ICT Support Plan - ICT and Digital Government

Post on 15-May-2018


ICT SUPPORT PLAN

NOTE: This is a copy of the ICT Support Plan which has been made publicly available for reference and informational purposes only. If you require access to the official document please contact the document authors:

Security and Risk Assurance
Office for Digital Government
Department of the Premier and Cabinet
Government of South Australia
Telephone: (08) 8463 4003
Email: ciso@sa.gov.au

Page 1 Version 4.2 July 2015 Public Version

ICT Support Plan

Authority: Chief Executive, Department of the Premier and Cabinet & Chief Information Officer, Government of South Australia

Issuing Agency: Office for Digital Government, Department of the Premier and Cabinet

Recent Revision History:

Version | Revision | Description | Date
Version 3.0 | Revision | Annual Update | 3/12/2009
Version 4.0 | Major Revision | | 27/03/2012
Version 4.1 | Minor Revision | Definition updates and new classification scheme | 18/06/2013
Version 4.2 | Minor Revision | Definition updates and yearly review | 10/07/2015

Distribution List:

- State Emergency Management Committee members.
- State Emergency Management Sub-committee members.
- Relevant government personnel and government suppliers.

Classifications:

Confidentiality | Public | Public
Integrity | [I2] | Integrity 2
Availability | [A1] | Availability 1

State Records Act Requirements: Permanent Retention.

Approval:

Name | Title | Signature / Date
Mr Kym Winter-Dewhirst | Chief Executive, Department of the Premier and Cabinet | See Authority Page
Mr Rick Seaman | A/Director, Digital Government | See Authority Page

AUTHORITY

ICT SUPPORT PLAN

This plan has been prepared pursuant to the provisions of the Emergency Management Act 2004 and the State Emergency Management Plan (version 2.13 December 2014). The document replaces all previous versions of the ICT Support Plan.
All staff in the Department of the Premier and Cabinet, other government agencies, and suppliers to government must comply with the instructions contained in this plan where required.

Mr Kym Winter-Dewhirst
Chief Executive
Department of the Premier and Cabinet
Government of South Australia
10 / 7 / 2015

Mr Rick Seaman
A/Director, Digital Government
Office for Digital Government
Department of the Premier and Cabinet
Government of South Australia
10 / 2 / 2015

DISTRIBUTION: Electronic

AMENDMENTS: Office for Digital Government, Department of the Premier and Cabinet

CONTENTS

AUTHORITY
PREFACE
REVIEW OF THE ICT SUPPORT PLAN
LEGAL AND ADMINISTRATIVE FRAMEWORK
CONTROL AGENCY RESPONSIBILITIES
CAPABILITIES REQUIRED OF THE CONTROL AGENCY
CAPABILITIES REQUIRED OF OTHER STAKEHOLDERS
RESPONSE TO AN ICT FAILURE
REPORTING
ACTION
BUILD-UP
OPERATION
RUNDOWN
DEBRIEF
ANNEX A RELATIONSHIP OF ICT SUPPORT PLAN TO OTHER DOCUMENTS
ANNEX B GLOSSARY

PREFACE

1. The ICT Support Plan outlines the means by which the Department of the Premier and Cabinet, as the Control Agency for ICT Failure, will fulfil its role under the State Emergency Management Plan (SEMP). The Office for Digital Government (ODG) fulfils the role of Control Agency for ICT Failure on behalf of the Department of the Premier and Cabinet (DPC).

2. The goal of activating the arrangements detailed in this plan is to coordinate agencies, suppliers and other stakeholders in returning ICT operations to a normal state after a failure of government ICT services.

3. The scope of this plan is limited to South Australian Government ICT systems only.

4. The SA Government Chief Information Officer (CIO), or delegate, determines when a coordinated response to an ICT Failure or threat of ICT Failure is required.

5. The ICT Support Plan relies on strong cooperative, coordinated and consultative relationships among Federal, State and Local Government agencies in addition to government suppliers.

6. This plan does not assume a particular incident or event, and is based on the All Hazards principles as endorsed by the Emergency Management Council and Emergency Management Australia.

7. The ICT Support Plan is written pursuant to the requirements of the Emergency Management Act 2004 (the Act) and the SEMP. The ICT Support Plan should be read in conjunction with the SEMP.

8. The ODG has arrangements in place that assist in the management and coordination of ICT incidents that do not meet the criteria of ICT Failure.
These arrangements are detailed in the ICT Incident Management Framework and other related documents (refer Annex A for document hierarchy).

