Government Guideline on Cyber Security
DPC/G4.38 Government guideline on cyber security ISMF Guideline 38
Legal, regulatory and contractual compliance requirements
BACKGROUND
This guideline outlines the legislative and regulatory requirements for South Australian Government agencies and suppliers to South Australian Government agencies whose contractual requirements include the Information Security Management Framework [ISMF]. Agencies must assure themselves that they are aware of their legal requirements and obligations in cyber security. This guideline supports implementation of ISMF Policy Statement 38.
GUIDANCE
The following tables identify local and international laws, regulations and other external requirements that must be identified, recognised and complied with in addition to highlighting relevant standards and guidelines used by the Government of South Australia security and risk framework. These items are regularly reviewed for changes that may impact policy and standards implementations involving cyber security. In addition to the considerations contained in this guideline, agencies and suppliers to government must assure themselves that any relevant agency and/or industry sector laws and regulations are being observed.
PART 1: LAWS AND LEGISLATIVE CONSIDERATIONS
Reference / Relevance to cyber security initiatives

South Australian Legislation

Criminal Law Consolidation Act 1935 (SA)
  Codifies the majority of crimes in South Australia. Operates in conjunction with the common law.

Electronic Transactions Act 2000 (SA)
  Mirrors the Commonwealth Act with some localised differences. Provides a regulatory framework to ensure that transactions conducted electronically or on paper are treated equally by law. Supports the development of e-commerce. It is technology neutral and does not endorse a particular signature technology, nor does it provide rules for digital or electronic signatures.

Emergency Management Act 2004 (SA)
  Establishes strategies and processes for the management of emergencies in the State. Includes provisions for the establishment of the State Emergency Management Committee and the appointment of the State Co-ordinator. ICT failure is recognised by the State Emergency Management Plan, which is enabled by this legislation.

Essential Services Act 1981 (SA)
  Aims to protect the community against the interruption or dislocation of essential services. Responsible Parties should give consideration to critical ICT services that may underpin provision of the essential services described by the Act.

Evidence Act 1929 (SA)
  Details the requirements for evidence gathering and handling, including electronic information intended to be used in judicial proceedings. In particular, Part 6A specifies the requirements for admissibility of computer-derived evidence.

Freedom of Information Act 1991 (SA)
  Promotes openness in government and accountability of State Government ministers and other government agencies by providing for public access to official documents and records, and for the correction of public documents and records in appropriate cases.

Listening and Surveillance Devices Act 1972 (SA)
  Regulates the use of listening and surveillance devices, as part of the South Australian criminal law.

Public Finance and Audit Act 1987 (SA)
  Regulates the receipt and expenditure of public money. Details the purpose, function and autonomy of the Office of the Auditor-General.

Public Sector Act 2009 (SA)
  Makes provision for employment, management and governance matters relating to the public sector of the State.

Public Sector (Honesty and Accountability) Act 1995 (SA)
  Imposes duties of honesty and accountability on public sector office holders, employees and contractors.

State Records Act 1997 (SA)
  Governs handling of official records to ensure that records of enduring evidential or informational value are preserved for future reference.

Commonwealth Legislation

Australian Security Intelligence Organisation Act 1979 (Cth)
  Establishes and prescribes ASIO's functions and powers. Includes provisions for computer access warrants, security assessments, and listening and tracking devices.

Crimes Act 1914 (Cth)
  Codifies offences against the Commonwealth. Functions alongside State legislation and is gradually superseding the Criminal Code Act 1914.

Criminal Code Act 1995 (Cth)
  The main piece of legislation containing federal offences. Abolishes all common law offences and is gradually superseding the Crimes Act 1914.

Cybercrime Act 2001 (Cth)
  Codifies and amends the law relating to computer offences.

Electronic Transactions Act 1999 (Cth)
  Provides a regulatory framework that recognises the importance of the information economy and facilitates the use of electronic transactions.
Government guideline on cyber security External legal, regulatory and contractual compliance requirements v2.1
Intelligence Services Act 2001 (Cth)
  Provides a legislative basis for the Australian Secret Intelligence Service (ASIS) and the Australian Signals Directorate (ASD). Also grants powers to the Australian Security Intelligence Organisation (ASIO).

National Security Information (Criminal and Civil Proceedings) Act 2004 (Cth)
  Prevents the disclosure of information in federal criminal and civil proceedings where the disclosure is likely to prejudice national security, except where preventing the disclosure would seriously interfere with the administration of justice.

Privacy Act 1988 (Cth)
  Operates in conjunction with common law. Defines what constitutes sensitive information (section 6) and details the Information Privacy Principles (section 14).

Spam Act 2003 (Cth)
  Regulates commercial electronic messages, address-harvesting software etc. Also describes penalties and punitive measures. Particular attention should be paid to the requirement to provide an 'opt-out/unsubscribe' option when using mass-mailing or similar distribution software.

Telecommunications Act 1997 (Cth)
  Provides a regulatory framework that promotes the long-term interests of end-users of carriage services.

Telecommunications (Interception and Access) Act 1979 (Cth)
  Prohibits the interception of, and other access to, telecommunications except where authorised in special circumstances.

