Principle:
Maintain the confidentiality, integrity and availability of all agency information and systems.
2.1: Information Asset Identification and Classification
Information and data assets supporting critical processes must be identified, recorded, and classified.
Processes must be in place for labelling, storing, handling, and disposing of assets and data in alignment with their classification.
Agencies must comply with SACSF Ruling 2.1 – Offshore data storage and processing.
Tier One Requirements:
- Information assets supporting critical processes are identified and recorded in an information asset register. (Refer to SACSF Guideline 6.0 - Integrity And Availability Classification)
- Information assets are formally assigned an owner.
- Information assets are classified by the asset owner in alignment with the South Australian Information Classification System.
- Processes are documented and followed for labelling, storing, handling, and disposing of assets in alignment with their classification.
Tier Two Requirements:
As above
Tier Three Requirements:
- An effective data life cycle management strategy is in place to ensure data is classified, retained, stored, used, archived, disposed of, backed up and monitored securely in compliance with legal and regulatory requirements.
- Data life cycle management practices and processes must be clearly defined and adhered to, to ensure that information assets are managed adequately. Consider the Information Management Strategy and Standards of South Australia for further reference.
Tier Four Requirements:
As above
2.2: Incident Management
Cyber security incident response plans must be in place and aligned with an overarching incident management process to enable a consistent approach to the management of cyber security incidents.
Agencies must report to Cyber Security in the Office of the Chief Information Officer in line with the requirements of PC042 – Cyber Security Incident Management.
Tier One Requirements:
- Cyber security incident response is included in the agency’s incident management policy, documenting responsibility for cyber security incident management.
- Incident management plans and processes are socialised throughout the agency periodically, and testing of such plans is included in assurance activities.
- Post-incident review procedures are performed, and evidence relevant to cyber security incidents is recorded and retained.
- Agencies have a formalised process for reporting cyber security events and incidents to the South Australian Government Cyber Security Watch Desk. (Refer to SACSF Guideline 4.0 - Cyber Security Incident Reporting)
Tier Two Requirements:
- Response plans are developed for high impact or high likelihood cyber security risks as documented in the agency's cyber security risk register.
- Cyber security specialists are identified and obtainable for cyber security incident response through an internal capability, or arrangements with third party specialists, or through the South Australian Government Cyber Security Watch Desk.
- Post-incident review procedures are followed that include assessment of root cause, and evidence of learnings and corrective actions performed to reduce the risk of a recurrence.
Tier Three Requirements:
- Incident management plans include a set of pre-approved containment actions that agency staff and management can take in the event of a cyber incident.
- Cyber security incident management is embedded in the agency’s formal business continuity management system.
Tier Four Requirements:
All the above.
2.3: Resilience and Service Continuity
Cyber security requirements must be included as part of agency business resilience planning and incorporated into periodic business continuity and service recovery testing.
Tier One Requirements:
- Business impact assessments have been performed.
- Cyber security requirements are included in critical process continuity plans.
- IT service recovery plans aligned to the outage limits identified in the business impact assessments are in place.
- IT service recovery plans are tested periodically as part of the assurance activities performed by the agency.
Tier Two Requirements:
- A detailed business continuity plan is implemented.
- Business continuity and IT service recovery testing includes periodic testing against cyber security scenarios.
Tier Three Requirements:
As above
Tier Four Requirements:
- A formal business continuity management system is in place and includes:
  - Emergency and crisis management
  - Incident management
  - Business continuity
  - Business impact assessments
  - Disaster recovery
  - IT service recovery
- Cyber security elements of the business continuity management system are tested annually at a minimum.
2.4: Access to Information
Access to agency systems, applications and information must be based on business need, authorised by the information owner or delegated custodian and be limited to the minimum required for personnel to undertake their duties.
Secure authentication mechanisms must be in place to control access to agency systems, applications, and information.
Tier One Requirements:
Access Provisioning
- Physical or logical access to agency information assets is provided based on business need.
- The processes to provision access to systems and applications in use within the agency are documented.
Authentication and Traceability
- All users have unique accounts providing traceability of actions within critical systems and applications.
- Secure virtual private networks and multi-factor authentication (MFA) are used to remotely access the agency’s IT environment.
- Password standards (complexity, minimum length, maximum age) are documented and implemented on all systems and applications. For further guidance refer to SACSF Guideline 10.0 - Password Management.
- MFA is required to authenticate users to cloud-based solutions such as Microsoft 365.
- Where an application supports MFA, it is required for all users.
- MFA is used to authenticate customers to online customer services that process, store, or communicate sensitive customer data where available. For further guidance on MFA refer to SACSF Guideline 10.0: Password Management and SACSF Guideline 17.0 - Internet of Things (IoT) Security.
Access Reviews
- Reviews of general user access are performed at least annually for the network and all critical applications.
Termination of Access
- Terminated users’ access is revoked within defined timeframes.
Tier Two Requirements:
Authentication and Traceability
- Certificate-based authentication is implemented to identify authorised workstations connected to the agency’s network.
Tier Three Requirements:
Termination of Access
- Access of terminated personnel is revoked immediately upon departure.
Tier Four Requirements:
As above
2.5: Administrative Access
Administrative access to agency systems, applications and information must be restricted to personnel with a specific business need which is validated on a periodic basis.
Tier One Requirements:
Access Provisioning
- Users are assigned a dedicated privileged account to be used solely for tasks requiring privileged access.
- Documented policies restrict the use of privileged accounts from reading emails, accessing the internet, and obtaining files via online services.
- Local administrative privileges on workstations are removed.
Access Reviews
- Reviews of privileged user access are performed at least every six months.
Authentication and Traceability
- Privileged account actions deemed high risk by the agency are logged and monitored for unusual activity.
- Password standards (complexity, minimum length, maximum age) for privileged accounts are documented and implemented on all systems and applications. For further guidance refer to SACSF Guideline 10.0 Password Management.
Termination of Access
- Privileged access is revoked immediately once there is no longer a specific business need for it.
Tier Two Requirements:
Authentication and Traceability
- MFA is required to authenticate privileged users. For further guidance refer to SACSF Guideline 16.0 - Privileged Access Management.
Tier Three Requirements:
Access Reviews
- Privileged user access reviews are performed at least every three months.
- Technical controls are in place to restrict the use of privileged accounts from reading emails, accessing the internet, and obtaining files via online services.
Tier Four Requirements:
Access Provisioning
- A process exists such that there is formal request and approval of access associated with tasks requiring privileged actions, and privileged access is revoked upon completion of the task.
2.6: Robust ICT Systems and Operations
Standard operating procedures and technical controls must be in place to provide a consistent and secure approach to system administration, maintenance, and configuration activities.
Tier One Requirements:
Standard Operating Procedures
- Standard operating procedures have been developed for all primary cyber security functions performed by agency personnel.
Change Management
- A change management process is developed and implemented that includes:
  - Identification and documentation of changes to be made,
  - Approval required for changes to be made,
  - Implementation and testing of approved changes, and
  - Any actions to be taken before and after approved changes are made.
Backups
- Backup, restoration, and preservation strategies are developed and implemented as part of business continuity, disaster recovery and data lifecycle management.
- Backups of important information, software and configuration settings are performed at least daily and stored for at least three months.
- Backup and restoration processes are tested annually, including verification of backup integrity, so that restoration is tested against information assets, software, and configuration settings in accordance with data lifecycle management practices. Refer to 2.3 Resilience and Service Continuity (business continuity and periodic testing).
- Backups are securely stored offline, or online in a non-rewritable and non-erasable manner.
System Configuration and Hardening
- Macro settings within Microsoft Office are as follows:
  - Only signed Microsoft Office macros can execute,
  - Microsoft Office macros in documents originating from the Internet are blocked, and
  - Microsoft Office macro security settings cannot be changed by users.
- Web browsers are configured to block or disable support for Flash content, web advertisements and Java from the Internet.
- Technical controls are in place to restrict non-privileged users from installing software.
Tier Two Requirements:
Backups
- Full backup and restoration processes are tested when fundamental IT infrastructure changes occur.
System Configuration and Hardening
- Application whitelisting is implemented on all workstations and servers to restrict the execution of executables and software libraries to an approved set.
Event Logging and Monitoring
- An event logging strategy is developed and implemented covering events to be logged, logging facilities to be used, event log retention periods and how event logs will be protected.
- A centralised logging facility is implemented, and systems are configured to save event logs to the centralised logging facility as soon as possible after each event occurs.
- An accurate time source is established and used consistently across systems and network devices to assist with the correlation of events.
- Threat intelligence is integrated into event logging and monitoring systems and processes. For further guidance, refer to SACSF Guideline 15.0 Logging and Monitoring.
System Redundancy
- Redundancy is built into systems commensurate with the system availability requirements identified as part of the business impact assessments.
Tier Three Requirements:
System Configuration and Hardening
- Application control is implemented on all workstations and servers to restrict the execution of executables, software libraries, scripts, and installers to an approved set.
Tier Four Requirements:
System Configuration and Hardening
- Controls are in place to isolate critical systems.
- Critical system isolation is tested periodically.
2.7: Vulnerability Management
Security vulnerabilities in agency ICT equipment, systems and applications must be identified and managed.
Tier One Requirements:
- Security vulnerabilities in applications and operating systems are patched or mitigated within one month of release for all workstations, servers, and network devices.
- Security vulnerabilities in applications and operating systems that are assessed as critical by the vendor are patched or mitigated within 48 hours of release for all workstations, servers, and network devices.
- There is a documented process for managing the risks associated with non-vendor supported applications and operating systems where they are required for a specific purpose. For further guidance, refer to the SA Government Vulnerability Disclosure Policy.
- A mechanism is in place to ensure compliance with patching requirements. Expected patching compliance rates are documented.
- Vulnerability remediation processes align with the Change Management requirements outlined under SACSF Policy Statement 2.6: Robust ICT Systems and Operations. For further guidance, refer to SACSF Guideline 11.0 – Vulnerability Management and Patching.
- Malware detection and prevention tools are in place on workstations and servers.
Tier Two Requirements:
- A vulnerability management strategy is in place that includes:
  - Conducting vulnerability assessments and penetration tests for systems throughout their lifecycle to identify security vulnerabilities.
  - Analysing identified security vulnerabilities to determine their potential impact and appropriate mitigations or treatments based on effectiveness, cost, and existing security controls.
  - Using a risk-based approach to prioritise the implementation of identified mitigations or treatments.
  - Using threat intelligence feeds to monitor new or updated security vulnerabilities in operating systems, software and ICT equipment used by the agency as well as other elements which may adversely impact the security of a system.
- Vulnerability scanning is performed at least on a fortnightly basis to identify vulnerabilities within internet-facing services, including supporting operating systems and network devices.
- Security vulnerabilities in applications and operating systems are patched or mitigated within two weeks of release for all workstations and servers.
Tier Three Requirements:
- Patching compliance reports are generated and provided to the agency by all relevant third parties.
Tier Four Requirements:
As above
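The patching windows in 2.7 (48 hours for vendor-rated critical vulnerabilities, one month at Tier One, two weeks for workstations and servers at Tier Two) are the kind of requirement an agency has to evidence with a compliance rate, as the Tier One "mechanism ... to ensure compliance" item asks. The script below is an added example, not part of the SACSF or any agency tooling: it assesses a constructed set of patch records against those windows and computes the compliance rate for a chosen tier. It assumes "one month" means 30 days (an agency may define it as a calendar month), and the asset names and advisory identifiers are placeholders.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Remediation windows from SACSF 2.7. "One month" is taken as 30 days here,
# which is an assumption of this example, not a definition in the framework.
DEADLINES = {
    1: {"critical": timedelta(hours=48), "default": timedelta(days=30)},
    2: {"critical": timedelta(hours=48), "default": timedelta(days=14)},
}
# Tier Two's two-week window names workstations and servers only; network
# devices are read here as keeping the Tier One one-month window.
TIER_TWO_SHORTENED_CLASSES = {"workstation", "server"}


@dataclass
class PatchRecord:
    asset: str
    asset_class: str             # "workstation", "server" or "network device"
    advisory: str                # placeholder identifier, not a real advisory
    vendor_critical: bool        # vendor's own severity rating
    released: datetime           # when the fix/advisory was released
    patched: Optional[datetime]  # None = not yet patched or mitigated


def deadline_for(rec: PatchRecord, tier: int) -> datetime:
    """Deadline by which the record should be patched or mitigated."""
    if rec.vendor_critical:
        return rec.released + DEADLINES[tier]["critical"]
    if tier == 2 and rec.asset_class not in TIER_TWO_SHORTENED_CLASSES:
        return rec.released + DEADLINES[1]["default"]
    return rec.released + DEADLINES[tier]["default"]


def assess(rec: PatchRecord, tier: int, as_of: datetime) -> str:
    """'compliant' (patched in time), 'late' (patched after the deadline),
    'overdue' (unpatched and past the deadline) or 'open' (unpatched, in window)."""
    due = deadline_for(rec, tier)
    if rec.patched is None:
        return "overdue" if as_of > due else "open"
    return "compliant" if rec.patched <= due else "late"


def compliance_report(records, tier: int, as_of: datetime):
    """Per-record status plus the compliance rate over records whose window
    has closed (open items are not counted for or against the agency)."""
    statuses = {f"{r.asset}/{r.advisory}": assess(r, tier, as_of) for r in records}
    closed = [s for s in statuses.values() if s != "open"]
    rate = sum(1 for s in closed if s == "compliant") / len(closed) if closed else 1.0
    return statuses, rate


# Constructed sample inventory; every value below is made up for this example.
AS_OF = datetime(2024, 3, 1)
SAMPLE_RECORDS = [
    PatchRecord("ws-01", "workstation", "ADV-0001", True,
                datetime(2024, 2, 1, 9), datetime(2024, 2, 2, 12)),   # 27h: within 48h
    PatchRecord("srv-02", "server", "ADV-0002", True,
                datetime(2024, 2, 1, 9), datetime(2024, 2, 5)),       # 87h: misses 48h
    PatchRecord("ws-03", "workstation", "ADV-0003", False,
                datetime(2024, 2, 1), datetime(2024, 2, 20)),         # 19 days
    PatchRecord("fw-04", "network device", "ADV-0003", False,
                datetime(2024, 2, 1), datetime(2024, 2, 20)),         # 19 days
    PatchRecord("srv-05", "server", "ADV-0004", False,
                datetime(2024, 2, 25), None),                         # still in window
    PatchRecord("ws-06", "workstation", "ADV-0005", False,
                datetime(2024, 1, 10), None),                         # long overdue
]

if __name__ == "__main__":
    for tier in (1, 2):
        statuses, rate = compliance_report(SAMPLE_RECORDS, tier, AS_OF)
        print(f"Tier {tier}: compliance rate {rate:.0%}")
        for key, status in statuses.items():
            print(f"  {key}: {status}")
```

Run as written, the same 19-day fix on `ws-03` is compliant under Tier One but late under Tier Two, while the identical fix on the network device `fw-04` stays compliant at both tiers; that difference is exactly what the documented expected compliance rate has to be measured against when an agency moves up a tier.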
2.8: Network Communications
Network communications must be secured, ensuring agency information traversing internal and external networks is appropriately protected based on its classification and can only be accessed by authorised parties.
Tier One Requirements:
- The agency’s network architecture is documented showing the internal network structure with clearly defined network zones and ingress/egress points.
- Information flows associated with critical processes are documented listing:
  - The type of information,
  - The classification of the information,
  - Who the information is being exchanged with, and
  - The controls in place to protect the information.
Tier Two Requirements:
- Risk assessments are performed for all information flows associated with critical processes, and appropriate controls applied.
Tier Three Requirements:
- Network segregation is implemented through the agency’s network.
Tier Four Requirements:
- Information flow risk assessments are reviewed annually.
2.9: Secure Software Development
Procedures for secure software development must be embedded into the software development lifecycle.
Tier One Requirements:
- Software development, testing and production environments are segregated.
- Secure coding practices are documented and followed.
- Outsourced software development is supervised.
- Security functionality testing occurs throughout development and prior to implementation.
- Vulnerability assessments and penetration tests are conducted by suitably skilled personnel before systems are deployed, after significant changes have occurred, and at least annually or as specified by the system owner.
- A secure configuration process for web services is established and documented to guide the configuration and hardening of all web services. For further guidance refer to SACSF Standard 4.16 Secure Web Service Standard.
- Newly commissioned web services must maintain processes to manage the identification and reporting of vulnerabilities in alignment with the SA Government Vulnerability Disclosure Policy.
Tier Two Requirements:
- Platform-specific secure programming practices are used when developing software, including using the lowest privilege needed to achieve a task, checking return values of all system calls, and validating all inputs.
- Code reviews are performed by suitably skilled personnel prior to implementation.
- Software developers are provided additional training relating to secure software development.
- Workstations and accounts used for software development are managed in line with privileged access management procedures.
Tier Three Requirements:
As above
Tier Four Requirements:
As above
2.10: Mobile Device Management and Remote Working
Technical and procedural controls must be in place to address the risks associated with the use of mobile devices including smartphones, tablets, laptops, portable electronic devices, portable storage and other portable internet-connected devices.
Additionally, secure practices for remote working must be established and understood by agency employees, with technical controls implemented to enable secure remote access to agency information.
Agencies must comply with SACSF Ruling 3 – Tik Tok use on government devices.
Tier One Requirements:
Mobile Device Management
- Procedural controls have been established, outlining the mechanisms for protecting agency information stored on or accessed from all mobile devices, including laptops, tablets, smartphones and removable storage devices.
- Processes exist for requesting and authorising the use of personal mobile devices to access agency information such as emails.
- Passphrases and/or PIN codes are in place on laptops and mobile devices used for accessing agency information.
- Secure virtual private networks and MFA are used to remotely access the agency’s IT environment.
- MFA is required when configuring mobile devices to access agency email accounts on initial set up and each time the user’s account password is changed.
- Encryption of storage is enabled for all laptops, mobile devices, and removable storage devices.
Remote Working
- Remote working procedures are established and socialised with agency employees working offsite.
- Travel devices are provisioned to agency personnel for international travel in alignment with the risks associated with the destination country/countries. See SACSF Guideline 13.0 - Cyber security when travelling overseas.
- Technical controls are implemented to enable secure remote access to agency information assets.
Tier Two Requirements:
- A mobile device management solution is in place to ensure that appropriate controls are applied to all mobile devices, including personal phones used for work.
- Remote wipe functionality is enabled for all agency laptops and mobile devices used for work.
Tier Three Requirements:
As above
Tier Four Requirements:
As above