Computerworld

WA updates whole-of-government security policy

Office of the Government CIO pushes ISO 27001

The WA government has issued updated information security guidelines, with the public release of the new Digital Security Policy (PDF) occurring in the same week as the release of a less-than-flattering report from the WA Office of the Auditor General (OAG).

The initial version of the policy was released in May 2016.

The OAG released its annual information systems audit report, which revealed that many state government agencies are still failing to implement basic IT security measures. Problems include poor password management and out-of-date processes for recovering data and operations in the event of an incident.

It was the latest in a long string of damning assessments of WA government security from the OAG.

The Office of the Government Chief Information Officer (OGCIO) oversaw the development of the updated security guidelines, which were finalised earlier this month.

The guidelines set out key policies for agencies, including:

• The development of an information security management system (ISMS).

• Establishing governance that details decision rights, roles, and accountability for managing digital information security risks.

• Agencies must have a process that ensures assessment and appropriate treatment of digital security risks.

• Agencies must ensure that digital security arrangements include formal mechanisms for continuous improvement. Digital security arrangements must be routinely monitored, reviewed and tested.

“Implementation of the Policy will be a progressive and evolving process,” the document states.

“It is not expected that agencies will immediately assume a fully mature implementation. Rather, agencies should assess their current capability and maturity, and where shortfalls are identified, develop a roadmap for achieving the requisite level of capability.”

Agencies are also subject to a number of related government policies, such as Public Sector Commissioner-issued guidance on risk management and business continuity planning.

The OGCIO is strongly encouraging agencies to implement the ISO 27001: Information technology – Security Techniques – Information security management systems – Requirements standard as the basis of their ISMS.

“For eight years, the previous Liberal National government failed to address damning auditor general reports which demonstrated many government agencies had insufficient security governance and procedures,” innovation and ICT minister Dave Kelly said.

The WA government has so far avoided being hit by WannaCry and Petya, Kelly said.

“These ongoing attacks demonstrate the seriousness of the situation and the importance of ensuring WA government agencies are on the front foot in preventing successful attacks,” the minister said. “We are committed to building a capable public sector that manages risk and delivers benefits.”

The Victorian government recently signed off on a new cyber security strategy.