
was not made available to the agency from a WOG level, specific agencies had been in the fortunate
position of having some additional funds available that they were able to direct to extra staffing and/or
external expertise contracting.
Failing to provide adequate direction and staffing may result in a deficiency in the
agencies' capability to achieve effective and efficient management of the ISMS project so as to meet key
implementation milestones. Difficulties may arise where workload expectations exceed capabilities.
By increasing their level of engagement with the project, senior management will be able to monitor
progress and act suitably when required (Ibrahim et al. 2011).
i. AWARENESS TRAINING
In the development of an ISMS, entities need to ensure that all employees are sufficiently aware of the
supporting policies and procedures that underpin information data and its overall sensitivity. Entities
also need to acknowledge that technology changes are occurring at ever increasing speed. As
such, expertise within the entity needs to be sufficiently competent. With this in mind, entities
must ensure that adequate training is also given to the project personnel responsible for the
implementation of the ISMS and classification of data (Kritzinger, von Solms 2010).
At an agency level there is an expectation that agencies need to establish a communication process that
ensures a high level of awareness of, and commitment to, information security requirements, particularly
for ICT based information, across government. It is further intended that an awareness program will establish
a culture of security awareness throughout the organisation, so that security is regarded as a part of
doing business. Through the establishment of an effective information security training and awareness
program, emphasis can be placed upon regulatory requirement compliance, customer trust and
satisfaction, compliance with published policies, due diligence, corporate reputation and accountability
as a means to comply with regulatory and established security controls (Kearney, Kruger 2008).
This also recognises the importance of information classification and handling awareness training
and induction programs that are implemented and consistently applied. It further acknowledges the
importance that, even though a comprehensive awareness program is developed at multiple levels, there
is also a need for this to be regularly reviewed in order to ensure that it remains current and effective
(Kearney, Kruger 2008).
On review of the participants' data it appears that, in the main, initiatives had been implemented at the
business data level as part of awareness training through a series of on-line training modules specifically
directed at general agency front line staff. From the exploratory data obtained, 6 of the total 17
participants believed that the level of awareness training provided by whole of government strategic
business units was adequate and sufficient to implement the ISMS at that point in time.
A further 6 participants acknowledged that increased awareness training was required so as to assist
agencies in the implementation of the ISMS and classification of data as they further progressed the
project at an agency level. One of the participants responded that they believed that the level of training
was inadequate and needed to be provided in greater detail. A further 3 of the total 17 respondents were
unsure as to the level of awareness training that agencies as a whole had undertaken.
In general the participants believe that training areas of a more technical level were specifically required
in areas associated with risk management, security documentation and classification of data.
The participants held concerns that their interpretation of set requirements could be seen as inconsistent
with that of other agencies. Consequently there were suggestions that further assistance and guidance in
this area could be of benefit (Chen et al. 2009).
Consequently, a key element in this ISMS initiative revolves around the need for satisfactory awareness,
which is required at multiple levels (senior management down to general staff). This emphasis on
awareness training is critical in gaining sufficient commitment from all levels as a means to contribute
towards the safeguarding of data. Failure to provide support when required may inhibit the initiative's
implementation through uncertainty as to the correct approach to adopt. As such, awareness through
increased clarity and direction from the whole of government strategic business unit may assist in
working through certain areas where uncertainty may exist.
j. ISO CERTIFICATION
Accreditation is regarded as the process by which formal recognition and acceptance of specific residual
security risks as appropriate for the classification of information data is given. This accreditation provides
agencies with the level of assurance that either sufficient security measures have been put in place or
that deficiencies in such measures have been accepted by the appropriate accreditation entity (DoD
Intelligence and Security 2012).
As part of the mandated South Australian Government ISMS initiative, government agencies must
develop or have in place an ISMS (processes, systems, and geographic locations) that is documented,
mapped and aligned to controls as part of the ISMS Statement of Applicability process (ISMF Guideline
13 2012). For those agencies that choose not to pursue full certification, they must satisfy themselves
through a comprehensive risk assessment that information security measures are adequate and fully
documented.
From the data provided by the research respondents it was acknowledged that 2 of the 11 participating
agencies had established certification in accordance with the ISO standard, while 8 agencies were still
undecided as to whether they would seek certification through their senior management. The remaining
1 agency of the total 11 agencies acknowledged that they had already made a decision, even though
they were still in the process of implementing the ISMS, that they would not be seeking certification in
accordance with ISO 27001. The main argument surrounding the certification of the project focuses
on the fact that agencies at this point in time could not justify the certification in accordance with their
agencies' operational needs, based upon the future levels of cost and resources that would be required to
regularly maintain the certification once the agency was compliant.
Gaining ISO certification provides the participating agencies with the opportunity
to publicise the achievement. This may provide some level of comfort to the South Australian
community that security practices are being maintained at an international level. Failing to attain
certification may also send a message to the general public. It may be misconstrued that the agency
lacked direction and long term vision through its inability to fund and resource such
an exercise. Also, inadequate planning may suggest that insufficient critical information is held, but at
this point in time, few agencies have the luxury of not maintaining sensitive information within their day
to day operations.
The ISMF guidelines carry the following statement: "This guideline does not constitute an absolute or
mandatory method for managing risk or maintaining an Information Security Management System. It is
merely a good practice guideline applied to the protective security policy position and operating
characteristics of the Government of South Australia at the time of writing. The individual requirements
and operational characteristics of agencies will have direct bearing on what measures are implemented to
mitigate identified risk(s) and how such outcomes are achieved."
Whilst the majority of participants believe that they may seek certification, that commitment had yet to
be determined. Whilst not all agencies will ultimately gain certification, based upon size and
complexity, the participating agencies in the study were in general of a size and complexity
that would suggest that the level of data held was either critical in nature and/or sensitive (AbuSaad
et al. 2011).
SUMMARY
From the analysis performed and the discussions held, a number of observations were made.
It was identified that 9 of the 11 agencies reviewed were still yet to implement a general ISMS. Whilst
government has endeavoured for several years to engage government agencies to implement information
security management systems, only a small proportion have taken this initiative. The exploratory case
study confirmed that those agencies that are still to implement an ISMS are looking to progressively
roll the project out over the full 6 year timeframe.
The study also found that 11 of the total 17 participants had general
concerns regarding the governance structure within agencies of government specific to this project. The
data gained confirmed that a high proportion of agencies have not gained senior management engagement
with the project at this point in time. Whilst the level of engagement is gradually increasing, the
expected key milestone date is also quickly looming (30 June 2013).
It was also identified that whilst 13 of the total 17 participants' agencies have a risk framework in
place, two key considerations were worthy of mention. Firstly, 8 of the 13 participants are currently
realigning their risk assessments to incorporate information data rather than operating only at a corporate level. These
agencies tend to utilise the risk assessment at a corporate level and only acknowledge information
security matters as they arise through incident management. This is subsequently being
addressed as agencies move to comply with ISMF version 3 and also develop their respective agency
strategic security plans in accordance with mandated South Australian PSMF requirements. Secondly, 7 of
the total 13 exploratory case study participants realigning their risk assessments suggested that
increased whole of government guidance in this area would be beneficial so as to gain an increased level
of standardisation between government agencies and also minimise the potential for differing interpretations of
general common risks.
The exploratory case study has also identified that 8 of the 17 participants considered that the general
level of guidance from a whole of government level to government agencies is not regarded as clear and
concise. Agencies would like some degree of standardisation / template developed so as to assist in the
implementation of risk assessment, classification of data and general development of policies and
procedures.
From the exploratory case study, 13 of the total 17 participants acknowledged that the majority of policy and
procedural documentation specific to the ISMS and classification of data is still under review and yet to
gain senior management endorsement.
In the context of ongoing monitoring of the progress of the ISMS and classification of data, it was
identified that 14 of the total 17 participants do not report any specific progress details of the
government's mandated information project initiative to a whole of government level. By failing to gain an
update as to the progress of the implementation of the mandated transition, the government has no clear
understanding as to the status of this initiative as the first key milestone of June 2013 approaches.
In the context of project resources, 14 of the total 17 participants confirmed that no additional
resources were provided by the agency or through a whole of government initiative to assist with the
ISMS initiative. The ISMS security requirements have been added on top of their normal ongoing
duties.
The research data also showed that 7 of the 17 participants consider that the level of awareness
training specific to technical considerations and concerns could still be enhanced based upon the needs
of the agencies and as the project gradually unfolds. Whilst at a whole of government level the conduct
of training has been ongoing for a number of years, it is only now that agencies are identifying areas
where uncertainty exists. Continual engagement and training where required is still encouraged.
From the exploratory data obtained, it has been identified that 8 of the participating 11 agencies have
still yet to determine, from a strategic direction, whether they are to seek certification in accordance with
ISO 27001. Restricting the level of strategic direction that currently encapsulates this project may not
send the right message to project staff as to where this project is heading from an agency perspective.
4.2 RESILIENCE MATURITY MODEL QUICK ASSESSMENT
Resilience is about creating more resilient critical infrastructure through initiating procedures that assist
in developing better adaptability to change, having reduced exposure to risk, and improving capability to
bounce back from any type of hazard including accidents, negligence, criminal activity and terrorist
attack which may be regarded as both expected and unexpected.
The following figure is a representation of the data provided by respective participants for each of the key
characteristics synonymous with resilience and risk assessment.
[Figure 4: Resilience Maturity Model Assessment Consolidation (bar chart; vertical axis 0 to 35, horizontal
axis categories 1 to 9)]
It is important to note that no individual observation is to be taken in isolation as the results need to be
collectively assessed in order to gain a clear picture.
Table 2: Leadership and Culture

