
2.2 Information security

Policy

This policy sets out the basic security requirements of which you need to be aware and with which you must comply. Detailed IT security policies and procedures are in place in the Department of the Premier and Cabinet and apply to the Ministerial network except where they conflict with policies and procedures detailed in the Ministerial Handbook.

Due to the nature of work carried out in Ministerial Offices, a great deal of information is of a confidential nature. This confidentiality requires that all staff using the Ministerial computer network must maintain awareness of, and agree to, all information security policies detailed below.

Policy Principles

  1. IT systems are provided for officially approved purposes only.
  2. Your use of IT systems must be able to survive public scrutiny and/or disclosure, and comply with applicable laws, regulations and agency policies.
  3. You have a responsibility to be ethical and efficient in your use of IT systems. You may be called upon to explain your use of IT systems. Use of your IT systems will be monitored.
  4. All staff must complete an "Information Technology Conditions of Use" form, on commencing employment (see Appendix 8). This will be a prerequisite to obtaining access to the Ministerial computer network.
  5. Passwords are required for network access and must be specific to the individual and are not to be shared.
  6. Generic accounts are not to be used, with the exception of temporary staff hired for periods of time not exceeding two weeks. Use of generic accounts within a Ministerial Office must be maintained in a register within the office.
  7. Ministerial Services must be advised of any suspected security breaches or potential security problems within Ministerial Offices in so far as they relate to the Ministerial computer network.

Security Practices

  1. A monthly password change cycle will be implemented.
  2. Passwords must be at least 6 characters in length.
  3. Passwords must not be written down.
  4. Physical access to servers and network equipment including patch panels, hubs and routers is to be restricted to authorised personnel only.
  5. After 10 minutes of inactivity a password-protected screen saver will be enforced.
  6. On cessation of employment of a staff member in a Ministerial office, the facilities manager shall be notified by the Office Manager or Ministerial Services and shall terminate all access privileges for the employee.
  7. Remote access to the network must use SecurID two-factor security.
  8. Daily backups of all data are stored centrally. Weekly, monthly and yearly backup tapes are retained in a secure locked location off-site for disaster recovery purposes in accordance with backup procedures.
  9. Service staff who require access to the Ministerial computer network or machinery attached to the Ministerial computer network should be vetted prior to their being granted access (e.g. check the identification of service personnel; all service companies should require their authorised staff to carry official identification). If unauthorised access is attempted or the authenticity of the person is in doubt, contact Ministerial Services immediately.
  10. All computer equipment must be disposed of through the facilities manager or Ministerial Services. This equipment may house confidential information and disposal by any other means may put sensitive information at risk. (Computers often save information to temporary files that users may not be aware exist.)
  11. The use of floppy disks, CDs, DVDs, and other portable storage devices such as memory sticks should be undertaken with caution:
    i. These disk drives are easy to misplace, therefore they must be carefully managed by the user. Disk drives should be encrypted or password protected if possible.
    ii. Neither Ministerial Services nor Facilities Management can be held responsible for data stored on these devices.
    iii. Manual backups of these devices should be performed regularly by the Ministerial Office as it is not possible to back up these media during standard system backups.
  12. The use of non-standard software requires the approval of the Director, Ministerial Services.

Remote Access

A secure remote access facility is provided for Ministers and staff. Remote access must use two-factor authentication tokens in order to protect against the increased risk of unauthorised access.

Remote access (such as Webmail or Citrix via the Internet) may be via a non-ministerial asset. The Service Desk will normally provide limited support only (general advice) for Citrix or Webmail issues related to home or external computers.

Personal Digital Assistants

The current standard of Personal Digital Assistant supported on the network is the Blackberry. The support of any other device connected to the network must be approved by the Executive Director Ministerial Services. Unless exceptional circumstances exist, privately owned PDA devices will not be connected to the Ministerial network, due to security, licensing and support issues.

Blackberries can contain sensitive information. Data security for Blackberries is commensurate with network security. Passwords and inactivity timeouts will apply to these devices. A lost Blackberry must be reported immediately to the service desk where the device can be remotely disabled and securely erased.

See Appendix 8 - Information Technologies Conditions of Use (PDF, 12 KB)

Last reviewed: 17 July, 2009

Last updated: 22 July, 2009
