Glossary

This glossary includes terms and definitions used across the South Australian Protective Security Framework (SAPSF), the South Australian Cyber Security Framework (SACSF), and the supporting documents available on this website.

Accountable authority
The person or group of persons responsible for, and with control over, the agency’s operations.

Accountable material
Information which requires the strictest control over its access and movement.

Accreditation
The process of compiling and reviewing all applicable certifications and other deliverables to determine and accept the residual security risks.

Adversary
A party with interests counter to your own (e.g., foreign government, criminal element).

Agency
South Australian public sector agencies (as defined in section 3(1) of the Public Sector Act 2009) and any other person or organisation that is generally subject to the direction of a Minister of the Crown; all of which are referred to as 'Agencies'.

Agency governance framework
The management structure used by the agency. Security management will be embedded within the overall governance framework.
Governance may be further described as: the decision-making processes that define requirements, grant power, or verify performance. It consists either of a separate process or of a specific part of management or leadership processes.

Agency security committee
A management group that acts as the coordinator and adviser for all security aspects in relation to the scope of the agency’s Cyber Security Program and/or Security Plan.

Agency Security Executive (ASE)
An accountable leader responsible for directing protective information security and for empowering the agency to maintain a strong cyber security governance posture. The ASE may appoint security advisers to advise on and support the delivery of security outcomes, including sound information and communication technology (ICT) policies and procedures.

Applicant(s)
The person or persons seeking employment with an agency.

Attestation
A declaration attesting to the truth of something.

Authorised vetting agency
Either the Australian Government Security Vetting Agency (AGSVA) or another agency that has been authorised by AGSVA to undertake security vetting for its employees.

Availability
Allowing authorised persons to access information for authorised purposes at the time they need to do so.

Biometrics
The technical term for body measurements and calculations – it refers to related human characteristics.

Bot
An automated piece of software designed to perform a certain task, often imitating or replacing a real person’s user behaviour.

Business impact
The assessed impact upon business (individual, agency, or government) operations from compromise of the information.

Caveat
A warning that the information contained has special protections in addition to those indicated by the classification.

Certification
The process by which an accredited certifying body issues a certificate of conformance to a given standard to an individual or organisation.

Classification
The process by which information assets are labelled according to their business importance and sensitivity. Classification markings are used to indicate the value of the information.

Clearance sponsor
Refers to the agency or entity who sponsors a security clearance on behalf of the applicant. Security clearances are only valid with a valid sponsor. The Department of the Premier and Cabinet sponsors all SA Government security clearances and South Australia Police (SAPOL) is an authorised vetting agency and clearance sponsor of SAPOL employees for NV1 and NV2 level security clearances.

Commencement
The point in time when a person begins in a new role or changes duties.

Compromise
Includes, but is not limited to, loss, misuse, interference, unauthorised access, unauthorised modification and unauthorised disclosure.

Confidentiality
Limiting of access to information to authorised persons for approved purposes.

Consequence
The resulting effects that compromise of information could be expected to cause (commensurate with ‘damage’ or ‘business impact’).

Container
Physical container (such as a lockable cabinet or safe) used to store official information, most notably for sensitive and security classified information.

Contract
A formal and legally binding agreement that sets out the terms and conditions for the provision of goods or services by an external entity or third party to a South Australian Government agency, including how the information is to be used and what protections must be applied (same as service agreement).

Contractor
The external or third party contracted to provide services to an agency (same as service provider and supplier; for the purposes of this policy, includes subcontractors).

Critical infrastructure
Those physical facilities, systems, assets, supply chains, information technologies and communication networks which, if destroyed, degraded, compromised or rendered unavailable for an extended period, would significantly impact the social or economic wellbeing of South Australia as a State or affect South Australia’s ability to support the conduct of national defence and ensure national security.

Critical process continuity plan
Documented work-around plans for maintaining critical processes during a period of disruption.

Critical processes
Agency processes that, if not performed, would result in the highest level of risk to the agency. This could include meeting critical needs of the agency or satisfying mandatory regulations and requirements.

Critical Service
Services that, if compromised, would result in significant damage to the physical, social, or economic wellbeing of the State. Critical services are not typically ICT services; they are services that an agency delivers to the community on behalf of the State.

Cyber Security
Measures relating to the confidentiality, availability and integrity of information that is processed, stored, and communicated by electronic or similar means (synonymous with ICT Security).

Cyber security program funding model
The combination of capital expenditure (CAPEX) during implementation of cyber security tasks and ongoing operational expenditure (OPEX) for ongoing maintenance and support.

Damage
The resulting effects that compromise of information could be expected to cause (see business impact).

