Welcome

Welcome to the Information Services Standards site for Mackay Regional Council.

For support, please contact the IS Service Desk or see the support system here.


Definition and Scope of IT Security

Information security is all about keeping corporate information safe. The Standards address the need to protect confidential and sensitive information from disclosure, unauthorised access, loss, corruption and interference, and are relevant to information in both electronic and physical formats. Security can be defined by three things:-

  • Confidentiality - information must not be made available or disclosed to unauthorised individuals, entities, or processes

  • Integrity - data must not be altered or destroyed in an unauthorised manner, and accuracy and consistency must be preserved regardless of changes

  • Availability - information must be accessible and useable on demand by authorised entities

A holistic approach to security encompasses the following areas:-

  • personnel security

  • physical security

  • communications security

  • information security

  • computer security

  • technical security


What You Need to Know

Inappropriate or unauthorised use of computer systems, communications systems and networks may expose Mackay Regional Council to security threats and a wide range of legal issues. These Standards have therefore been designed to protect users, stakeholders and Mackay Regional Council from illegal or damaging actions by individuals, whether taken knowingly or unknowingly. Most of the requirements in this system are based on good old common sense, and you are required to understand your obligations.


Why We Introduced the Standards

Mackay Regional Council exists in an ever-changing technological world. To ensure we can continue to operate in this environment and continue to do business, we must be more aware of security issues and of the measures that protect the Council's key assets, i.e.:-

  • Its people

  • Its business and the infrastructure to support the business

  • Its products and services

  • Its information

Security attacks against organisations like Mackay Regional Council are increasing all the time and we must ensure our systems can be protected against these threats. The first step in achieving this is to document the rules and guidelines around system management, operation and use. By complying with these rules and guidelines we are doing everything we can to protect our systems and our people from a security threat.

Please remember the Standards have been introduced to protect you as much as the Mackay Regional Council.


What the Standards Do

  • They provide a security and acceptable use framework for Mackay Regional Council as an organisation

  • They help protect the assets of the Council

  • They provide a uniform level of control and guidelines for management

  • They provide one IT security message to all

  • They advise you as to what the IT security and acceptable use controls and guidelines are


How the Standards are Arranged

The Standards are set out by category of user. Everyone who uses computer systems, communications systems or networks that make up the Council's computing environment should be familiar with the Standards listed under the heading User. Managers should be familiar with both the User Standards and the Management Standards and Technical staff need to be familiar with the Standards listed under Technical.


Procedural Documentation

The Standards and procedures contained within this site are concerned with what the organisation should do to protect its information and systems from significant risks. Procedures vary from business to business and where the procedural document has been developed, links can be provided beneath each requirement or under the menu heading "Procedures and Processes". Other useful documentation has been included under the menu heading "Forms, Logs and Guidelines".


Mackay Regional Council's Obligations

The ICT Steering Committee shares the responsibility for information security to ensure that:-

  • The Council's Standards, Guidelines and Procedures are approved, published, communicated, reviewed and continue to meet business needs

  • Any significant change in the exposure of information to security threats is identified and managed

  • All security incidents are monitored and reviewed

  • Major initiatives to improve information security are approved and authorised

  • Information security controls across the organisation are co-ordinated

  • Responsibilities for the protection of information and information system assets are clearly defined and allocated

  • The appropriate structure is implemented to effectively manage information security

  • Procedural documentation to support Standard requirements is developed and maintained

  • The purpose, use and implementation of any new information processing mechanism, channel or facility is approved

  • There is transparency in the decision making process to ensure accountability

  • Appropriate inter-organisation agreements relating to security requirements and common minimum standards are in place

  • Advice is sought from qualified security specialists as and when required

  • Staff have the equipment and skills to perform their duties in accordance with the Council's Standards

  • Staff are aware of their obligations with regard to IT security


Responsibility for IT security within the Council

The scope of IT security is defined in the paragraph "Definition and Scope of IT Security". In order to facilitate a secure IT environment within the Council the following roles and committees work together and are accountable for the ongoing security of information:-

  • The Chief Information Officer has overall responsibility for ICT within the Council, including the provision of infrastructure, applications and communications and the management of ICT projects; however, some responsibilities may be delegated to other staff. This role is responsible for the Council's compliance with the relevant information security standards and best practice guidelines, and for budget management.

  • The Team Leader ICT is accountable for the deployment, use and security of technology, including IT infrastructure and applications. This position is responsible for the implementation of information security in relation to the day to day management of the computing environment.

  • The ICT Steering Committee is responsible for approving the strategic direction of ICT to ensure that it continues to meet the needs of the business. This group has ultimate oversight and funding control over technology projects.


Your Obligations

It is the responsibility of every staff member, temporary employee, contractor and third party user to ensure they are familiar with the Standards and abide by them. For systems to remain secure and information protected everyone must read, understand and comply with the Council's Standards and procedures.


Non-Compliance

As these Standards have been put in place to protect both Mackay Regional Council and the users, Mackay Regional Council has an expectation that they will be complied with. Any breach of these Standards will be handled by Human Resources in accordance with existing disciplinary procedures and may result in action up to and including dismissal.


What to do Next

To find out what each of the Standards is about look at the Summary of Standards. This document outlines the purpose of each Standard.


Check out the Top 20 Security Points for Users first. This is just an appetiser and lists the most important things that you, as users, need to know.