Characteristic        %
Agility               67
Leadership            65
Culture & values      71

In the context of leadership and culture, key characteristics include an entity's ability to be agile and to
exhibit specific leadership and cultural values.
In the context of this analysis, agility strives to reflect an entity's ability to develop operational practices
which are regularly tested and reflect aspects of intuitiveness that aim to address potential threats
as they arise. With the data relating to an agency's agility, the participants believed that their respective
agency's agility was approximately 67% of optimum. As such, the agency's ability to deal with
problems, seek opportunities, capitalise on incidents and retain lessons learnt was still being developed and
built.
At present agencies are still developing their capability to comply with the expectations of ISO 27001.
Those expectations seek to identify the data assets under their control and the level of risk associated with
those specific assets, to develop and align security control documentation, and to classify the identified data
based upon its degree of sensitivity. By going down this path, it could be argued that those agencies
were moving to a position whereby they would be perceived to be more agile and able to respond to
customer needs. This in turn should assist in reducing cost through efficiencies derived from
understanding their business in greater detail (Farr et al. 2007).
Regarding leadership, the participants believed that agencies were approximately 65% of
optimum. As such, the agencies considered that their senior management were not as responsive in
dealing with crises, lacked clear direction and were yet to develop programs that would adequately
address the protection of sensitive data from internal and external threats.
Leadership not being as responsive as it could be may suggest that they were fearful of
a crisis and do not provide the clear direction that project personnel require. Without clear
and concise direction, key decisions cannot be made in an efficient manner, which could
contribute to delays in the ISMS transition project. Establishing clear lines of communication will allow
for more decisive leadership and decision making (D'Amato and Roome 2009).
In the context of culture and values, agencies felt that their ability to act in the best interest of the
agency's mission statement was 71% of the optimum score. It was seen that agencies in general were
increasingly receptive to change, based upon a close relationship between the ITSA and the data business
owners. This relationship had assisted agencies in creating a situation where data owners were
increasingly becoming aware of the importance of protecting data on behalf of the agency.
Table 3: Networks

Characteristic        %
Communications        70
Integration           61
Interdependency       70

