Introduction

The South Australian (SA) Government is responsible for a wide range of information technology infrastructure, services and systems on behalf of the citizens of SA. To maintain trust and confidence in the SA Government’s reliable delivery of services, it is critical that SA Government agencies safeguard infrastructure, digital assets and citizen information against cyber threats.

The South Australian Cyber Security Framework (SACSF) is a Cabinet approved, whole of government policy framework that leverages international best practices for risk-based cyber security management, including but not limited to:

  • The National Institute of Standards and Technology (NIST);
  • Information Security Manual (ISM); and
  • ISO/IEC 27001 and 27002.

The SACSF applies to all SA Government agencies but is not a one-size-fits-all compliance model. Instead, it emphasises cyber security as an enabler for government, promoting a risk-based approach to manage threats according to each agency’s risk appetite.

The objectives of the SACSF are to:

  • Ensure cyber security risks are managed according to a consistent and acceptable baseline requirement.
  • Provide assurance that information entrusted to the SA Government is adequately protected.
  • Maintain the confidentiality, integrity and availability of information assets in alignment with policy, legal and regulatory requirements.
  • Maintain the reputation of individual agencies and the broader SA Government.
  • Enable cyber risk management to be included in an agency’s existing risk management framework.
  • Align with internationally recognised good practice in cyber risk management.

This approach will support responsible data sharing for social change, protect the safety and prosperity of South Australians, and enhance the SA Government’s digital engagement with the community.

Scope

The SACSF applies to South Australian public sector agencies (as defined in section 3(1) of the Public Sector Act 2009) and to any other person or organisation that is generally subject to the direction of a Minister of the Crown; all of which are referred to in this policy as “Agencies”.

The SACSF has been prepared for the use of the SA Government. Reliance upon this document by any third party is entirely at its own risk and the Crown in the right of South Australia (Crown) does not represent or warrant that the content is accurate, reliable, up-to-date, complete or that the information contained in this document is suitable for any particular purpose. The Crown does not accept any responsibility, and will not be held liable, for any reliance on this document or for any loss or damage, however caused and whether in whole or in part, which may be directly or indirectly suffered as a consequence of the use of this document.

Implementation Approach

Implementing the SACSF requirements requires a program of work to put the necessary security controls in place. This section provides guidance for agencies on how to deliver an SACSF implementation.

Implementation of the SACSF follows a sequence of activities to assign program ownership, determine the appropriate risk appetite and tier, implement the SACSF security controls, and undertake annual attestations.

Figure 1: SACSF Implementation Approach.

The following details each implementation stage of the approach. For reference information and guidelines to support the implementation of the SACSF please refer to Framework Implementation.

Cyber Security Governance

The success of any organisational change program requires ownership and financial sponsorship by the senior leaders in the organisation; cyber security is no different. The first step in implementing the SACSF is nominating key individuals to take responsibility for driving security change across the agency, specifically:

  • Agency Chief Executive: ultimately accountable for the successful implementation of the SACSF requirements.
  • Cyber Security Program (CSP) Owner: responsible for the successful operation of the cyber security program.
  • Cyber Security Coordinator: responsible for driving the operations and coordination of cyber security activities.

It is expected that the CSP Owner function will be fulfilled by the Agency Security Executive (ASE) and the Cyber Security Coordinator function by the Information Technology Security Adviser (ITSA); however, this decision is to be based on the individual requirements of the agency.

Additional roles, responsibilities and team functions will be created throughout program implementation and covered in later sections. For guidance on general security roles and functions found within agencies please refer to Team Structure and Responsibilities.

Agency Risk Profiling

Cyber Security Risk Appetite

The agency Chief Executive is required to approve the cyber security risk appetite statement for their agency. This statement defines, at a high level, the amount of cyber security risk that an agency is willing to accept to achieve its objectives, and guides risk decision making.

At a minimum, it is expected that each agency defines their appetite toward cyber security risks that may impact the:

  • Health and safety of agency employees and the South Australian community.
  • Confidentiality and integrity of information held by the agency.
  • Strategic objectives of the agency.
  • Reputation of the agency with key stakeholders.