IT security is a common sense practice and the Standards tell users what to look out for and be aware of but they are not the be all and end all. Security is everyone's responsibility and we may discover additional security issues or loopholes while performing our daily tasks. If you discover anything unusual, please contact the IS Service Desk.


Need Some Help?

If you are unsure what something means, try the Glossary which will provide a definition. If you need help or have any questions or issues please contact the IS Service Desk.


Can't Find What You're Looking For?

If you're interested in a particular topic then you might want to try the Topic Index, which lists topics in alphabetical order.


Limitations of Use

The IT Standards and Procedures in this site have been developed by Protocol Policy Systems Limited under copyright. Protocol Policy Systems Limited gives consent to the Council to reproduce, store and transmit the documents for internal use only. They may not be published on any site external to the Council, sold, copied in English or any other language or provided to any third party without the permission of Protocol Policy Systems Limited. These documents will not be used in whole or in part for any purpose other than the purpose for which they were provided. Under no circumstances shall Protocol Policy Systems Limited be liable to anyone for direct, special, incidental, collateral or consequential damages arising out of the use of this material.


Compliance

The Standards included in the Information Services Standards have been fully referenced to international standards. This allows our clients to determine whether their organisation meets internal compliance objectives and adheres to best practice cyber security standards.

The Standards also assist in complying with the following examples of international codes, standards, regulations, frameworks and guidelines:

  • GDPR
  • Data privacy protection requirements in the UK & ANZ
  • PSN (Public Sector Network)
  • Cyber Essentials Plus
  • Australian Signals Directorate Essential 8
  • APRA recommendations
  • NERC
  • COBIT
  • ITIL
  • ISO 9000
  • NZ Health Information Security Framework
  • HIPAA - The Health Insurance Portability and Accountability Act
  • GLBA - The Gramm-Leach-Bliley Act

Compliance with ISO 27002 Standard

Adopted by many countries around the world (including the UK, AU and NZ), ISO 27002 is used to develop organisational security standards. ISO 27002 lays out a set of criteria which, when met, achieve best practice security management.

Complying with the criteria set by the ISO 27002 Standard indicates that your organisation (in particular, your management) takes security seriously. This allows you to achieve best practice certification, meaning all trading partners, shareholders and stakeholders can have confidence that your organisation is acting responsibly and protecting itself against the risk of a security breach that could affect profitability and reputation.


Compliance with ISO 22313 Standard

The ISO 22313 Standard is designed to help organisations prepare for, respond to and recover from disruptive incidents. It helps organisations to plan, implement, review and continually improve their documented security management system.

The ISO 22313 code of practice for Business Continuity Management (BCM) is generic and can be applied to organisations of all sizes. An organisation should design a BCM Standard that is appropriate to the needs of all its stakeholders.


Compliance with ISO 27017 Standard

The ISO 27017 Standard creates guidelines around the use of cloud-based technologies. Leveraging many of the controls outlined in ISO 27002, the ISO 27017 Standard provides cloud-specific implementation guidance that addresses cloud-specific security threats.


Compliance with ISO 29151 Standard

The ISO 29151 Standard addresses the safeguarding requirements that arise from the processing of Personally Identifiable Information (PII). An addition to the ISO 27002 Standard, the ISO 29151 Standard provides a set of PII protection-specific controls. These 12 additional PII protection controls include:

  • consent and choice
  • purpose, legitimacy and specification
  • collection limitation
  • data minimisation
  • use, retention and disclosure limitation
  • accuracy and quality
  • openness, transparency and notice
  • individual participation and access
  • accountability
  • information security
  • privacy compliance

Compliance with ASD Essential Eight - Maturity Level 3 - for Australian customers

The Australian Signals Directorate introduced these eight strategies to further assist in the mitigation of cyber security threats. The strategy consists of three maturity levels against which organisations align their practices. The mappings in this system are aligned with maturity level 3, "fully aligned with intent of mitigation strategy".


Regulatory Framework

A range of Legislation, Statutes, Codes of Practice and Standards are applicable to the operations of the Council. This may include, but is not limited to:-

  • Copyright Act 1968 (Commonwealth)
  • Copyright Amendment (Digital Agenda) Act 2000
  • Electronic Transactions Act 2001
  • Information Privacy Act 2009
  • Local Government Act 2009
  • Local Government Regulation 2012 (QLD)
  • Right to Information Act 2009
  • Ombudsman Act 2001
  • Public Health Act 2005
  • Public Service Act 2008
  • Public Interest Disclosures Act 2010
  • Public Records Act 2002
  • Spam Act 2003

Monitoring and Review

The ICT Standards will be regularly monitored and reviewed to ensure that they remain relevant to Mackay Regional Council's business aims and objectives and in the event of the introduction of new or upgraded technology. A review of Standards may also be instigated in the event a security incident is experienced in order to prevent a similar occurrence.

The Team Leader ICT will monitor staff compliance with the Standards, associated standards and procedures on an ongoing basis. Training needs will be identified, and repeated non-compliance will be escalated to Program Managers and above.

The Information Services Standards have been reviewed and updated as follows:-

Description                            Date Created       Date of Next Review
Information Services Standards 20      4 December 2020    31 December 2021
Information Services Standards 19      30 August 2019     31 August 2020
Information Services Standards 18.1    17 February 2019   29 February 2020
Information Services Policies 17       20 May 2017        31 May 2018


Please Give Us Your Feedback

It is important that the Standards remain relevant to you, as the computer user. Please pass on any feedback to the Chief Information Officer.

Authorisation

Chief Executive Officer

Date: 31 May 2017