Term | Definition
---|---
accountable authority | the person or group of persons responsible for, and with control over, the agency’s operations |
accountable material | information which requires the strictest control over its access and movement |
accreditation | the process of compiling and reviewing all applicable certifications and other deliverables to determine and accept the residual security risks |
adversary | a party with interests counter to your own (e.g. foreign government, criminal element) |
agency | as per the definition of public sector agency (as defined in section 3(1) of the Public Sector Act 2009) including administrative units, bodies corporate, statutory authorities and any other person or organisation that is generally subject to the direction of a Minister of the Crown; all of which are referred to in this policy as “Agencies” |
agency governance framework | the management structure used by an agency and the decision-making processes that define expectations, grant power or verify performance (see also governance)
agency security committee | a management group that acts as the coordinator and adviser for all security aspects in relation to the scope of the agency’s Cyber Security Program and/or Security Plan. |
agreement | see contract |
applicant(s) | the person or persons seeking employment with an agency |
arrangement | see contract |
attestation | a declaration attesting to the truth of something
authorised vetting agency | either the Australian Government Security Vetting Agency or another agency that has been authorised by AGSVA to undertake security vetting for its employees |
availability | allowing authorised persons to access information for authorised purposes at the time they need to do so |
biometrics | the technical term for body measurements and calculations – it refers to related human characteristics |
bot | an automated piece of software designed to perform a certain task, often imitating or replacing a real person’s user behaviour |
buffer | see risk tolerance |
business impact | the assessed impact upon business (individual, agency or government) operations from compromise of the information |
caveat | a warning that the information contained has special protections in addition to those indicated by the classification |
certification | establishing compliance with the minimum requirements of the certification authority; a certificate of conformance issued to an individual or organisation by an accredited body. |
classification | an indication of the business importance and level of protection needed by information and assets to prevent compromise (for example OFFICIAL: Sensitive) |
clearance sponsor | refers to the agency or entity who sponsors a security clearance on behalf of the applicant. Security clearances are only valid with a valid sponsor. The Department of the Premier and Cabinet sponsors all SA Government security clearances and South Australia Police (SAPOL) is an authorised vetting agency and clearance sponsor of SAPOL employees for NV1 and NV2 level security clearances |
commencement | the point in time when a person begins in a new role or changes duties |
compromise | includes, but is not limited to, loss, misuse, interference, unauthorised access, unauthorised modification and unauthorised disclosure
confidentiality | limiting of access to information to authorised persons for approved purposes |
consequence | the resulting effects that compromise of information could be expected to cause (commensurate with ‘damage’ or ‘business impact’)
container | physical container (such as a lockable cabinet or safe) used to store official information, most notably for sensitive and security classified information |
contract | a formal and legally binding agreement which outlines the terms and conditions for the provision of goods or services by an external entity or third party to a South Australian Government agency, and which outlines how the information is to be used and what protections must be applied (same as service agreement)
contractor | the external or third party contracted to provide services to an agency (same as service provider and supplier; for the purposes of this policy, includes subcontractors)
controls | see risk treatment |
critical process continuity plan | documented work-around plans for maintaining critical processes during a period of disruption at pre-determined acceptable levels |
critical infrastructure | Under the Critical Infrastructure Resilience Strategy (2015) the Australian, State and Territory governments share the following definition of critical infrastructure: ‘those physical facilities, supply chains, information technologies and communication networks which, if destroyed, degraded or rendered unavailable for an extended period, would significantly impact the social or economic wellbeing of the nation or affect Australia’s ability to conduct national defence and ensure national security’. |
critical processes | agency processes that, if not performed, would result in the highest level of risk to the agency. This could include meeting critical needs of the agency or satisfying mandatory regulations and requirements
critical service | services that, if compromised, would result in significant damage to the physical, social or economic wellbeing of the State. Critical Services are not typically ICT services, they are services that an agency delivers to the community on behalf of the State Government |
cyber security | measures relating to the confidentiality, integrity and availability of information that is processed, stored and communicated by electronic or similar means. (synonymous with ICT Security) |
cyber security program funding model | the combination of capital expenditure (CAPEX) during implementation of cyber security tasks and ongoing operational expenditure (OPEX) for ongoing maintenance and support. |
damage | the resulting effects that compromise of information could be expected to cause (see business impact) |
declassification | the process to reduce information to OFFICIAL (an unclassified state) when it no longer requires security classification access, handling and storage protections |
eligibility | where the individual has the right to work in Australia, either as a citizen, or holding a valid work visa |
employee | see personnel |
encryption | a process, which may be irreversible, of transforming information, particularly data, into an unintelligible form |
exemption | approval for exclusion from the implementation or use of a mandated document outlined in the SAPSF or SACSF |