REVIEW OF THE ICT SUPPORT PLAN

9. The ICT Support Plan will be updated and approved on an annual basis or as required.

10. The Security and Risk Assurance directorate within the ODG is responsible for the preparation, maintenance and on-going review of the ICT Support Plan. Enquiries can be directed to:

Security and Risk Assurance
Office for Digital Government
Department of the Premier and Cabinet
Government of South Australia
Telephone: (08) 8463 4003
Email: ciso@sa.gov.au

LEGAL AND ADMINISTRATIVE FRAMEWORK

11. The Act governs emergency management arrangements in South Australia. Section 20 of the Act establishes Control Agencies and states that the Control Agency assumes overall direction of emergency management activities in an emergency situation. Authority for control carries with it the responsibility for tasking and coordinating other organisations in accordance with the needs of the situation. The SEMP outlines the key responsibilities of a Control Agency.

12. The SEMP, formed under Section 9 (1) (b) of the Act, identifies the DPC as the Control Agency for ICT Failure. The ODG fulfils the role of Control Agency for ICT Failure on behalf of DPC.

13. Where possible, the ICT Support Plan aligns with the Australian Government cyber crisis management arrangements.

14. The ICT Incident Management Framework and related documents detail the operational response the ODG, as Control Agency, will take in response to an ICT Failure.

15. The relationship of the ICT Support Plan with other documents is outlined in Annex A.

CONTROL AGENCY RESPONSIBILITIES

16. A description of the responsibilities of the Control Agency is listed in Paragraph 98 of the SEMP.
In resolving an emergency, the Control Agency is responsible for, so far as is reasonably practicable, taking control of the response to the emergency, whilst ensuring safe systems of work. The Control Agency is to continually assess the situation, ensuring effective communication and cooperation with all involved and develop, monitor and implement plans and strategies that meet the requirements of all agencies responding to the emergency. The Control Agency is responsible for allocation of available resources, informing and warning the community, facilitating the investigation and reviewing the response, and ensuring there is a transition from response to recovery.

CAPABILITIES REQUIRED OF THE CONTROL AGENCY

17. The following capabilities have been identified in the SEMP, Hazard Plans, Functional Service Plans and other Support Plans as being required of the ODG. The table below provides an overview of how these capabilities are provided:

CAPABILITY | PLANS/PROCESSES TO ACHIEVE

Command and Control ICT Support Plan ICT Incident Management Framework Incident Management Operations Manual Secures resilience of government ICT ICT Support Plan Operates Watch Desk Operates ICT State Control Centre ICT Incident Management Framework Incident Management Operations Manual Information Security Management Framework (and supporting Standards and Guidelines) Securing Resilience Assurance Plan StateNet Conditions of Connection Public Information Public Information Functional Service Plan ICT Incident Management Framework Incident Management Operations Manual Engineering Functional Services Plan SEC Operations Manual

CAPABILITIES REQUIRED OF OTHER STAKEHOLDERS

18. The following capabilities have been identified by the ODG as being required by government agencies and suppliers:

CAPABILITY: Incident Management & Reporting
DETAILS: SA Government agencies and suppliers must report Cyber Security Events and Incidents as per ISMF Standard 140. Agencies and suppliers must familiarise themselves with the ICT Support Plan and supporting documents including any requirements contained within.

CAPABILITY: Cyber Emergency Liaison Officer
DETAILS: SA Government agencies and suppliers must have an established emergency contact point (e.g. Cyber Emergency Liaison Officer) that will assist the ICT State Control Centre as required.

CAPABILITY: State Government Critical ICT Infrastructure
DETAILS: All SA Government agencies must identify any State Government Critical ICT Infrastructure [1] within their agency and provide this information to the ODG for inclusion on the State Government Critical ICT Infrastructure Register. This information is used to help prioritise the provision of resources to those areas deemed most critical during an emergency situation.

[1] See ISMF Guideline 3 Critical ICT http://www.sa.gov.au/policy/ismf

RESPONSE TO AN ICT FAILURE

19. The ODG coordinates the response to an ICT Failure or threat of ICT Failure on behalf of the Government of South Australia. The ICT Support Plan is prepared to address all hazards that may lead to an ICT Failure.

