Security in the
Government SectorCross-Reference to AS/NZ ISO/IEC 17799:2001
The information in "Security in the Government Sector" is based on the Joint Australian New Zealand Standard AS/NZ ISO/IEC 17799:2001, Information Technology - Code of Practice for Information Security Management.
"Security in the Government Sector" provides information in a layout that suits security responsibilities and arrangements in the New Zealand public sector. For these reasons, its layout does not exactly match the layout in the Standard. This table provides a cross-reference to the Standard, for audit purposes.
| 1. Scope | ||
| 2. Terms and Definitions | ||
| 3. Security Policy | ||
|
3.1 Information security policy Objective: To give management direction and support for information security. Management should set a clear policy direction and demonstrate support for, and commitment to, information security, by issuing and maintaining an information-security policy across the organisation. |
||
|
AS/NZ ISO/IEC 1779:2001 Reference |
Security in the Government Sector Reference |
|
|
Chapter |
Paragraph |
|
|
3.1.1 Information-security policy document |
2 |
1 - 5 |
|
3.1.2 Review and evaluation |
2 |
6 - 8 |
| 4. Organisation Security | ||
|
4.1 Information-security infrastructure Objective: To manage information security within the organisation. A management framework should be set up to initiate and control how information security is applied within the organisation. Management forums, with management leadership, should be set up to approve the information-security policy, assign security roles and co-ordinate setting up security across the organisation. If needed, a source of specialist information security advice should be made available within the organisation. Contacts with external security specialists should be developed to keep up with industrial trends, monitor standards and assessment methods and provide suitable liaison points when dealing with security incidents. A multi-disciplinary approach to information security should be encouraged, so that managers, users, administrators, application designers, auditors, specialists in areas such as insurance and risk management and security staff collaborate and co-operate. |
||
|
AS/NZ ISO/IEC 1779:2001 Reference |
Security in the Government Sector Reference |
|
|
Chapter |
Paragraph |
|
|
4.1.1 Management information-security forum |
2 |
9 -10 |
|
4.1.2 Information-security co-ordination |
2 |
11 - 12 |
|
4.1.3 Allocation of information-security responsibilities |
2 |
13 - 17 |
|
4.1.4 Authorisation process for information-processing facilities |
8 |
1 - 11 |
|
4.1.5 Specialist information-security advice |
2 |
30 - 34 |
|
4.1.6 Co-operation between organisations |
1 |
7 - 8 |
|
4.1.7 Independent review of information security |
2 |
6 - 8 |
|
4.2 Security of third-party access Objective: To maintain the security of organisational information-processing facilities and information assets accessed by third parties. Access to the organisation's information-processing facilities by third parties should be controlled. Where there is a business need for such third-party access, a risk assessment should be done to decide how security is affected and what controls are needed. Controls should be agreed and defined in a contract with the third party. Third-party access may involve other participants. Contracts conferring third-party access should cover designation of other eligible participants and conditions for their access. This standard could be used as a basis for such contracts and when considering the outsourcing of information processing. |
||
|
AS/NZ ISO/IEC 1779:2001 Reference |
Security in the Government Sector Reference |
|
|
Chapter |
Paragraph |
|
|
4.2.1 Identification of risks from third-party access |
6 |
1 - 4 |
|
4.2.2 Security requirements in third-party contracts |
6 |
25 - 27 |
|
4.3 Outsourcing Objective: To maintain the security of information when the responsibility for information processing has been outsourced to another organisation. Outsourcing arrangements should address the risks, security controls and procedures for information systems, networks and/or desktop environments in the contract between the parties |
||
|
AS/NZ ISO/IEC 1779:2001 Reference |
Security in the Government Sector Reference |
|
|
