Information Security Policy

The Library is committed to a secure information environment that protects the confidentiality, integrity and availability of its information assets and systems.

Version: 4.0
Last Amendment: 29 August 2017
Approved by: State Library Executive Committee
Policy owner/sponsor: Director, Digital Experience & CIO
Policy Contact Officer: Manager, Digital Strategy & Innovation & CISO
Date approved: 14/09/2019
Next review: 08/2021

Policy statement

The State Library is committed to a secure information environment that protects the confidentiality, integrity and availability of its information assets and systems.

The purpose of this policy is to:

  • apply a consistent information security approach based on the Library’s Risk Management Policy and Framework;
  • ensure all staff, contractors, Fellows and volunteers, vendors and other partners are aware of their information security responsibilities;
  • foster a culture where cyber security risk management is an important and valued aspect of decision-making and the procedures understood and applied;
  • implement and report against the ACSC Essential 8 cyber security mitigation strategies;
  • ensure the continual improvement of the Library’s information security management system (ISMS);
  • align with ISO 27001 Information Security Management standard; and
  • meet the requirements of the NSW Cyber Security Policy.

Target audience

Library staff, contractors, Fellows and volunteers, vendors, and other business partners.

This policy should be read in conjunction with the Policy on the use of State Library Information & Communication Technologies.

Context

The NSW State Library is the custodian of the State’s cultural heritage and is home to historical collections worth in total more than $2bn. It provides information resources to citizens throughout the state, which are increasingly of a digital nature.

The Library is responsible for the management and protection of sensitive data, including:

  • personal and/or health information about readers, entrants to the Library’s awards program, donors, copyright owners, staff, Fellows and volunteers;
  • activities around procuring and managing the provision of third party provided services;
  • acquisitions negotiations; and
  • funding allocation to public libraries.

As a NSW Government Agency, the Library is required to comply with relevant NSW and Commonwealth legislation and policies as defined in this policy.

The Library engages third party service providers to deliver some of its services. These include:

  • tier 1 Service Desk;
  • Library integrated collections management system;
  • web site hosting;
  • client identity management;
  • CCTV and physical access systems;
  • data storage and backup;
  • corporate productivity services including email and file shares; and
  • the Library shop ecommerce site.

Scope

The boundaries and applicability of Library’s ISMS are:

  • the Library’s collection in any form, including print, digital, video and audio;
  • administrative information about the management of the Library’s collections;
  • processes and operations that handle information assets;
  • Information and Communications Technology (ICT) infrastructure, systems, applications, and websites used to create, process, transmit, and store information by the Library; and
  • information held and maintained for the Library by external parties.

Information security objectives

The objectives of this policy are to:

  • apply the principles of information security to the Library’s activities;
  • minimise the likelihood of, or contain the extent of loss or damage from, a security breach or exposure;
  • protect the integrity and security of the Library’s electronic data and information;
  • classify and label information with the appropriate level of protection;
  • ensure cyber security requirements are built into procurements and into the early stages of projects and the system development life cycle in all existing and new information systems or services implemented by the Library;
  • include information security controls in service provider agreements where appropriate;
  • inform all State Library personnel, other government agencies, clients and business partners who have access to State Library information of their responsibilities and obligations with respect to security under this policy.

Operational requirements

Risk assessment

The Library has a low appetite for risks associated with information security. Realisation of information security risks could adversely affect strategic outcomes and/or damage the Library’s reputation.

The Library shall perform annual organisation-wide information security risk assessments, and shall implement and monitor any necessary risk treatments. Information security risks at project level, including procurement activities, shall be assessed and treated as part of the Library’s project management methodology.

The Library’s information security risk methodology is aligned with its Risk Management Policy and Framework.

Acceptable Use

Requirements for the acceptable use of information and communication technology are defined in the Policy on the use of State Library Information & Communication Technologies. That policy includes statements on access rights, password security, email, instant messaging, remote access, and bring your own device. Staff are obliged to read and comply with it as part of their information security responsibilities.