In the context of networks, key characteristics include an entity's ability to communicate, integrate and
generally establish a level of interdependency between business data owners and units.
From the participants' research data, the level of communication within an agency was assessed at
70%, suggesting that the ability to break through inflexible business units that operate in a silo
environment, rather than communicating as a consolidated unit, was still gradually being addressed. As
these are gradually improved, the ability to convey clear and concise messages and strategic direction
will improve. To achieve this, the gradual development of governance committees will increasingly
improve and assist in engaging senior management.
Communication would appear to be strengthened as agencies gradually move away from
silo management structures to management which is flat and covers all areas of the business.
The consequence of this is that the business can become more responsive to business needs rather than
operating in isolation.
The research data on integration was assessed at 61%. This is consistent with the fact that a
large proportion of agencies were still moving towards the implementation of the ISMS and
classification of data. Once that has further developed, it is assumed that risk assessments and the level
of documentation based upon security controls will improve, which will assist in better appreciating the
information data held and the relationships that this data has between business owners and user groups.
This increased understanding of the data held will also assist in improving the level of governance that
will need to exist within an agency so that a better, effective and efficient operational structure is
maintained (Dawson et al. 2010).
The consequence in this area is that at present agencies are still moving towards integration across the
business, whereby elements of duplication and inefficiency are gradually being identified and changed as
part of the overall process of better understanding their respective business and developing appropriate
security control documentation based upon a risk based approach. Failure to adequately
integrate business environments may create situations whereby data, through inefficient processes, may
be leaked or lost (Dawson et al. 2010).
When considering agencies' interdependency, the participants' research data was assessed at 70%. As
such, the participants believed that as key information data is identified and better understood from a
data business owner perspective, the level of documentation will increase, which will gradually reduce
the dependencies on key personnel. This will place the decision making and risk process back closer
to where the data resides.
Consequences associated with interdependency acknowledge that data currently stored within an agency
may be used for multiple purposes. It is for this reason that it is important that data is securely retained.
Failure to adequately appreciate all data access points may increase the opportunity for data leakage. As
such, detailed planning is essential. It is again here where increased leadership and communications are
required (Kim, Wang 2009).
The identified consequences in this area are that as the business gained a better appreciation of its
operation, then efficiencies and stronger relationships across the business can be established.
[Chart: Change Ready (%) – Awareness 69, Change 68]
Table 4: Change Ready
In the context of change ready, key characteristics include an entity's general awareness and change to
events as they occur.
By considering the data from participants specific to agency awareness, it was assessed at 69%. The
agency's level of awareness is gradually evolving based upon its self-awareness of the criticality of the
data held. As awareness increases so too will its engagement with senior management as it strives to
better protect the data under its stewardship.
Agencies are increasingly aware of the expectations and consequences attached to the need for adequate
training as a means to protect data. As community expectations increase, so too does the level of
training available. Business data owners within respective agencies are making their staff aware of their
responsibility to safeguard data. Their role is at multiple levels ranging from complying with regulatory
requirements to day to day functions. This includes the need to ensure that this level of training is regularly
maintained and updated. Failure to adequately comply with these considerations will result in loss of
public confidence, potential monetary penalties and disruption to the business (Schiller 2003).
Data associated with change within the agency has been assessed at 68%. It has been assessed that
an increased understanding of the data held will assist the agency in increasing its capability to
protect data through more efficient processes and also increase the opportunity to expand the general
business coverage. As the implementation of the ISMS continues to evolve, general change within
business units will be further enhanced.
With change now a part of the implementation of the ISMS, the business and data owners are striving
to change existing practices through risk assessment, documentation and classification of data
sensitivity. The consequences of this development are that continual review and monitoring of practices
and risks will be regularly performed under the new regime.
d.
SUMMARY
In the context of the resilience maturity model quick assessment tool completed by the 17 participants, it
was identified that whilst the range of agencies were at differing stages of the project life cycle there
were some elements that contributed to the variances in general findings.
General variations of the resilience assessment suggest that the level of leadership was low, which may
support the premise that participants believed that senior management engagement was deficient within
both the project and general governance.
It was also identified that the general level of communication and general project awareness were
inadequate, which may restrict an agency's ability to effectively interpret processes involved in the
integration, interdependency and overall awareness of business units and agencies within Government.
4.3
PRELIMINARY REVIEW – OTHER STATE GOVERNMENT JURISDICTIONAL
OBSERVATIONS
From 2008 various interstate government jurisdictions have commenced implementing an ISMS and
moved towards classifying data in order to address deficiencies in ICT policies and procedures, and the
coordination and monitoring of whole of government ICT strategy and investment. Following each
initiative, the Auditor-General in each of those respective states would perform a compliance review to
determine the adequacy of the process undertaken.
As part of this exploratory case study specific to the implementation of the South Australian
Government ISMS and classification of data, a high level comparison has been performed to identify
the observations that were made and to identify areas of similarity across each of the other Australian
interstate jurisdictions. The key observations raised by the respective Auditors-General in
each Australian State are summarised in the following table.
Australian Jurisdiction: Australian National Audit Office (ANAO); NSW Auditor-General; Victorian
Auditor-General; Auditor-General of Queensland; Western Australian Auditor-General
Auditor-General Observations:
• Inadequate protection of confidentiality of sensitive information
• Inadequate level of risk assessment, providing insufficient information security in depth, incomplete
and out of date
• Inadequate user access which exceeded security clearances, or no records were regularly maintained
• General lack of self-awareness and training
• Level of information security policies and procedures could be improved
• Inadequate policies exist
• Inadequate assessment of sensitive information
• Lack of project progress monitoring
• Lack of ICT strategic direction and strong leadership based around accountability and secure data
• Lack of confidential personal information
• Inadequate consistent leadership
• Lack of consistent and coordinated information security practices
• Inadequate staff training in good security practices
• Need for a robust risk management practice