Chapter |
Paragraph |
|
|
4.3.1 Security requirements in outsourcing contracts |
6 |
22 - 24 |
| 5. Asset classification and control | ||
|
5.1 Accountability for assets Objective: To maintain appropriate protection of organisational assets. All major information assets should be accounted for and have a named owner. Accountability for assets helps to ensure that appropriate protection is maintained. All major assets should have assigned owners and people responsible for maintaining appropriate controls. Responsibility for setting up controls may be delegated. Accountability should remain with the owner of the asset. |
||
|
AS/NZ ISO/IEC 1779:2001 Reference |
Security in the Government Sector Reference |
|
|
Chapter |
Paragraph |
|
|
5.1.1 Inventory of assets |
3 |
2 |
|
5.2 Information classification Objective: To ensure that information assets receive the right protection. Information should be classified to indicate the need, priorities and degree of protection. Information has varying degrees of sensitivity and criticality. Some items may need extra protection or special handling. An information-classification system should be used to define the right protection levels, and communicate the need for special handling measures. |
||
|
AS/NZ ISO/IEC 1779:2001 Reference |
Security in the Government Sector Reference |
|
|
Chapter |
Paragraph |
|
|
5.2.1 Classification guidelines |
3 |
4-33 |
|
5.2.2 Information labelling and handling |
3 |
Annexes A-F |
|
4 |
14 - 15, 20 - 27, 39 - 41, 47, 51 - 72 |
|
|
8 |
31 |
|
| 6. Personnel security | ||
|
6.1 Security in job definition and resourcing Objective: To reduce the risks of human error, theft, fraud or misuse of facilities. Security responsibilities should be addressed at the recruitment stage, included in contracts and monitored during employment. Potential recruits should be adequately screened (see 6.1.2), especially for sensitive jobs. All employees and third-party users of information-processing facilities should sign a confidentiality (non-disclosure) agreement. |
||
|
AS/NZ ISO/IEC 1779:2001 Reference |
Security in the Government Sector Reference |
|
|
Chapter |
Paragraph |
|
|
6.1.1 Including security in job responsibilities |
5 |
2 |
|
6.1.2 Personnel screening and policy |
5 |
8 - 10 |
|
6.1.3 Confidentiality agreements |
5 |
6 - 7 |
|
6.1.4 Terms and conditions of employment |
5 |
4 |
|
6.2 User training Objective: To ensure that users know about information security threats and concerns, and that they can support organisational security policy as part of their work. Users should be trained in security procedures and correctly using information-processing facilities to minimise security risks. |
||
|
AS/NZ ISO/IEC 1779:2001 Reference |
Security in the Government Sector Reference |
|
|
Chapter |
Paragraph |
|
|
6.2.1 Information security education and training |
2 |
24-29 |
|
6.3 Responding to security incidents and malfunctions Objective: To minimise the damage from security incidents and malfunctions, and to monitor and learn from such incidents. Incidents affecting security should be reported through appropriate management channels as quickly as possible. All employees and contractors should know the procedures for reporting the different types of incident (security breach, threat, weakness or malfunction) that might affect the security of organisational assets. They should be required to report any observed or suspected incidents as quickly as possible to the designated contact. The organisation should establish a formal disciplinary process for dealing with employees who commit serious breaches. To address incidents properly, evidence may need to be collected as soon as possible after the event (see 12.1.7). |
||
|
AS/NZ ISO/IEC 1779:2001 Reference |
Security in the Government Sector Reference |
|
|
Chapter |
Paragraph |
|
|
6.3.1 Reporting security incidents |
2 |
45 - 49 |
|
6.3.2 Reporting security weaknesses |
2 |
50 - 51 |
|
6.3.3 Reporting software malfunctions |
||
|
6.3.4 Learning from incidents |
2 |
52 |
|
6.3.5 Disciplinary process |
2 |
53 |
| 7. Physical and environmental security | ||
|