Information Asset Identification and Classification

Agencies should identify and document the information assets and critical processes that are fundamental for the agency to deliver its core function(s). This activity should create a high-level summary of the:

  • Scale and complexity of the agency’s technology environment;
  • Systems and technology considered most critical to the agency and the impact of an outage of these systems; and
  • Highest-level classification of data stored or processed by the agency.

These information assets are to be classified for confidentiality, integrity, and availability requirements, thereby providing the agency with context for their risk profile and tier selection. Refer to SACSF Guideline 6.0 - Integrity And Availability Classification.

SACSF Tier Selection

The SACSF uses a tiering model, which is based on several factors such as agency size, risk appetite, and sensitivity of data held, to determine the set of controls the agency must comply with.

Tier One is the minimum baseline tier; its baseline set of requirements must be implemented by all agencies. As the tier level increases, so do the number and complexity of the requirements, commensurate with the level of risk an agency may be exposed to.

Using the output from the Asset Identification and Classification activity above, agency Chief Executives are required to approve a tier level for their agency, taking into consideration factors such as the:

  • Cyber security risk appetite of the agency.
  • Classification of information held by the agency.
  • Criticality of services provided by the agency.
  • Agency’s size and resourcing capability.

Potential characteristics of agencies within each tier are described below. These characteristics are not definitive and should be used as a guide only. Tier selection is aimed at providing additional guidance to help agencies apply controls commensurate with the complexity and criticality of their agency.

Characteristics of a Tier One agency may include:

  • Operating a simple technology environment (e.g. single site, less than 200 staff, small number of applications)
  • Having a moderate or higher appetite for cyber security risk
  • Providing services for the State where an outage, even for an extended period, would only have a minor impact on the State (i.e. 'best effort' recovery)
  • Managing or maintaining information with a classification of Official

Characteristics of a Tier Two agency may include:

  • Operating a common use technology environment (e.g. multiple sites, less than 500 personnel, uses large or complex enterprise applications)
  • Having a moderate or lower appetite for cyber security risk
  • Providing services for the State where an outage of more than one week would result in catastrophic consequences for the State
  • Managing or maintaining information with a classification of Official

Characteristics of a Tier Three agency may include:

  • Operating a complex technology environment (e.g. multiple sites, critical legacy systems, more than 500 personnel)
  • Having a low appetite for cyber security risk
  • Providing services for the State where an outage of more than 48 hours would result in catastrophic consequences for the State
  • Providing technology services to other agencies
  • Managing or maintaining a large volume of information classified as Official: Sensitive (e.g. personally identifiable information or health records)

Characteristics of a Tier Four agency may include:

  • Operating a large, highly complex technology environment (e.g. multiple sites, large number of critical legacy systems, more than 2,000 personnel)
  • Having a very low appetite for cyber security risk
  • Providing services for the State where an outage of more than four hours would result in catastrophic consequences for the State
  • Providing technology services to other agencies
  • Managing or maintaining information with a classification of Protected or higher

Cyber Security Program Planning

Effective implementation of the SACSF requires the development of a cyber security program (CSP). The CSP aims to map out an agency’s existing cyber security posture through its gap analysis, risk assessment, strategy and/or roadmap and team structure. It helps demonstrate an agency’s ongoing commitment and approach to managing cyber security risk.

The program of work should take into consideration:

  • The strategic cyber security objectives of the agency in alignment with the SACSF.
  • The SACSF tier selected by the agency including selection justification.
  • The cyber security risk appetite of the agency.
  • The cyber security governance model to be used by the agency including the key cyber security responsibilities of functions within the agency.
  • The scope, boundaries and exclusions of the CSP.
  • The interested parties (i.e. stakeholders) that require the agency to implement robust cyber security controls.
  • Applicable legal, regulatory, and contractual requirements of the agency.

Gap Analysis

Agencies, upon selecting their tier, should perform a gap analysis of their control environment against the requirements of the SACSF. This analysis can be guided by leveraging the Implementation Toolkit to identify the degree to which the agency has met each of the requirements of the framework. Furthermore, the Implementation Toolkit provides mapping between the SACSF and industry standard security frameworks for ease of control identification.

