INFOSEC-3: Robust technology and information systems

The INFOSEC-3: Robust technology and information systems policy and guidance will assist agencies to achieve an effective protective security outcome within the information security domain of the TAS‑PSPF. They address core requirement 9 and its supplementary requirements.

The Accountable Authority must ensure the security of technology and information assets to safeguard data, information and privacy, and to ensure continuous delivery of government business during all stages of the asset life cycle.

To achieve this, the Accountable Authority will:

1. ensure application of the Tasmanian Government Cyber Security Policy cyber security principles providing safeguarded maintenance of the confidentiality, integrity and availability of information^[1]
2. only process, store or communicate information on ICT systems that the Accountable Authority has authorised to operate, based on acceptance of residual security risk associated with its operation
3. ensure ICT systems incorporate processes for audit trails and activity logging in applications to ensure the accuracy and integrity of data captured or held
4. develop and regularly test a Business Continuity Plan to manage the assessed risks and business impact associated with loss of critical information, personnel, facilities and ICT infrastructure
5. ensure ownership of, and accountability for, information security risk in ICT systems, including cloud and outsourced services, by nominating a business risk owner for every system, who is responsible for ensuring the secure operation of their system ^[2]
6. in combination with the ‘People Core Requirements’, ensure the effectiveness of physical controls and application of secure zones at any location where storage of information (in any form) is performed
7. ensure consideration of supply chain security is applied at all stages of contracted supply.

Access to information, particularly security-classified information, requires access controls to ensure that confidentiality and the integrity of Tasmanian Government information, assets and business operations are maintained. As the business operations and environment of each agency vary, levels of access and associated controls will be based on agency‑specific security planning and risk assessments.

Limiting unintended or unauthorised access to protectively marked information relies on robust and validated technology, information and infrastructure systems, complemented by enhanced security governance.

1. Tasmanian Government Cyber Security Policy – Cyber Security Principles (PDF 354.6KB)

   [Back]

2. The business risk owner may be the same for various (or all) systems.

   [Back]

The Tasmanian Government owns, manages and delivers various technology and information infrastructure, services and systems on behalf of the Tasmanian community in order to process, store and communicate information. Protecting these systems strengthens community confidence and supports secure and continuous delivery of Tasmanian Government operations and services.

Robust technology and information systems help your agency to:

• maintain the trust and confidence of the public, clients and partners
• keep agency information safe and available to those who need it
• reduce the risks of your agency’s information being lost, damaged, or compromised
• avoid the costs of recovery after an incident, as well as costs of downtime and lost productivity
• comply with regulation and legislation.

An ICT system is the related set of hardware and software used to process, store or communicate information and data, and the governance framework in which it operates.

This policy (INFOSEC-3) requires your agency to ensure the security of technology and information assets that you operate or outsource during all stages of the asset life cycle.

The phases of an ICT system’s life cycle^[4] are outlined in the box below.

Define

• Determine the type, value and objectives for your ICT system and the information it processes, stores or communicates based on the business impact of loss or compromise.

Design

• Assess the risks to your information and supporting ICT systems within your network.
• Adopt suitable security controls which are proportionate to the identified risks and in line with your agency’s risk appetite.
• Your agency’s Responsible Executive (RE) must assess the proposed security controls for appropriateness and then accept the security design, if deemed fit-for-purpose. Should the security controls not be accepted, further risk reduction must be considered and adopted in the design.

Implement

• Implement the agreed security controls for the system and its operating environment, including supporting policies and procedures.

Assess

• Evaluate your security controls for the system and its operating environment.
• Certify – the Chief Information Officer^[3] accepts that due diligence and consideration has been given to risk, security, functionality and business requirements.

Authorise

• Authorise – the RE gives approval for the system to operate based on the acceptance of the residual security risks.
• System goes live.
• Maintain and ensure that the security controls for your operating environment are up‑to‑date. Remaining secure is crucial and requires ongoing activity to stay up‑to‑date with evolving security environments, threats, vulnerabilities and mitigations.

Monitor

• Undertake regular reviews to ensure your security controls remain fit-for-purpose.
• Identify changes in your information use, your agency or the threat environment.
• Use this information to inform improvements and return to the Define or Design phase where significant improvements are necessary.

