ict support plan - ict and digital government · government ict ict support plan ... operation 30....

ICT SUPPORT PLAN

NOTE: This is a copy of the ICT Support Plan which has been made publicly available for reference and informational purposes only. If you require access to the official document please contact the document authors:

Security and Risk Assurance Office for Digital Government Department of the Premier and Cabinet Government of South Australia Telephone: (08) 8463 4003 Email: [email protected]

Version 4.2 – July 2015 – Public Version

mailto:[email protected]

ICT Support Plan

ICT Support Plan

Authority

Chief Executive, Department of the Premier and Cabinet & Chief Information Officer, Government of South Australia

Issuing Agency

Office for Digital Government, Department of the Premier and Cabinet

Recent Revision History Version Revision Description Date

Version 3.0 Revision – Annual Update 3/12/2009

Version 4.0 Major Revision 27/03/2012

Version 4.1 Minor Revision – Definition updates and new classification scheme

18/06/2013

Version 4.2 Minor Revision – Definition updates and yearly review 10/07/2015

Distribution List:

State Emergency Management Committee members.

State Emergency Management Sub-committee members.

Relevant government personnel and government suppliers.

Classifications:

Confidentiality Public Public

Integrity [I2] Integrity 2

Availability [A1] Availability 1

State Records Act Requirements: Permanent Retention.

Approval: Name Title Signature Date Mr Kym Winter-Dewhirst Chief Executive, Department of the

Premier and Cabinet See Authority Page

Mr Rick Seaman A/Director, Digital Government See Authority Page


ICT Support Plan

AUTHORITY

ICT SUPPORT PLAN

This plan has been prepared pursuant to the provisions of the Emergency Management Act 2004 and the State Emergency Management Plan (version 2.13 – December 2014). The document replaces all previous versions of the ICT Support Plan. All staff in the Department of the Premier and Cabinet, other government agencies, and suppliers to government must comply with the instructions contained in this plan where required. <original signed> <original signed> Mr Kym Winter-Dewhirst Chief Executive Department of the Premier and Cabinet Government of South Australia 10 / 7 / 2015

Mr Rick Seaman A/Director, Digital Government Office for Digital Government Department of the Premier and Cabinet Government of South Australia 10 / 2 / 2015

DISTRIBUTION: Electronic AMENDMENTS: Office for Digital Government, Department of the Premier and Cabinet


ICT Support Plan

CONTENTS

AUTHORITY ................................................................................................... 3

PREFACE ....................................................................................................... 5

REVIEW OF THE ICT SUPPORT PLAN ........................................................ 5

LEGAL AND ADMINISTRATIVE FRAMEWORK ........................................... 6

CONTROL AGENCY RESPONSIBILITIES .................................................... 6

CAPABILITIES REQUIRED OF THE CONTROL AGENCY .......................... 7

CAPABILITIES REQUIRED OF OTHER STAKEHOLDERS ......................... 7

RESPONSE TO AN ICT FAILURE ................................................................. 8

REPORTING ................................................................................................. 8 ACTION ......................................................................................................... 9 BUILD-UP ...................................................................................................... 9 OPERATION .................................................................................................. 9 RUNDOWN .................................................................................................. 10 DEBRIEF ..................................................................................................... 10

ANNEX A – RELATIONSHIP OF ICT SUPPORT PLAN TO OTHER DOCUMENTS .....................................................................................11

ANNEX B – GLOSSARY ...............................................................................12


ICT Support Plan

PREFACE 1. The ICT Support Plan outlines the means by which the Department of

the Premier and Cabinet, as the Control Agency for ICT Failure, will fulfil its role under the State Emergency Management Plan (SEMP). The Office for Digital Government (ODG) fulfils the role of Control Agency for ICT Failure on behalf of the Department of the Premier and Cabinet (DPC).

2. The goal of activating the arrangements detailed in this plan is to coordinate agencies, suppliers and other stakeholders in returning ICT operations to a normal state after a failure of government ICT services.

3. The scope of this plan is limited to South Australian Government ICT systems only.

4. The SA Government Chief Information Officer (CIO), or delegate, determines when a coordinated response to an ICT Failure or threat of ICT Failure is required.

5. The ICT Support Plan relies on strong cooperative, coordinated and consultative relationships among Federal, State and Local Government agencies in addition to government suppliers.

6. This plan does not assume a particular incident or event, and is based on the “All Hazards” principles as endorsed by the Emergency Management Council and Emergency Management Australia.