7.1 Secure areas Objective: To prevent unauthorised access, damage or interference to business premises and information. Critical or sensitive business information-processing facilities should be housed in secure areas, protected by a defined security perimeter, with appropriate security barriers and entry controls. They should be physically protected from unauthorised access, damage and interference. The protection should match the identified risks. A clear-desk and clear-screen policy is recommended to reduce the risk of unauthorised access or damage to papers, media or information-processing facilities. |
||
|
AS/NZ ISO/IEC 1779:2001 Reference |
Security in the Government Sector Reference |
|
|
Chapter |
Paragraph |
|
|
7.1.1 Physical security perimeter |
7 |
10 - 15 |
|
7.1.2 Physical entry controls |
7 |
32 - 33 |
|
7.1.3 Securing offices, rooms and facilities |
7 |
51 - 52 |
|
7.1.4 Working in secure areas |
4 |
16 - 19 |
|
7.1.5 Isolated delivery and loading areas |
7 |
7 - 19, 32 - 33 |
| e | ||
|
7.2 Equipment security Objective: To prevent loss, damage or compromise of assets, or interruption to business activities. Equipment should be physically protected from security threats and environmental hazards. Protection of equipment, including that used off-site, is needed to reduce the risk of unauthorised access to data and to protect against loss or damage. This should also apply to where equipment is and how it is disposed. Special controls may be needed to protect against hazards or unauthorised access, and to safeguard supporting facilities, such as the electrical supply and cabling infrastructure. |
||
|
AS/NZ ISO/IEC 1779:2001 Reference |
Security in the Government Sector Reference |
|
|
Chapter |
Paragraph |
|
|
7.2.1 Equipment siting and protection |
7 |
2 - 5 |
|
7.2.2 Power supplies |
||
|
7.2.3 Cabling security |
||
|
7.2.4 Equipment maintenance |
6 |
5 |
|
7.2.5 Security of equipment off-premises |
6 |
12 - 17 |
|
7.2.6 Secure disposal or re-use of equipment |
8 |
37 - 46 |
|
7.3 General controls Objective: To prevent compromise or theft of information or information-processing facilities. Information and information-processing facilities should be protected from disclosure to, change to or theft by unauthorised persons; and controls should be set to minimise loss or damage. Handling and storage procedures are considered in 8.6.3. |
||
|
AS/NZ ISO/IEC 1779:2001 Reference |
Security in the Government Sector Reference |
|
|
Chapter |
Paragraph |
|
|
7.3.1 Clear-desk and clear-screen policy |
4 |
39 - 41 |
|
7.3.2 Removal of property |
4 |
47 |
| 8. Communications and operations management | ||
|
8.1 Operational procedures and responsibilities Objective: To ensure the correct and secure operation of information-processing facilities. Responsibilities and procedures for managing and operating all information-processing facilities should be set. This includes developing appropriate operating instructions and incident-response procedures. Duties should be segregated (see 8.1.4), where appropriate, to reduce the risk of negligent or deliberate system misuse. |
||
|
AS/NZ ISO/IEC 1779:2001 Reference |
Security in the Government Sector Reference |
|
|
Chapter |
Paragraph |
|
|
8.1.1 Documented operating procedures |
8 |
12 |
|
8.1.2 Operational-change control |
8 |
8 |
|
8.1.3 Incident-management procedures |
8 |
12-20 |
|
8.1.4 Segregation of duties |
8 |
24 |
|
8.1.5 Separation of development and operational facilities |
8 |
52 |
|
8.1.6 External facilities management |
6 |
22 - 24 |
|
8.2 System planning and acceptance Objective: To minimise the risk of systems failures. Advanced planning and preparation are needed to ensure adequate capacity and resources. Projections of future capacity should be done, to reduce the risk of system overload. The operational requirements of new systems should be set up, documented and tested prior to being accepted or used. |
||
|
AS/NZ ISO/IEC 1779:2001 Reference |
Security in the Government Sector Reference |
|
|
Chapter |
Paragraph |
|
|
8.2.1 Capacity planning |
||
|
8.2.2 System acceptance |
8 |
5 |
|
8.3 Protection against malicious software Objective: To protect the integrity of software and information. Precautions are needed to prevent and detect the introduction of malicious software. Software and information-processing facilities are vulnerable to the introduction of malicious software, such as computer viruses, network worms, Trojan horses (see also 10.5.4) and logic bombs. Users should know about the dangers of unauthorised or malicious software; and managers should, where appropriate, use special controls to detect or prevent its introduction. In particular, precautions must be taken to detect and prevent computer viruses on personal computers. |