Decommission

• Archive, destroy, repurpose or dispose of information and supporting ICT systems in an appropriately secure way when they are no longer required.

3. Or appropriate delegate, in the absence of a Chief Information Officer.

   [Back]

4. For further information, please refer to Figure 1 in the Australian Government Protective Security Policy Framework - Policy 11: Robust ICT systems (PDF).

   [Back]

The Tasmanian Government Cyber Security Policy^[5] is one of the principal documents of the Tasmanian Government Information Management Framework.^[6] It provides a consistent, risk-based approach to protecting Tasmanian Government information, systems and services from cyber security threats.

The Tasmanian Government Cyber Security Policy is based on the following principles.

5. Tasmanian Government Cyber Security Policy (PDF 216.5KB)

   [Back]

6. Tasmanian Government Information Management Framework

   [Back]

This policy (INFOSEC-3) requires each agency to authorise the ICT systems, making sure that an appropriate level of security is applied and that the relevant authority has considered and accepted residual security risks.^[7] Authorisation helps in providing confidence that your agency’s ICT system/s meet security requirements, address known security vulnerabilities, and remain secure. For more information about the authorisation of ICT systems, please refer to Annexure 1.

It is important to understand the operating environment of your agency’s ICT system/s, as risks of compromise to a system or systems increase where the operating environment is complex.

The interconnection of ICT systems creates a potential path for adversaries to target the system/s via third parties, particularly where other systems are external and outside of your agency’s control, for example, another agency’s ICT system or industry partners’ systems. For this reason, as part of your security assessment and authorisation process, it’s important to consider security risks and security protection required between the systems. This includes making sure that before any interconnection takes place, information about security risks is shared to ensure that any shared security risks are accepted by all parties.

It is a requirement that your agency’s ICT system/s be authorised to the highest assessed sensitivity or security-classified information and data it will process, store or communicate. Authorisation to operate is usually ongoing; however, during the life cycle of an ICT system, it is a requirement to review that system (as described above in Table 1 – ICT system life cycle).

Any review may require a reassessment of the system, including its capacity to continue operation, or it may be approaching time for decommissioning. Examples of events that may trigger additional risk management activities for an ICT system include:

• changes in security policies relating to the system
• detection of new or emerging cyber threats to the system or its operating environment
• the discovery that security controls for the system are not as effective as planned
• a cyber security incident involving the system
• major architectural changes to the system.

Outsourced managed services and cloud services

Your agency’s obligation to protect information doesn’t stop at its internal system/s. You are also obliged to protect any Tasmanian Government information and data which is processed, stored or communicated via outsourced managed service providers and/or cloud service providers. You can achieve this by applying the same authorisation process you apply to internal systems.

You must ensure that access to sensitive and security‑classified information and data is provided on a ‘need to know’ basis, in accordance with appropriate security clearances and briefings. This includes the use of any outsourced managed services and cloud service providers. For example, by using a service provider whose employees hold national security clearances commensurate with the information and data you require them to store, process and transmit, you reduce the risk of compromise from unauthorised access and inappropriate handling.

7. Where identified necessary, an impartial (and in some cases, independent) security assessment can be a valuable tool in authorisation decisions.

   [Back]

Your agency must ensure ICT systems incorporate an audit trail and activity logging in applications. Putting measures in place to monitor the accuracy and integrity of information and data captured or held will help you to respond to incidents and to detect unusual, unauthorised or malicious activity.

The Tasmanian Government has a suite of Cyber Security Standards, which support the Tasmanian Government Cyber Security Policy.^[8] These standards are applicable to all Tasmanian Government agencies and do include some audit and access requirements. Applying these requirements increases the likelihood of detection and appropriate response to any unusual, unauthorised or malicious activity.

The following requirements are taken from the suite of standards:

• Any action taken to create, delete, remove or update a user account is logged for auditing purposes and the logs are maintained in accordance with the agency disposal schedules^[9]
  • A record is to be maintained that contains the approvals to perform the logged actions.
• Audit logs are maintained in accordance with agency disposal schedule for all system or application authentication.
  • Logs are to include successful and unsuccessful authentications.
• Additions, modifications or removals of privileged and highly privileged accounts and/or the associated permissions are to be reviewed monthly.
• Anonymous access to systems is to be logged and the following access information logged at a minimum:
  • information accessed
  • time and date of access
  • connection source of access.