extreme vulnerability | a security vulnerability that could facilitate remote code execution or impact critical business systems, or for which an exploit exists in the public domain and is being actively used, and/or where the system is internet-connected with no mitigating controls in place
foreign actor | a person, group of people, company, agent or government of a country other than Australia |
framework | a basic conceptual structure used to solve complex issues and/or address risks |
function | the purpose or role an agency undertakes on behalf of the Government of South Australia |
governance | system of decision-making, directing and controlling, through rules, relationships, policies, standards, systems and processes |
guideline | additional, detailed advice on how to apply a policy. |
handling | any processes for accessing, transmitting, transferring, storing or disposing of, official information |
harm | to cause injury or damage, either physically or psychologically, to another person or group of people |
identity | who a person is, or the qualities or details that make them unique from others |
incident | any event which is not part of the standard operation of a service and which causes or may cause an interruption to, or a reduction in, the quality of that service and/or loss or corruption of information resulting in a breach of privacy or security
information assets | any information, or asset supporting the use of the information, that has value to the agency, such as collections of data, processes, ICT, people and physical documents |
information custodian | the individual or group assigned responsibility for managing a set of information. |
information owner | the individual or group responsible and accountable for a set of information. The information owner may, at their discretion, assign responsibility for management of the information to another person or group, also known as an information custodian. |
insider threat | the risk posed to an agency from deliberate or accidental compromise to information and resources from employees or service providers (including contractors) |
integrity | assurance that information has been created, amended or deleted only by the intended authorised means and is correct and valid |
IT service recovery plan | a documented plan for restoring IT services following a disruption |
likelihood | the chance of the risk event occurring |
malicious insider | an employee, former employee, contractor or business associate with legitimate access to an agency system or data, who uses that access to steal or destroy data or sabotage systems. Knowledge of a malicious insider must be reported to the appropriate authorities |
malware | malicious software |
metadata | refers to a set of data about other data |
misconduct | a breach of a disciplinary provision of the public sector code of conduct while in employment as a public sector employee, or other misconduct while in employment as a public sector employee |
mitigation | see risk treatment |
mobile device | mobile phones, smartphones, tablets, laptops, portable electronic devices, portable storage and other portable internet-connected devices |
multi-factor | a method of authentication using separate mutually dependent credentials, typically “something you have” and “something you know” |
official information | all information created, sent and received as part of work of the South Australian Government |
ongoing assessment | describes the processes and procedures for collecting and assessing information for the purposes of determining the suitability of an agency’s employees to maintain access to South Australian Government information and resources |
originator | agency or individual that initially generated and/or is responsible for the information (also owner) |
periodic | an event or action that must occur at prescribed intervals |
personnel | all people that an agency employs (including contracted employees) |
personnel security | the policies and procedures that seek to mitigate the risk of personnel exploiting access to an agency’s information or assets for unauthorised purposes |
policy | a position or judgment with an across government focus, that describes actions or behaviours that must be followed |
portable device | a small, lightweight device that is capable of storing and transferring large volumes of data (see also mobile device) |
position of trust | a position identified by the relevant agency that may require additional screening or other pre-employment measures according to the duties the role is required to perform; also any position or role within the agency with heightened levels of access to sensitive information or an otherwise increased risk profile
procurement | the process of finding and agreeing to terms for the provision of goods and services |
protection | the treatments, mitigations or controls implemented to prevent or minimise the likelihood of compromise to an agency’s people, information or assets
protective marking | identifies the level of classification and any other handling instructions or protections the information requires |
ransomware | a type of malware designed to deny access to a computer system or data until a ransom is paid |
reclassification | the administrative decision to change the security classification of information based on a reassessment of the potential impacts of its compromise |
regular | an event or action that should occur at consistent intervals and may be determined by Standard Operating Procedures or a Security Schedule |
resources | an agency’s people, information and assets |
risk appetite | the amount of risk an agency is willing to accept |
risk-based approach | identifying and understanding the highest areas of risk and taking the appropriate mitigation measures in accordance with the level of risk |
risk capacity | the maximum amount of risk (boundary) the agency can take and remain operational |
risk profile | an outline of the risks to which an organisation, or business unit within an organisation, is exposed. Most Risk Profiles identify specific risks, associated mitigation strategies and an overall assessment or grading of each risk |
risk tolerance | the amount or level of risk an agency is comfortable taking after risk treatments have been applied to achieve an objective or manage a security risk
risk treatment | considered, coordinated and efficient actions and resources that mitigate or lessen the likelihood or negative consequences of a security risk |