||
|
AS/NZ ISO/IEC 1779:2001 Reference |
Security in the Government Sector Reference |
|
|
Chapter |
Paragraph |
|
|
8.3.1 Controls against malicious software |
8 |
21-22 |
|
8.4 Housekeeping Objective: To maintain the integrity and availability of information-processing and communication services. Routine procedures should be set up to carry out the agreed back-up strategy (see 11.1), taking back-up copies of data, rehearsing their timely restoration, logging events and faults and monitoring the equipment environment where appropriate. |
||
|
AS/NZ ISO/IEC 1779:2001 Reference |
Security in the Government Sector Reference |
|
|
Chapter |
Paragraph |
|
|
8.4.1 Information back-up |
8 |
36 |
|
8.4.2 Operator logs |
||
|
8.4.3 Fault logging |
||
|
8.5 Network management Objective: To safeguard information in networks and protect the supporting infrastructure. Attention must be given to managing the security of networks that may span organisational boundaries. Additional controls may also be needed to protect sensitive data passing over public networks. |
||
|
AS/NZ ISO/IEC 1779:2001 Reference |
Security in the Government Sector Reference |
|
|
Chapter |
Paragraph |
|
|
8.5.1 Network controls |
8 |
23-25 |
|
8.6 Media handling and security Objective: To prevent damage to assets and interruptions to business activities. Media should be controlled and physically protected. Appropriate operating procedures should be set up to protect documents, computer media (tapes, disks, cassettes), input/output data and system documentation from damage, theft or unauthorised access. |
||
|
AS/NZ ISO/IEC 1779:2001 Reference |
Security in the Government Sector Reference |
|
|
Chapter |
Paragraph |
|
|
8.6.1 Management of removable computer media |
8 |
26-30 |
|
8.6.2 Disposal of media |
8 |
38-42 |
|
8.6.3 Information-handling procedures |
4 8 |
36-103 51 - 103 |
|
8.6.4 Security of system documentation |
8 |
47 |
|
8.7 Exchanges of information and software Objective: To prevent loss, modification or misuse of information exchanged between organisations. Exchanges of information and software between organisations should be controlled and compliant with any relevant legislation (see Clause 12). Exchanges should be carried out on the basis of agreements. Procedures and standards to protect information and media in transit should be set up. The business and security implications of electronic-data interchange, electronic commerce and electronic mail and the requirements for controls should be considered. |
||
|
AS/NZ ISO/IEC 1779:2001 Reference |
Security in the Government Sector Reference |
|
|
Chapter |
Paragraph |
|
|
8.7.1 Information and software exchange agreements |
8 |
55 |
|
8.7.2 Security of media in transit |
8 |
32-35 |
|
8.7.3 Electronic commerce security |
||
|
8.7.4 Security of electronic mail |
3 |
Annexes A-F |
|
8 |
55-63 |
|
|
8.7.5 Security of electronic office systems |
4 |
73 - 77 |
|
8 |
87 - 89 |
|
|
8.7.6 Publicly available systems |
8 |
58-63 |
|
8.7.7 Other forms of information exchange |
4 8 |
32, 53 - 62, 75-77, 87, 55-56 |
|
9.1 Business requirement for access control Objective: To control access to information. Controls on access to information and business processes should be based on business and security needs. These controls should meet information-dissemination and authorisation policies. |
||
|
AS/NZ ISO/IEC 1779:2001 Reference |
Security in the Government Sector Reference |
|
|
Chapter |
Paragraph |
|
| 9. Access control | ||
|
9.1.1 Access-control policy |
7 |
32-50 |
|
9 |
1-13 |
|
|
9.2 User access management Objective: To prevent unauthorised access to information systems. Formal procedures should control the allocation of access rights to information systems and services. These procedures should cover all stages in the lifecycle of user access, from registering new users to de-registering users who no longer need access. Special attention should be given, where appropriate, to privileged access rights which allow users to override system controls. |
||
|
AS/NZ ISO/IEC 1779:2001 Reference |