The Australian Government Information Security Manual includes Guidelines for System Monitoring^[10] which detail the process for event logging and monitoring. According to these guidelines, when you are determining the audit and activity logging capacity of your agency’s ICT systems, you should consider the details of events to be logged, event logging facilities to be used, how event logs will be monitored and how long to retain event logs. Doing this will also assist you when you’re developing policy/ies regarding auditing and activity logging.

The Australian Government Information Security Manual also includes Guidelines for System Hardening^[11] which suggest that you log the following events:

• application and operating system crashes and error messages
• changes to security policies and system configurations
• successful user logons and logoffs, failed user logons and account lockouts
• failures, restarts and changes to important processes and services
• requests to access internet resources
• security product-related events
• system startups and shutdowns.

Logging these details of operating systems will add an additional layer to your agency’s ability to monitor and understand activities within your ICT system/s. You should record all of your monitoring and auditing activities and store these details in a centrally available location to increase the visibility and identification of events which might trigger investigation.

8. For further information, please visit the Department of Premier and Cabinet website.

   [Back]

9. For further information, please refer to TAS-PSPF policy: Protecting official information (INFOSEC-2).

   [Back]

10. For further information, please visit the Australian Cyber Security Centre Guidelines for System Monitoring.

    [Back]

11. For further information, please refer to the Australian Cyber Security Centre Guidelines for System Hardening.

    [Back]

You can enhance your agency’s resilience and strengthen your security measures with a business continuity plan. Business continuity is the ability of your agency to continue delivering services at acceptable operating levels in the event of a security incident or other disruption to your agency. A disruption is anything that interrupts your business-as-usual operations. Disruptions can occur at any time, for any reason and their impact varies.

Maintaining a business continuity plan is crucial in ensuring your agency’s critical functions can continue to operate to the fullest extent possible during, and post, a security incident or disruption. You must plan for continuity of the resources that support your agency’s critical functions.

Before developing a business continuity plan, it is important that you understand the critical functions your agency performs and the assets which support these functions.^[12] When you identify your agency’s critical functions and relevant assets and/or services, you are supporting your criticality assessment by identifying and understanding what you need to protect.

The Tasmanian Government Incident Management Cybersecurity Standard^[13] requires you to maintain a register of critical business information regarding assets and/or services, which will support you to achieve the requirements of this policy (INFOSEC-3).

Having a business continuity plan can help your agency manage the impact of security incidents or disruptions, regardless of the cause. However, simply planning does not represent successful business continuity.

It is recommended your agency implements a business continuity program which includes continual planning and improvements, exercising/testing your business continuity plan to ensure you are prepared for security or disruptive incidents, and embedding business continuity into your agency’s culture.

Ensuring your agency can provide access to information on a ‘need to know’ basis during a security or disruptive incident, while protecting it from unauthorised access, is crucial. The integrity of your ICT systems and associated services should be included in your business continuity planning and programs. Ensuring you have system and service recovery procedures will enhance your agency’s ability to recover more broadly from any security or disruptive incidents.

For further information and assistance with business continuity plans and programs, please refer to ISO 22301:2019 – Security and resilience – Business continuity management systems – Requirements.

12. Refer to TAS-PSPF policy: Security planning (GOVSEC-5) for further information on criticality assessments.

    [Back]

13. Available via the Department of Premier and Cabinet website (PDF 272.8KB).

    [Back]

All systems must have a business risk owner (system owner) to ensure ownership of and accountability for information security risk in ICT systems. As mentioned previously, it’s important to remember that ‘systems’, in this context, include those operated by outsourced managed services and cloud service providers that process, store or communicate Tasmanian Government information and data. The system owner is responsible for ICT governance processes, ensuring secure operation and that business requirements are met. The owner may be the same for external systems utilised by your agency and for various (or all) internal systems.

