Purpose

This ruling provides a direction to South Australian (SA) Government agencies under SACSF Policy Statement 2.1 Information Asset Identification and Classification on the storage and processing of SA Government electronic information (data) offshore.

Scope

A SACSF Ruling is a mandatory application of a SACSF Policy Statement. Ruling 2.1 relates to the following SACSF Policy Statement:

Agencies must comply with SACSF Ruling 2.1 – Offshore data storage and processing.

The South Australian Government does not provide cyber security policy requirements for handling national security information, or information or systems that are classified SECRET or TOP SECRET. Agencies that need to handle this classification of information or systems should refer to the Australian Government Protective Security Policy Framework (PSPF), and the Information Security Manual (ISM).

Implementation

Agencies must implement processes to support the application of this ruling to all new ICT arrangements by 1 January 2025. Agencies must also apply this ruling to existing ICT arrangements at contract renewal or extension from 1 January 2025.

Rulings

South Australian Government information with a confidentiality classification of OFFICIAL: Sensitive or PROTECTED, or an Integrity or Availability classification of ABSOLUTE, may only be stored or processed offshore in ICT arrangements subject to:

  • a risk assessment being undertaken that considers the confidentiality, integrity and availability business impacts and security threats
  • the Accountable Authority for the agency documenting their acceptance of the risk assessment.

Where the data to be stored or processed offshore belongs to 2 or more government agencies, the agency that is responsible for the data must seek acceptance of the risk assessment from each impacted Accountable Authority prior to locating the data offshore. This is because different agencies may have different risk appetites, or legislative requirements, concerning the management of the data.

The Office of the Chief Information Officer recommends that agencies process and store OFFICIAL: Sensitive and PROTECTED data in Australia, as data storage and processing facilities located in Australia are more likely to align to South Australian standards and legal obligations. It is recommended that agencies also consider if service providers are owned and based in Australia, as Australian-owned companies are less susceptible to extra-jurisdictional control and foreign interference.

When conducting a risk assessment on offshoring the storage or processing of data, agencies should consider the following:

  • if the data or system supports a service that is critical to the government or community wellbeing
  • the impact of laws in the hosting country on data confidentiality and integrity
  • foreign ownership, foreign interference and extrajudicial control over the data holdings
  • if privacy legislation aligns to Australian legislation and South Australian privacy policy
  • difficulties in reporting breaches of privacy and security requirements
  • ability to detect and respond to cyber security incidents
  • unauthorised access to data
  • ability to vet staff located offshore with access to data
  • ability to comply with legislation specific to the data or service
  • maintaining ownership of the data
  • resilience of the storage or processing facilities and connectivity
  • ability to audit security controls and contractual compliance
  • failure to comply with the State Records Act 1997.

Roles and responsibilities

Agency chief executives:
Responsible for the effective implementation of, and compliance with, this ruling within their agency.

Agency executives, directors and managers:
Responsible for ensuring the ruling is implemented and observed by staff.
Required to be consulted on and make informed, risk-based decisions on any requests for storing agency data offshore.

Agency security executives:
Responsible for ensuring that the ruling is implemented within the agency and that business processes support the ruling requirements.

Agency IT security advisor:
Responsible for providing advice on application of this ruling within the agency environment, and for providing advice on the risks to agency information and services.

Definitions

Offshore:
In a country other than Australia.

ICT arrangements:
Includes: cloud services, data processing, back-up or log storage, system monitoring, remote ICT support and maintenance (if accessing data), managed services, network services.