ACT Auditor-General’s Report 3/2020: Data Security

Below is the Government’s response to the Report: ACT Auditor-General’s Report 3/2020: Data Security

Table 45 - Government response: ACT Auditor-General’s Report 3/2020

Columns: Recommendation No. and Summary; Action; Status

Recommendation 1
Summary: Shared Services (Chief Minister, Treasury and Economic Development Directorate) and the Security and Emergency Management Branch (Justice and Community Safety Directorate) should develop a whole‐of‐government data security risk assessment. The whole‐of‐government data security risk assessment should be reviewed and updated at scheduled intervals.
Action: Agreed. A Whole of Government Threat and Risk Assessment (TRA) was commenced in November 2020 and is expected to be finalised by November 2021.
Status: In progress

Recommendation 3a
Summary: The Security and Emergency Management Branch (Justice and Community Safety Directorate), Shared Services (Chief Minister, Treasury and Economic Development Directorate) and the Office of the Chief Digital Officer (Chief Minister, Treasury and Economic Development Directorate), through the auspices of the Security and Emergency Management Senior Officials Group, should review and update the CYBERSEC requirements of the ACT Protective Security Policy Framework to reflect the most important system security measures from the ICT Security Policy (August 2019). These measures should be targeted at the areas of agency responsibility and able to be reported in dashboard form.
Action: Agreed. The draft updated Protective Security Policy Framework is being packaged for consideration by Government in early 2022.
Status: In progress

Recommendation 3b
Summary: The Security and Emergency Management Branch (Justice and Community Safety Directorate), Shared Services (Chief Minister, Treasury and Economic Development Directorate) and the Office of the Chief Digital Officer (Chief Minister, Treasury and Economic Development Directorate), through the auspices of the Security and Emergency Management Senior Officials Group, should require agencies to report on the implementation of these measures in their ICT systems as part of the GOVSEC 4 reporting process of the ACT Protective Security Policy Framework, in order to provide reasonable assurance that data security risks are being effectively managed.
Action: Agreed. The draft updated Protective Security Policy Framework is being packaged for consideration by Government in early 2022.
Status: In progress

Recommendation 4a
Summary: The Office of the Chief Digital Officer and Shared Services (Chief Minister, Treasury and Economic Development Directorate) and the Security and Emergency Management Branch (Justice and Community Safety Directorate), in partnership with ACT Government agencies, should document and agree a whole of government data security strategy and plan. This document should identify the role and responsibilities of governance bodies and agencies responsible for managing and improving data security across ACT Government.
Action: Agreed. The ACT Data Governance and Management Framework was endorsed by Strategic Board in August 2020.
Status: Complete

Recommendation 4b
Summary: The Office of the Chief Digital Officer and Shared Services (Chief Minister, Treasury and Economic Development Directorate) and the Security and Emergency Management Branch (Justice and Community Safety Directorate), in partnership with ACT Government agencies, should document and agree a whole of government data security strategy and plan. This document should identify any related whole‐of‐government plans for addressing specific data security issues, such as the planned Cyber Security Incident Emergency Sub‐plan to the ACT Emergency Plan.
Action: Agreed. The Cyber Emergency Sub-Plan has been agreed to by the Security and Emergency Management Senior Officials Group (SEMSOG). The Sub-Plan will be provided to the Chair of SEMSOG and the Emergency Services Agency Commissioner for approval, and the final Sub-Plan will be made available through the Sub-Plans portal.
Status: Complete

Recommendation 4c
Summary: The Office of the Chief Digital Officer and Shared Services (Chief Minister, Treasury and Economic Development Directorate) and the Security and Emergency Management Branch (Justice and Community Safety Directorate), in partnership with ACT Government agencies, should document and agree a whole of government data security strategy and plan. This document should identify activities and resources to improve data security for ACT Government.
Action: Agreed. The Cyber Emergency Sub-Plan has been agreed to by the Security and Emergency Management Senior Officials Group (SEMSOG). The Sub-Plan will be provided to the Chair of SEMSOG and the Emergency Services Agency Commissioner for approval, and the final Sub-Plan will be made available through the Sub-Plans portal.
Status: Complete

Recommendation 4d
Summary: The Office of the Chief Digital Officer and Shared Services (Chief Minister, Treasury and Economic Development Directorate) and the Security and Emergency Management Branch (Justice and Community Safety Directorate), in partnership with ACT Government agencies, should document and agree a whole of government data security strategy and plan. This document should identify the Chief Digital Officer as the responsible senior executive for implementing the strategy to improve data security across ACT Government.
Action: Agree in principle. This recommendation will be progressed when the Threat Risk Assessment (Recommendation 1) has been completed.
Status: In progress

Recommendation 6a
Summary: The Security and Emergency Management Branch (Justice and Community Safety Directorate) and Shared Services (Chief Minister, Treasury and Economic Development Directorate) should, in conjunction with Recommendation 3, require ACT Government agencies to report on the currency of their system security risk management plans using a common authoritative list of critical systems.
Action: Agree in principle. The status of Security Risk Management Plans is included as a standing item in the ICT Security Report that is presented to each meeting of SEMSOG.
Status: Complete

Recommendation 6b
Summary: The Security and Emergency Management Branch (Justice and Community Safety Directorate) and Shared Services (Chief Minister, Treasury and Economic Development Directorate) should, in conjunction with Recommendation 1, develop a process to capture common risks and treatments from ACT Government agencies’ system security risk management plans to inform the whole of government data security risk assessment.
Action: Agreed. This recommendation is being addressed through Recommendation 1.
Status: Complete

Recommendation 8
Summary: The Security and Emergency Management Branch (Justice and Community Safety Directorate), the Office of the Chief Digital Officer and Shared Services (Chief Minister, Treasury and Economic Development Directorate) should complete all agreed actions from the March 2019 Security and Emergency Management Senior Officials Group meeting to improve the data breach response processes.
Action: Agreed. The Cyber Emergency Sub-Plan has been agreed to by the Security and Emergency Management Senior Officials Group (SEMSOG). The Sub-Plan will be provided to the Chair of SEMSOG and the Emergency Services Agency Commissioner for approval, and the final Sub-Plan will be made available through the Sub-Plans portal.
Status: Complete

Recommendation 9
Summary: In conjunction with Recommendation 3, the Security and Emergency Management Branch (Justice and Community Safety Directorate), the Office of the Chief Digital Officer and Shared Services (Chief Minister, Treasury and Economic Development Directorate) should require ACT Government agencies to provide assurance through GOVSEC 4 reporting that appropriate levels of data recovery and system availability are in place for their critical ICT systems. The GOVSEC 4 reporting process could focus on the proportion of critical systems for which agencies have recently reviewed and tested their assurance in the event of the loss of availability of these systems.
Action: Agree in principle. Digital, Data and Technology Solutions (DDTS) has added a section to the Security Risk Management Plans that requires critical system owners to review the effectiveness of system resilience and backup.
Status: Complete