• Ineffective governance framework for ICT strategic direction
• Improve leadership and organisational structure
• Improve level of information safeguards
• Improve senior management commitment
• Inadequate communication to staff
• Inadequate vulnerability management
• Inadequate control over network infrastructure
• Need to improve level of security practices and compliance with policy
• Failed to adopt risk-based approach
• Inadequate information security practice guidelines and interpretation of standards
• Inadequate risk assessment, risk management framework and information security awareness training
Table 5: Comparison of Australian Jurisdiction Auditor-General ISMS and Data Observations
Whilst the project completion times varied from 12 to 24 months, all systems have been implemented,
but the researcher is of the belief that no interstate government has gained ISO certification across one
of the respective states.
Whilst the South Australian venture is 18 months into a 6 year venture, the researcher is of the belief
that following the implementation of the ISMS in June 2017, the State will commence a separate
initiative to have all states ISO certified if they are not already there.
SUMMARY
Based upon the above table, the main observations relating to the general assessments of the ISMS
performed by the respective interstate Auditors-General include:
• Lack of clear and concise ICT strategic direction and strong senior management commitment and
leadership.
• A need for the development and ongoing management of robust risk based practices.
• Inability to assess the level of assurance and confidentiality relating to sensitive information.
• Inadequacy in information security policies and procedures.
• Lack of consistent and coordinated information security practices specific to key security
infrastructure.
• A general lack of self-awareness and information security training.
• Lack of monitoring of agencies' progress towards compliance and certification.
The next chapter will focus on the conclusion and summarisation of observations made as part of the
exploratory case study. This will also incorporate the strengths that have been identified as being
associated with the ISMS initiative. The weaknesses will also be outlined along with a high level
summary.
CHAPTER 5
5.1
CONCLUSION
a.
Overview
The scope of the exploratory case study was to assess the adequacy of the South Australian
government’s implementation of the ISMS and classification of data. The study used data collected
from a number of areas, described in chapters 2 and 4, which include an interview guide undertaken by
each participant, the completion of a resilience maturity model quick assessment tool, literature reviews
and the comparison of other state government jurisdictions' reviews of the implementation of their ISMS
and classification of data.
The study sought to assess the level of compliance of the project with the ISO standard and to determine
the level of clarity of the government guidance. The study also sought to determine the
level of senior management interaction and involvement within the project specific to general
governance, leadership and communication to other staff. Other areas of consideration included the
adequacy of risk assessment and the level of security documentation specific to the statement of
applicability. Further consideration surrounded the interaction between government and agencies of
government, resource availability, the level of awareness training and the proportion of agencies that have
sought or anticipate seeking ISO certification.
The results of that study are summarised in the following sections based upon positive observations and
the limitations associated with the ISMS initiative.
b.
Strengths
With the implementation of the ISMS and classification of data initiative, the exploratory case study has
acknowledged that with the development of a robust information security program a number of positive
outcomes within agencies of government have occurred. The South Australian government initiative
has aligned the state of South Australia with the Commonwealth and other Australian state jurisdictions
as they collectively seek to combat cyber threats on a daily basis through the identification of security
vulnerabilities. This will assist in ensuring that newly established principles will also remain consistent
with existing laws, regulations, and international standards. Further, the initiative has sought greater state
agency ownership as a means to identify and protect sensitive data held under its control.
This initiative, on its completion in 2017, will have provided South Australian agencies of government
with an opportunity to be better positioned in the context of asset identification, risk assessment,
security documentation and classification of information data. This initiative has also provided this state
with the opportunity to leverage work previously performed in other state government
jurisdictions by way of a series of high level guidelines as a means to minimise previously raised
security control vulnerabilities.
To reach that position, agencies have the opportunity to gradually implement the initiative, which permits
greater levels of planning and an opportunity to increase the current level of self-awareness. This is
further enhanced by the initiation of continual improvement of not only security
controls during the implementation stage but also as part of the ongoing certification lifecycle.
c.
Limitations
The exploratory case study has identified instances where senior agency management and associated
project personnel may need to increase the level of engagement and internal reporting associated with
this project. This may also extend to general areas of project governance and its integration into the
agency corporate strategic direction.
At this point in time a large proportion of agencies undertaking the implementation of the ISMS and
classification of data have not yet determined their strategic position as to whether they intend to seek
ISO certification. Failing to declare strategically whether an agency is seeking certification may
send unclear messages to project staff as to the agency's commitment to this endeavour.
At a whole of government level there are also opportunities to provide greater involvement through
ongoing monitoring of the level of progress associated with this mandated state government initiative.
Also participating study agencies have suggested that an increased level of guidance at a whole of
government level may assist in providing a clearer and more concise direction. This may incorporate
the development of key project template documentation surrounding risk assessment, general security
documentation and further explanation and direction relating to the general classification of data.
This may further assist in developing adequate awareness at multiple levels throughout government and
agencies.
The exploratory case study has also identified instances whereby lessons learnt from prior exercises
undertaken by other Australian state jurisdictions may be repeating themselves in this same type of
initiative. Such instances include a lack of project progress monitoring, limited leadership and
communication and limited standardisation of key documentation with an emphasis on risk and security
control.
Finally the study has identified that whilst each agency was assigned specific project roles to assist in the
management of the project, with staff movements within government some of those project roles have been
left unattended for extended periods of time (e.g. greater than 6 months). This aspect, and the fact that
limited agency resources have been assigned for the effective and efficient completion of the mandated
project, may contribute to missing key project milestones.
d.
Research Summary
In conclusion the exploratory case study has acknowledged that the key areas that agencies may need to
consider as part of the implementation of the ISMS and classification of data surround:
• Increased levels of engagement and general project governance by senior management.
• Further development of ongoing awareness training pitched at multiple levels
throughout agencies.
• Continued review of project resourcing levels to ensure that key project milestones are achieved.