7. The ICT Support Plan is written pursuant to the requirements of the Emergency Management Act 2004 (the Act) and the SEMP. The ICT Support Plan should be read in conjunction with the SEMP.

8. The ODG has arrangements in place that assist in the management and coordination of ICT incidents that do not meet the criteria of ICT Failure. These arrangements are detailed in the ICT Incident Management Framework and other related documents (refer Annex A for document hierarchy).

REVIEW OF THE ICT SUPPORT PLAN 9. The ICT Support Plan will be updated and approved on an annual

basis or as required.

10. The Security and Risk Assurance directorate within the ODG is responsible for the preparation, maintenance and on-going review of the ICT Support Plan. Enquiries can be directed to:

Security and Risk Assurance Office for Digital Government Department of the Premier and Cabinet Government of South Australia Telephone: (08) 8463 4003 Email: [email protected]


mailto:[email protected]

ICT Support Plan

LEGAL AND ADMINISTRATIVE FRAMEWORK 11. The Act governs emergency management arrangements in South

Australia. Section 20 of the Act establishes Control Agencies and states that the Control Agency assumes overall direction of emergency management activities in an emergency situation. Authority for control carries with it the responsibility for tasking and coordinating other organisations in accordance with the needs of the situation. The SEMP outlines the key responsibilities of a Control Agency.

12. The SEMP, formed under Section 9 (1) (b) of the Act, identifies the DPC as the Control Agency for ICT Failure. The ODG fulfils the role of Control Agency for ICT Failure on behalf of DPC.

13. Where possible, the ICT Support Plan aligns with the Australian Government cyber crisis management arrangements.

14. The ICT Incident Management Framework and related documents detail the operational response the ODG, as Control Agency; will take in response to an ICT Failure.

15. The relationship of the ICT Support Plan with other documents is outlined in Annex A.

CONTROL AGENCY RESPONSIBILITIES 16. A description of the responsibilities of the Control Agency is listed in

Paragraph 98 of the SEMP. In resolving an emergency, the Control Agency is responsible for, so far as is reasonably practicable, taking control of the response to the emergency, whilst ensuring safe systems of work. The Control Agency is to continually assess the situation, ensuring effective communication and cooperation with all involved and develop, monitor and implement plans and strategies that meet the requirements of all agencies responding to the emergency. The Control Agency is responsible for allocation of available resources, informing and warning the community, facilitating the investigation and reviewing the response, and ensuring there is a transition from response to recovery.


ICT Support Plan

CAPABILITIES REQUIRED OF THE CONTROL AGENCY 17. The following capabilities have been identified in the SEMP, Hazard

Plans, Functional Service Plans and other Support Plans as being required of the ODG. The table below provides an overview of how these capabilities are provided:

CAPABILITY PLANS/PROCESSES TO ACHIEVE Command and Control ICT Support Plan

ICT Incident Management Framework Incident Management Operations Manual

Secures resilience of government ICT

ICT Support Plan Operates Watch Desk Operates ICT State Control Centre ICT Incident Management Framework Incident Management Operations Manual Information Security Management Framework (and supporting Standards and Guidelines) Securing Resilience Assurance Plan StateNet Conditions of Connection

Public Information Public Information Functional Service Plan ICT Incident Management Framework Incident Management Operations Manual Engineering Functional Services Plan SEC Operations Manual

CAPABILITIES REQUIRED OF OTHER STAKEHOLDERS 18. The following capabilities have been identified by the ODG as being

required by government agencies and suppliers:

CAPABILITY DETAILS Incident Management & Reporting

SA Government agencies and suppliers must report Cyber Security Events and Incidents as per ISMF Standard 140. Agencies and suppliers must familiarise themselves with the ICT Support Plan and supporting documents including any requirements contained within.

Cyber Emergency Liaison Officer

SA Government agencies and suppliers must have an established emergency contact point (e.g. Cyber Emergency Liaison Officer) that will assist the ICT State Control Centre as required.

State Government Critical ICT Infrastructure

All SA Government agencies must identify any State Government Critical ICT Infrastructure1 within their agency and provide this information to the ODG for inclusion on the State Government Critical ICT Infrastructure Register. This information is used to help prioritise the provision of resources to those areas deemed most critical during an emergency situation.

1 See ‘ISMF Guideline 3 – Critical ICT’ – http://www.sa.gov.au/policy/ismf Version 4.2 – July 2015 – Public Version

http://www.sa.gov.au/policy/ismf

ICT Support Plan

RESPONSE TO AN ICT FAILURE 19. The ODG coordinates the response to an ICT Failure or threat of ICT

Failure on behalf of the Government of South Australia. The ICT Support Plan is prepared to address all hazards that may lead to an ICT Failure.