20. Incidents affecting the security and availability of South Australian Government ICT systems will occur on a regular basis and may take many forms. This Plan focuses specifically on the highest severity or largest impact incidents (i.e. an ICT Failure or threat of ICT Failure).

21. An ICT Failure may be multiple incidents occurring concurrently or a single incident. These incidents are likely to involve intensive media coverage, place large demands on local resources, and impact the availability of critical services.
Decision making with whole of government considerations will be required.

REPORTING

22. The ODG is constantly scanning the environment for potential threats and undertaking a number of assurance activities. The ODG maintains an across government Watch Desk which assists in ensuring there is a constant awareness of any issues that have the potential to adversely impact or disrupt the delivery of ICT services. These activities help ensure maximum warning can be obtained regarding any potential incidents.

23. Upon any agency or supplier becoming aware of an incident they must report it to the ODG as per the Across Government Incident Reporting Scheme. ISMF Standard 140 and the accompanying guideline outline this process in more detail.

24. A report that can trigger activation of the ICT Support Plan may come from a number of sources. These include, but are not limited to:

- Across Government Incident Reporting Scheme
- AusCERT
- CERT Australia
- Cyber Security Operations Centre
- Cyber Emergency Liaison Officers
- Watch Desk
- Other emergency service organisations
- South Australia Police
- South Australian Government agencies
- StateNet Service Desk
- Suppliers

ACTION

25. The ODG will assess known information on the incident, its severity, potential impact and likely duration. This information will be used to coordinate agencies, suppliers and other stakeholders in returning ICT operations to a normal state after a failure, or threat of failure, of government ICT.

26. The CIO, or an authorised delegate, may activate the ICT State Control Centre:

- When an ICT Failure has occurred, or is likely to occur, that requires a coordinated response; or
- In response to the arrangements under the SEMP being activated; or
- In response to a declaration under the Emergency Management Act 2004.

27. The ICT State Control Centre may also be activated in support of another Control Agency.
In this situation the ICT State Control Centre will be activated to assist the ODG function as a Support Agency.

BUILD-UP

28. Upon activation, or likely activation, the CIO, or delegate, will organise for the required staff and stakeholders to be contacted as per the ICT Incident Management Plan and Incident Management Operations Manual.

29. Government agencies and Suppliers must have an established emergency contact point (e.g. Cyber Emergency Liaison Officer) who will act as the primary contact point and assist the ICT State Control Centre as required.

OPERATION

30. The ICT Incident Management Framework and Incident Management Operations Manual detail the response the ODG, as Control Agency, will take in response to an ICT Failure. This includes the appointment of an Incident Controller and activation of the Incident Management Team and the ICT State Control Centre. The Incident Management Team will work out of the ICT State Control Centre in order to coordinate & monitor the response and continually:

- Collate information and advice from stakeholders and any other available sources.
- Analyse the information received.
- Prioritise the goals for ICT resources in consultation with stakeholders.
- Distribute priorities to stakeholders.

31. If the State Emergency Centre is activated, or likely to be activated, the SEMP states that the Coordinating Agency (i.e. South Australia Police) will consult with the Control Agency and take action to facilitate the Control Agency exercising its functions or powers.

32. Where an ICT Failure has resulted from, or is related to, a terrorist act, South Australia Police, as the identified Control Agency for a terrorism incident, will fulfil the Control Agency responsibilities and the ODG will act as a Support Agency.

33. The requirements of relevant Hazard Plans will be considered and, where appropriate, the Hazard Leaders will be consulted.

RUNDOWN

34. Return to normal operations occurs when the CIO, or appropriate delegate, determines that the need for a coordinated response to an ICT Failure is no longer required. This decision will be made in consultation with all relevant stakeholders.

35. All relevant stakeholders (e.g. government agencies and suppliers) will be notified of the return to normal operations.

36. In the case of a Declared Emergency, the ODG will advise the SEC, via the EFS, on matters to commence the transition to recovery. The ODG will also be a member of the operational State Recovery Committee as required by the SEMP.