• Increased monitoring of agencies' progress at a whole of government level.
• Increased development and management of robust risk based practices and assessments, classification
of data and security documentation that are more standardised across agencies.
• Continued review of the project scope to ensure that expectations are appropriate and achievable
in accordance with ISO 27001.
5.2
OUTCOME OF STUDY
This case study, whilst constrained by time, which had an effect upon overall scope, has examined the
adequacy of the proposed SA Government implementation of the ISMS and classification of data. This
was undertaken through the use of a number of qualitative methods including interview guides,
resilience maturity model assessments and specific literature research which also
incorporated reports issued by other interstate government jurisdictions.
The study aimed to assess whether a standardised approach based upon ISO 27001 was being
consistently applied in order to adequately safeguard information data held. This was compared against
ISMS implementation initiatives that were performed through other Australian state government
jurisdictions in the context of lessons learnt. The study also sought to determine the level of guidance,
level of senior management engagement, level of project progress monitoring, and adequacy of risk
assessment, and awareness training.
Whilst a general standardised guideline approach has been developed at a whole of government level,
the effective implementation approach rests with the agencies of government. As such each agency has
generally initiated the ISMS project specific to its own needs and resources. Interviews have
confirmed that senior management engagement at this point in time is limited, with no project
monitoring occurring at a whole of government level. These observations are consistent with ISMS
implementation report findings from other state government jurisdictions. Also at a project
level staff have expressed some interest in gaining additional awareness training and direction in the area
of specific documentation including risk assessment and classification of data.
On conclusion of the case study, the findings are to be made available to both the participant agencies of
the study and also to the South Australian Government whole of government business unit to assess and
take appropriate action where applicable and necessary. It is hoped that the findings from the study can
be used to further assist in the implementation project which has a further 5 years to run. Whilst it is
still too early to make comment upon the security of the information data held on behalf of the South
Australian Community, there are still opportunities to ensure that the project is successfully
administered in accordance with general project initiative in order that key milestones are successfully
achieved.
5.3
FUTURE OPPORTUNITIES
It is also important to note that, as a consequence of the timelines associated with the minor thesis,
certain constraints have been placed on the level of research that could be performed. These constraints relate
to time and data coverage, which have the potential to distort conclusions based upon interpretations
of the results of the qualitative data obtained through the use of a small sample size.
As a result of these constraints, there is the potential for further research to be performed in the future.
This future research could incorporate a larger sample of the total population in order to gain a more
comprehensive analysis. Future research opportunities could also be based upon such aspects as
innovation and developments in data classification. Consequently this could incorporate such
aspects as data mining, data analysis, data clustering and overlapping of data groups.
REFERENCES
ABC News – PM Transcript, 2006, Defence Department review ordered after KOVCO disc left at
airport, viewed 18 May 2006, http://www.abc.net.au/pm/content/2006/s1642048.htm
ABC News, 2009, Missing RAH Files Reported to Police, viewed 18 June 2009,
http://www.abc.net.au/news/2009-06-18/missing-rah-files-reported-to-police/1324758
AbuSaad B, Alghathbar K, Khan B, Saeed FA, 2011, “Implementation of ISO 27001 in Saudi Arabia –
Obstacles, motivations, outcomes, and lessons learned”, Edith Cowan University Research Online
Al-Hatmi A, 2012, “Analysis of ICT Strategic Alignment in a Public Organisation”,
Bond University, http://epublications.bond.edu.au/cgi/viewcontent.cgi?article=1107&context=theses
Andersen B, Klakegg OJ, Magnussen OM, Walker D, Williams T, 2012, “Identifying and Acting on
Early Warning Signs in Complex Projects”, Project Management Journal, Vol. 43, No. 2, 37–53,
Published online in Wiley Online Library (wileyonlinelibrary.com), DOI: 10.1002/pmj.21259,
http://onlinelibrary.wiley.com/doi/10.1002/pmj.21259/full
ATSEC information security corporation, 2007, “ISMS Implementation Guide”
Auditor-General of Queensland, 2011, Information Systems Governance and Security, report to
Parliament No.4, 2011, viewed 20 May 2012,
www.qao.qld.gov.au/auditor_general_reports/2011_Report_No.4.pdf
Australian Government, 2011, Protective security policy framework – securing government business,
version 1.2, January 2011, viewed 12 March 2012,
http://www.protectivesecurity.gov.au/pspf/Pages/default.aspx
Australian Government, 2011, Protective security governance guidelines – Agency security adviser and
IT security adviser functions and competencies, version 1, 13 September 2011,
Australian Government Department of Defence, 2012, Intelligence and Security, 2012,
Australia Standards 2006, ‘AS/NZS ISO/IEC 27002:2006 Information technology – Security techniques
– Code of Practice for information security management’
Australian Standards, 2004, HB 231: 2004 – Information security risk management guidelines
Božić V, 2012, “Risk Management in Informatization”, Central European Conference on Information and
Intelligent Systems, pp. 337-493,
http://www.ceciis.foi.hr/app/public/conferences/1/papers2012/iss7.pdf
Buckley S., 2011, Data Classification, The Institute of Internal Auditor, March 2011, viewed 10 May
2012, www.theiia.org/intAuditor/itaudit/2011-articles/data-classification/
Challa A, Tkiouat M, 2012, “Identification of the Causes of Deadline Slippage in Construction Projects:
State of the Art and Application”, Journal of Service Science and Management, 2012, 5, 151-159
http://www.scirp.org/journal/PaperDownload.aspx?FileName=JSSM20120200007_95646273.pdf&pape
rID=19202
Chen C, Harris A, Huang H, Shaw R.S, 2009, “The impact of information richness on information
security awareness training effectiveness” Computers & Education 52 (2009) 92–100
http://www.sciencedirect.com/science/article/pii/S0360131508001012
Choo, K-K R., 2011 “The cyber threat landscape: challenges and future research directions”, Computer
and Security, Vol. 30 Issue 8 Nov 2011 Pgs. 719-731,
http://wwwscuencedirect.com.ezlibproxy.unisa.edu.au/10.1016/j.cose.2011.08.004
Collette, R., & Gentile, ZM. 2010, Overcoming Obstacles to Data Classification, computer economic
report, ISSN 0739-0874, April 2006, Vol. 28 Issue 4 pg. 8, viewed 5 April 2012,
http://www.computereconomics.com/article.cfm?id=1117
Cooney, M., 2011, In face of massive cyber security threat, government security dwindles, GAO
website – www.networld.com
Crawford LH, Helm J, 2009, “Government and Governance: The Value of Project Management in the
Public Sector”, March 2009, Project Management Journal, Vol. 40, No. 1, 73–87, Published online in
Wiley InterScience, DOI: 10.1002/pmj.20107,
http://unisa.summon.serialssolutions.com/link/0/eLvHCXMwVZ3LDQIxDERzoAU400CkrJHzOSNWFLBbQDy2-y8BR-IAPVieebL0nNK9rJZbhFqU9c4z8BqskfS9u0wnbve_2zz_ZrO_XU83_n7ByBjqWAyAGOYfSI8jZUXF1BldALNkM10mosPCb53JbCrtIwcLB6a8tZdkuXYGn7AJyRJM4
D’Amato A, Roome N, 2009, “Leadership of organizational change – Toward an integrated model of
leadership for corporate responsibility and sustainable development: a process model of corporate
responsibility beyond management innovation”, Corporate Governance, Vol. 9, No. 4, 2009, pp. 421-434, © Emerald Group Publishing Limited, ISSN 1472-0701, DOI 10.1108/14720700910984972
http://www.emeraldinsight.com/journals.htm?articleid=1810888&show=abstract
Dawson Shane, Heathcote Liz, Poole Gary, 2010, “Harnessing ICT potential: The adoption and analysis