As a result of the gap analysis performed, agencies will have a greater understanding of where their cyber security program should focus its attention to remediate any control gaps. This also gives agencies the opportunity to identify where there may be compensating controls to be assessed as part of their risk assessment.

Risk Assessment

To develop the CSP, a whole of agency risk assessment should be conducted systematically, iteratively, and collaboratively, drawing on the knowledge and views of employees throughout the agency. The gap analysis, information asset classification and agency’s risk appetite should all be considered as part of the risk assessment.

Cyber security is founded on risk management. Agencies must manage risks to reduce their likelihood and/or mitigate their business consequences, balancing the cost of security controls against the outcomes they deliver. Absolute security is unaffordable, often unachievable, and may impede business objectives and/or efficiencies.

Agencies are required to integrate cyber security risk management with their organisation’s risk management framework and in consideration of identified gaps or known agency risk. Agencies are to identify and evaluate their cyber security risks and determine the required risk treatment activities in line with business requirements. Where compensating controls have been applied, agencies need to be able to justify an appropriate level of risk mitigation.

Through the risk assessment process, agencies should therefore be able to identify high risk gaps that will inform where their cyber security program should initially focus. As agencies mature their cyber risk assessment procedures, risk assessments may evolve to focus on individual systems that aggregate to a whole of agency view.

Agency Strategy and Roadmap

Agencies should develop a strategy and/or implementation roadmap. This should include the gaps identified as part of their risk assessment and prioritise organisational requirements by risk. The strategy and roadmap should be pragmatic and achievable.

Team Structure and Responsibilities

The CSP must outline the relevant cyber security roles, responsibilities and functions the agency requires to deliver their CSP and be compliant with the SACSF. The size and capability of the agency’s cyber security practice will depend on several factors:

  • The agency’s size, SACSF tier and risk appetite;
  • The level of risk exposure identified by the risk assessment, and therefore the size of the CSP and volume of uplift activities required; and
  • The agency’s position within an established SA Government portfolio and subsequent access to portfolio security services.

For guidance on general roles and functions refer to Team Structure and Responsibilities.

Cyber Security Operations

As part of an agency’s cyber security operations, a cyber security calendar (also referred to as an information security calendar, information assurance calendar or similar) should be developed to support the cyber security work program and track key initiatives and ongoing operational tasks. This calendar will form a key component of the agency’s annual attestation of their current alignment to the SACSF.

Implementation

To assist with implementation of the SACSF, the Office of the Chief Information Officer (OCIO) has developed a suite of tools, templates, and guidance that agencies can refer to as needed. This includes:

Agencies should use their cyber security strategy roadmap to measure and report progress on the implementation of their work program to relevant agency governance bodies.

Annual Attestation

Each agency is to provide an annual attestation to the Department of Treasury and Finance (DTF) which details its current state of alignment to the SACSF, together with the plan to meet or maintain alignment to the requirements of the agency's selected tier level. Where agencies have implemented compensating controls in place of SACSF requirements, agencies must include these as part of their attestation.

It is expected that the attestation will be endorsed by the agency security committee, reviewed by senior leadership, and approved by the Chief Executive; however, this may vary based on agency governance structures.

The purpose of each annual attestation is to demonstrate continuous improvement of an agency’s cyber security posture and provide comfort over effective management of cyber security controls.

Team Structure and Responsibilities

Cabinet

Cabinet is responsible for:

  • Approval of the SACSF and any updates to the principles or policy statements.
  • Noting the annual SACSF attestation report.

Senior Leadership Committee

Senior Leadership Committee (SLC) is responsible for:

  • Noting and endorsing the agency tier selection.
  • Noting the SACSF and approving its submission to Cabinet.
  • Noting the annual SACSF attestation report and approving its submission to Cabinet.
  • Driving collaborative cyber security activities within agencies and between agencies.
  • Fostering a culture to continuously improve the cyber security posture of agencies.

