NDIA Information Security Risk Management Policy and Procedures
Dear National Disability Insurance Agency,
Please provide a copy of the NDIA Information Security Risk Management Policy and Procedure. This includes the supporting Information Security Risk Management Plan. That is, for clarity, the documents which scoped the NDIA’s information security risk management (ISRM) requirements and the subsequent policies and procedures that deliver, manage and ensure these actions and compliance are conducted.
Context:
The Queensland Government defines information management as “the means by which an organisation plans, collects, organises, governs, secures, uses, controls, disseminates, exchanges, maintains and disposes of its information; as well as any means through which the organisation ensures that the value of that information is identified and exploited to its fullest extent.” Security is implied. “Security risk related to the operation and use of information systems is just one of many components of organizational risk that senior leaders/executives address as part of their ongoing risk management responsibilities” [10]. Whereas “Information security risk management (ISRM) is the process of managing risks associated with the use of information technology. It involves identifying, assessing and treating risks to the confidentiality, integrity and availability of an organisation’s assets. The end goal of this process is to treat risks in accordance with an organisation's overall risk tolerance” [8] through a four-step process of identifying assets, identifying vulnerabilities, identifying threats and identifying controls [9]. “An information security and risk management (ISRM) strategy provides an organization with a road map for information and information infrastructure protection with goals and objectives that ensure capabilities provided are aligned to business goals and the organization’s risk profile” [14]. It is therefore assumed that the NDIA has identified and documented these shared information security and risk management concerns through policy and procedure.
The Compliance Council of Australia (CCA) advises that “an information security management system (ISMS) is a combination of processes and policies that help you identify, manage and protect valuable corporate data and information against various risks. Specifically, the ISMS’s key objective is to ensure the confidentiality, integrity and availability of data and information is maintained” [1]. The CCA recommends ISO 27001 as ‘the internationally recognised standard that sets the requirement for ISMS’ [2]. Microsoft also cites ISO standards in complying with the Australian Government Information Security Registered Assessor Program (IRAP), which includes ‘information security risk management’ [4]. The ISO 27000 series is also prioritised and referenced as part of the Protective Security Policy Framework (PSPF) under Information Security Standards [5] for Australian Government entities, administered by the Attorney-General’s Department. It seems clear that information security risk management is a high priority for the Australian Government and providers. Furthermore, ISO 27k seems to be the professional and international standard [15], particularly in the healthcare and public health record sectors.
Australian States and Territories have seemingly placed greater importance on information security management systems and compliance. In 2013, the Western Australia Auditor General noted that “99% of the agencies reviewed had serious gaps in their management of information security when assessed against better practice international standards. Many of the agencies are not adopting a strategic approach to identifying and assessing risks” [6], resulting in ‘unnecessary risk’ [7] to government and public information. Following on from similar observations, the Government of Victoria recently produced an Information Security Risk Management Practitioners Guide [11], which also emphasises the protection of Australian public information and data assets, including the use of the ISO 27000 suite of information security risk management standards [12], as part of a positive obligation for State entities and officers [24]. By comparison, the Queensland Government has long provided clear guidance and best practice for information risk management [16] of Whole of Government risk management of public information, data and records, declaring that “Information risk management should be incorporated into all decisions in day-to-day operations and if effectively used, can be a tool for managing information proactively rather than reactively”. The more contemporary version from the Queensland Government’s Information Security Policy (IS18:2018) expands upon these concepts considerably, including the adoption and endorsement of ISO 27000 as the framework of that state government’s Information Security Management System [19]. This in turn links into the Attorney-General’s Department and the Australian Government’s Protective Security Policy Framework (PSPF) [21].
The Australian Prudential Regulation Authority (APRA) observed that “the pervasive nature of information security threats and vulnerabilities and the need for sound practices and a solid business understanding in order to maintain an information security capability commensurate with those threats and vulnerabilities. It also reflects that APRA regulated entities have developed distinct practices and disciplines to manage information security risk, information technology (IT) risk and operational risk. In APRA’s view, these are all necessary and complementary disciplines” [22]. This stems from an extensive cross-industry consultation, following observations that “effective information security is increasingly critical as information security attacks are increasing in frequency, sophistication and impact, with perpetrators continuously refining their efforts to compromise systems, networks and information worldwide. This was clearly evident from the results of APRA’s two cyber surveys, which indicated that incidents varied in nature, sophistication and impact” [23].
