
The Tasmanian Government Information Security Policy

1. Purpose

The purpose of the Policy is to provide a consistent approach to managing information security risks across Government.

2. Scope

This Policy applies to Tasmanian Government agencies as custodians of information on behalf of the Crown.

3. Policy Principles

This Policy is based upon the following information security policy principles:

Availability: information is accessible and usable to authorised entities.

Integrity: the accuracy and completeness of information is protected.

Confidentiality: information is not made available or disclosed to unauthorised individuals, entities or processes.

Proportionality: measures to protect information are relative to the risk of loss or failure of availability, integrity and confidentiality.

4. Tasmanian Government Information Security Policy

Agencies MUST apply this Policy in accordance with the Policy Principles. The Policy is mandatory and is to be applied across the following seven areas:

1. Information Security Governance and Management

The Head of each agency MUST convene an Information Security Committee composed of senior management, or assign the role to an existing senior management committee.  This Committee is responsible for ensuring the Policy is applied.

2. Risk Management

Each agency MUST conduct regular information security risk assessments and implement appropriate risk management strategies that are proportionate to the level of identified risk.

3. Resource Management

Each agency MUST maintain and apply appropriate protective policies and procedures for resources including:

  • protecting records of business activities,
  • applying information security classifications where applicable,
  • controlling physical access to information assets, and
  • controlling the use of information and communications technology.

4. Identity and Access Management

Each agency MUST ensure authorised access and prevent unauthorised access to information assets.

Each agency MUST ensure that the identities of employees and others who wish to access agency services are assessed using the Tasmanian Government Identity and Access Management Toolkit in accordance with the National Identity Security Strategy that was endorsed by COAG in April 2007.

5. Personnel and Awareness

To minimise the risk of information misuse, each agency MUST ensure staff understand the information security roles and responsibilities assigned to them. Agencies MUST also ensure that these roles and responsibilities are appropriate for the level of duties performed by the staff member.

6. Incident Management

Each agency MUST have a structured approach to managing information security incidents and events that have potential to breach information security policy or compromise operations.

7. Business Continuity Management

Each agency MUST have a structured approach, based on an information security risk assessment, to managing business continuity to ensure the uninterrupted availability of all resources that support essential business activities.

5. Application of the Policy

The Tasmanian Government Information Security Policy Manual contains Procedures that provide detail on how the Policy is to be applied including mandatory and recommended requirements.

6. Responsibilities

Authorisation of the Policy:

Premier of Tasmania

Authorisation of the Procedures and Resources:

Tasmanian Government ICT Policy Board

Implementation of the Policy and Procedures:

Heads of each Tasmanian Government agency

Updating and maintaining the Manual:

Secretary of the Department of Premier and Cabinet
