Strategy and governance
ASAF AHMAD
The growth of the Internet and the globalization of the digital economy have made a tremendous impact on the way we conduct business, both nationally and internationally. A digital revolution is on, and organizations and people want to interact and exchange content as never imagined before. Commercial organizations and government agencies are opening up to offer better customer services, share information more easily, and seek feedback to improve their services. IT service providers are also taking the lead in providing the platform and services required to support this digital revolution.
The 1996 bestseller Being Digital by Nicholas Negroponte examines the frontiers of digital technology and its impact on the future of human social life, work, entertainment, and commerce. Negroponte talks of the challenges of bit policing. Going beyond, he predicted: ‘As communication becomes increasingly digital, many of the values of a nation state will give way to those of both larger and smaller electronic communities. We will socialize in digital neighbourhoods in which physical space will be irrelevant and time will play a different role.’
Social media is playing a critical role in our commercial world as websites capture our preferences, tastes, spending habits, behaviour, mood, and so on. They also have our digital identities. Social media is now increasingly being adopted by enforcement and emergency services, municipalities, and utility agencies to communicate with their customers or communities.
The digital revolution comes at a price though; it exposes the economy and society to some extraordinary threats that can be exploited for malicious intent, including by the state. The protection of borders and critical infrastructure now needs to be looked at from a digital perspective.
The latest addition to this complex issue is the introduction of IT services based on cloud technologies, which give agencies an opportunity for huge savings and flexibility. Data security, sovereignty and privacy are critical factors that must be assessed, and governments are struggling to address these issues while seeking the benefits of adopting cloud technology.
Cyber security is central to Australia’s national security.[1]
Australia recognizes that its national security, economic prosperity and social well-being rely on the availability, integrity and confidentiality of a range of information and communications technology. It identifies the following risks to its economy: computer intrusion and the spread of malicious code by organized crime, rated as high; the increased scale, sophistication and perpetration of cyber crime, which has made it increasingly difficult to identify and defeat; the growing array of state and non-state actors who are compromising, stealing, changing or destroying information, potentially causing critical disruptions to Australian systems; and the increasingly blurred distinction between traditional threat actors – hackers, terrorists, organized criminal networks, industrial spies and foreign intelligence services. Recognizing the fact that information needed for decision making is shared across agencies, the prime minister released ‘the Information Management and The Strategic Environment Roadmap 2020’.[2]
To make information available involves not just a technical solution, but a holistic view of information management and security, and requires the underlying policies, legislation, governance and organizational culture that determine how organizations communicate today. In order to build confidence in the people, the government must ensure that sensitive information is safeguarded and protected from unauthorized disclosure. Privacy and security protection are key features of an improved information management environment. The roadmap, detailed in a strategic document, outlines 11 principles for the success of its objectives: information sharing; leadership and accountability; probity; consistent policy and standards; smart investment in capability; data stewardship; transparency; risk management; stakeholder engagement; effective allied relationships; and review and continual improvement.
The guiding principles of the Australian government’s cyber security are based on the prime minister’s national security statement. The aim of the strategy is to promote a secure, resilient and trusted electronic operating environment that supports Australia’s national security and maximizes the benefits of the digital economy. The cyber security policy objectives are: that all Australians should be aware of cyber risks, secure their computers and take steps to secure their identities, privacy and finances online; to help Australian businesses operate secure and resilient information and communication technologies to protect the integrity of their own operations and the identity and privacy of their customers; and for the Australian government to ensure that its information and communication technologies are secure and resilient.
The strategic priorities to achieve these objectives are: improve the detection, analysis, mitigation and response to sophisticated cyber threats, with a focus on critical government, infrastructure and other systems of national interest; educate and empower all Australians with information, confidence and practical tools to protect themselves online; partner with business to promote security and resilience in infrastructure, networks, products and services; model best practice in the protection of government ICT systems, including the systems of those transacting with government online; promote a secure, resilient and trusted global electronic operating environment that supports Australia’s national interests; maintain an effective legal framework and enforcement capabilities to target and prosecute cyber crime; and promote the development of a skilled cyber security workforce with access to research and development to develop innovative solutions.
FIGURE 1
There are a range of agencies that make a significant contribution to the implementation of the Australian government cyber security strategy (depicted in Figure 1). Due to the international importance of cyber security, the Australian Strategic Policy Institute is currently discussing the need for establishing a cabinet level minister for homeland security.
