Term

Definition

accountable authority

the person or group of persons responsible for, and with control over, the agency’s operations

accountable material

information which requires the strictest control over its access and movement

accreditation

the process of compiling and reviewing all applicable certifications and other deliverables to determine and accept the residual security risks

adversary

a party with interests counter to your own (e.g. foreign government, criminal element)

agency

as per the definition of public sector agency (as defined in section 3(1) of the Public Sector Act 2009) including administrative units, bodies corporate, statutory authorities and any other person or organisation that is generally subject to the direction of a Minister of the Crown; all of which are referred to in this policy as “Agencies”

agency governance framework

the management structure used by an agency and the decision-making processes that define expectations, grant power or verify performance. (see also governance)

agency security committee

a management group that acts as the coordinator and adviser for all security aspects in relation to the scope of the agency’s Cyber Security Program and/or Security Plan.

agreement

see contract

applicant(s)

the person or persons seeking employment with an agency

arrangement

see contract

attestation

a declaration attesting to the truth of something

authorised vetting agency

either the Australian Government Security Vetting Agency or another agency that has been authorised by AGSVA to undertake security vetting for its employees

availability

allowing authorised persons to access information for authorised purposes at the time they need to do so

biometrics

the technical term for body measurements and calculations; it refers to the related human characteristics

bot

an automated piece of software designed to perform a certain task, often imitating or replacing a real person’s user behaviour

buffer

see risk tolerance

business impact

the assessed impact upon business (individual, agency or government) operations from compromise of the information

caveat

a warning that the information contained has special protections in addition to those indicated by the classification

certification

establishing compliance with the minimum requirements of the certification authority; a certificate of conformance issued to an individual or organisation by an accredited body.

classification

an indication of the business importance and level of protection needed by information and assets to prevent compromise (for example OFFICIAL: Sensitive)

clearance sponsor

refers to the agency or entity who sponsors a security clearance on behalf of the applicant. Security clearances are only valid with a valid sponsor. The Department of the Premier and Cabinet sponsors all SA Government security clearances and South Australia Police (SAPOL) is an authorised vetting agency and clearance sponsor of SAPOL employees for NV1 and NV2 level security clearances

commencement

the point in time when a person begins in a new role or changes duties

compromise

includes, but is not limited to, loss, misuse, interference, unauthorised access, unauthorised modification and unauthorised disclosure

confidentiality

limiting of access to information to authorised persons for approved purposes

consequence

the resulting effects that compromise of information could be expected to cause (commensurate with ‘damage’ or ‘business impact’)

container

physical container (such as a lockable cabinet or safe) used to store official information, most notably for sensitive and security classified information

contract

a formal and legally binding agreement between a South Australian Government agency and an external entity or third party that sets out the terms and conditions for the provision of goods or services, how the information is to be used and what protections must be applied (same as service agreement)

contractor

the external entity or third party contracted to provide services to an agency (same as service provider and supplier; for the purposes of this policy, includes subcontractors)

controls

see risk treatment

critical process continuity plan

documented work-around plans for maintaining critical processes during a period of disruption at pre-determined acceptable levels

critical infrastructure

Under the Critical Infrastructure Resilience Strategy (2015), the Australian, State and Territory governments share the following definition of critical infrastructure:

‘those physical facilities, supply chains, information technologies and communication networks which, if destroyed, degraded or rendered unavailable for an extended period, would significantly impact the social or economic wellbeing of the nation or affect Australia’s ability to conduct national defence and ensure national security’.

critical processes

agency processes that, if not performed, would result in the highest level of risk to the agency. This could include meeting critical needs of the agency or satisfying mandatory regulations and requirements

critical service

services that, if compromised, would result in significant damage to the physical, social or economic wellbeing of the State. Critical services are not typically ICT services; they are services that an agency delivers to the community on behalf of the State Government

cyber security

measures relating to the confidentiality, integrity and availability of information that is processed, stored and communicated by electronic or similar means. (synonymous with ICT Security)

cyber security program funding model

the combination of capital expenditure (CAPEX) during implementation of cyber security tasks and ongoing operational expenditure (OPEX) for ongoing maintenance and support.

damage

the resulting effects that compromise of information could be expected to cause (see business impact)

declassification

the process to reduce information to OFFICIAL (an unclassified state) when it no longer requires security classification access, handling and storage protections

eligibility

where the individual has the right to work in Australia, either as a citizen, or holding a valid work visa

employee

see personnel

encryption

a process, which may be irreversible, of transforming information, particularly data, into an unintelligible form

exemption

approval for exclusion from the implementation or use of a mandated document outlined in the SAPSF or SACSF

extreme vulnerability

a security vulnerability that could facilitate remote code execution or impact critical business systems, or for which an exploit exists in the public domain and is being actively used, and/or where the affected system is internet-connected with no mitigating controls in place

foreign actor

a person, group of people, company, agent or government of a country other than Australia

framework

a basic conceptual structure used to solve complex issues and/or address risks

function

the purpose or role an agency undertakes on behalf of the Government of South Australia

governance

system of decision-making, directing and controlling, through rules, relationships, policies, standards, systems and processes

guideline

additional, detailed advice on how to apply a policy.

