UNCLASSIFIED
Table of Contents
1 Introduction (p. 6)
  1.1 Overview (p. 6)
  1.2 Applicability of National Information Security Policy (p. 6)
    1.2.1 Critical Infrastructure (CI) (p. 6)
    1.2.2 Critical Information Infrastructure (CII) (p. 7)
  1.3 Policy Review Cycle (p. 7)
  1.4 Structure of National Information Security Policy (p. 7)
  1.5 Adaptation of Security Controls (p. 7)
  1.6 Applicable Legislation (p. 7)
2 Policy Context (p. 8)
  2.1 National Information Security Strategy (p. 8)
3 Guiding Principles (p. 9)
  3.1 Top Leadership Accountability (p. 9)
  3.2 Collective Responsibility (p. 9)
  3.3 Personal Accountability (p. 9)
  3.4 Risk Management/Proportionality (p. 9)
  3.5 Secure/Assured Sharing (p. 9)
  3.6 Suitable, Trustworthy and Reliable Staff (p. 9)
  3.7 Resilience (p. 10)
4 Security Governance (p. 12)
  4.1 Introduction (p. 12)
  4.2 Policy Statement on Information Security (p. 13)
    4.2.1 Issue Policy Statement on Information Security (p. 13)
    4.2.2 Articulate Information Risk Appetite (p. 13)
  4.3 Information Security Organisation (p. 14)
    4.3.1 Responsibilities of Boards & Accounting Officers (p. 14)
    4.3.2 Responsibilities of Information Risk Owner (p. 15)
    4.3.3 Responsibilities of Information Asset Owners (p. 15)
    4.3.4 Responsibilities of Security Coordination Group (p. 15)
    4.3.5 Responsibilities of Operational Security Team (p. 16)
  4.4 Risk Management (p. 16)
  4.5 Awareness, Education and Training (p. 17)
  4.6 Business Continuity & Disaster Recovery (p. 17)
  4.7 Incident Management (p. 18)
  4.8 Assurance & Compliance (p. 19)
5 Information Security (p. 22)
  5.1 Introduction (p. 22)
    5.1.1 GoU Information Security Commitment (p. 22)
    5.1.2 Applicability of Information Security Requirements (p. 22)
    5.1.3 Information Security and Security Governance (p. 23)
  5.2 Information Security Policy (p. 23)
  5.3 Asset Management (p. 24)
  5.4 Secure Information Sharing (p. 25)
  5.5 Supply Chain Security (p. 26)
  5.6 Access Management (p. 27)
  5.7 Network Security Controls (p. 28)
  5.8 Malicious Code Protection (p. 29)
  5.9 Portable and Removable Media Security (p. 30)
  5.10 Remote Access Security (p. 31)