20. Incidents affecting the security and availability of South Australian Government ICT systems will occur on a regular basis and may take many forms. This Plan focuses specifically on the highest severity or largest impact incidents (i.e. an ICT Failure or threat of ICT Failure).

21. An ICT Failure may be multiple incidents occurring concurrently or a single incident. These incidents are likely to involve intensive media coverage, place large demands on local resources, and impact the availability of critical services. Decision making with whole of government considerations will be required.

REPORTING

22. The ODG is constantly scanning the environment for potential threats and undertaking a number of assurance activities. The ODG maintains an across government Watch Desk which assists in ensuring there is a constant awareness of any issues that have the potential to adversely impact or disrupt the delivery of ICT services. These activities help ensure maximum warning can be obtained regarding any potential incidents.

23. Upon any agency or supplier becoming aware of an incident they must report it to the ODG as per the Across Government Incident Reporting Scheme. ISMF Standard 140 and the accompanying guideline outline this process in more detail.

24. A report that can trigger activation of the ICT Support Plan may come from a number of sources. These include, but are not limited to:

• Across Government Incident Reporting Scheme • AusCERT • CERT Australia • Cyber Security Operations Centre • Cyber Emergency Liaison Officers • Watch Desk • Other emergency service organisations • South Australia Police • South Australian Government agencies • StateNet Service Desk • Suppliers


ICT Support Plan

ACTION

25. The ODG will assess known information on the incident, its severity, potential impact and likely duration. This information will be used to coordinate agencies, suppliers and other stakeholders in returning ICT operations to a normal state after a failure, or threat of failure, of government ICT.

26. The CIO, or an authorised delegate, may activate the ICT State Control Centre:

• When an ICT Failure has occurred, or is likely to occur, that requires a coordinated response; or

• In response to the arrangements under the SEMP being activated; or

• In response to a declaration under the Emergency Management Act 2004.

27. The ICT State Control Centre may also be activated in support of another Control Agency. In this situation the ICT State Control Centre will be activated to assist the ODG function as a Support Agency.

BUILD-UP

28. Upon activation, or likely activation, the CIO, or delegate, will organise

for the required staff and stakeholders to be contacted as per the ICT Incident Management Plan and Incident Management Operations Manual.

29. Government agencies and Suppliers must have an established emergency contact point (e.g. Cyber Emergency Liaison Officer) who will act as the primary contact point and assist the ICT State Control Centre as required.

OPERATION

30. The ICT Incident Management Framework and Incident Management Operations Manual detail the response the ODG, as Control Agency; will take in response to an ICT Failure. This includes the appointment of an Incident Controller and activation of the Incident Management Team and the ICT State Control Centre. The Incident Management Team will work out of the ICT State Control Centre in order to coordinate & monitor the response and continually:

• Collate information and advice from stakeholders and any other available sources.

• Analyse the information received. • Prioritise the goals for ICT resources in consultation with

stakeholders. • Distribute priorities to stakeholders.

31. If the State Emergency Centre is activated, or likely to be activated, the

SEMP states that the Coordinating Agency (i.e. South Australia Police)


ICT Support Plan

will consult with the Control Agency and take action to facilitate the Control Agency exercising its functions or powers.

32. Where an ICT Failure has resulted from, or is related to, a terrorist act, South Australia Police, as the identified Control Agency for a terrorism incident, will fulfil the Control Agency responsibilities and the ODG will act as a Support Agency.

33. The requirements of relevant Hazard Plans will be considered and, where appropriate, the Hazard Leaders will be consulted.

RUNDOWN

34. Return to normal operations occurs when the CIO, or appropriate delegate, determines that the need for a coordinated response to an ICT Failure is no longer required. This decision will be made in consultation with all relevant stakeholders.

35. All relevant stakeholders (e.g. government agencies and suppliers) will be notified of the return to normal operations.

36. In the case of a Declared Emergency, the ODG will advise the SEC, via the EFS, on matters to commence the transition to recovery. The ODG will also be a member of the operational State Recovery Committee as required by the SEMP.

DEBRIEF

37. Following the announcement of a return to normal operations the members of the Incident Management Team shall be debriefed and issues for follow-up will be assigned appropriately. An internal debrief will be held that:

• Reviews the performance of the Incident Management Team and identify opportunities for improvement

• Suggests improvements to incident response plans and procedures

• Suggests improvements to business continuity plans • Documents issues that arose from the incident • Identifies areas of additional training for the Incident

Management Team • Identifies additional risk mitigation requirements

38. Agencies and suppliers may be required to attend and contribute to a

formal debrief.