Security in the Government Sector Reference |
|
|
Chapter |
Paragraph |
|
|
9.2.1 User registration |
9 |
16 - 18 |
|
9.2.2 Privilege management |
9 |
1 - 10 |
|
9.2.3 User password management |
9 |
25-31 |
|
9.2.4 Review of user-access rights |
9 |
14 |
|
9.3 User responsibilities Objective: To prevent unauthorised user access. The co-operation of authorised users is essential for effective security. Users should know their responsibilities for maintaining effective access controls, particularly regarding passwords and the security of user equipment. |
||
|
AS/NZ ISO/IEC 1779:2001 Reference |
Security in the Government Sector Reference |
|
|
Chapter |
Paragraph |
|
|
9.3.1 Password use |
9 |
15, 25-27 |
|
9.3.2 Unattended user equipment |
9 |
33 |
|
9.4 Network access control Objective: Protecting network access. Access to both internal and external networked services should be controlled. Controls are needed so that users who have access to networks and network services do not compromise the security of these network services; this includes: appropriate interfaces between the organisation's network and public networks or those owned by other organisations appropriate authentication mechanisms for users and equipment control of user access to information services. |
||
|
AS/NZ ISO/IEC 1779:2001 Reference |
Security in the Government Sector Reference |
|
|
Chapter |
Paragraph |
|
|
9.4.1 Policy on use of network services |
8 |
23-25 |
|
9.4.2 Enforced path |
||
|
9.4.3 User authentication for external connections |
9 |
56 |
|
9.4.4 Node authentication |
9 |
56 |
|
9.4.5 Remote diagnostic port protection |
8 |
80 |
|
9.4.6 Segregation in networks |
9 |
49 |
|
9.4.7 Network connection control |
||
|
9.4.8 Network routing control |
||
|
9.4.9 Security of network services |
||
|
9.5 Operating-system access control Objective: To prevent unauthorised computer access. Security facilities at the operating-system level should restrict access to computer resources. These facilities should: identify each authorised user, and if necessary their terminal or location record both successful and failed system accesses authenticate users, with quality passwords if using a password-management system (see 9.3.1 d) where appropriate, restrict connection times. Other access-control methods, such as challenge-response, may be justified by business risk. |
||
|
AS/NZ ISO/IEC 1779:2001 Reference |
Security in the Government Sector Reference |
|
|
Chapter |
Paragraph |
|
|
9.5.1 Automatic terminal identification |
||
|
9.5.2 Terminal log-on procedures |
9 |
7 - 11 |
|
9.5.3 User identification and authentication |
9 |
15 |
|
9.5.4 Password-management system |
9 |
25-31 |
|
9.5.5 Use of system utilities |
8 |
17 |
|
9.5.6 Duress alarm to safeguard users |
||
|
9.5.7 Terminal time out |
9 |
22 |
|
9.5.8 Limitation of connection time |
9 |
23 |
|
9.6 Application access control Objective: To prevent unauthorised access to information in information systems. Security facilities should restrict access to application systems. Logical access to software and information should be limited to authorised users. Application systems should: control user access to information and application system functions, per a defined, business, access-control policy prevent unauthorised access to any utility or operating-system software that can override system or application controls not compromise the security of other systems with which information resources are shared allow access to only the owner of information, or to other authorised users or groups. |
||
|
AS/NZ ISO/IEC 1779:2001 Reference |
Security in the Government Sector Reference |
|
|
Chapter |
Paragraph |
|
|
9.6.1 Information-access restriction |
9 |
48 |
|
9.6.2 Sensitive system isolation |
9 |
49 |
|
9.7 Monitoring system access and use Objective: To detect unauthorised access. Systems should be monitored to detect deviation from access-control policy, and to record monitorable events, for use as evidence in case of security incidents. System monitoring verifies whether controls work and conform to an access-policy model (see 9.1). |
||
|
AS/NZ ISO/IEC 1779:2001 Reference |
Security in the Government Sector Reference |
|
|
Chapter |
Paragraph |
|
|
9.7.1 Event logging |
8 |
17 |
|
9.7.2 Monitoring system use |
8 |
12 |
|
9.7.3 Clock synchronisation |
8 |