Chief Information Security Officers (CISOs) appear very familiar with the requirements of Information Security and Risk Management (ISRM) [13]. This is in addition to the Information Systems Audit and Control Association’s (ISACA) long-standing guidance on the development of information security and risk management strategies [14], including specific, measurable and auditable guidelines for ISRM.
In sum, the NDIA seems to collect, manage and ‘secure’ a significant amount of public information. Therefore, it seems reasonable that the NDIA has a well-developed, mature and consistent approach to information security risk management, supported by accompanying policy and procedures, which make up the focus of this request.
Thank you for your assistance.
Yours faithfully,
Shirley
References:
1. Compliance Council of Australia (2012) What is an information security management system?, Available at: <https://www.compliancecouncil.com.au/sta...>. Accessed [8 Jul 21]
2. Ibid
3. Microsoft (2012) Australian Government Information Security Registered Assessor Program (IRAP), Available at: <https://docs.microsoft.com/en-us/complia...>. Accessed [8 Jul 21]
4. Ibid
5. Attorney-General’s Department (2021) Relevant Australian and International Standards: Information Security Standards, Available at: <https://web.archive.org/web/202104011652...>. Accessed [8 Jul 21]
6. Western Australia Auditor General (2013) Information Systems Audit Report, 11, Western Australia Government, Available at: <https://audit.wa.gov.au/wp-content/uploa...>. Accessed [8 Jul 21]
7. Ibid
8. Rapid7 (2021) Information Security Risk Management: Identify and achieve an acceptable level of risk, Available at: <https://www.rapid7.com/fundamentals/info...>. Accessed [8 Jul 21]
9. Ibid
10. NIST (2011) Information Security, National Institute of Standards and Technology, U.S. Department of Commerce, Available at: <https://nvlpubs.nist.gov/nistpubs/Legacy...>. Accessed [8 Jul 21]
11. OVIC (2021) Practitioner Guide: Information Security Risk Management, Version 2.0, Office of the Victorian Information Commissioner, Government of Victoria, Available at: <https://ovic.vic.gov.au/wp-content/uploa...>. Accessed [8 Jul 21]
12. Ibid
13. CISO Portal (2021) Information Security Risk Management: What and How?, Available at: <https://www.ciso-portal.com/information-...>. Accessed [8 Jul 21]
14. ISACA (2010) Developing an Information Security and Risk Management Strategy, Available at: <https://www.isaca.org/resources/isaca-jo...>.
15. Dashti, S., Giorgini, P. and Paja, E. (2017) Information Security Management, Conference Paper, IFIP Working Conference on the Practice of Enterprise Modeling, Available at: <https://hal.inria.fr/hal-01765266/file/4...>. Accessed [8 Jul 21]
16. Queensland Government (2002) Queensland Government Information Architecture: Best Practice Guide, Information Risk Management, Available at: <https://www.qgcio.qld.gov.au/__data/asse...>. Accessed [8 Jul 21]
17. Ibid. Page 5
18. Queensland Government (2019) Queensland Government Enterprise Architecture: Information Security Policy, Available at: <https://www.qgcio.qld.gov.au/documents/i...>. Accessed [8 Jul 21]
19. Ibid
20. Queensland Government (2021) Queensland Government Enterprise Architecture: How should I manage my information?, Available at: <https://www.qgcio.qld.gov.au/information...>. Accessed [8 Jul 21]
21. Queensland Government (2020) Queensland Government Enterprise Architecture: Information Security Classification Framework, Available at: <https://www.qgcio.qld.gov.au/documents/i...>. Accessed [8 Jul 21]
22. APRA (2019) Prudential Practice Guide: CPG 234 Information Security, Australian Prudential Regulation Authority, Australian Government, Available at: <https://www.apra.gov.au/sites/default/fi...>. Accessed [8 Jul 21]
23. APRA (2018) Information Security Management: A new cross-industry prudential standard, Discussion Paper, Australian Prudential Regulation Authority, Australian Government, Available at: <https://www.apra.gov.au/sites/default/fi...>. Accessed [8 Jul 21]
24. OVIC (2021) Practitioner Guide: Information Security Risk Management, Version 2.0, Office of the Victorian Information Commissioner, Government of Victoria, Available at: <https://ovic.vic.gov.au/data-protection/...>. Accessed [8 Jul 21]
Thank you for your email to the National Disability Insurance Agency
(NDIA) Freedom of Information (FOI) team.
