Direction and guidance on ensuring information is fit for purpose, secure, available, accessible, complies with applicable laws and regulations, enables staff to make everyday decisions and helps the department to realise its strategic objectives.
Changes since previous version
2022 Mar 15 - updated Payment Card Industry Data Security link in policy statement.
2022 Oct 31 - Cyber Security email contact address updated.
2022 Feb 28 - updated policy statement to include the department's requirement to comply with the Payment Card Industry Data Security Standard whenever credit card payments are processed (including within schools).
2021 Dec 07 - update to policy statement - updated contact details.
2020 Dec 01 - rescinded implementation document: Information Security Policy Guidelines.
2020 Sep - minor policy update. Change in responsibility and delegation in line with the creation of the Chief Information Security Officer.
2020 Apr - minor updates to text and contact details.
This policy replaces the rescinded Information Security Policy PD/2013/0453.
- Policy statement
- The department is committed to ensuring an appropriate level of security that protects the confidentiality, integrity and availability of its information, and the safety of the people to whom that information relates.
- All departmental information assets, in electronic, paper, audio or video form, whether located in schools, corporate units or other locations, must be secured according to the level of sensitivity, criticality and risk of the information. These assets may include:
- data as described in the Enterprise Data policy
- information the department holds and maintains for, or on behalf of, other government agencies or private entities
- information that external parties hold and maintain for the department
- information and communications technology (ICT) infrastructure that the department owns or leases and any ICT connecting to, or residing on, the department's ICT infrastructure.
- The department protects its information assets by:
- identifying critical and/or sensitive information assets and classifying them in accordance with the security classification framework, to comply with the NSW Information classification, labelling and handling guidelines
- performing risk assessments in accordance with the Enterprise Risk Management policy
- applying appropriate information security controls to reduce risks to an acceptable level. Controls will be described in various information security standards, procedures and guidelines
- continually improving the Information Security Management System including information security processes, techniques and controls.
- The department's information assets must be protected in the design, development and implementation of its processes and business operations. This requirement applies to locations where departmental information is stored temporarily or permanently. This includes but is not restricted to schools and other departmental worksites; and non-departmental sites and private residences (only in relation to any departmental information assets at those locations).
- Audience and applicability
- All staff, including contractors, and parties that access or use the department's information assets.
- Information that is fit for purpose, secure, available, and accessible, and complies with applicable laws and regulations, enables staff to make everyday decisions and assists the department to realise its strategic objectives.
- This policy supports the Department of Customer Service directive that all agencies appropriately protect information by establishing an Information Security Management System (ISMS). An ISMS is a framework and methodology used to manage information security risks. The department's ISMS meets the following Standards for Information Security:
- ISO/IEC 27001 ISMS Requirements
- ISO/IEC 27002 ISMS Code of Practice.
- Implementing an information security policy and ISMS, along with effective governance, enables the department to identify, manage and achieve its information security objectives.
- This policy is guided by the following legislation, memoranda, circulars and departmental policies:
- NSW State Records Act 1998
- NSW Privacy and Personal Information Protection Act 1998
- NSW Health Records and Information Privacy Act 2002
- NSW Workplace Surveillance Act 2005
- NSW Cyber Security policy
- NSW Government Information Classification, Labelling and Handling Guidelines 2015
- Code of Conduct policy
- Enterprise Data policy
- Enterprise Risk Management policy
- Business Continuity Management policy
- Privacy Management Plan
- Privacy Code of Practice
- Digital Devices and Online Services Staff Use
- Payment Card Industry Data Security Standard.
- Responsibilities and delegations
- The Secretary:
- establishes auditable governance and management accountabilities for the Information Security Management System and related activities
- establishes appropriate monitoring and auditing measures to ensure these accountabilities are discharged effectively.
- Chief Information and Data Officer (CIDO):
- manages and maintains the infrastructure on which the department's enterprise data and metadata resides
- ensures the department's data is managed securely in line with the department's Information Security policy.
- Chief Information Security Officer (CISO):
- defines and implements an information security plan for protecting the department's information and systems
- manages and maintains the Information Security Management System.
- All managers, including principals:
- ensure this policy and associated standards and procedures are effectively communicated and implemented throughout all their areas of control.
- All staff:
- comply with the Information Security policy and the relevant standards and procedures
- exercise a duty of care to protect information assets
- report suspected breaches in accordance with the department's Data breach response plan.
- The Secretary:
- Monitoring and review
- The Chief Information Security Officer monitors the implementation of this policy, regularly reviews its contents to ensure relevance and accuracy, and updates it as needed.
Cyber Security Unit
1300 32 32 32 (select 5)