Declassification
The process of reducing information to OFFICIAL (an unclassified state) when it no longer requires the access, handling and storage protections of a security classification.

Eligibility
Where the individual has the right to work in Australia, either as a citizen, or holding a valid work visa.

Encryption
A process, which may be irreversible, of transforming information, particularly data, into an unintelligible form.

Exemption
Approval for exclusion from the implementation or use of a mandated document outlined in the South Australian Cyber Security Framework (SACSF).

Extreme vulnerability
A security vulnerability that could facilitate remote code execution, or that could impact critical business systems, or for which an exploit exists in the public domain and is being actively used, and/or where the affected system is internet-connected with no mitigating controls in place.

Foreign actor
A person, group of people, company, agent, or government of a country other than Australia.

Framework
A basic conceptual structure used to solve or address complex issues.

Function
The purpose or role an agency undertakes on behalf of the Government of South Australia.

Governance
System of decision-making, directing and controlling, through rules, relationships, policies, standards, systems, and processes.

Guideline
Additional, detailed advice on how to apply a policy. A statement of desired, good, or best practice.

Guidance
See Guideline.

Handling
Any processes for accessing, transmitting, transferring, storing, or disposing of official information.

Harm
To cause injury or damage, either physically or psychologically, to another person or group of people.

ICT
Information and Communication Technology.

Identity
Who a person is, or the qualities or details that make them unique from others.

Incident
Any event which is not part of the standard operation of a service, and which causes or may cause an interruption to, or a reduction in, the quality of that service and/or loss or corruption of information, resulting in a breach of privacy or security.

Information assets
Any information or asset supporting the use of the information that has value to the agency, such as collections of data, processes, ICT, people, and physical documents.

Information custodian
The individual or group assigned responsibility for managing a set of information.

Information owner
The individual or group responsible and accountable for a set of information. The information owner may, at their discretion, assign responsibility for management of the information to another person or group, also known as an information custodian.

Insider threat
The risk posed to an agency from deliberate or accidental compromise to information and resources from employees or service providers (including contractors).

Integrity
Assurance that information has been created, amended, or deleted only by the intended authorised means and is correct and valid.

IT service recovery plan
A documented plan for restoring IT services following a disruption.

Information Technology Security Adviser (ITSA)
ITSA is a role appointed by an agency or organisation to manage the security of information and ICT systems. SACSF G5.0 Guideline on ITSA role and responsibilities provides information about this role, including guidance on the selection of suitable persons to fill the role.

Legacy System
An Information Technology product (i.e. hardware, software, services, protocols and/or system) is considered ‘legacy’ when it meets one or more of the criteria in both Category A and Category B below:

  • Category A
    • Out of support and extended support from the manufacturer, vendor, or developer.
    • Considered an end-of-life product, or
  • Category B
    • Impractical to update or support within the agency, or
    • No longer cost effective, or
    • Considered to be above the current acceptable risk threshold, or
    • Offers diminishing business utility, or
    • Prevents or obstructs fulfilment of the agency’s IT strategies.

Likelihood
The chance of the risk event occurring.

Malicious insider
An employee, former employee, contractor, or business associate with legitimate access to an agency system or data, who uses that access to steal or destroy data or sabotage systems. Knowledge of a malicious insider must be reported to the appropriate authorities.

Malware
Malicious software.

Metadata
Refers to a set of data about other data.

Misconduct
A breach of a disciplinary provision of the public sector code of conduct while in employment as a public sector employee, or other misconduct while in employment as a public sector employee.

Mobile device
Mobile phones, smartphones, tablets, laptops, portable electronic devices, portable storage, and other portable internet-connected devices.

Multi-factor
A method of authentication using separate mutually dependent credentials, typically ‘something you have’ and ‘something you know’.

Official information
All information created, sent, and received as part of work of the South Australian Government.

Ongoing assessment
Describes the processes and procedures for collecting and assessing information for the purposes of determining the suitability of an agency’s employees to maintain access to South Australian Government information and resources.

Online customer services
Online customer services are a subset of online services that are designed specifically for interaction between organisations and their customers. For example, the mySAGOV web portal and app.

Online services
Services accessed by users over the internet (also known as internet-facing services).

Originator
Agency or individual that initially generated and/or is responsible for the information (also owner).

Periodic (periodically)
An event or action that must occur at prescribed intervals.

Policy
A statement of principles and/or values that mandate or constrain the performance of activities used in achieving institutional goals.

Portable device (electronic, storage and/or internet-connected portable device)
A small, lightweight, portable, easy-to-use device capable of storing and transferring large volumes of data.

Position of trust
Any position or role within the agency that has heightened levels of access to sensitive information or otherwise has an increased risk profile; also, a position identified by the agency as requiring additional screening or other pre-employment measures according to the duties the role is required to perform.