United States Legislation

USA PATRIOT Act 2001
  Has repercussions for government information being hosted or communicated via ICT equipment located in the US and its possessions. Information may be accessed or collected by authorised agencies. Additionally, US-based companies operating in foreign jurisdictions are also subject to many provisions within this Act.

Computer Fraud and Abuse Act 1986
  The definition of a "protected computer" has implications for ICT systems used outside of the US, specifically: "(B) which is used in interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States;"

Federal Information Security Management Act 2002
  Recognises the importance of information security to the economic and national security interests of the United States. The Act requires each US federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source. Useful for tracking changes and emerging trends in information security legislation.
PART 2: POLICIES AND STANDARDS
A comprehensive listing of relevant information security policies and standards is contained in the Information Security Management Framework [ISMF].
Australian Government policy and standards
Reference / Relevance to cyber security

Australian Government Protective Security Policy Framework [PSPF]
  The PSPF is a reflection of the requirements of contemporary Government and private-sector partnership, agile procedural change and the dynamic landscape of information security, particularly in light of constantly evolving ICT technologies and service delivery capabilities. The PSPF is designed to progressively replace the PSM over a period of time.

Australian Government Information Security Manual [ISM]
  The ISM (formerly known as ACSI 33) is a standard that forms part of a suite produced by ASD relating to information security. Its role is to promote a consistent approach to information security across all Australian Government, State and Territory agencies and bodies. It provides a security risk assessment for information that is processed, stored or communicated by government systems, with corresponding risk treatments to reduce the level of security risk to an acceptable level.
South Australian Government circulars and instructions
Reference / Relevance to cyber security initiatives

Treasurer's Instruction 2
  Financial management policies; stipulates obligations and expectations on how South Australian Government entities manage risk management requirements (such as major ICT projects and initiatives).

Financial Management Framework, section 2
  Retired. Replaced by Treasurer's Instruction 28. Refer to the link for Treasurer's Instruction 2.

Premier and Cabinet Circular 12 (PC012) [IPPS]
  Information Privacy Principles Instruction.

Premier and Cabinet Circular 30 (PC030) [PSMF]
  Protective Security Management Framework for SA Government. This document is the foundation document that calls into requirement the State's ISMF and the usage of the Australian Government PSPF.

Notifications
  Various: several items are relevant to security, risk, continuity, information privacy and service assurance. Some are provided by the Cyber Security and Risk Assurance Group (DPC), but all notifications are tracked. Available to SA Government personnel only (via Intranet access).
South Australian Government policies and standards
Reference / Relevance to cyber security initiatives

Code of Ethics for the South Australian Public Sector
  Encompasses topics such as: Handling Official Information, Public Comment, Use of Government Resources and Conflicts of Interest.

South Australian Recordkeeping Metadata Standard
  This Standard outlines the basic core set of metadata elements required to manage records in accordance with best practice.

Intellectual Property Policy
  This policy provides an enabling and overarching framework to create a supportive environment to: achieve best practice in IP management in Government; where appropriate, facilitate effectiveness of knowledge transfer by Government agencies to the public and private sectors; and achieve effective and timely protection of Government IP and, where appropriate, its commercialisation.

Information Security Management Framework [ISMF]
  South Australian security framework describing 40 policies, 140 standards and numerous controls in support of cyber security. It is closely aligned to ISO 27001.
Australian and International industry standards
Reference / Relevance to cyber security initiatives

AS/NZS ISO/IEC 27001
  ISO 27001 stipulates the ISMS requirements and is referenced for SA Government specific implementations of policy as described by the ISMF.

AS/NZS ISO/IEC 27002
  Code of practice for Information Security Controls.

AS ISO/IEC 20000
  IT Service Management reflecting best practice guidance contained in ITIL (Information Technology Infrastructure Library) and COBIT (Control Objectives for Information and related Technology).

AS 8018
  Australian Standard AS8018 ICT Service Management (ITIL).

AS/NZS ISO 31000
  International Risk Management Standard.

ISO/IEC 13888
  Non-Repudiation.

PCI-DSS
  Payment Card Industry (PCI) Data Security Standard.
ADDITIONAL CONSIDERATIONS
This guideline does not aim to provide the reader with all legislative and regulatory requirements for cyber security initiatives. It is merely an overview of the laws, legislation, policies, standards and guidelines adhered to across the South Australian Government. It is highly recommended that agencies review these documents in their entirety and assess other relevant legislation and regulations that may apply in their specific industry sector or circumstances. The individual requirements of agencies will have direct bearing on what measures are implemented to mitigate identified risk(s).
REFERENCES, LINKS & ADDITIONAL INFORMATION
South Australian Government - Attorney General's Department: South Australian Legislation
Australian Government - Commonwealth Law
AS/NZS ISO/IEC 27001
DPC/F4.1 Information Security Management Framework [ISMF]
PC030 Protective Security Management Framework [PSMF]
Australian Government Protective Security Policy Framework [PSPF]
Document Control
ID: DPC/G4.38
Version: 2.1
Classification/DLM: PUBLIC-I1-A1
Compliance: Discretionary
Original authorisation date: February 2014
Last approval date: September 2017
Next review date: September 2018
Licence
With the exception of the Government of South Australia brand, logos and any images, this work is licensed under a Creative Commons Attribution (CC BY) 4.0 Licence. To attribute this material, cite the Department of the Premier and Cabinet, Government of South Australia, 2017.