It is recommended that system owners for large or critical systems are part of your agency’s senior executive team or hold an equivalent management position.

System owners have an important role in the ongoing operation and monitoring of your agency’s ICT system/s. Any monitoring activities should be conducted as specified by the system owner, which may include vulnerability assessments and penetration tests.

A system owner’s responsibilities

System owners are responsible for the overall operation and maintenance of an ICT system, including the monitoring phase in the system’s life cycle (as described above in Table 1 – ICT system life cycle). This includes any related support service or outsourced service, such as a cloud service.

System owners may delegate the day-to-day management and operation of the system to a system manager.

Operating the system and maintaining authorisation

It is recommended that system owners are responsible for ongoing compliance with your RE’s authorisation, in accordance with your agency’s operational requirements. This includes ensuring any system modifications are made correctly, in line with the system’s controls and risk environment. Where necessary, due to modifications or ongoing monitoring activities, the system owner must ensure appropriate re-authorisation occurs.

Supporting documentation

System owners are also responsible for the development of documentation supporting the safe operation of the system. This documentation may include a security risk management plan and standard operating procedures. System owners must ensure the developed documentation remains current.

When developing any such documentation, the system owner should include the ASA to ensure a holistic understanding of both the agency’s, and the system’s, operational environment and security risks.

Protecting the confidentiality, integrity and availability of your agency information requires a layered approach to security measures, as no singular approach is a fully effective security measure. By adopting a layered approach, you reduce the likelihood of successful unauthorised or malicious attacks. In support of this policy, your agency must ensure effective physical controls and application of secure zones at any location where information (in any form) is stored.

Information, in any form, is valuable and must be protected according to its sensitivity or security classification. To achieve this, the system owner and the information originator must ensure the appropriate classification has been applied. This will then dictate how that system or information is to be stored, handled and transferred.

The TAS-PSPF supports risk-based decision‑making, with the exception of required protections for sensitive and security classified information. However, your agency should apply sound risk management to the security of all technology and information assets, finding a balance between the extent of security measures and effective operation.

Please refer to TAS-PSPF policy: Protecting assets (PHYSEC-1) and TAS-PSPF policy: Agency facilities (PHYSEC-2) for detailed guidance on best practice physical security measures, including security zoning of work areas.

Security risks can arise through the procurement of goods and services and effective risk management is required to reduce the likelihood and consequence of security issues or incidents. During procurement processes, your agency may engage multiple contractors, or a contractor may engage multiple subcontractors as part of the supply chain.

A supply chain is the network of developers, manufacturers, distribution centres and delivery means involved in the supply of goods and services to an agency, including ICT systems, cloud‑based and outsourced services. Supply chains can be large and complex, involving many suppliers doing many different things. They may also span the globe, with goods potentially transiting many countries and being handled by multiple people before reaching your agency.

The more parties involved in a procurement or service provision, the greater or more complex the risk becomes. In addition, transparency of (and control over) operations is more challenging the further down a supply chain it is from government. For example, arrangements where resources are made, held or serviced outside of Australia (by the contractor or a subcontractor) may have additional risks because visibility is lower.

This policy (INFOSEC-3) requires your agency to ensure supply chain security is considered at all stages of contracted supply.

When procuring goods and services, it is recommended that you:

• consider the security risks of each service provider independently and holistically across their contracted and subcontracted partners
• reduce vulnerabilities and ensure security continuity to manage risks along the entire supply chain.

Understanding risks, threats or vulnerabilities in the supply chain

Identifying relevant threats and vulnerabilities associated with a procurement helps you to identify suitable security mitigations.

In conducting a supply chain risk assessment, it is recommended that you:

• identify the suppliers who make up the supply chain – check that the suppliers can articulate who and what they are connected to, and what dependencies they have
• determine the value and classification of the information that the supplier and their subcontractors will have access to
• identify vulnerabilities or recognise where they could be introduced and exploited.

If you do not conduct a risk assessment or understand the risks, threats or vulnerabilities associated with a procurement, you will be unable to identify appropriate risk mitigations.

