Auditing and Security of Information Systems
Dear Department of Veterans' Affairs,
As you were the fastest to reply last time, and gave a good quality response, I wanted to ask under administrative access arrangements (not FOI, given the simple nature of the request) if you could assist with my next research topic.
The final assignment regards auditing and security of information management systems by public sector organisations, and we have been encouraged once again include Commonwealth examples to compare and contrast to our state government policies and procedures.
I’m concentrating on information security and need to know principles of system process design.
I was wondering if you had any internal policy documents or guides such as:
* ICT Conditions of Use policy
* Information System Auditing and Security policy or anything that outlines what information system capabilities that support this functioning (for example, audit logging or multiple factor authorisations) and/or
* anything else that refers to or relates to information security that you think might be useful
Basically I just need some informed overview understanding of how your agency protects its information systems from internal unauthorised misuse, and implements the IT need to know principles.
If you have anything on measures to protect against inappropriate use of IT resources (such as inappropriate web surfing on DVA resources), that would be appreciated to.
If you could provide before the end of October, that would be much appreciated.
If DVA gives specific training on information security to its general staff too, any copy you can give of any of that would be helpful too.
Yours faithfully,
Marcus
Good morning.
Please see to the following.
Regards.
Linda Liu
Assistant Information Access Officer
National Information Access Processing Team (NIAPT)
Department of Veterans' Affairs
Tel : (02) 9213 7629 Fax: (02) 9213 7400
-----Original Message-----
From: Marcus [mailto:[FOI #4857 email]]
Sent: Tuesday, 2 October 2018 6:26 PM
To: FOI <[email address]>
Subject: Freedom of Information request - Auditing and Security of Information Systems [TO BE CLASSIFIED]
Dear Department of Veterans' Affairs,
As you were the fastest to reply last time, and gave a good quality response, I wanted to ask under administrative access arrangements (not FOI, given the simple nature of the request) if you could assist with my next research topic.
The final assignment regards auditing and security of information management systems by public sector organisations, and we have been encouraged once again include Commonwealth examples to compare and contrast to our state government policies and procedures.
I’m concentrating on information security and need to know principles of system process design.
I was wondering if you had any internal policy documents or guides such as:
* ICT Conditions of Use policy
* Information System Auditing and Security policy or anything that outlines what information system capabilities that support this functioning (for example, audit logging or multiple factor authorisations) and/or
* anything else that refers to or relates to information security that you think might be useful
Basically I just need some informed overview understanding of how your agency protects its information systems from internal unauthorised misuse, and implements the IT need to know principles.
If you have anything on measures to protect against inappropriate use of IT resources (such as inappropriate web surfing on DVA resources), that would be appreciated to.
If you could provide before the end of October, that would be much appreciated.
If DVA gives specific training on information security to its general staff too, any copy you can give of any of that would be helpful too.
Yours faithfully,
Marcus
-------------------------------------------------------------------
Please use this email address for all replies to this request:
[FOI #4857 email]
Is [DVA request email] the wrong address for Freedom of Information requests to Department of Veterans' Affairs? If so, please contact us using this form:
https://www.righttoknow.org.au/change_re...
This request has been made by an individual using Right to Know. This message and any reply that you make will be published on the internet. More information on how Right to Know works can be found at:
https://www.righttoknow.org.au/help/offi...
If you find this service useful as an FOI officer, please ask your web manager to link to us from your organisation's FOI page.
-------------------------------------------------------------------
______________________________________________________________________
IMPORTANT
1. Before opening any attachments, please check for viruses.
2. This e-mail (including any attachments) may contain confidential information
for the intended recipient. If you are not the intended recipient,
please contact the sender and delete all copies of this email.
3. Any views expressed in this e-mail are those of the sender and are not
a statement of Australian Government Policy unless otherwise stated.
4. Electronic addresses published in this email are not conspicuous publications and DVA does not consent to the receipt of commercial electronic messages.
5. To unsubscribe from emails from the Department of Veterans' Affairs (DVA) please go to
http://www.dva.gov.au/contact_us/Pages/f...
, and advise which mailing list you would like to unsubscribe from.
6. Finally, please do not remove this notice.
Dear Marcus,
Acknowledgement of Administrative Access Request – LEX 24857
I refer to your request to access information held by our Department under
Administrative Access. The Department received your request on 2 October
2018.
If you have any questions about your matter, please contact us using the
following details:
Post: Legal Services & Assurance, Department of Veterans’ Affairs
GPO Box 9998, Canberra ACT 2601
Facsimile: (02) 6289 6337
Email: [1][email address]
In all communications please quote reference LEX 24857.
Kind regards,
Information Law Team
Information Law | Legal Services & Assurance Branch
Department of Veterans’ Affairs
Gnabra House – 21 Genge Street Canberra City ACT 2601|GPO Box 9998
Canberra ACT 2601
E: [2][email address]
[3]cid:image001.png@01D0027A.1DAB84F0
-----Original Message-----
From: Liu, Linda On Behalf Of INFORMATION.ACCESS
Sent: Wednesday, 3 October 2018 9:40 AM
To: INFORMATION.LAW <[email address]>
Cc: INFORMATION.ACCESS <[email address]>;
'[FOI #4857 email]'
<[FOI #4857 email]>
Subject: FW: Freedom of Information request - Auditing and Security of
Information Systems [TO BE CLASSIFIED] [DLM=For-Official-Use-Only]
Good morning.
