A new Victorian Government Cyber Security Strategy, which is currently under development, is expected to be implemented in early 2014 and will establish a wide-reaching ICT security framework for internally-provided and outsourced systems and services.
The new Strategy follows a critical report by Victorian Auditor-General John Doyle on the whole-of-Victorian-Government Information Security Management Framework, which found shortcomings in current governance structures, coordination and risk assessment capabilities across agency security frameworks.
“I think the cyber security strategy we have will seek to do two things as an absolute minimum. It will seek to help us understand the challenges we have in the immediate future, so how do we deal with the issues the Auditor-General raised,” said Victorian Government Chief Technology Advocate Grantly Mailes at the 2013 CeBIT conference on 28 November 2013.
Mailes also indicated that the Strategy will look to address security issues emerging from the increased public sector use of cloud services.
“Cloud has proven to be, with some exceptions…by and large a very secure environment. The thing is when it breaks, it breaks big,” said Mailes.
Where agencies source ICT systems from shared service providers and third party suppliers, the Auditor-General found significantly lower levels of understanding about security risks.
“Where agencies use a shared service provider for their ICT systems, we noted significant shortcomings in the accuracy of ISMF [information security management framework] reports,” says the Auditor-General’s report. “This is because there is little sharing of information on ICT systems and applications to ensure the completeness of the reports.”
The report recommends the implementation of improved “contractual arrangements [that] provide for the required level of cooperation to accommodate ISMF requirements and commitments”.
The new policy is likely to have a broader scope than previous information security policies released in 2012 and 2005, which were only applicable to 20 “inner” Government agencies, according to the Auditor-General’s report.
In his report, Doyle highlights the need for better management and reporting requirements for the remaining Victorian Government agencies. “Outer” agencies are currently responsible for assessing their own security governance arrangements and have no obligations to develop and report on internal policies and standards.
The upcoming policy is to be the first information security policy that will be put to the government for approval prior to its release to improve central management of cyber security risks.
“The Cyber Security Strategy will set out clear lines of accountability and governance structures for cyber security within the Victorian Government,” Minister for Technology Gordon Rich-Phillips said when announcing the Strategy.
Responsibility for information security and wider “operational ICT matters including strategy” has been transferred from the Department of Treasury and Finance to DSDBI with effect from 1 July 2013, according to the Auditor-General’s report.
However, the report is critical of governance practices both before and after July 2013, suggesting the need for a wider overhaul of long-standing security management practices.
In particular, Doyle highlights the need for improved centralisation and coordination in the management of Government-wide ICT cyber security.
“We found that there is no central view of the overall Victorian cyber threat situation nor are there arrangements in place to brief government in the event of a multi-agency or sustained cyber attack,” says the report.
“DPC has no role in coordinating a whole-of-government approach to cyber threats…[and] agencies experiencing serious cyber incidents report these to the Australian Signals Directorate but not to DSDBI or DPC.”
Some steps have already been taken to centralise threat management with the establishment of the State Crisis and Resilience Council (SCRC) in April 2013. The Council is chaired by the DPC Secretary and includes all departmental secretaries. The SCRC is briefed by DSDBI on specific matters relating to cyber security and threats, and is able to recommend briefings for ministers where needed, according to the Auditor-General’s report.
Victoria also established a new statutory office of the Victorian Privacy and Data Protection Commissioner in December 2012, responsible for overseeing existing privacy and data security regimes and implementing a whole-of-government Victorian Protective Security Policy Framework with a focus on information security.
The Victorian Government could also look to the Federal model for managing ICT security.
“A significant difference between the policy and standards of the Victorian Government and the Australian Government is that federal agencies involved in information security have effective central coordination arrangements to oversee the threat and keep government informed.”
Greater collaboration between the Victorian Government and Federal security agencies is recommended, with the Auditor-General criticising the fact that “central agencies do not seek to be informed of external cyber incidents detected by Australian Government security agencies and do not follow up actions taken after a cyber alert is disseminated”.