Auditing and Security of Information Systems

Marcus (Account suspended) made this Freedom of Information request to Department of Veterans' Affairs

This request has been closed to new correspondence from the public body. Contact us if you think it ought be re-opened.

The request was successful.

Marcus (Account suspended)

Dear Department of Veterans' Affairs,

As you were the fastest to reply last time, and gave a good quality response, I wanted to ask under administrative access arrangements (not FOI, given the simple nature of the request) if you could assist with my next research topic.

The final assignment regards auditing and security of information management systems by public sector organisations, and we have been encouraged once again to include Commonwealth examples to compare and contrast to our state government policies and procedures.

I’m concentrating on information security and need to know principles of system process design.

I was wondering if you had any internal policy documents or guides such as:
* ICT Conditions of Use policy
* Information System Auditing and Security policy or anything that outlines what information system capabilities support this functioning (for example, audit logging or multiple factor authorisations) and/or
* anything else that refers to or relates to information security that you think might be useful

Basically I just need some informed overview understanding of how your agency protects its information systems from internal unauthorised misuse, and implements the IT need to know principles.

If you have anything on measures to protect against inappropriate use of IT resources (such as inappropriate web surfing on DVA resources), that would be appreciated too.

If you could provide before the end of October, that would be much appreciated.

If DVA gives specific training on information security to its general staff too, any copy you can give of any of that would be helpful too.

Yours faithfully,

Marcus

INFORMATION.ACCESS, Department of Veterans' Affairs

Good morning.

Please see to the following.

Regards.

Linda Liu
Assistant Information Access Officer
National Information Access Processing Team (NIAPT)
Department of Veterans' Affairs
Tel : (02) 9213 7629 Fax: (02) 9213 7400


INFORMATION.LAW, Department of Veterans' Affairs

1 Attachment

Dear Marcus,

 

Acknowledgement of Administrative Access Request – LEX 24857

 

I refer to your request to access information held by our Department under
Administrative Access.  The Department received your request on 2 October
2018.

 

If you have any questions about your matter, please contact us using the
following details:

 

Post: Legal Services & Assurance, Department of Veterans’ Affairs

GPO Box 9998, Canberra ACT 2601

Facsimile: (02) 6289 6337

Email: [1][email address]

 

In all communications please quote reference LEX 24857.

 

Kind regards,

 

Information Law Team

 

Information Law | Legal Services & Assurance Branch

Department of Veterans’ Affairs

Gnabra House – 21 Genge Street Canberra City ACT 2601|GPO Box 9998
Canberra ACT 2601

E: [2][email address]

 

 


INFORMATION.LAW, Department of Veterans' Affairs

1 Attachment

Dear Marcus

 

I refer to your administrative access request to information about the
Department's Auditing and Security of Information Systems received on 2
October 2018.

Acceptable use of the Department's Information Systems is outlined in our
Security Protocol.

 

DHS Cyber Security Branch provide quarterly reports to DVA on staff access
including privileged (administrator) access. Other reports are also
provided to business unit managers on access and use of systems within
their area of responsibility for verification.

 

DHS also use Huntsman to log and monitor user access to the DVA
information environment.

 

Multi-factor authentication is currently being implemented for all
privileged account access to the DVA information environment.

 

The combination of DHS tools provides a significant measure against internal
unauthorised misuse.

 

Role Based Access Controls are also in place where user groups are created
and staff are allocated access to the group that they need to do their
work on ‘a need to know’ basis with no other access to other areas.

 

DVA provides IT security training on induction and annually thereafter;
the training is on the DVA intranet so a copy cannot be provided.

 

We hope the above assists.

 

Kind regards

 

Information Law Section | Legal Services & General Counsel Branch

Department of Veterans’ Affairs

E: [1][email address]

 