Please see to the following.
Regards.
Linda Liu
Assistant Information Access Officer
National Information Access Processing Team (NIAPT) Department of
Veterans' Affairs Tel : (02) 9213 7629 Fax: (02) 9213 7400
-----Original Message-----
From: Marcus [[4]mailto:[FOI #4857 email]]
Sent: Tuesday, 2 October 2018 6:26 PM
To: FOI <[5][email address]>
Subject: Freedom of Information request - Auditing and Security of
Information Systems [TO BE CLASSIFIED]
Dear Department of Veterans' Affairs,
As you were the fastest to reply last time, and gave a good quality
response, I wanted to ask under administrative access arrangements (not
FOI, given the simple nature of the request) if you could assist with my
next research topic.
The final assignment regards auditing and security of information
management systems by public sector organisations, and we have been
encouraged once again include Commonwealth examples to compare and
contrast to our state government policies and procedures.
I’m concentrating on information security and need to know principles of
system process design.
I was wondering if you had any internal policy documents or guides such
as:
* ICT Conditions of Use policy
* Information System Auditing and Security policy or anything that
outlines what information system capabilities that support this
functioning (for example, audit logging or multiple factor authorisations)
and/or
* anything else that refers to or relates to information security that you
think might be useful
Basically I just need some informed overview understanding of how your
agency protects its information systems from internal unauthorised misuse,
and implements the IT need to know principles.
If you have anything on measures to protect against inappropriate use of
IT resources (such as inappropriate web surfing on DVA resources), that
would be appreciated to.
If you could provide before the end of October, that would be much
appreciated.
If DVA gives specific training on information security to its general
staff too, any copy you can give of any of that would be helpful too.
Yours faithfully,
Marcus
-------------------------------------------------------------------
Please use this email address for all replies to this request:
[6][FOI #4857 email]
Is [7][DVA request email] the wrong address for Freedom of Information requests
to Department of Veterans' Affairs? If so, please contact us using
this form:
[8]https://www.righttoknow.org.au/change_re...
This request has been made by an individual using Right to Know. This
message and any reply that you make will be published on the internet.
More information on how Right to Know works can be found at:
[9]https://www.righttoknow.org.au/help/offi...
If you find this service useful as an FOI officer, please ask your web
manager to link to us from your organisation's FOI page.
-------------------------------------------------------------------
--------------------------------------------------------------------------
IMPORTANT
1. Before opening any attachments, please check for viruses.
2. This e-mail (including any attachments) may contain confidential
information
for the intended recipient. If you are not the intended recipient,
please contact the sender and delete all copies of this email.
3. Any views expressed in this e-mail are those of the sender and are not
a statement of Australian Government Policy unless otherwise stated.
4. Electronic addresses published in this email are not conspicuous
publications and DVA does not consent to the receipt of commercial
electronic messages.
5. To unsubscribe from emails from the Department of Veterans' Affairs
(DVA) please go to
http://www.dva.gov.au/contact_us/Pages/f...
, and advise which mailing list you would like to unsubscribe from.
6. Finally, please do not remove this notice.
References
Visible links
1. mailto:[email address]
2. mailto:[email address]
4. mailto:[FOI #4857 email]
5. mailto:[email address]
6. mailto:[FOI #4857 email]
7. mailto:[DVA request email]
8. https://www.righttoknow.org.au/change_re...
9. https://www.righttoknow.org.au/help/offi...
Dear Marcus
I refer to your administrative access request to information about the
Department's Auditing and Security of Information Systems received on 2
October 2018.
Acceptable use of the Department's Information Systems is outlined in our
Security Protocol.
DHS Cyber Security Branch provide quarterly reports to DVA on staff access
including privileged (administrator) access. Other reports are also
provided to business unit managers on access and use of systems within
their area of responsibility for verification.
DHS also use Huntsman to log and monitor user access to the DVA
information environment.
Multi-factor authentication is currently being implemented for all
privileged account access to the DVA information environment.
The combination of DHS tools provide significant measure against internal
unauthorised misuse.
Role Based Access Controls are also in place where user groups are created
and staff are allocated access to the group that they need to do their
work on ‘a need to know’ basis with no other access to other areas.
DVA provides IT security training on induction and annually thereafter,
the training is on the DVA intranet so a copy cannot be provided.
We hope the above assists.
Kind regards
Information Law Section | Legal Services & General Counsel Branch
Department of Veterans’ Affairs
E: [1][email address]
[2]cid:image001.png@01D0027A.1DAB84F0
--------------------------------------------------------------------------
IMPORTANT
1. Before opening any attachments, please check for viruses.
2. This e-mail (including any attachments) may contain confidential
information
for the intended recipient. If you are not the intended recipient,
please contact the sender and delete all copies of this email.
3. Any views expressed in this e-mail are those of the sender and are not
a statement of Australian Government Policy unless otherwise stated.
4. Electronic addresses published in this email are not conspicuous
publications and DVA does not consent to the receipt of commercial
electronic messages.
5. To unsubscribe from emails from the Department of Veterans' Affairs
(DVA) please go to
http://www.dva.gov.au/contact_us/Pages/f...
, and advise which mailing list you would like to unsubscribe from.
6. Finally, please do not remove this notice.
References
Visible links
1. mailto:[email address]