Access Control and User Access Management

Users shall only be provided with access to network and network services that they have been specifically authorised to use. Access to the Library’s information and information systems:

  • is restricted to authorised users on a need-to-know basis;
  • is based on job functions and responsibilities;
  • must be authorised in advance and documented;
  • is restricted through user identification and authentication controls, with each user being uniquely identifiable; and
  • is removed upon termination of employment, contract or agreement.

Any account not logged into for 60 days or longer will be suspended, and the account owner’s people leader contacted to verify its ongoing need.

The Library conducts biannual reviews of user access privileges to verify the ongoing legitimacy of access.

Supplier security

All contracts and interactions between the Library and third-party suppliers shall include requirements to protect Library data. Suppliers’ access to the Library’s information assets shall be agreed and documented during the procurement process. Third-party suppliers should provide a written statement acknowledging responsibility for the security of Library information that they hold or have access to.

Requirements shall be documented in service level agreements and monitored throughout the life-cycle of the contract.

Information Classification, labelling and handling

Information created and held by the Library is mostly of low sensitivity. Therefore, the Library has adapted the NSW Government Information Classification, Labelling and Handling Guidelines in line with its risk profile.

All staff are responsible for assessing the information they create for sensitivity. Information may be regarded as sensitive where:

  • its compromise could damage the reputation of the Library, State or national interest or individuals; or
  • it requires protection under NSW or Commonwealth legislation.

There is no information created by the Library which requires a level of protection beyond the use of four dissemination limiting markers (DLMs):

  • Sensitive: NSW Government
  • Sensitive: Personal
  • Sensitive: Health Information
  • Sensitive: Legal

Only the State Library Executive have the authority to allocate a higher level of protection if warranted.

Documents carrying a DLM should be limited to those who need to use or access them to perform their duties. Staff must not prepare, read or discuss sensitive information in public where it may be observed by those without authorisation.

Documentation carrying the DLM of Sensitive: Personal or Sensitive: Health Information must not be left unattended on desks or other places where they may be observed by those without authorisation.

TRIM files marked ‘Sensitive’ must be secured and protected appropriately.

Training

Information security training and awareness compliance training is provided during staff induction, and annually on a Library-wide basis. Staff are required to attend and/or participate in training as initiatives are made available to them.

Incident Management

The Library has an incident management plan as documented in ICT Services Management. The Library shall test the plan annually to ensure its validity and to identify opportunities for improvement.

Staff should report identified or suspected information security events or incidents, or information security weaknesses to ICT Services as soon as possible.

Examples of weaknesses, incidents and events include:

  • breaches of confidentiality, integrity or availability of information;
  • social engineering (e.g. phishing attacks);
  • poor password management behaviour;
  • unusual system activity; and
  • malfunctions of hardware or software.

Reporting

The Library shall provide an attestation on cyber security in annual reports as outlined in section 4 of the NSW Cyber Security Policy. The report shall state that the Library:

  • has assessed its cyber security risks;
  • addresses cyber security at Library governance forums (Executive, Library Council, Audit and Risk Committee);
  • has a cyber incident response plan that has been tested over the previous twelve months; and
  • has an ISMS in place which is subject to independent review.

The Library will provide a copy of the attestation to Cyber Security NSW annually by 31 August each year, along with:

  • an assessment of the Library’s compliance against mandatory requirements in the CSP for the previous financial year, including a maturity assessment against the Australian Cyber Security Centre (ACSC) Essential 8;
  • cyber security risks with a residual rating of high or extreme; and
  • a list of the Library’s most valuable or operationally vital systems or information (‘crown jewels’).

ISMS Performance evaluation

An annual full external review of the ISMS shall be conducted to ensure its effectiveness. Findings will be used to inform any necessary corrective actions and identify areas for continual improvement of the ISMS.