DEBRIEF

37. Following the announcement of a return to normal operations the members of the Incident Management Team shall be debriefed and issues for follow-up will be assigned appropriately. An internal debrief will be held that:

- Reviews the performance of the Incident Management Team and identifies opportunities for improvement
- Suggests improvements to incident response plans and procedures
- Suggests improvements to business continuity plans
- Documents issues that arose from the incident
- Identifies areas of additional training for the Incident Management Team
- Identifies additional risk mitigation requirements

38. Agencies and suppliers may be required to attend and contribute to a formal debrief.

ANNEX A RELATIONSHIP OF ICT SUPPORT PLAN TO OTHER DOCUMENTS

[Figure: document hierarchy diagram. Box labels: EMERGENCY MANAGEMENT ACT (2004); STATE EMERGENCY MANAGEMENT PLAN [SEMP]; ICT SUPPORT PLAN (This Document); ICT Incident Management Framework; PROTECTIVE SECURITY MANAGEMENT FRAMEWORK [PSMF]; INFORMATION SECURITY MANAGEMENT FRAMEWORK [ISMF]; ACROSS GOVERNMENT INCIDENT REPORTING SCHEME (ISMF Standard 140); Incident Management Operations Manual]

ANNEX B GLOSSARY

This glossary should be read in conjunction with the glossary in the SEMP.

CIO: Chief Information Officer (CIO).
The person being appointed to, or acting in the role of, the across South Australian Government Chief Information Officer. The CIO also fulfils the role of the Chief Technology Officer (CTO). The CIO has cabinet mandate to plan and manage ICT security and service continuity standards across government to ensure service delivery is not disrupted. The CIO is also tasked with discharging all responsibilities as required of a Control Agency under the State Emergency Management Plan. The CIO can, without the need of a declaration under the Emergency Management Act, undertake response and recovery operations as detailed in the ICT Incident Management Framework and Incident Management Operations Manual and ICT Support Plan. The CIO role is currently fulfilled by the Director, Digital Government within the Department of the Premier and Cabinet.

CTO: Chief Technology Officer. A role fulfilled by the CIO (see CIO).

Cyber Emergency Liaison Officer: An emergency contact point within each government agency who will act as the primary contact for the ODG in an emergency and will assist the ICT State Control Centre as required. The Cyber Emergency Liaison Officer should be someone at the Executive level as they may be required to make decisions and take action on behalf of their agency during an ICT Failure.

Cyber Security: Measures relating to the confidentiality, availability and integrity of information that is processed, stored and communicated by electronic or similar means (synonymous with ICT Security).

Cyber Security Event: An identified occurrence of a system, service or network state indicating a possible breach of information security policy or failure of controls, or a previously unknown situation that may be security relevant.

Cyber Security Incident: A single or a series of unwanted or unexpected Cyber Security Events that have a significant probability of compromising business operations and threatening information security (synonymous with ICT Incident).

DPC: The Department of the Premier and Cabinet. DPC is the Control Agency for ICT Failure under the State Emergency Management Plan.

EFS: Engineering Functional Service. EFS coordinate several engineering support services, including ICT services, within the SEC. The EFS role is to restore and maintain essential services and to provide engineering assistance once control agency and functional service capacity has been exceeded. The EFS is able to provide support to the Chief Information Officer in relation to information communication technology (ICT) issues. The EFS has a close working relationship with ODG to enable this function to be achieved. The EFS Plan outlines the role it plays and its responsibilities in accordance with the SEMP.

ICT: Information and Communication Technology.

ICT Incident: See Cyber Security Incident.

ICT Failure: An ICT Failure is a Significant ICT Incident which, due to its potential scope, impact, complexity or unpredictability, the Chief Information Officer, or delegate, has determined requires activation of the ICT State Control Centre.

ICT Security: See Cyber Security.

ISMF: The South Australian Government Information Security Management Framework. The ISMF is a set of policies, with supporting standards, which address the security of ICT assets within the Government of South Australia. The ISMF applies to all South Australian Government agencies and suppliers whose contractual requirements include it.

Significant ICT Incident: An ICT Incident that the Chief Information Officer, or delegate, has determined requires a coordinated response.
Significant ICT Incidents require a higher level of interagency coordination than lower level, business as usual type incidents. Decision making with whole of government considerations will most likely be required.

Supplier: A company that is a current or potential future provider of services to government. This includes:
a) Responsible Parties that are suppliers (as defined in the Information Security Management Framework); and
b) Performing Suppliers which are defined as groups or organisations that are contracted formally or informally to supply goods or services to the State or its agencies.

SGCII: State Government Critical ICT Infrastructure is defined as ICT infrastructure upon which Critical Services are delivered to the community. If the confidentiality, integrity or availability of this ICT infrastructure is lost then it could significantly impact on the social, or economic well-being of the State, the government, commercial entities or members of the public.