handling

any processes for accessing, transmitting, transferring, storing or disposing of, official information

harm

to cause injury or damage, either physically or psychologically, to another person or group of people

identity

who a person is, or the qualities or details that make them unique from others

incident

any event which is not part of the standard operation of a service and which causes or may cause an interruption to, or a reduction in, the quality of that service and/or loss or corruption of information, resulting in a breach of privacy or security

information assets

any information, or asset supporting the use of the information, that has value to the agency, such as collections of data, processes, ICT, people and physical documents

information custodian

the individual or group assigned responsibility for managing a set of information.

information owner

the individual or group responsible and accountable for a set of information. The information owner may, at their discretion, assign responsibility for management of the information to another person or group, also known as an information custodian.

insider threat

the risk posed to an agency from deliberate or accidental compromise to information and resources from employees or service providers (including contractors)

integrity

assurance that information has been created, amended or deleted only by the intended authorised means and is correct and valid

IT service recovery plan

a documented plan for restoring IT services following a disruption

likelihood

the chance of the risk event occurring

malicious insider

an employee, former employee, contractor or business associate with legitimate access to an agency system or data, who uses that access to steal or destroy data or sabotage systems. Knowledge of a malicious insider must be reported to the appropriate authorities

malware

malicious software

metadata

refers to a set of data about other data

misconduct

a breach of a disciplinary provision of the public sector code of conduct while in employment as a public sector employee, or other misconduct while in employment as a public sector employee

mitigation

see risk treatment

mobile device

mobile phones, smartphones, tablets, laptops, portable electronic devices, portable storage and other portable internet-connected devices

multi-factor

a method of authentication using separate mutually dependent credentials, typically “something you have” and “something you know”

official information

all information created, sent and received as part of work of the South Australian Government

ongoing assessment

describes the processes and procedures for collecting and assessing information for the purposes of determining the suitability of an agency’s employees to maintain access to South Australian Government information and resources

originator

agency or individual that initially generated and/or is responsible for the information (also owner)

periodic

an event or action that must occur at prescribed intervals

personnel

all people that an agency employs (including contracted employees)

personnel security

the policies and procedures that seek to mitigate the risk of personnel exploiting access to an agency’s information or assets for unauthorised purposes

policy

a position or judgement with an across-government focus that describes actions or behaviours that must be followed

portable device

a small, lightweight device that is capable of storing and transferring large volumes of data (see also mobile device)

position of trust

a position identified by the relevant agency that may require additional screening or other pre-employment measures according to the duties the role is required to perform; also any position or role within the agency with heightened levels of access to sensitive information or that otherwise has an increased risk profile

procurement

the process of finding and agreeing to terms for the provision of goods and services

protection

the treatments, mitigations or controls implemented to prevent or minimise the likelihood of compromise to an agency’s people, information or assets

protective marking

identifies the level of classification and any other handling instructions or protections the information requires

ransomware

a type of malware designed to deny access to a computer system or data until a ransom is paid

reclassification

the administrative decision to change the security classification of information based on a reassessment of the potential impacts of its compromise

regular

an event or action that should occur at consistent intervals and may be determined by Standard Operating Procedures or a Security Schedule

resources

an agency’s people, information and assets

risk appetite

the amount of risk an agency is willing to accept

risk-based approach

identifying and understanding the highest areas of risk and taking the appropriate mitigation measures in accordance with the level of risk

risk capacity

the maximum amount of risk (boundary) the agency can take and remain operational

risk profile

an outline of the risks to which an organisation, or business unit within an organisation, is exposed. Most Risk Profiles identify specific risks, associated mitigation strategies and an overall assessment or grading of each risk

risk tolerance

the amount or level of risk an agency is comfortable taking after risk treatments have been applied to achieve an objective or manage a security risk

risk treatment

considered, coordinated and efficient actions and resources that mitigate or lessen the likelihood or negative consequences of a security risk

ruling

a specific application of security policy that must be adhered to by all agencies

screening

the processes associated with investigating the background of potential employees to determine their suitability to hold a position and undertake its responsibilities

security advisers

employees appointed within an agency to undertake specific responsibilities for security, such as Agency Security Advisers (ASA) and Information Technology Security Advisers (ITSA)

security assessor

reviews the system architecture, including security documentation, and assesses the implementation and effectiveness of security controls; typically an Information Security Registered Assessors Program (IRAP) assessor or entity personnel with the appropriate capability

security classified

indicates the information holds a classification of PROTECTED, SECRET or TOP SECRET and must be protected against compromise. Access to the information must be controlled and limited to appropriately security-cleared staff

security domains

the areas to which protective security requirements apply: governance, information, personnel, physical and cyber.

