Dear National Disability Insurance Agency,

Please provide a copy of the NDIA Information Security Risk Management Policy and Procedure. This includes the supporting Information Security Risk Management Plan. That is, for clarity, the documents which scoped the NDIA’s information security risk management (ISRM) requirements and the subsequent policies and procedures that deliver, manage and ensure these actions and compliance are conducted.

Context:

The Queensland Government defines information management as “"the means by which an organisation plans, collects, organises, governs, secures, uses, controls, disseminates, exchanges, maintains and disposes of its information; as well as any means through which the organisation ensures that the value of that information is identified and exploited to its fullest extent.” Security is implied. “Security risk related to the operation and use of information systems is just one of many components of organizational risk that senior leaders/executives address as part of their ongoing risk management responsibilities“ [10]. Whereas “Information security risk management (ISRM) is the process of managing risks associated with the use of information technology. It involves, identifying, assessing and treating risks to the confidentiality, integrity and availability of an organisation’s assets. The end goal of this process is to treat risks in accordance with an organisation's overall risk tolerance” [8] through a four-step process of identifying assets, identifying vulnerabilities, identifying threats and identifying controls [9]. “An information security and risk management (ISRM) strategy provides an organization with a road map for information and information infrastructure protection with goals and objectives that ensure capabilities provided are aligned to business goals and the organization’s risk profile ‘“ [14]. It is therefore assumed that the NDIA has identified and documented these shared information security and risk management concerns through policy and procedure.

The Compliance Council of Australia (CCA) advises that “an information security management system (ISMS) is a combination of processes and policies that help you identify, management and protect valuable corporate data and information against various risks. Specifically, the ISM’s key objective is to ensure the confidential, integrity and availability of data and information is maintained” [1]. The CCA recommend ISO 27001 as ‘the internationally recognised standard that sets the requirement for ISMS’ [2]. Microsoft also cite ISO standards in complying with the Australian Government Information Security Registered Assessor Program (IRAP), which includes ‘information security risk management’ [4]. The ISO 27000 series is also prioritised and referenced as part of the Protective Security Policy Framework (PSPF) under Information Security Standards [5] for Australian Government entities, administered by the Attorney’s Generals Department. It seems clear information security risk management is a high priority for the Australian Government and providers. Furthermore, ISO 27k seems to be the professional and international standard [15], particularly in the healthcare and public health record sectors.

Australian States and Territories have seemingly placed greater importance on information security management systems and compliance. In 2013, the Western Australia Auditor General noted that “99% of the agencies review had serious gaps in their management of information security when assessed against better practice international standards. Many of the agencies are not adopting a strategic approach to identifying and assessing risks” [6], resulting in ‘unnecessary risk’ [7] to government and public information. Following on from similar observations, the Government of Victoria recently produced an Information Security Risk Management Practitioners Guide [11], which also emphasis the protection of Australian public information and data assets, including the use of the ISO 27000 suite of information security risk management standards [12], as part of a positive obligation for State entities and officers [24] . By comparison, the Queensland Government has long provided clear guidance and best practice for information risk management [16] of Whole of Government risk management of public information, data and records, declaring that “Information risk management should be incorporated into all decisions in day-to-day operations and if effectively used, can be a tool for managing information proactively rather than reactively”. The more contemporary version from the Queensland Government’s Information Security Policy (IS18:2018) expands upon these concepts considerably, including the adoption and endorsement of ISO 27000 as the framework of that state government’s Information Security Management System [19]. Which in turn links into the Attorney General’s Department and the Australian Governments Protective Security Policy Framework (PSPF) [21].

The Australian Prudential Regulation Authority (APRA) observed that “the pervasive nature of information security threats and vulnerabilities and the need for sound practices and a solid business understanding in order to maintain an information security capability commensurate with those threats and vulnerabilities. It also reflects that APRA regulated entities have developed distinct practices and disciplines to manage information security risk, information technology (IT) risk and operational risk. In APRA’s view, these are all necessary and complementary disciplines” [22]. Which stems from an extensive cross-industry consultation, following observations that “ effective information security is increasingly critical as information security attacks are increasing in frequency, sophistication and impact, with perpetrators continuously refining their efforts to compromise systems, networks and information worldwide. This was clearly evident from the results of APRA’s two cyber surveys, which indicated that incidents varied in nature, sophistication and impact” [23].