The New South Wales government ICT strategy (Figure 2) aims to deliver better services and better value from ICT investment, and is set to improve the way ICT is used to deliver government services across the public sector, with strong governance arrangements to drive it.[3]
FIGURE 2
The ICT strategy also ensures that the NSW government is kept up to date with emerging technologies and new solutions to service challenges. Improving service quality, particularly availability and reliability, will become increasingly important as government delivers more services through electronic means and becomes more dependent on ICT.
FIGURE 3
Some of the security related key action items of this strategy are designed to ensure the security of information held by government through a new approach to electronic information security; establish a common approach to information management and standards across government; and establish a policy framework to transition to cloud-based services.
In alignment with the ICT Strategy, the NSW government has released the following policy and guidelines:
NSW Government Digital Information Security Policy, 2012;[4] NSW Government Cloud Security Policy and Guidelines, 2013;[5] and NSW Government Information Classification and Labelling Guideline.[6]
FIGURE 4
According to the NSW Government Digital Information Security Policy (DISP), all government departments, statutory bodies and shared service providers must have an information security management system (ISMS) based on ISO 27001/2 (Information technology – Security techniques – Information security management systems – Requirements, and Code of practice for information security management) and related standards. This international standard adopts a process approach for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an organization’s ISMS.
FIGURE 5
The ISMS is designed to ensure adequate and proportionate security controls that protect information assets and give confidence to customers and other interested parties. This can be translated into maintaining and improving competitive edge, cash flow, profitability, legal compliance and commercial image.[7]
Information security management is a risk-based approach, which takes into account the consequence of loss of confidentiality, integrity and availability of the asset. The DISP mandates that all government departments must have the following: an internal audit and risk management system; compliance with a minimum set of ISMS control objectives and controls; certified compliance for shared service provider departments; nomination of a responsible senior officer; department attestation of compliance; department attestation by an accredited agency; and information classification based on the new classification guidelines.
The NSW government ICT strategy recognizes that a strategic approach to the use of cloud-based services will provide opportunities to achieve better value ICT investment and improve service capability. The government’s shift to a service orientation will take advantage of the increasing commoditization of ICT and the rapidly developing cloud computing industry.[8]
FIGURE 6
NSW government agencies will evaluate cloud-based services when undertaking ICT procurements to determine the ICT delivery model that provides the best value sustainable investment, taking account of the full range of cost-benefit considerations.
All NSW public sector chief executives are accountable and responsible for ensuring that this policy is applied within their agency. It is also recommended that each agency’s risk and audit committee regularly review compliance. The NSW government ICT Board will provide oversight of the policy.
The NSW government has put in place a systematic ICT strategy, translating stakeholders’ needs at federal and state levels (cyber security, better service, better value investment, security and assurance, and adoption of cloud services technology) into specific, actionable and customized goals. The COBIT 5 Goals Cascade and Strategic Planning also suggest a similar approach.
FIGURE 7
With an ICT strategy and its supporting policy and guidelines, the NSW government is well placed to govern and manage its ICT investments, security, privacy, information management and other considerations. Overall, the NSW government appears sufficiently equipped to transition to the next phase (business model), involving data centre consolidation and the adoption of cloud-services technologies. Towards this end, the NSW government, shared service providers and the departments need to ensure sustainability, transparency and accountability in the adoption and provision of the ICT strategy and services.
* The views expressed are my own and not those of FRNSW.
Notes:
1. Australian Government Cyber Security Strategy, Attorney General, 2009. http://www.ag.gov.au/RightsAndProtections/CyberSecurity/Pages/default.aspx
2. National Security Information Environment Roadmap: 2020 Vision; Australian Government, Department of the Prime Minister and Cabinet. 2010.
3. NSW Government ICT Strategy 2012, www.services.nsw.gov.au/ict.
4. M2012-15 Digital Information Security Policy, http://www.dpc.nsw.gov.au
5. Cloud Security Policy and Guidelines, 2013, http://www.finance.nsw.gov.au/ict/
6. NSW Government information classification and labelling policy and guideline is currently under revision and due in 2013.
7. AS/NZS ISO/IEC 27001 Information technology – Security techniques – Information security management systems – Requirements, and AS/NZS ISO/IEC 27002 Information technology – Security techniques – Code of practice for information security management, and related standards.
8. NSW Government Cloud Services Policy and Guidelines. http://www.finance.nsw.gov.au/ict