Transcript Cyber Security Readiness in Government Through the Development

By Brenton Borgman
Presentation in Partial fulfilment of the requirements for the
Masters of Forensic Computing and Cyber Assurance
University of South Australia
October 2012
Purpose
 Research seek to confirm that key state government strategy for the
protection of data is suitably implemented.
 Aims to determine the adequacy of the agency procedures being adopted
for the development of the Information Security Management System
(ISMS).
 Seeks to align this South Australian initiative with Commonwealth,
Other State Jurisdiction Governments and International Standards.
Rational
 Information communication technology (ICT) underpins many of the
South Australian Government’s services.
 Technology continues to progress and as such enables the threat of
cyber breaches to escalate.
 South
Australian government needs to better safeguard the
information retained on behalf of the south Australian community
through a standardised security management framework.
Background – SA Government Information
Security Management Framework (ISMF)
ISMF Development
Intent
2003
ISMF initially established to assist government
agencies in implementing a set of policies,
standards, guidelines and control mechanisms
Framework was not mandated but rather
recommended and as such was not fully
embraced by all government agencies
2008
ISMF upgraded as a means to assist in
establishing a set of minimum government
information security standards that applied
additional guidance and best practices
Framework was again not mandated
2010
ISMF update aimed to align closely with the ISO
27001 for Information Security Management
System (ISMS)
Framework required agency to implement
whatever control measures necessary to provide
adequate protection for its information and
associated assets.
2011
ISMF aimed to establish a set of guidelines with
an emphasis on risk management policies and
selective cyber security controls
Agency further required to provide assurance
that assets are suitably protected. The
development of an ISMS was mandated.
Information Security Management System Overview
Research Questions
• “Does the ISMS framework established by the South Australian
Government, provide adequate direction to government agencies to
implement mechanisms that will sufficiently align / comply with the
ISO 27001 in order that retained information data is satisfactorily
classified and safeguarded?”
• Through the use of a risk assessment tool developed by the Trusted
Information Sharing Network (TISN), assess the level of resilience that
agencies presently maintain in order to mitigate potential risk specific
to confidentiality, integrity and availability.
Methodology Approach
 General Research Study Approach
 Literature Review
 Review Interstate Government Jurisdiction ISMS Experiences
 Case Study
Questionnaire
 Resilience Maturity Model Assessment Tool
 Other Exploratory Considerations
 Evaluation

Preliminary Inter-jurisdiction Findings
Observations collected from an series of Interstate and Commonwealth
Government Audit Offices reports acknowledged:
 A general lack of self-awareness and information security training
 Inadequacy in information security policies and procedures
 Inability to assess the level of assurance and confidentiality relating to
sensitive information
 Lack of monitoring of agencies progress towards compliance and
certification
 Lack of clear and concise ICT strategy direction and strong senior
management commitment and leadership
 Lack of consistent and coordinated information security practices
specific to key security infrastructure
 A need for the development and ongoing management of robust risk
based practices.
Sample Data
 11 South Australian Government Agencies were interviewed using a set
questionnaire and also got participants to complete a resilience maturity
assessment.
 Data were stratified into three segments based upon their involvement in
the ISMS project.
 Whole of Government strategic analysts
 Agency Security Executive
 Information Technology Security Advisors
 In total 18 interviews were undertaken across the three segments within
government.
General Case Study Questionnaire
General questionnaire contained 20 questions covering:
 ISMS
 General Governance
 Risk
 Whole of Government Guidance
 Documentation
 Whole of Government Reporting
 Resourcing
 Awareness
 Certification
Resilience Assessment
Resilience Maturity Assessment considered:
 Agility
 Leadership
 Culture and Value
 Communications
 Integration
 Interdependency
 Awareness
 Change
Research Analysis Findings - Strengths
 ISMS
integrates asset identification, risk management security control
documentation and data classification
 ISMS based on a gradual implementation approach which underpins key
directional agency guidelines and available awareness training
 Encourage continual improvement and monitoring of security controls
 Aim to integrate with South Australian Government protective security
framework and international standards
 Encourage state government agency ownership and reflect on degree of data
sensitivity under their stewardship
 Reaffirm law and legislative requirements that agencies of government should
consider as part of the implementation of the ISMS
 Regular agency supported forums undertaken to exchange thoughts on areas that
prohibit or hinder the implementation of the ISMS
 Attempt to leverage from lessons learnt from ISMS initiates based in other state
government jurisdictions
Research Analysis Findings-Weaknesses
 By enhancing ISMF versions agencies are forced to assess and realign prior
work undertaken to ensure that it remains relevant and effective.
 Senior agency management and associated project personnel need to
increase the level of engagement and internal reporting associated with
this project.
 Level of risk based assessments, classification of data and security
documentation is not sufficiently prescriptive and lacks standardised
which may lead to varying interpretations.
 Level of critical security documentation is in need of updating
 No clear and concise central leadership or direction / guidance exists at a
whole of government level.
Research Analysis Findings-Weaknesses (conti)
 No ongoing monitoring at a WOG level to determine and assess the level
of progress regarding this mandated government project.
 Limited agency resources have been assigned for the effective and efficient
completion of this mandated project.
 Uncertainty surrounds that adequacy and implementation / use of key
projects documentation such as statement of applicability tool and
classification of data schema
 Whilst each agency was assigned a ASE and ITSA to assist in the
management of the project, with staff movements within government
some of project roles have been left un attended for extended periods of
time (e.g. greater than 6 months)
Research Analysis Findings-Weaknesses (conti)
 Limited inter agency exchange of lessons learnt during the course of the
project.
 No mechanism in place to reaffirm to data business owners the
significance of data sensitivity and consequences of a breach.
 Awareness training is being developed in a reactive fashion and as key
milestones loom.
 Agencies are yet to establish at a IT strategic level whether the ISMS
initiative will attain certification.
Resilience Maturity Assessment
The resilience maturity assessment model focused on the following
characteristics - agility, leadership, culture and values, communication,
integration, interdependency and awareness.
Completion of the resilience maturity assessment model has identified
certain key outrider results.
These areas of variation could be attributed to the varying degree of
maturity associated with the transitioning to the ISMS across state
government agencies.
Research participants resilience maturity
assessment data
Resilience Maturity Assessment Findings
While agencies are at differing stages of the projects life cycle, this could
contribute to the variances of the previous table.
Resilience findings could be attributed to:
 Limited senior management and whole of government activity may affect an
agencies agility, leadership, culture and communications.
 Inadequate communications and general project awareness may restrict an
agencies ability to effectively interpret processes involved in the integration,
interdependency and overall awareness of business units and agencies
within Government.
Combined Summary of the Research Findings
 Lack of monitoring of agencies project progress at a whole of government level
 Increase senior management engagement and internal reporting mechanisms
associated with the project
 Inadequate clear and concise strategic and senior management direction and
leadership
 Failure to replace key project personnel at a agencies level in a timely manner
when staff transfer or leave specific agency of government
 Develop and management of robust risk based practices, classification of data
and security documentation is not standardised across agencies
 Inadequate assurance and confidentiality of sensitive data continues
 Level of awareness and training has not reduced degree of uncertainty in the
completion and use of specific project tools (e.g. Statement of Applicability)
Recommendation
 Lessons learnt from prior other governmental reports should be reviewed to
confirm whether they could be of assistance in progressing the ISMS
project in a effective and efficient manner.
 Whilst CEO’s of agencies acts as the data owner, there is also an onus upon
senior management at the State Government and agency to ensure that
adequate clear and concise direction and support is available to agencies.
 The state government needs to increase the level of monitoring of the
progress of the mandated government initiative.
 Whilst general guidelines have been initiated, consideration to developing
either a standard set of documents or templates covering risk, detailed
classification of sensitive data and procedural content would assist in
reducing the potential for interpretation and increase overall prescriptive
coverage specific to the target area and acknowledging risk and ownership.
 Government should re-acquaint itself with concerns raised from agencies
security feedback forums to assist in identifying general areas where
awareness training covering both multiple levels throughout an agency as
well as general security control considerations.
What I learned
This thesis has reconfirmed a number of important elements:
 Communication
 Planning
 Awareness
 Interpretation
Finally it would be remiss of me to not acknowledge that some of the
above elements are also areas that I too need to address.
References
