security maturity

a measure of an agency’s security position within its risk environment and risk tolerances, while acknowledging progression toward security outcomes

security plan

the document in which an agency sets out how its security risks have been identified and prioritised, and how they will be managed in line with the agency’s objectives

security risk

something that can result in compromise, loss, unavailability or damage to an agency’s resources, including causing harm to people

security zone

a scalable physical security measure to protect the resources or assets within an agency’s facilities

senior leadership

generic term that may encompass the Agency Board, Senior Executive Members, Chief Executive, Agency Security Executive or equivalent

sensitive

indicates information requires some level of protection but is not security classified

separation

the process where employees permanently or temporarily leave their employment with an agency

service agreement

see contract

service provider

see contractor

shared risk

security risks that emerge from a single source and extend across multiple agencies and/or their premises, that impact the community, industry and international or interstate jurisdictions or partners

social engineering

deceiving or manipulating people into divulging confidential or personal information that may be used for fraudulent purposes

spam

an unsolicited or undesired electronic message

stakeholder

a person, group or agency with an interest in the security of an individual or entity

standard

a formal document that provides a set of rules to support compliance with a policy

strategy

a plan of action, or direction, designed to achieve a particular goal

subcontractor

a person or entity that undertakes work or duties on behalf of a contractor

suitability

the combination of eligibility and fit for the role, assessment of integrity and ability to meet the assessment criteria or other requirements

supplier

any individual, contractor, business partner, or agent not directly employed by a South Australian Government agency (see also contractor)

supplier access

any local or remote access made by a supplier to Government IT assets, as defined in contracts and/or service level agreements

threat

a declared intent to inflict harm on personnel or property

user

anything that accesses ICT resources, including persons and computer systems

value

the assessed importance of the information based upon the potential consequences of compromise (including, but not limited to, monetary value)

visitor

any person who is not an agency employee with ongoing access to agency facilities

vulnerability

the degree of susceptibility and resilience of an agency to risks and threats

zone

the physical entities and workspaces in which official information is produced, accessed, handled and stored (see also security zone and zoning)

zoning

the process for determining the appropriate security zone and implementing required control elements

Acronym

Term

AFP

Australian Federal Police

AGD

Attorney-General’s Department

AGSVA

Australian Government Security Vetting Agency

ASA

Agency Security Adviser

ASD

Australian Signals Directorate

ASE

Agency Security Executive

ASIO

Australian Security Intelligence Organisation

ASIO-T4

ASIO Protective Security capability

BIL

Business Impact Level

CCTV

Closed Circuit Television

CI-HR

Critical Infrastructure High-Risk

DHS

Department of Human Services

DLM

Dissemination limiting marker

DPC

Department of the Premier and Cabinet

DTF

Department of Treasury and Finance

DVS

Document Verification Service

EACS

Electronic Access Control System

ICS

South Australian Information Classification System

ICT

Information and Communication Technology

IMM

Information Management Marker

IPPS

Department of the Premier and Cabinet Circular PC012 – Information Privacy Principles Instruction

IRAP

Information Security Registered Assessors Program

ISM

Australian Government Information Security Manual

ISMF

Information Security Management Framework

ITSA

Information Technology Security Adviser

LSA

Lead Security Agency

MFA

Multi-factor Authentication

NTK

Need-to-know principle

PC012

Premier and Cabinet Circular 012 – Information Privacy Principles 012 (see IPPS)

PC030

Premier and Cabinet Circular 030 – Protective Security in the Government of South Australia

PC042

Premier and Cabinet Circular 042 – Cyber Security Incident Management

PIDS

Perimeter Intrusion Detection System

PSO

Protective Security Officer

PSPF

Protective Security Policy Framework (Commonwealth)

PSSB

Police Security Services Branch

SACSF

South Australian Cyber Security Framework

SAES

South Australian Executive Service

SAPOL

South Australia Police

SAPSF

South Australian Protective Security Framework

SAS

Security Alarm System

SCC

State Crisis Centre (South Australia)

SCEC

Security Construction and Equipment Committee (Commonwealth)

SCIF

Sensitive Compartmented Information Facility

SEC

State Emergency Centre (South Australia)

SEEPL

Security Equipment Evaluated Product List

SMSMP

Sensitive Material Security Management Protocol

TCSM

Technical Counter Surveillance Measures

VEVO

Visa Entitlement Verification Online