Information security

Information security is the preservation of the confidentiality, integrity and availability of information.

Confidentiality involves ensuring that information is accessible only to those authorised to have access. Integrity involves safeguarding the accuracy, completeness and authenticity of information and processing methods. Availability involves ensuring that authorised users have access to information and associated assets when required.

Information is one of your organisation's most valuable assets: it needs to be protected. Security threats and breaches can affect your organisation’s ability to protect personal safety or privacy, to safeguard infrastructure or to comply with its legal and other obligations.

Breaches of security can have significant impacts on business, including damage to its reputation and competitive edge. The Mandatory Notification of Data Breach (MNDB) Scheme (MNDB Scheme) impacts the responsibilities of agencies under the Privacy and Personal Information Protection Act 1998 (PPIP Act). It requires agencies to notify the Privacy Commissioner and provide notifications to affected individuals in the event of an eligible data breach of their personal or health information by a NSW public sector agency or state-owned corporation subject to the PPIP Act.

Information security applies to all forms of information (digital, paper-based or other) and includes the management of the software and/or communications technology systems and networks used for storing, processing, communicating and disposal of information.

In essence, managing information security involves protecting your information assets by implementing controls including policies, procedures, organisational structures, infrastructure and software and hardware functions. It also involves regularly reviewing these.

Cyber security covers the controls organisations must put in place to protect information stored in networks, systems and cloud storage against unauthorised access and attacks. It includes responding to evolving threats such as viruses/malware, hacktivism or phishing attempts. See Cyber Security Awareness Resources | Digital NSW for more information on cybersecurity for NSW public offices.

The Standard on records management establishes requirements relating to vital (that is, business critical), high risk and high value records and information (see minimum compliance requirements 2.2, 2.3 and 3.4).

Specifically, agencies must:

• identify vital records, information, data, and systems
• identify high risk and high value records, information, data, and systems
• identify level of protection needed based on sensitivity, confidentiality and value
• assign roles and responsibilities for the management of vital, high value and high-risk records and information
• put in place controls according to their classification and relevant laws and regulations.

The Standard on the physical storage of State records also establishes requirements relating to all records in physical formats, including security classified records or records which contain sensitive information (see minimum compliance requirements under Principle 6: Records are protected against theft, misuse, unauthorised access or modification).

Information collated regarding the above requirements can be used to meet some of the reporting requirements of the NSW Government Cyber Security Policy.

Local government councils are encouraged to follow the Office of Local Government’s Cyber Security Guidelines for NSW Local Government.

Agencies that hold or access Commonwealth security classified information (for example, protected, secret, top secret) need to put in place controls according to the Australian Government's Protective Security Policy Framework.

The NSW Government Cyber Security Policy applies to all NSW Government departments and agencies. State-owned corporations, local councils and universities can adopt this policy. Local government councils are also encouraged to follow the Office of Local Government’s Cyber Security Guidelines for NSW Local Government.

The policy establishes mandatory requirements such as:

• identification of an agency’s most valuable or operationally vital systems or information
• implementation of regular cyber security education for employees, contractors and outsourced service providers
• implementation and maturity assessment against the Australian Cyber Security Centre (ACSC) ‘Essential 8’ strategies to mitigate cyber security incidents
• reporting cyber security incidents to the Government Chief Information Security Officer.

This standard establishes guidelines and general principles for initiating, implementing, maintaining and improving information security management in an organisation. It contains best practice guidance concerning a number of areas of information security management.

Many organisations seek to or have achieved compliance with AS ISO/IEC 27002: 2015, Information technology - Security techniques - Code of practice for information security controls. Compliance to this standard is one of the mandatory requirements set by the NSW Government Cyber Security Policy.

Information security is not just an ‘IT problem'. Technical measures need to be designed to meet real business requirements and supported by appropriate training, business rules and assigned responsibilities.

Information security, by necessity, requires a number of stakeholders. The Australian Standard ??? recommends that a governance framework should be established to initiate and control the implementation of information security. See the mandatory requirements 'govern and identify' of the NSW Cyber Security Policy for more information.

This includes establishing management accountabilities, assigning roles, establishing necessary external liaisons and monitoring industry trends. A multi-disciplinary risk-based approach is encouraged.

Examples of accountabilities

Some of the positions with accountabilities for information security may include:

• Business managers who need to ensure security responsibilities are addressed at the recruitment stage and monitored during an individual’s employment, ensure staff are trained and updated in security policy and procedures and act on incidents affecting security
• Contract managers who need to deal with in-confidence material
• Corporate records managers who need to determine the application of security classifications/DLMs to records based on the business context of the record, establish security and access controls within records systems and monitor these systems
• Human resource management staff who need to manage personal information.
• ICT staff who need to establish security controls in systems and protect ICT equipment from threats.
• Risk management staff who need to identify and manage the organisation's risks
• Users of the information service who need to report observed or suspected weaknesses in security or threats to systems or services.
• Facilities staff who need to maintain the physical and environmental security of the building and particular secure areas.

Your organisation’s information security policy should outline the roles and responsibilities of different personnel.

As a recordkeeping professional, you are required to work closely with staff to increase their awareness of risks and threats, and to help equip them with the tools necessary to responsibly conduct their work.

Ensuring that all staff, including contractors, are trained, updated and fully aware of their responsibilities will influence organisational culture and contribute to the implementation of good information security behaviours.

These behaviours can be applied or reinforced in collaboration with information security teams via:

• induction and education/training programs (including cyber security awareness training)
• business rules and procedures for the classification, handling and destruction of records, information and data
• official communications (including emails, newsletters or team meetings)
• awareness campaigns
• participation in whole-of-government/NSW Government initiatives and forums.

All training initiatives should be established in line with the organisation’s information security policy.

From targeted cyber-attacks to raging floods and fires, business continuity management is imperative to:

• counteract interruptions to business activities
• protect critical business processes from the effects of information system failures and outages
• protect or salvage records, information and data from incidental disclosure
• protect or salvage records, information and data from loss or damage.

It is crucial that you work closely with the organisation’s information security teams to:

• keep disaster management plans and procedures current, accessible and familiar to all staff
• assign responsibilities to staff in the event or aftermath of a disaster
• conduct periodic disaster response training
• integrate cyber security requirements with the organisation’s business continuity arrangements.

More information: Disaster management overview

Continuous monitoring of records, recordkeeping and records and information management may assist the organisation’s information security teams in proactively identifying and responding to security threats and vulnerabilities.

Monitoring may include:

• regular review of the organisation’s recordkeeping systems and security controls
• evaluating information from security incidents
• undertaking a compliance audit using internal or external auditors
• staying informed on developments in technology and the organisation’s digital landscape
• investigating changes or breaches to relevant legislation or regulations
• checking against security requirements for metadata.

More information: Monitoring recordkeeping performance guidelines