ABC News – PM Transcript, 2006, Defence Department review ordered after KOVCO disc left at airport, 2006, viewed 18 May
2006,<http://www.abc.net.au/pm/content/2006/s1642048.htm>
ABC News, 2009, Missing RAH Files Reported to Police, 2009, viewed 18 June 2009, <http://www.abc.net.au/news/2009-06-18/missing-rah-files-reportedto-police/1324758>
Auditor-General of Queensland, 2011, Information Systems Governance and Security, report to Parliament No.4, 2011, viewed 20 May 2012,
<www.qao.qld.gov.au/auditor_general_reports/2011_Report_No.4.pdf>
Australian Standards, 2004, HB 231: 2004 – Information security risk management guidelines
Etges, R. & McNeil, K. (2009) Understanding data classification based on business and security requirements, ISACA Journal Online
Gershon, P., 2008, Review of the Australian Government’s Use of Information and Communication Technology, August 2008,
http://www.finance.gov.au/publications/ict-review/index.html
Government of South Australia, 2012, Government framework on cyber security - OCIO Information Security Management Framework version 3.1,
February 2012
Government of South Australia – OCIO ISMF Guideline 10 – Transition guidance for agencies and suppliers, February 2012
International Organisation for Standardisation, 2005, Information technology -- Security techniques -- Information security management systems –
Requirements, 2007, viewed April 2012, < http://www.iso.org/iso/catalogue_detail?csnumber=42103>
Kaplan, B., & Maxwell, J A., 2005, Qualitative Research Methods for Evaluating Computer Information Systems, SpringerLink, Part I, 30-55, DOI:
10.1007/0-387-30329-4_2 <www.libreriafarmaceutica.com/cover.../4/.../9780387245584-c1.pdf>
New South Wales Auditor-General’s report, 2010, Electronic information security, October 2011, viewed 20 May 2012,
<www.audit.nsw.gov.au/207_Electronic_Information_Security.pdf>
Victorian Auditor-General, 2009, Maintaining the Integrity and Confidentiality of Personal Information, November 2009, viewed 20 May 2012,
<www.audit.vic.gov.au/reports__publications/reports_by_year/200910/20092511_personal_data.pdf>
Western Australian Auditor General’s, 2011, Information Systems Audit Report, Report 4, June 2011, viewed 20 May 2012
<www.audit.wa.gov.au/reports/pdfreports/report2011_04.pdf>
ZDNET Australia, 2012, Vic report exposes Govt. data breaches, viewed 30/4/2012, http://www.zdnet.com.au/vic-report-exposes-govt-data-breaches339299715.htm
Yin, R K., 2003, Case Study Research – Design and Methods, Sage Publications, Inc. Thousand Oaks California.
Gillham B., 2000, Case Study – Research Methods, British Library Cataloguing-in-Publication Data, Suffolk, England