of ICT systems for enhancing the student learning experience”, 2010, International Journal of Educational
Management, Vol. 24 Iss: 2 pp.116 – 128, http://dx.doi.org/10.1108/09513541011020936
De Haes, S, Van Grembergen, W, 2009, “An Exploratory case study into IT Governance
Implementation and its Impact on Business/ IT Alignment”, Information Systems Management, vol. 26,
no. 2, pgs. 123-137
Ekelhart A, Fenz S, 2011, “Verification, validation and evaluation in information security risk
management”, March/April 2011, co-published by the IEEE Computer and Reliability Societies,
www.sba-research.org/wp-content/uploads/.../stefan_f4_2012.pdf
Elo S. & Kynga S H., 2008, “The qualitative content analysis process”, Journal of Advanced Nursing
Vol. 62(1), 107–115, Blackwell Publishing Ltd, http://onlinelibrary.wiley.com/doi/10.1111/j.14682958.2004.tb00738.x/abstract
Ernst & Young, 2011, “Data loss prevention – Keeping your sensitive data out of the public domain”.
2011, www.ey.com/Publication/.../Data_loss...en/.../Data-loss-prevention.pd...
Etges, R. & McNeil, K. (2009) Understanding data classification based on business and security
requirements, ISACA Journal Online
Everett, C. (2011) Building solid foundations: the case for data classification, Computer fraud and
Security, June 2011,< www.scis.ulster.ac.uk/~kevin/dataclassification.pdf>
Farr J, Ganguly A, Nilchiani R, 2007, “Evaluating agility in corporate enterprises”, Int. J. Production
Economics 118 (2009) 410–423, http://www.sciencedirect.com/science/article/pii/S092552730800385X
Fowler, S., 2003, SANS Institute InfoSec Reading Room, GIAC Security Essentials Certification
(GSEC) – Information Classification – Who, Why and How, February 2003
Gershon, P., 2008, Review of the Australian Government’s Use of Information and Communication
Technology, August 2008, http://www.finance.gov.au/publications/ict-review/index.html
Gillham B., 2000, “Case Study Research Methods”, 2000 British Library Cataloguing-in-Publication
Data, Wellington House London
Garland R, 2008, “developing a project governance framework”,
www.aipm.com.au/.../GARLAND_Project_Governance_Paper.pdf
Government of South Australia – New Information Classification Scheme for Confidentiality, Chief
Information Officer, March 2012
Government of South Australia, 2012, Government framework on cyber security - OCIO Information
Security Management Framework version 3.1, February 2012
Government of South Australia – OCIO ISMF Guideline 4 – Developing cyber security standards, plans
and guidelines, February 2012
Government of South Australia – OCIO ISMF Guideline 10 – Transition guidance for agencies and
suppliers, February 2012
Government of South Australia – OCIO ISMF Guideline 13 – Roles and responsibilities in establishing
and maintaining an information security management system, February 2012
Ibrahim O, Nawi A, Rahman A, Sutan H, 2011, “Government’s ICT Project Failure Factors: A
Revisit”, International Conference on Research and Innovation in Information Systems, 2011, ISBN
9781612842950, pp. 1–6,
http://unisa.summon.serialssolutions.com/link/0/eLvHCXMwY2BQSE42NU0yMTVNtTRKSUkCXZVmkpxkYZxqnmZpmJSINnuPVJq7iTKouLmGOHvogu45iSAHLcQbwBuyJiZWBiaG5snGpsbijGwALvGqQAuEBl0
ISACA, Data Leak Prevention, 2010, ISACA White Paper, viewed 23 March 2012,
www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/Data-Leak-Prevention.aspx
International Organisation for Standardisation, 2005, Information technology – Security techniques –
Information security management systems – Requirements, 2007, viewed April 2012,
<http://www.iso.org/iso/catalogue_detail?csnumber=42103>
Kaplan, B., & Maxwell, J A., 2005, Qualitative Research Methods for Evaluating Computer Information
Systems, SpringerLink, Part I, 30-55, DOI: 10.1007/0-387-30329-4_2
www.libreriafarmaceutica.com/cover.../4/.../9780387245584-c1.pdf
Kearney WD, Kruger HA, 2010, “Consensus ranking – An ICT security awareness case study”,
Computers & Security 27 (2008) 254–259,
http://dx.doi.org.ezlibproxy.unisa.edu.au/10.1016/j.cose.2008.07.001
Kim SH, Wang QH, 2009, “Cyber attacks: Cross-country interdependence and
enforcement”, Eighth Workshop on the Economics of Information Security (WEIS 2009), June 2009,
http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.153.7997&rep=rep1&type=pdf
Kritzinger E, von Solms S.H, 2010, “Cyber security for home users: A new way of protection
through awareness enforcement”, Computers & Security, Volume 29, Issue 8, November 2010,
Pages 840–847
http://www.sciencedirect.com.ezlibproxy.unisa.edu.au/science/article/pii/S0167404808000448
Landoll DJ., 2006, “A complete guide for performing security risk assessment”, Auerbach Publication,
http://www.google.com.au/#hl=en&output=search&sclient=psyab&q=the+security+risk+assessment+ha
ndbook+pdf&oq=The+Security+Risk+Assessment+Handbook%EF%BB%BF&gs_l=hp.1.1.0i22l2.3746
.3746.0.7235.1.1.0.0.0.0.394.394.31.1.0.les%3B..0.0...1c.N9wUasZnI_M&pbx=1&bav=on.2,or.r_gc.r_
pw.r_qf.&fp=be8304172aae4a7d&bpcl=38093640&biw=1093&bih=538&safe=images
Mendenhall ME, 2007, “Strategic Planning Failure”, Encyclopaedia of Business, 2nd ed.
http://www.referenceforbusiness.com/management/Sc-Str/StrategicPlanningFailure.html#ixzz2C7SkMa27
New South Wales Auditor-General’s report, 2010, Electronic information security, October 2011,
viewed 20 May 2012,
www.audit.nsw.gov.au/207_Electronic_Information_Security.pdf
New South Wales Government, Information Security guideline, version 1.3 June 2011
Oksendahl E, Stackpole B, 2010 “Security Strategy: From Requirements to Reality”,
Auerbach Publications - 346 Pages, http://www.lavoisier.fr/livre/notice.asp?ouvrage=2634519
Pareek M., 2012, “using scenario analysis for managing technology risk”, ISACA journal, Vol. 6, 2012,
Http://www.ISACA.org/Journal/Past-Issues/2012/Volume-6/Pages/default.aspx
Redmill F, 2002, “Risk analysis – a subjective process”, April 2002, Engineering Management Journal,
http://unisa.summon.serialssolutions.com/link/0/eLvHCXMwY2BQSEkxTEk1NjNJS0k2SbVMTDE2TTEyS04yNzZNTEw0SExDmb1HKs3dRBm03VxDnD10YTVEfAHkyIV48FSpiWV8ai7o3kRghx1YDYkxsAB7yKkAYIEdSA
Rodgers, C.,”Data Classification – Why is it important for information security?” Viewed 5 April 2012,
http://www.infosecisland.com/blogview/20881-Data-Classification-Why-it-is-Important-forInformation-Security.html
Schiller J, 2003, “Working with ICT: Perceptions of Australian principals”, 2003, Journal of Educational
Administration, http://dx.doi.org/10.1108/09578230310464675
Shaw, M., 2002, What makes good research in software engineering? 2002, International Journal of
Software Tools for technology Transfer (STTT), vol.4, pp. 1-7, www.cs.cmu.edu/~Compose/ftp/shawfin-etaps.pdf
Standards Australia, 2004, Information security risk management guidelines – HB 231:2004, viewed 28
March 2012, http://infostore.saiglobal.com/store/Details.aspx?productid=568847
Stone, M., 2009, Data discovery and classification in five easy steps, Trend Micro, June 2009
Swanson M, 2001, National Institute of Standards and Technology, Computer Security, U.S.
Government Printing Office Washington USA
Symantec Global Internet Security Threat Report, Trends for 2009, viewed 5 April 2012,
www.symantex.com/whitepaper_internet_security_threat_report_xiv_04-2009.en-us.pdf
Verizon Business Risk Team - 2009 Data Breach Investigations Report, viewed 31 March 2012,
www.verizonbusiness.com/resources/reports/2009_databreach_rp.pdf
Victorian Auditor-General, 2009, Maintaining the Integrity and Confidentiality of Personal Information,
November 2009, viewed 20 May 2012,
www.audit.vic.gov.au/reports__publications/reports_by_year/200910/20092511_personal_data.pdf
Western Australian Auditor General’s, 2011, Information Systems Audit Report, Report 4, June 2011,
viewed 20 May 2012 www.audit.wa.gov.au/reports/pdfreports/report2011_04.pdf
Wildemuth, B.M. & Zhang, Y., (2009), Qualitative analysis of content, Applications of Social Research
Methods to Questions in Information and Library Science (pgs. 308-319). Westport, CT: Libraries
Unlimited, www.ischool.utexas.edu/~yanz/Content_analysis.pdf
Yin R, 2003, “Case Study Research-Design and Methods” 3rd edition, 2003, Sage Publishing Inc.
Thousand Oaks, California USA
ZDNET Australia, 2012, Vic report exposes Govt data breaches, viewed 30/4/2012,
http://www.zdnet.com.au/vic-report-exposes-govt-data-breaches-339299715.htm
APPENDIX A: INTERVIEW GUIDE