Procurement
The process of finding and agreeing to terms for the provision of goods and services.

Protection
The treatments, mitigations or controls implemented to prevent or minimise the likelihood of compromise to an agency’s people, information, or assets.

Protective marking
Identifies the level of classification and any other handling instructions or protections the information requires.

Ransomware
A type of malware designed to deny access to a computer system or data until a ransom is paid.

Reclassification
The administrative decision to change the security classification of information based on a reassessment of the potential impacts of its compromise.

Regular (regularly)
An event or action that should occur at consistent intervals and is typically determined by Standard Operating Procedures or a Security Calendar.

Resources
An agency’s people, information, and assets.

Risk appetite
The level of risk the agency is willing to accept. Agencies will need to define what level of management response is required for each risk level, for example:

  • Extreme/High Risk – Senior leadership response.
  • Moderate Risk – Agency Security Committee response.
  • Low Risk – Security management response.

Risk capacity
The maximum amount of risk (boundary) the agency can take and remain operational.

Risk Profile
An outline of the risks to which an organisation, or business unit within an organisation, is exposed. Most risk profiles identify specific risks, associated mitigation strategies and an overall assessment or grading of each risk.

Risk tolerance
The level of risk an agency is comfortable taking after risk treatments have been applied to achieve an objective or manage a security risk.

Risk treatment
Considered, coordinated and efficient actions and resources that mitigate or lessen the likelihood or negative consequences of a security risk.

Risk-based approach
Identifying and understanding the highest areas of risk and taking the appropriate mitigation measures in accordance with the level of risk.

Ruling
A specific application of security policy that must be adhered to by all agencies.

Screening
The processes associated with investigating the background of potential employees to determine their suitability to hold a position and undertake its responsibilities.

Security advisers
Employees appointed within an agency to undertake specific responsibilities for security, such as Agency Security Advisors (ASA) and Information Technology Security Advisors (ITSA).

Security assessor
Reviews the system architecture, including security documentation, and assesses the implementation and effectiveness of security controls; typically an Information Security Registered Assessors Program (IRAP) assessor or entity personnel with the appropriate capability.

Security classified
Indicates the information holds a classification of PROTECTED, SECRET or TOP SECRET and must be protected against compromise. Access to the information must be controlled and limited to appropriately security-cleared staff.

Security domains
The areas to which protective security requirements apply: governance, information, personnel, physical and cyber.

Security maturity
A measure of an agency’s security position within its risk environment and risk tolerances, while acknowledging progression toward security outcomes.

Security plan
The means by which an agency articulates how its security risks have been identified and prioritised, and how they will be managed in line with the agency’s objectives.

Security risk
Something that can result in compromise, loss, unavailability, or damage to an agency’s resources, including causing harm to people.

Security zone
A scalable physical security measure to protect the resources or assets within an agency’s facilities.

Senior leadership
Generic term that may encompass the Agency Board, Senior Executive Members, Chief Executive, Agency Security Executive or equivalent.

Social engineering
Deceiving or manipulating people into divulging confidential or personal information that may be used for fraudulent purposes.

Standard
A formal document that establishes uniform criteria, methods, protocols, processes, and practices to meet policy requirements.

Strategy
A long-term plan of action designed to achieve a particular goal.

Supplier
Suppliers are defined as any individual, contractor, business partner, or agent not directly employed by a South Australian Government agency.

Supplier access
Supplier access is defined as any local or remote access made by a supplier to Government IT assets. In terms of arrangements with suppliers, the scope extends to the various service delivery interfaces with those suppliers, as defined in contracts and/or service level agreements. It includes auditing of security services implemented by suppliers that have a material impact on the security of information managed by the agency but otherwise excludes the suppliers’ internal processes.

Suppliers handling data
Suppliers are handling data where the State’s data is provided by the government to the supplier, or where data is stored, processed, generated, accessed, or produced by the supplier on behalf of the government.

Threat
A declared intent to inflict harm on personnel or property.

User
Anything, including persons and computer systems, that accesses ICT resources.

Value
The assessed importance of the information based upon the potential consequences of compromise (including but not limited to, monetary value).

Visitor
Any person who is not an agency employee with ongoing access to agency facilities.

Vulnerability
The degree of susceptibility and resilience of an agency to risks and threats.
Or
A weakness in a system’s security requirements, design, implementation or operation that could be accidentally triggered or intentionally exploited and result in a violation of the system’s security policy.

Zone
The physical entities and workspaces in which official information is produced, accessed, handled, and stored (see also security zone and zoning).

Zoning
The process for determining the appropriate security zone and implementing required control elements.