ICT Support Plan

ANNEX A – RELATIONSHIP OF ICT SUPPORT PLAN TO OTHER DOCUMENTS

EMERGENCY MANAGEMENT ACT

(2004)

STATE EMERGENCY MANAGEMENT PLAN

[SEMP]

ICT SUPPORT PLAN(This Document)

ICT Incident Management Framework

PROTECTIVE SECURITY

MANAGEMENT FRAMEWORK [PSMF]

INFORMATION SECURITY

MANAGEMENT FRAMEWORK [ISMF]

ACROSS GOVERNMENT INCIDENT REPORTING

SCHEME (ISMF Standard 140)

Incident Management Operations Manual


ICT Support Plan

ANNEX B – GLOSSARY This glossary should be read in conjunction with the glossary in the SEMP.

CIO Chief Information Officer (CIO). The person being appointed to, or acting in the role

of, the across South Australian Government Chief Information Officer.

The CIO also fulfils the role of the Chief Technology Officer (CTO).

The CIO has cabinet mandate to plan and manage ICT security and service continuity standards across government to ensure service delivery is not disrupted. The CIO is also tasked with discharging all responsibilities as required of a Control Agency under the State Emergency Management Plan.

The CIO can, without the need of a declaration under the Emergency Management Act, undertake response and recovery operations as detailed in the ICT Incident Management Framework and Incident Management Operations Manual and ICT Support Plan.

The CIO role is currently fulfilled by the Director, Digital Government within the Department of the Premier and Cabinet.

CTO Chief Technology Officer. A role fulfilled by the CIO (see CIO).

Cyber Emergency Liaison Officer

An emergency contact point within each government agency who will act as the primary contact for the ODG in an emergency and will assist the ICT State Control Centre as required. The Cyber Emergency Liaison Officer should be someone at the Executive level as they may be required to make decisions and take action on behalf of their agency during an ICT Failure.

Cyber Security Measures relating to the confidentiality, availability and integrity of information that is processed stored and communicated by electronic or similar means (synonymous with ICT Security).

Cyber Security Event

An identified occurrence of a system, service or network state indicating a possible breach of information security policy or failure of controls, or a previously unknown situation that may be security relevant.

Cyber Security Incident

A single or a series of unwanted or unexpected Cyber Security Events that have a significant probability of compromising business operations and threatening information security (synonymous with ICT Incident)

DPC The Department of the Premier and Cabinet. DPC is the Control Agency for ICT Failure under the State Emergency Management Plan.

EFS Engineering Functional Service. EFS coordinate several engineering support services, including ICT services, within the SEC. The EFS role is to restore and maintain essential services and to provide engineering assistance once control agency and functional service capacity has been exceeded. The EFS is able to provide support to the Chief Information Officer in relation to information communication technology (ICT) issues. The EFS has a close working relationship with ODG to enable this function to be achieved. The EFS Plan outlines the role it plays and its responsibilities in accordance with the SEMP.

ICT Information and Communication Technology.

ICT Incident See Cyber Security Incident


ICT Support Plan

ICT Failure An ICT Failure is a Significant ICT Incident which, due to its potential scope, impact, complexity or unpredictability, the Chief Information Officer, or delegate, has determined requires activation of the ICT State Control Centre.

ICT Security See Cyber Security.

ISMF The South Australian Government Information Security Management Framework. The ISMF is a set of policies, with supporting standards, which address the security of ICT assets within the Government of South Australia. The ISMF applies to all South Australian Government agencies and suppliers whose contractual requirements include it.

Significant ICT Incident

An ICT Incident that the Chief Information Officer, or delegate, has determined requires a coordinated response. Significant ICT Incidents require a higher level of interagency coordination than lower level, business as usual type incidents. Decision making with whole of government considerations will most likely be required.

Supplier A company that is a current or potential future provider of services to government. This includes:

a) Responsible Parties that are suppliers (as defined in the Information Security Management Framework); and

b) Performing Suppliers which are defined as groups or organisations that are contracted formally or informally to supply goods or services to the State or its agencies.

SGCII State Government Critical ICT Infrastructure is defined as ICT infrastructure upon which ‘Critical Services’ are delivered to the community. If the confidentiality, integrity or availability of this ICT infrastructure is lost then it could significantly impact on the social, or economic well-being of the State, the government, commercial entities or members of the public.