Chief Information Security Officers’ (CISO) appear very familiar with the requirements of Information Security and Risk Management (ISRM) [13]. Along with the Information Systems Audit and Control Association’s (ISACA) long-standing guidance on the development of information security and risk management strategies [14], including specific, measurable and auditable guidelines for ISRM.

In sum, the NDIA seems to collect, manage and ‘secure’ a significant amount of public information. Therefore, it seems reasonable that the NDIA has a well developed, mature and consistent approach to information security risk management, supported by accompanying policy and procedures, which make up the focus of this request.

Thank you for your assistance.

Yours faithfully,

Shirley

References:

1. Compliance Council of Australia (2012) What is an information security management system?, Available at: <https://www.compliancecouncil.com.au/sta...>. Accessed [8 Jul 21]
2. Ibid
3. Microsoft (2012) Australian Government Information Security Registered Assessor Program (IRAP), Available at: < https://docs.microsoft.com/en-us/complia...>. Access [8 Jul 21]
4. Ibid
5. Attorney General’s Department (2021) Relevant Australian and International Standards: Information Security Standards, Available at: < https://web.archive.org/web/202104011652...>. Accessed [8 Jul 21]
6. Western Australia Auditor General (2013) Information Systems Audit Report, 11, Western Australia Government, Available at: < https://audit.wa.gov.au/wp-content/uploa...>. Accessed [8 Jul 21]
7. Ibid
8. Rapid 7 (2021) Information Security Risk Management: Identify and achieve an acceptable level of risk, Available at: < https://www.rapid7.com/fundamentals/info...>. Accessed [8 Jul 21]
9. Ibid
10. NIST (2011) Information Security, National Institute of Standards and Technology, U.S Department of Commerce, Available at: < https://nvlpubs.nist.gov/nistpubs/Legacy...>, Accessed [8 Jul 21]
11. OVIC (2021) Practitioner Guide: Information Security Risk Management, Version 2.0, Office of the Victorian Information Commissioner, Government of Victoria, Available at: < https://ovic.vic.gov.au/wp-content/uploa...>. Accessed [8 Jul 21]
12. Ibid
13. CISO Portal (2021) Information Security Risk Management: What and How?, Available at: https://www.ciso-portal.com/information-...>. Accessed [8 Jul 21]
14. ISACA (2010) Developing an Information Security and Risk Management Strategy, Available at: , https://www.isaca.org/resources/isaca-jo...> .
15. Dashti, S., Giorgini, P. And Paja, E. (2017) Information Security Management, Conference Paper, IFIP Working Conference on the Practice of Enterprise Modeling, Available at: ,https://hal.inria.fr/hal-01765266/file/4...>. Accessed [8 Jul 21]
16. Queensland Government (2002) Queensland Government Information Architecture: Best Practice Guide, Information Risk Management, Available at < https://www.qgcio.qld.gov.au/__data/asse...>. Accessed [8 Jul 21]
17. Ibid. Page 5
18. Queensland Government (2019) Queensland Government Enterprise Architecture: Information Security Policy, Available at: < https://www.qgcio.qld.gov.au/documents/i...>. Accessed [8 Jul 21]
19. Ibid
20. Queensland Government (2021) Queensland Government Enterprise Architecture: How should I manage my information?, Available at: < https://www.qgcio.qld.gov.au/information...>. Accessed [8 Jul 21]
21. Queensland Government (2020) Queensland Government Enterprise Architecture: Information Security Classification Framework, Available at: ,https://www.qgcio.qld.gov.au/documents/i...>. Accessed [8 Jul 21]
22. APRA (2019) Prudential Practice Guide: CPG 234 Information Security, Australian Prudential Regulation Authority, Australian Government, Available at: <https://www.apra.gov.au/sites/default/fi...>. Accessed [8 Jul 21]
23. APRA (2018) Information Security Management: A new cross-industry prudential standard, Discussion Paper, Australian Prudential Regulation Authority, Australian Government, Available at: < https://www.apra.gov.au/sites/default/fi...> . Accessed [8 Jul 21]
24. OVIC (2021) Practitioner Guide: Information Security Risk Management, Version 2.0, Office of the Victorian Information Commissioner, Government of Victoria, Available at: <https://ovic.vic.gov.au/data-protection/...>. Accessed [8 Jul 21]