1 / 26

Department of Police and Emergency Management Information Security

Department of Police and Emergency Management Information Security. Overview. DPEM Framework Governance and Information Security Information Security Classification in Recordkeeping systems. DPEM Framework. Information Security Policy Manual Acceptable Use Reference Guide. DPEM Framework.

beagle
Télécharger la présentation

Department of Police and Emergency Management Information Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Department of Police and Emergency Management Information Security

  2. Overview DPEM Framework Governance and Information Security Information Security Classification in Recordkeeping systems

  3. DPEM Framework Information Security Policy Manual Acceptable Use Reference Guide

  4. DPEM Framework Information Security Manual A suite of twenty-one policies Acceptable User reference Guide

  5. Implementation Plan Acceptable Use Reference Guide informs the implementation plan in DPEM Gap analysis matching policies to the Tasmanian Government Information Security Manual

  6. The governance policy identifies reponsibilities for

  7. Implementation Plan This will ensure compliance with the Tasmanian Government Information Security Manual and personnel have a basic understanding of responsibilities

  8. Information Security Governance The Information Security Governance policy and guidelines defines information security roles and responsibilities within the Department of Police and Emergency Management.

  9. Information Security Classification Identify Information assets Business Systems Owner and Custodian for each system Classify each system

  10. Types of information use din DPEM Ready Reference for Information Security Classification Information Used in the Department of Police and Emergency Management Public InformationInformation authorised for unlimited public access such as department websites. The integrity of public domain information must be ensured before its release.Examples:PublicationsAnnual ReportsCommunity Alerts Non-public Information Unclassified InformationInformation that is not in the public domain, but does not need to be classified.Examples:Procedure manuals, departmental memos to general staff, policy documents Security Classified Information Non-National National* HIGHLY PROTECTEDWitness/VIP Protection IDM TOP SECRET PROTECTED (& CABINET-IN-CONFIDENCE)Investigation/ prosecution files SECRET CONFIDENTIAL X-IN-CONFIDENCEPersonnel files, Tender evaluations, complaints and allegations PROTECTED *National Security Classified Information based on the Commonwealth Protective Security Policy Framework (PSPF). The Counter Terrorism Unit has been assigned responsibility for National security information handled and processed within DPEM.

  11. Impact Assessment Matrix

  12. Information Security Classification Policy and Guidelines Applies to all DPEM information, paper-based, electronic and includes information held in databases Observes the “need-to-know” principle Includes procedures for manual handling disclosure and circulation of information and guidelines for courier services Classification criteria and examples of information in each information security category

  13. Information Security Classification In practice the default classification will be UNCLASSIFIED UNCLASSIFIED documents / records will be labeled as such to indicate that they have been security classified Records classes identified in the disposal schedule provide a framework for setting security classification

  14. Information Security in Recordkeeping Systems Physical Records - Security Classification will be applied at file level and all documents will inherit this classification Electronic Records - Information security classification may be applied at file or document level

  15. Information Security in Recordkeeping Systems Default information security classification will also be applied for certain domains HR documents - staff in confidence Procurement – commercial –in-confidence Other areas may routinely produce information with a Law enforcement-in-confidence or Public Classification

  16. Responsibility for setting classification Records staff will apply appropriate information security classification when creating a file in TRIM, and all documents / records will inherit the information security classification from file End users will be required to select an information security classification when registering a document in record keeping systems other than TRIM

  17. Protective Marking System In TRIM – A TRIM word add-in has been trialled. This automatically populate templates with TRIM metadata and the security classification be automatically populated onto documents when they are assigned to a file in TRIM Security on documents is inherited from the file Hence the importance of completing the TRIM audit

  18. Other Systems Develop procedures for marking information/documents generated from or in other systems Include a reporting template with the protective marking system labels on all system development and enhancements in future Label documents from legacy systems manually eg with stamps for all Protected and Highly Protected information conduct a risk assessments

  19. Handling Standards for Manual TransmissionIn-Confidence – Protected - Highly Protected Develop detailed procedures/check lists for records staff for the management of mail and physical documents These procedures should also apply to files that are being sent to other agencies eg. the courts or the DPP Procedures for the physical receipt of Security Classified Information should also developed

  20. Receiving Security Classified Information Ensure the document or package was transmitted in accordance with the manual handling standards Report any signs of tampering Sign and Return receipt accompanying the documents/file to the originator or Receipt in the relevant system by changing the assignee or intended destination

  21. Acceptable Use Guidelines Prioritise policies for implementation Governance Policy Risk Management Information Security Classification Physical Security Incident Management What is the minimum level that will meet the mandatory requirements Document and mitigate risks

  22. So Far … DPEM Information security policies developed Established the DPEM Information Security Committee Information Security Review completed and risks documented Gap analysis completed Policies prioritised for implementation Business Systems Owner and Custodians Register (Asset Register) collated Audit of TRIM objects underway Trialed word add-in for the protective marking system Awareness raising presentations with staff underway

  23. Issues Generally information security is not embedded in work practices Classification level and access review required Nationally classified information Over-classification Audit trails for classified documents / files

  24. Angela Males Department of Police and Emergency Management Telephone: 6230 2218 email: angela.males@police.tas.gov.au

More Related