ruling | a specific application of security policy that must be adhered to by all agencies |
screening | the processes associated with investigating the background of potential employees to determine their suitability to hold a position and undertake its responsibilities
security advisers | employees appointed within an agency to undertake specific responsibilities for security, such as Agency Security Advisors (ASA) and Information Technology Security Advisors (ITSA) |
security assessor | reviews the system architecture, including security documentation, and assesses the implementation and effectiveness of security controls; typically an Information Security Registered Assessors Program (IRAP) assessor or entity personnel with the appropriate capability |
security classified | indicates the information holds a classification of PROTECTED, SECRET or TOP SECRET and must be protected against compromise. Access to the information must be controlled and limited to appropriately security cleared staff
security domains | the areas to which protective security requirements apply: governance, information, personnel, physical and cyber. |
security maturity | a measure of an agency’s security position within its risk environment and risk tolerances, while acknowledging progression toward security outcomes |
security plan | the document in which an agency articulates how its security risks have been identified and prioritised, and how they will be managed in line with the agency’s objectives
security risk | something that can result in compromise, loss, unavailability or damage to an agency’s resources, including causing harm to people |
security zone | a scalable physical security measure to protect the resources or assets within an agency’s facilities |
senior leadership | generic term that may encompass the Agency Board, Senior Executive Members, Chief Executive, Agency Security Executive or equivalent |
sensitive | indicates information requires some level of protection but is not security classified |
separation | the process where employees permanently or temporarily leave their employment with an agency |
service agreement | see contract |
service provider | see contractor |
shared risk | security risks that emerge from a single source and extend across multiple agencies and/or their premises, that impact the community, industry and international or interstate jurisdictions or partners |
social engineering | deceiving or manipulating people into divulging confidential or personal information that may be used for fraudulent purposes |
spam | an unsolicited or undesired electronic message |
stakeholder | a person, group or agency with an interest in the security of an individual or entity |
standard | a formal document that provides a set of rules to support compliance with a policy |
strategy | a plan of action, or direction, designed to achieve a particular goal |
subcontractor | a person or entity that undertakes work or duties on behalf of a contractor |
suitability | the combination of eligibility and fit for the role, assessment of integrity and ability to meet the assessment criteria or other requirements |
supplier | any individual, contractor, business partner, or agent not directly employed by a South Australian Government agency (see also contractor) |
supplier access | any local or remote access made by a supplier to Government IT assets, as defined in contracts and/or service level agreements |
threat | a declared intent to inflict harm on personnel or property |
user | anything that accesses ICT resources, including persons and computer systems |
value | the assessed importance of the information based upon the potential consequences of compromise (including, but not limited to, monetary value)
visitor | any person who is not an agency employee with ongoing access to agency facilities |
vulnerability | the degree of susceptibility and resilience of an agency to risks and threats |
zone | the physical entities and workspaces in which official information is produced, accessed, handled and stored (see also security zone and zoning)
zoning | the process for determining the appropriate security zone and implementing required control elements |
Acronym | Term
---|---
AFP | Australian Federal Police |
AGD | Attorney-General’s Department |
AGSVA | Australian Government Security Vetting Agency |
ASA | Agency Security Adviser |
ASD | Australian Signals Directorate |
ASE | Agency Security Executive |
ASIO | Australian Security Intelligence Organisation |
ASIO-T4 | ASIO Protective Security capability |
BIL | Business Impact Level |
CCTV | Closed Circuit Television |
CI-HR | Critical Infrastructure High-Risk |
DHS | Department of Human Services |
DLM | Dissemination Limiting Marker
DPC | Department of the Premier and Cabinet |
DTF | Department of Treasury and Finance |
DVS | Document Verification Service |
EACS | Electronic Access Control System |
ICS | South Australian Information Classification System |
ICT | Information and Communication Technology |
IMM | Information Management Marker |
IPPS | Department of the Premier and Cabinet Circular PC012 – Information Privacy Principles Instruction |
IRAP | Information Security Registered Assessors Program |
ISM | Australian Government Information Security Manual |
ISMF | Information Security Management Framework |
ITSA | Information Technology Security Adviser |
LSA | Lead Security Agency |
MFA | Multi-factor Authentication |
NTK | Need-to-know principle |
PC012 | Premier and Cabinet Circular 012 – Information Privacy Principles Instruction (see IPPS)
PC030 | Premier and Cabinet Circular 030 – Protective Security in the Government of South Australia |
PC042 | Premier and Cabinet Circular 042 – Cyber Security Incident Management |
PIDS | Perimeter Intrusion Detection System |
PSO | Protective Security Officer |
PSPF | Protective Security Policy Framework (Commonwealth) |
PSSB | Police Security Services Branch |
SACSF | South Australian Cyber Security Framework |
SAES | South Australian Executive Service |
SAPOL | South Australia Police |
SAPSF | South Australian Protective Security Framework |
SAS | Security Alarm System |
SCC | State Crisis Centre (South Australia) |
SCEC | Security Construction and Equipment Committee (Commonwealth) |
SCIF | Sensitive Compartmented Information Facility |
SEC | State Emergency Centre (South Australia) |
SEEPL | Security Equipment Evaluated Product List |
SMSMP | Sensitive Material Security Management Protocol |
TCSM | Technical Counter Surveillance Measures |
VEVO | Visa Entitlement Verification Online |