Legislative and Policy Framework

Most relevant legislation

  • NSW Cyber Security Policy
  • Copyright Act 1968 (Cth)
  • Government Information (Public Access) Act 2009 (NSW)
  • Government Sector Employment Act 2013 (NSW)
  • Health Records and Information Privacy Act 2002 (NSW)
  • Privacy and Personal Information Protection Act 1998 (NSW)
  • State Records Act 1998 (NSW)
  • Workplace Surveillance Act 2005 (NSW)
  • NSW Classification and Labelling Guidelines
  • AS/NZS ISO 31000:2009 Risk Management Principles and Guidelines
  • AS/NZS ISO/IEC 27001:2007 (ISO 27001) ISMS Requirements
  • AS/NZS ISO/IEC 27002:2007 Information technology – Security techniques – Code of practice for information security management
  • NSW Department of Finance and Services: Information Security Guidelines 2011
  • NSW Government Digital Information Security Policy v2.0, April 2015
  • NSW Government Information Classification and Labelling Guidelines, October 2013
  • NSW Government ICT Strategy
  • NSW Treasury Policy & Guidelines Paper TPP09-05 – Internal Audit and Risk Management Policy for the NSW Public Sector
  • Payment Card Industry Data Security Standards

Definitions and acronyms

Information Security: preservation of confidentiality, integrity and availability of information.

Information Security Event: an identified occurrence of a system, service or network state indicating a possible breach of information security policy or failure of controls, or a previously unknown situation that may be security relevant.

Information Security Incident: a single or a series of unwanted or unexpected information security events that have a significant probability of compromising business operations and threatening information security.

Information Security Management System: an organisational approach to identifying and managing information security risks. Defined by ISO 27001 Information technology - Security techniques - Information security management systems - Requirements.

Responsibilities

Director, Digital Experience & CIO is responsible for:

  • monitoring the suitability, adequacy and effectiveness of the Library’s ISMS;
  • ownership of this policy;
  • ensuring that this policy is reviewed every two years;
  • leading the implementation of this policy; and
  • assessing and acting on serious breaches of this policy, including tabling serious breaches to the Executive Committee.

Executive Committee is responsible for:

  • endorsement of this policy;
  • approving amendments to this policy;
  • monitoring the suitability, adequacy and effectiveness of the Library’s ISMS; and
  • reviewing serious breaches of this policy and determining plan of action or recourse.

The Audit and Risk Committee is responsible for:

  • monitoring the suitability, adequacy and effectiveness of the Library’s ISMS.

Manager, Digital Strategy & Innovation is responsible for:

  • monitoring the suitability, adequacy and effectiveness of the Library’s ISMS;
  • implementing and maintaining the Library’s Classification and Handling framework; and
  • review of this policy every 3 years, or as necessary when there are changes to the Library’s ISMS.

Manager, ICT Services is responsible for:

  • implementing reviews and procedures to ensure protection, auditing and monitoring of ICT infrastructure and systems security comply with this policy;
  • ensuring breaches are escalated promptly to the Director, Digital Experience & CIO for assessment and possible further action; and
  • documenting and reporting incidents to the Information Security Management System Working Group.

Manager Digital Libraries Systems & Services is responsible for:

  • implementing reviews and procedures to ensure protection, auditing and monitoring of Library systems comply with this policy; and
  • ensuring code development and application changes comply with this policy.

Managers and supervisors are accountable for:

  • ensuring this policy is effectively communicated on an ongoing basis to staff;
  • ensuring all reports of breaches of this policy are raised as soon as possible with their Executive member; and
  • ensuring the Privacy Contact Officer is informed of any breach of privacy.

Project Managers and Sponsors are responsible for:

  • ensuring this policy is applied to all information management related projects and procurement activities.

Privacy Contact Officer is responsible for:

  • managing privacy issues and applications for internal review, which may result from a breach of this policy, in accordance with the State Library’s Privacy Management Plan.

All Library staff are responsible for:

  • understanding and complying with this policy; and
  • participating in information security awareness training.

Procedures

This policy is underpinned by the following procedural documents:

  • Classification and Labelling Standards and Guidelines;
  • ICT Services Management Plan.