Demographics
1. Provide a general overview of your project responsibility / demographics.

ISMS Implementation
2. What was the general approach adopted in classifying security information data in accordance with the South Australian Government Information Security Management Framework (ISMF) and the Australian Government Information Security Manual (ISM) for National Security information?

General Governance
3. What is the governance structure that has been established by the OCIO and recommended to agencies? Does the OCIO review the progress of work performed relating to the development of the ISMS and the classification process?

Risk Assessment
4. Was the risk assessment process adopted simple and straightforward? Were there any lessons learnt that could be passed on to other agencies of government who may not have performed this task yet? Has the agency initiated a risk assessment process to assist in identifying the level of risk that exists and the cyber security controls and protection mechanisms required to achieve an acceptable level of risk?
5. How have the respective agencies assessed the security measures required to protect the integrity, confidentiality and availability of information data? Has this been performed for all information stored or processed on systems?
6. How has your agency identified the different treatments that need to be applied when dealing with hard-copy and electronic information data?
7. When performing the risk assessment, did it incorporate the development of a risk assessment policy for the whole of the organisation, and did this also apply to information security? Was the degree of risk that the organisation is prepared to accept clearly outlined?
8. How has the agency safeguarded against the risk of incorrect classification of information data? What risk procedures exist, and are they clear and concise? Has an integrated security plan been developed to ensure all sensitive information is classified and protected on an ongoing basis?
9. How does the agency deal with the risk arising from the aggregation and dissemination of information, and how may it affect potential information classification based upon sensitivity?

Whole of Government Strategic Direction
10. Has the whole of government strategic business unit provided guidance for the classifying of information data? Is it clear and concise? What is its structure, and how does this guidance occur in your organisation?

Security Documentation
11. Are there satisfactory procedures in place that ensure that all information data has been sufficiently classified, labelled and handled to comply with the requirements of the OCIO and the ISO 27001 guidelines (including labelling)? Are these formally documented and endorsed by senior management?
12. How has the agency dealt with official information and information assets that are not in the public domain?
13. Have assessments been performed to determine the consequences of damage that may arise from unauthorised compromise or misuse of information? Do you see this as an important aspect that agencies need to consider?
14. How does the agency deal with electronic and paper-based security classified documents, maps, diagrams, presentations etc.? How is sensitive information received from other organisations or individuals treated? How are these documents suitably marked?
15. How has the information data been mapped when classifying this data in accordance with the ISMF and the intended policies and procedures?
16. Has the agency taken reasonable steps to ensure that security classified information is used and stored in physical environments that provide appropriate levels of protective security? If so, how does this occur?
17. Has the agency taken appropriate steps and precautions to ensure that only people with appropriate access authorisation can gain access to security information data? If so, how was this access authorisation determined, and was this a factor of the risk assessment process?

Whole of Government Reporting
18. What is the appropriate reporting structure? Does this include the OCIO, the CEO etc.?

Project Resourcing
19. How have resources been assigned to assist in the development and implementation of classifying information data? (e.g. the IT Agency Security Advisor and who else?)

Awareness Training
20. Has the agency provided suitable awareness training to personnel who may have access to secure information data?
21. How has the agency accommodated non-government contractors who may require access to systems that may retain security information data?

ISO Certification
22. Does the agency apply caveats / exceptions on specific information? If so, how has this been determined and who has authorised it? Has the OCIO approved this action?
APPENDIX B: RESILIENCE MATURITY MODEL QUICK ASSESSMENT TOOL

Instructions: For each row / descriptor please rank your department / organisation from 1 (low) to 5 (high) and place the result in the answer cell. Refer to the Sample Sheet for a guide on how to complete the assessment tool.

Answer scale: Low 1 | 2 | 3 | 4 | 5 High

Each row pairs a Low Resilience Descriptor with the corresponding High Resilience Descriptor; the ANSWER cell is left blank for the respondent.

Behaviour: Agility / Leadership

Low Resilience Descriptors | High Resilience Descriptors | ANSWER
Reactive, maintains status quo, does not recognise need for change to normal management structures during response and recovery operations | Builds active, flexible, agile, adaptive thinking and actions during response and recovery operations |
Top down decision making | Solutions to problems encouraged at all levels in the organisation. Rapid adaptive behaviour |
Does not identify opportunity in adversity | Seeks opportunity during adversity |
Preparation for adversity seen as a waste of effort | Preparation for adversity is a priority |
Rigid teams around disciplines | Utilises teams with diverse skill sets |
Regrets and hides incidents | Capitalises on incidents |
Quickly deletes failure from corporate memory | Retains lessons from past failures for future learning |
Fearful of crisis | Empowered by crisis |
Indecision in crisis | Clear direction in crisis |
Sense of confusion and fear | Sense of hope and optimism in response and recovery |

Behaviour: Culture and Values / Communications / Integration

Low Resilience Descriptors | High Resilience Descriptors | ANSWER
Unclear objectives and goals. Different agendas | Clear objectives and goals in response and recovery |
Go it alone | Partnerships - working with others |
Low staff morale | Strategy to boost staff morale in times of adversity |
Centralised and controlled decision making | Empowered devolved decision making |
Values are not aligned and shared | Values are aligned, shared and believed |
Little unity of purpose | Strong unity of purpose |
Wary of challenge | Enthusiasm for challenge |
No understanding of social capital | Strong development of social capital |
Scared to commit | One in all in. Pull together in adversity |
Disruptions are feared | Disruptions are recognised as an opportunity for improvement and to build strengths |
Silos with little informal communication across the organisation | Diverse constant communications across the organisation |
Little communication with key internal or external stakeholders | Regular trusted communication with stakeholders |
Limited networks to tap knowledge | Extensive & established networks to acquire & refine knowledge |
Unreliable sources of information | Sentinels within organisation that act as hubs of information |
Separate silo based risk management functions | Aligned risk management objectives across functional groups |

