Security fine without standard: NSW DET
The NSW Department of Education (DET) has defended its IT security arrangements despite being in breach of baseline government-mandated standards.
(Glasses image by Matheus Almeida, CC2.0)
The agency is one of the largest of many NSW government departments to have ignored decade-old directives from the Department of Premier and Cabinet to comply with the ISO 27001 information security standard.
The department would not discuss the reasons behind its non-compliance, despite having an internal IT security department that deals "with all aspects of IT security and compliance".
It said its "current IT security measures are effective and meet the needs of students, staff and other DET officers", adding that it "is working towards compliance with the standard when the current revision of its requirements is complete".
The 27002 sister standard, which underlies parts of 27001, is under review by the International Standards Organisation and is set for release later this year.
While government staff were reticent to comment, it is understood agencies are still required to be compliant to the standard.
NSW Premier and Cabinet Director General Brendan O'Reilly has previously said that addressing the widespread lax compliance to ISO 27001 will be a focus of the government.
Not a standard fit?
Some experts have criticised whether ISO 27001, which contains 133 security controls and policies, is appropriate for agencies.
Securus Global managing director Drazen Drazic said government agencies might be getting lost in the "process" of compliance, rather than the simple technology requirements.
"With ISO 27001, you pick and choose what you will comply with — and if it fits within the basic statement, then you're compliant," Drazic said. "But it doesn't mean you're compliant."
"Agencies tend to get caught up in the process, as opposed to the technical implementations of standard."
He said the industry-enforced Payment Card Industry Data Security Standard (PCI DSS) is more specific.
HackLabs director Chris Gatford agreed. He said a modified version of the PCI DSS may be a better security reference for agencies with only basic security arrangements.
"Focusing on essentials like PCI DSS is a good starting point for organisations that are essentially starting from scratch, because it covers a lot of the basics," Gatford said.
The idea is that agencies would apply the same processes that PCI DSS uses to protect credit card data to whichever data they need to keep secure, such as tax file numbers.
A decade of denial
In 2001, the NSW Government ordered that state agencies comply with Australian Standard 17799, which preceded ISO 27001. This directive issued by the office of then Premier Bob Carr required agencies to adopt a baseline level of technology, policy and frameworks in order to protect sensitive data.
Following the directive, information security managers across NSW government agencies formed a committee, led by then Government Chief Information Office (GCIO) standards guru Nigel Evans. It was designed to help agencies handle the compliance requirements, described by some as onerous.
The group met between 2002 and 2009, and served as an important forum for cash-strapped agencies to share expertise on how to implement the security standards, penned by the GCIO, and pitch the sometimes unpopular restrictions to staff and executive bureaucrats.
"The Information Security Management in Government forum met to discuss matters of interest in the sector. It was not a formal governance body and its discussions did not form government policy," the Department of Services, Technology and Administration said in a statement when asked about the forum.
The committee ended in 2009 after its key facilitator was promoted to a position outside of the information security industry.
Despite the committee's six years of operation and several scathing state audit reports, most NSW agencies remained non-compliant with ISO 27001, according to a recent audit report. The department did not answer queries on any planned replacement due to the pending election.
The NSW auditor had previously said that the government failed to monitor compliance or even set deadlines and consequences for non-compliance.
The auditor blamed an absence of central security oversight and enforcement for the non-compliance to the premier's directive.
Those agencies certified to the standard include the NSW Ombudsman, the Independent Commission Against Corruption, the Independent Pricing and Regulatory Tribunal, the Department of Commerce, the Roads and Traffic Authority, and Railcorp.