When undertaking a procurement risk assessment, you should consider and seek to identify security risks that could affect or be caused by:

• the state or national interest
• critical infrastructure (agency-specific, Tasmanian and national critical infrastructure)
• people transacting with the agency via a contractor (or subcontractor)
• the ability to maintain control of information or resources in an outsourced, offshore or supply chain arrangement with potentially changing legal frameworks
• foreign involvement
• insider threat
• Tasmanian Government agencies or other entities
• agency security plans.

It is recommended that your agency consult experienced subject matter experts as part of assessing risk and designing mitigation strategies when the scale, scope and nature of the risk warrants it.

Reducing supply chain vulnerabilities and managing risks

Contract documentation

Relevant security provisions and associated protections should be included in procurement documents such as requests for tender, contracts, or service agreements. The benefit of ensuring security terms and conditions are identified is that they are then legally enforceable.

Where possible, you should include terms and conditions in procurement documents relating to:

• imposing appropriate information, physical and people security requirements
• identified security risks relevant to the procurement
• ongoing management of security risks and any proposed risk treatments.

It is recommended that you establish robust governance and assurance processes so that contracted providers implement applicable protective security requirements. These may include:

• identifying who is accountable for each security treatment or control in the contract
• establishing governance arrangements to manage ongoing protective security requirements (during the contract and at the completion or termination of the contract). This includes permission for your agency to:
  • amend (or terminate) a contract where issues of state or national interest arise (e.g. procedures to address actual or suspected security incidents or breaches, or when there is a change of ownership of supplier that is not approved)
  • monitor ongoing contracts (e.g. access to premises, records and equipment) through all levels of the supply chain/s, including subcontractors
  • manage changes to the provision of goods or services
  • approve or reject the engagement of individual subcontractors
  • terminate the contract if the provider fails to comply with provisions in the contract, including where there is unwillingness or inability to remedy or mitigate security incident/s.
• applying relevant information‑handling controls and storage arrangements to protect sensitive or security-classified information (requiring contracted goods and service providers to protect Tasmanian Government information and assets in the same manner as your agency would)
• applying relevant people security provisions such as pre-employment screening and security clearance vetting requirements for people accessing security-classified Tasmanian Government information and assets (applying the same security measures to the contracted providers people as your agency would to its people)
• applying relevant physical security measures at facilities where Tasmanian Government information and assets are held and where goods are prepared for Tasmanian Government use
• addressing all hazards your agency may face in the protection of its information, people and assets (including requiring contracted goods and service providers to apply protections against threats to state and national security).

Common use contracts

Common-use contracts are established where a common requirement for goods or services across government agencies has been identified. The Tasmanian Government has established common-use contracts which must be used by agencies when procuring specific goods and services.

Using common-use contracts can help you reduce supply chain risk because the security and capability of the contracted supplier/s has already been scoped. A list of common-use contracts is available on the Tasmanian Government’s purchasing website.^[14] Even when using common-use contracts, keep in mind that you still have a responsibility to perform due diligence, validation, and acceptance for supply chain services.

14. Tasmanian Government purchasing website

    [Back]

15. The authorisation package includes the ICT system’s system security plan, incident response plan, continuous monitoring plan, security assessment report, and plan of action and milestones.

    [Back]

• Australian Government, System Monitoring Guidelines
• Australian Government, System Hardening Guidelines
• New Zealand Government, Protective Security Requirements, Supply chain security
• New Zealand Government, Protective Security Requirements, System ownership
• New Zealand Government, Protective Security Requirements, Outsourcing, offshoring and supply chains
• Tasmanian Government, Cyber Security Policy (PDF 354.6KB)
• Tasmanian Government, Information Management Framework
• Tasmanian Government, Common use contracts
• UK Government, Logging and protective monitoring

First publication: April 2023

Revision: February 2024

Next review date: December 2024

Change log:

• V1.0 April 2023
  • Policy issued
• V2.0 February 2024
  • Definition: ‘core requirement’ updated
  • Definition: ‘originator’ updated
  • Definition: ‘protected information’ removed and replaced with ‘security classified’
  • Definition: ‘Responsible Executive’ added
  • Definition: ‘supplementary requirement’ updated
  • Original supplementary requirement ‘k’ removed - (duplication of requirements)