Behaviour: Interdependency / Awareness

Low Resilience Descriptors | High Resilience Descriptors | ANSWER
Resilience governance silo based | Resilience governance strongly integrated |
Governance process focused | Governance outcome focused |
Limited communication across functions | Tightly coupled communication across all functions |
No responsibility taken for end to end process | Functions seen as integral components of the end to end process |
Significant key person dependency | Strong succession planning and redundancy |
Operates in silos hostile to each other and not used to working together | One in all in approach. Business units unite to achieve objectives in times of adversity |
Supply chain vulnerabilities unknown | Supply chain vulnerability understood and planned for |
No links to industry peers | Mutual aid plans with industry peers |
No links to key stakeholders | Trusted relationships with key stakeholders |
Regulators suspicious of organisation | Strong partnership with regulators |
Staff are not motivated to support the organisation during adversity | Staff are willing and able to support the organisation in times of adversity |
Disinterested in emerging threats | Anticipates and understands emerging threats |
Little understanding of organisational vulnerabilities and breaking points | Knows organisational vulnerabilities and breaking points |
No interest in staff vulnerability | Understands and mitigates staff vulnerability |
No interest in community vulnerability | Understands community vulnerability |

Behaviour: Change

Low Resilience Descriptors | High Resilience Descriptors | ANSWER
Limited networks to tap knowledge | Extensive & established networks to acquire & refine knowledge |
Reactive to change | Fully embraces change |
Commitment to status quo | Foresees changes and leverages opportunity |
Finds ways not to change | Commitment to the future not the past |
Change implemented carelessly | Change is managed with care and control |
Disruptions result from change | Improvements result from change |
Fear to change due to bad previous experience | Continuous change oriented |
APPENDIX C: RESEARCH PARTICIPANTS ETHICS APPLICATION
Use this consent form when taped materials, photographs or original works are to be retained.
This project has been approved by the University of South Australia’s Human Research Ethics Committee. If you have any ethical concerns about the project or questions about your rights as a participant please contact the Executive Officer of this Committee, Tel: +61 8 8302 3118; Email: Vicki.Allen@unisa.edu.au

SECTION 1: CONTACT AND PROJECT DETAILS
Researcher’s Full Name: Brenton Borgman
Contact Details: 08 8226 7933, bborgman@audit.sa.gov.au
Supervisor’s Full Name: Dr Sameera Mubarak, School of Computer and Information Science
Contact Details: 08 80325363, sameera.mubarak@unisa.edu.au
Protocol Number: 0000030364
Project Title: Cyber Security Readiness in Government through the development of an Information Security Management System and the classification of data

SECTION 2: CERTIFICATION
Participant Certification
In signing this form, I confirm that:
I have read the Participant Information Sheet and the nature and purpose of the research project has been explained to me. I understand and agree to take part.
I understand the purpose of the research project and my involvement in it.
I understand that I may withdraw from the research project at any stage and that this will not affect my status now or in the future.
I understand that while information gained during the study may be published, I will not be identified and my personal results will remain confidential. If other arrangements have been agreed in relation to identification of research participants, this point will require amendment to accurately reflect those arrangements.
I agree to maintain confidentiality of focus group discussions and preserve the identification of focus group participants.
I understand that a tape will be used to assist in the recording of discussions and will be retained by the researcher in a secure location which has limited access, as a means to protect the privacy of participants.
I understand that I will be audiotaped during the interview.
Participants under the age of 18 normally require parental consent to be involved in research. The consent form should allow for those under the age of 18 to agree to their involvement and for a parent to give consent.
Participant Signature
Printed Name
Date
Researcher Certification
I have explained the study to the subject and consider that he/she understands what is involved.
Researcher Signature
Printed Name
Date
APPENDIX D: GENERAL REQUEST FOR PARTICIPANTS IN A RESEARCH PROJECT
Dear Research Participant,
As a precursor to our meeting on xx/xx/xxxx, I have enclosed some details that will provide some
greater understanding as to the aim of the research and the need to sign a consent form as part of the
underlying ethics requirement.
Once the initial meeting has been held, I would also be seeking possible ASE involvement.
As such, I would also be seeking the ASE’s consideration to participate, but in both instances this is
voluntary.
General Overview is as follows:
To Whom It May Concern,
My name is Brenton Borgman and I am a South Australian Government employee and student with the
University of South Australia.
I am in my final year of a Masters in Cyber Assurance and Forensic Computing.
As part of my final year, I am required to write a Research Thesis.
I am seeking agency participation from within the South Australian government.
The area of interest to me centres on forensic readiness and how it is currently being addressed by the
South Australian Government.
As the South Australian Government is currently implementing the development of an information
security management system (ISMS) and the classification of data for its respective agencies, I am
focusing on this project and how it can be used to assist in mitigating insider and external threats.
I appreciate the potential sensitivity associated with this pending government initiative. I wish to
confirm that the information that is being sought is high level and generally revolves around
governance matters associated with the management of implementation of the project.
This will not involve specific computer based information of a technology nature.
To assist in preserving the integrity and confidentiality of the information provided by willing
participants, the University of South Australia, through its Human Research Ethics Committee, requires
that formal consent forms are established.
Whilst participation is voluntary and parties may withdraw at any stage, it is envisaged that the results
from the information collected could be released to participants to assist in providing future direction
as part of the ongoing agency transition to the ISMS.
The information session is anticipated to take approximately 45-60 minutes and would comprise a mix
of risk assessment and general questions revolving around data classification and your agency’s
transition towards the government’s ISMS.
For the ASE and ASA the length of the meeting could be shortened, dependent upon project
involvement.
I have enclosed a copy of the consent form, and high level participant information sheet which provide
a general overview.
Please give me a ring on Ph 82267933 if you have any queries or seek further explanation as to the
finer points of the research and the benefits that could be gained through participation.
Whilst I look forward to hearing from you on the 20 September 2012, as a formality, if you choose to
participate prior to the meeting, could you please arrange the completion and return of the respective
consent forms.
Kind Regards
ETHICS AND COMPLIANCE
The University of South Australia is bound by the Australian Code for Responsible Conduct of
Research and the National Statement on Ethical Conduct in Human Research.
Based upon the need to interact with people in the context of the study, an application was submitted
to the University’s Human Research Ethics Committee seeking their approval to engage a number of
voluntary participants in the research study. Consequently, approval was given by the committee for
the research to commence with voluntary human participants, ensuring that the insurance
surrounding the research project was in place.
As the research would involve a series of government agencies and the staff associated with
the implementation of the ISMS and classification of data, an initial meeting was held with all
participants on a one-on-one basis to highlight the intent of the research and gain their approval to
participate.
Data was collected from the participants through a number of structured interviews whereby a series of
questions were asked and the responses were recorded. Those questions are incorporated in the
interview guide and the resilience maturity model assessment tool outlined in Appendix A and B.
The documentation contained within Appendix C and D acknowledged that ethical research
requirements are to be complied with in this project and sought each participant’s personal acceptance and signature
prior to the collection of any data. A general high level overview of the research was also submitted to
each participant prior to commencement of any data collection.