Chief Information Officer Steering Committee

The whole of SA Government Chief Information Officer (CIO) Steering Committee is responsible for:

  • Endorsing the SACSF.
  • Noting the annual review of the SACSF and any subordinate documentation.
  • Noting the annual SACSF attestation report and approving its submission to the SLC.
  • Noting agency tier selection.

SA Government Cyber Security Advisory Group

The SA Government Cyber Security Advisory Group is responsible for:

  • Overseeing the annual review of the SACSF and any subordinate documentation.
  • Noting the annual SACSF attestation report.

Office of the Chief Information Officer, Department of Treasury and Finance

The OCIO in the DTF is responsible for:

  • Maintaining the SACSF and administering the SACSF attestation process.
  • Providing expertise and guidance to agencies regarding implementation of the SACSF.
  • Ensuring a consistent approach to the implementation of the SACSF.

Agency Chief Executives

The agency Chief Executive (or equivalent) is ultimately accountable for the successful operation of the agency’s CSP. The Chief Executive is accountable for:

  • Definition of the agency’s cyber security risk appetite.
  • Selection of the agency’s SACSF tier level.
  • Assigning ownership of the agency’s CSP.
  • Reviewing and approving the SACSF attestation.
  • Assigning suitable and sufficient cyber security resources.

Agency Senior Leadership

Senior leadership comprising the agency’s executive leadership team or equivalent is responsible for providing support and resources for the CSP and championing organisational commitment to improving the cyber security culture of the agency.

Cyber Security Program Owner

The CSP Owner is responsible for the successful operation of the CSP and is expected to:

  • Provide CSP visibility as required to senior leadership.
  • Monitor and report to senior leadership on the effectiveness of the CSP.
  • Facilitate the provision of adequate training to ensure sound cyber security practices are understood by all employees and effective cyber security controls are implemented.
  • Review and approve agency security committee recommendations on major security incidents, risks and risk treatment plans, adequacy of response and controls, security audits, and corrective actions and improvements taken.
  • Review and approve core cyber security documentation and artefacts.

Note: It is expected that the CSP Owner function will be fulfilled by the Agency Security Executive (ASE); however, this decision is to be based on the individual requirements of the agency.

Cyber Security Program Coordinator

The CSP Coordinator is responsible for the operations of the CSP and coordination of cyber security activities including:

  • Responding to the direction of the CSP Owner.
  • Organising and chairing the agency security committee.
  • Ensuring the activities documented in the cyber security calendar are scheduled, updated and performed.
  • Escalating any issues, as necessary, to the CSP Owner.
  • Monitoring cyber security incident investigations and corrective actions.
  • Highlighting major cyber security incidents to the agency security committee.
  • Ensuring operational cyber security activities are performed.
  • Coordinating with external security vendors and specialists for expert advice.
  • Reporting on various aspects of the CSP including security metrics, outstanding issues, and progress of the actions in risk treatment plans.

Note: It is expected that the CSP Coordinator function will be fulfilled by the agency Information Technology Security Adviser (ITSA); however, this decision is to be based on the individual requirements of the agency. Refer to SACSF Guideline 5.0 ITSA Role And Responsibilities.

Agency Security Committee

The role of the agency security committee is to act as the coordinator and adviser for all cyber security aspects in relation to the scope of the CSP, including:

  • Responding to the direction of the CSP Owner.
  • Ensuring the development and maintenance of, and adherence to, the agency’s policies, procedures, work instructions and other operational documents to ensure compliance with the CSP.
  • Reviewing security weaknesses and facilitating improvements to remediate cyber security risks identified by the agency risk management processes.
  • Monitoring changes to services or deliverables for interested parties and reassessing any associated risks.
  • Reviewing outcomes from cyber security incidents and associated corrective actions and improvements.
  • Evaluating the results of internal and external audits and facilitating the required remedial actions.
  • Communicating and providing guidance on implementation of cyber security policies, procedures, and other operational documents.

Membership may change based on operational requirements, and support and advisory groups can be invited as needed to attend agency security committee meetings.

Note: It is expected that the composition of the agency security committee will be based on the individual requirements of the agency (e.g. an agency may have an existing governance committee in place that could consider security as part of its regular meetings).