What is information security?
Information security is ‘the preservation of the confidentiality, integrity and availability of information'. [1]
- Confidentiality involves ensuring that information is accessible only to those authorised to have access.
- Integrity involves safeguarding the accuracy, completeness and authenticity of information and processing methods.
- Availability involves ensuring that authorised users have access to information and associated assets when required. [2]
What is the difference between information security and cyber security?
Information security applies to all forms of information (digital, paper-based or other) and includes the management of the software and/or communications technology systems and networks for storing, processing, communicating and disposal of information.
In essence, managing information security involves protecting your information assets by implementing controls including policies, procedures, organisational structures, infrastructure and software and hardware functions and regularly reviewing these. [3]
Cyber security on the other hand covers the controls organisations must put in place to protect information stored in networks and systems. It includes responding to evolving threats such as viruses/malware, hacktivism or phishing attempts.
Back to topWhy is information security or cyber security important?
Information is one of your organisation's most valuable assets: it needs to be protected. Security threats and breaches can affect your organisation’s ability to protect personal safety or privacy, to safeguard infrastructure or to comply with its legal and other obligations. Breaches of security can have significant impacts on business, including damage to its reputation and competitive edge.
Back to topWhat are the requirements for information security or cyber security?
Recordkeeping standards
The Standard on records management establishes requirements relating to vital (i.e. business critical), high risk and high value records and information (see minimum compliance requirements 2.2, 2.3 and 3.4).
Specifically, agencies must:
- identify vital records, information, data, and systems
- identify high risk and high value records, information, data, and systems
- identify level of protection needed based on sensitivity, confidentiality and value
- assign roles and responsibilities for the management of vital, high value and high risk records and information
- put in place controls according to their classification and relevant laws and regulations.
The Standard on the physical storage of State records also establishes requirements relating to all records in all formats, including security classified records or records which contain sensitive information (see minimum compliance requirements under Principle 6: Records are protected against theft, misuse, unauthorised access or modification.)
Information collated regarding the above requirements can be used to meet some of the reporting requirements of the NSW Government Cyber Security Policy.
Agencies that hold or access Commonwealth security classified information (e.g. protected, secret, top secret) need to put in place controls according to the Australian Government's Protective Security Policy Framework.
The NSW Government Cyber Security Policy
The NSW Government Cyber Security Policy applies to all NSW government departments and agencies. State owned corporations, local councils and universities can adopt this policy.
The policy establishes mandatory requirements such as:
- identification of an agency’s most valuable or operationally vital systems or information
- implementation of regular cyber security education for employees, contractors and outsourced service providers
- implementation and maturity assessment against the Australian Cyber Security Centre (ACSC) ‘Essential 8’ strategies to mitigate cyber security incidents
- reporting cyber security incidents to the Government Chief Information Security Officer
What is AS/NZS ISO/IEC 27002: 2006?
This standard establishes guidelines and general principles for initiating, implementing, maintaining and improving information security management in an organisation. It contains best practice guidance concerning a number of areas of information security management. [4]
Many organisations seek to or have achieved compliance with AS/NZS ISO/IEC 27002:2006 Information technology – Security techniques – Code of practice for information security management. Compliance to this standard is one of the mandatory requirements set by the NSW Government Cyber Security Policy.
Back to topWho is responsible for information security or cyber security?
Information security is not just an ‘IT problem'. Technical measures need to be designed to meet real business requirements and supported by appropriate training, business rules and assigned responsibilities.
Information security, by necessity, requires a number of stakeholders. The Australian Standard recommends that a governance framework should be established to initiate and control the implementation of information security. This includes establishing management accountabilities, assigning roles, establishing necessary external liaisons and monitoring industry trends. A multi-disciplinary risk based approach is encouraged.
Examples of accountabilities
Some of the positions with accountabilities for information security may include:
- Business managers who need to ensure security responsibilities are addressed at the recruitment stage and monitored during an individual’s employment, ensure staff are trained and updated in security policy and procedures and act on incidents affecting security
- Contract managers who need to deal with in-confidence material
- Corporate records manager who need to determine the application of security classifications/DLMs to records based on the business context of the record, establish security and access controls within records systems and monitor these systems
- Human resource management staff who need to manage personal information.
- ICT staff who need to establish security controls in systems and protect ICT equipment from threats.
- Risk management staff who need to identify and manage the organisation's risks
- Users of the information service who need to report observed or suspected weaknesses in security or threats to systems or services.
- Facilities staff who need to maintain the physical and environmental security of the building and particular secure areas. [5]
Your organisation’s information security policy should outline the roles and responsibilities of different personnel.
Back to topHow can records and information management professionals assist in achieving information and cyber security outcomes?
Records and information management team can assist by:
- contributing their knowledge on the high risk business areas of the organisation to the relevant team/staff (e.g. IT, information security, risk, governance, etc.)
- providing information on the organisation's vital or business critical, high risk and high value records and information to the relevant team/staff
- advising on issues relating to using cloud services for security classified records and information, or sensitive records that require additional controls
- establishing and managing disposal programs to ensure that records and information are destroyed according to relevant retention and disposal authorities.
See How records and information management techniques and skills can contribute to information security objectives for further advice.
Footnotes
[1] Standards Australia/Standards New Zealand, AS/NZS ISO/IEC 27002:2006, Information technology – Security techniques – Code of practice for information security management, second edition, 2.5 Terms and definitions.
[2] Wikipedia. ISO/IEC 27002, available at: https://en.wikipedia.org/wiki/ISO/IEC_27002
[3] AS/NZS ISO/IEC 27002:2006, Introduction, p.vii.
[4] AS/NZS ISO/IEC 27002:2006, 6.1 Internal organisation
[5] AS/NZS ISO/IEC 27002:2006, 6.1 Internal organisation; 7.1 Responsibility for assets
Published 2011 / Revised April 2014/July 2015/ February 2019
Back to top