13 |
|
9.8 Mobile computing and teleworking Objective: To ensure information security when using mobile-computing and teleworking facilities. Protection should match the risks from these specific ways of working. With mobile computing, the risks of working in an unprotected environment should be considered and appropriate protection applied. With teleworking, the organisation should apply protection to the teleworking site and ensure that suitable arrangements are in place for this way of working. |
||
|
AS/NZ ISO/IEC 1779:2001 Reference |
Security in the Government Sector Reference |
|
|
Chapter |
Paragraph |
|
|
9.8.1 Mobile computing |
9 |
53-60 |
|
9.8.2 Teleworking |
4 |
49 |
|
9 |
53-60 |
|
| 10. System development and maintenance | ||
|
10.1 Security requirements of systems Objective: To ensure that security is built into information systems. Requirements apply to infrastructure, business applications and user-developed applications. The design and implementation of the business process supporting the application or service can be crucial for security. Security requirements should be identified and agreed before developing information systems. All security requirements, including the need for fallback arrangements, should be identified at the requirements phase of the project and justified, agreed and documented as part of the overall business case for an information system. |
||
|
AS/NZ ISO/IEC 1779:2001 Reference |
Security in the Government Sector Reference |
|
|
Chapter |
Paragraph |
|
|
10.1.1 Security requirements analysis and specification |
9 |
1-4 |
|
10.2 Security in application systems Objective: To prevent loss, modification or misuse of user data in application systems. Appropriate controls and audit trails or activity logs should be designed into application systems, including user-written applications. These should include the validation of input data, internal processing and output data. |
||
|
AS/NZ ISO/IEC 1779:2001 Reference |
Security in the Government Sector Reference |
|
|
Chapter |
Paragraph |
|
|
10.2.1 Input-data validation |
8 |
48 - 49 |
|
10.2.2 Control of internal processing |
8 |
49 |
|
10.2.3 Message authentication |
||
|
10.2.4 Output-data validation |
||
|
10.3 Cryptographic controls Objective: To protect the confidentiality, authenticity or integrity of information. Cryptographic systems and techniques should protect information that is considered at risk and not adequately protected by other controls. |
||
|
AS/NZ ISO/IEC 1779:2001 Reference |
Security in the Government Sector Reference |
|
|
Chapter |
Paragraph |
|
|
10.3.1 Policy on the use of cryptographic controls |
8 |
98-107 |
|
10.3.2 Encryption |
8 |
98-107 |
|
10.3.3 Digital signatures |
9 |
28-30 |
|
10.3.4 Non-repudiation services |
8 |
100 |
|
10.3.5 Key management |
8 |
106 |
|
10.4 Security of system files Objective: To ensure that IT projects and support services are conducted in a secure manner. Access to system files should be controlled. Maintaining system integrity should be the responsibility of the user, function or development group that owns the application system or software. |
||
|
AS/NZ ISO/IEC 1779:2001 Reference |
Security in the Government Sector Reference |
|
|
Chapter |
Paragraph |
|
|
10.4.1 Control of operational software |
8 |
10 |
|
10.4.2 Protection of system test data |
8 |
52 - 54 |
|
10.4.3 Access control to programme source library |
8 |
53 |
|
10.5 Security in development and support process Objective: To maintain the security of application system software and information. Project and support environments should be strictly controlled. Managers responsible for application systems should also be responsible for the security of the project or support environment. They should ensure that all proposed system changes are reviewed against compromise of the security of either the system or the operating environment. |
||
|
AS/NZ ISO/IEC 1779:2001 Reference |
Security in the Government Sector Reference |
|
|
Chapter |
Paragraph |
|
|
10.5.1 Change-control procedures |
8 |
8 - 11 |
|
10.5.2 Technical review of operating-system changes |
8 |
10 |
|
10.5.3 Restrictions on changes to software packages |
8 |
50-51 |
|
10.5.4 Covert channels and Trojan code |
8 |
21 |
|
10.5.5 Outsourced software development |
6 |
22-24 |
[ Previous | Next ]