Reduced Activity Period
The NDIA have a Reduced Activity Period from Saturday 23 December 2023 to
Monday 1 January 2024.
Therefore, any enquiries received between these dates will be responded to
after Tuesday 2 January 2024.
Please note: due to a high volume of requests, our ability to respond to
you in a timely manner may be affected.
We will action your request as soon as possible and will endeavour to
process your matter within the legislative deadlines. We may need to seek
your agreement to an extension of time. We appreciate your understanding
if this is required.
Participant Information
Did you know the NDIA has other ways to access the documents and
information that we hold?
Participants, Guardians and Nominees can obtain copies of some participant
information through our National Contact Centre (NCC). For more
information about what’s available through the NCC, please contact 1800
800 110.
Please visit our [1]Access to Information webpage to find out more about
accessing information through:
* The [2]Participant Information Access (PIA) scheme
* The [3]Information Publication Scheme (IPS)
* The [4]myplace portal for participants
* The [5]myplace portal for providers
Access to Data
You can also request data and statistics. Please visit our [6]Data and
insights webpage page for further information.
If you are able to obtain your information from a source listed above, you
can withdraw your FOI request by emailing [7][NDIA request email]
Further Information
Information about how to make an FOI request can be found on our website:
[8]Freedom of Information
Should you have a query unrelated to FOI, please contact the Agency by
email at [9][email address] or via webchat at [10]ndis.gov.au.
Alternatively, you can also contact us by phoning 1800 800 110.
Kind regards
Freedom of Information Team
Parliamentary, Ministerial and FOI Branch
Government Division
National Disability Insurance Agency
E: [NDIA request email]
References
Visible links
1. https://www.ndis.gov.au/about-us/policie...
2. https://www.ndis.gov.au/about-us/policie...
3. https://www.ndis.gov.au/about-us/policie...
4. https://www.ndis.gov.au/participants/usi...
5. https://www.ndis.gov.au/providers/workin...
6. https://data.ndis.gov.au/
7. mailto:[NDIA request email]
8. https://www.ndis.gov.au/about-us/policie...
9. mailto:[email address]
10. https://www.ndis.gov.au/
Dear National Disability Insurance Agency,
It seems the response to my request has been delayed. By law, the NDIA should normally have responded promptly and by February 19, 2024 (30 days). Could you please acknowledge receipt of this notification and provide an update?
Yours faithfully,
Shirley
Thank you for your email to the National Disability Insurance Agency
(NDIA) Freedom of Information (FOI) team.
Please note: due to a high volume of requests, our ability to respond to
you in a timely manner may be affected. We will action your request as
soon as possible and will endeavour to process your matter within the
legislative deadlines. We may need to seek your agreement to an extension
of time. We appreciate your understanding if this is required.
Participant Information
Did you know the NDIA has other ways to access the documents and
information that we hold?
Participants, Guardians and Nominees can obtain copies of some participant
information through our National Contact Centre (NCC). For more
information about what’s available through the NCC, please contact 1800
800 110.
Please visit our [1]Access to Information webpage to find out more about
accessing information through:
* The [2]Participant Information Access (PIA) scheme
* The [3]Information Publication Scheme (IPS)
* The [4]myplace portal for participants
* The [5]myplace portal for providers
Access to Data
You can also request data and statistics. Please visit our [6]Data and
insights webpage page for further information.
If you are able to obtain your information from a source listed above, you
can withdraw your FOI request by emailing [7][NDIA request email]
Further Information
Information about how to make an FOI request can be found on our website:
[8]Freedom of Information
Should you have a query unrelated to FOI, please contact the Agency by
email at [9][email address] or via webchat at [10]ndis.gov.au.
Alternatively, you can also contact us by phoning 1800 800 110.
Kind regards
Freedom of Information Team
Complaints Management & FOI Branch
General Counsel Division
National Disability Insurance Agency
E [11][NDIA request email]
The NDIA acknowledges the Traditional Custodians of Country throughout
Australia and their continuing connection to land, sea and community. We
pay our respects to them and their cultures and to Elders past, present
and emerging.
References
Visible links
1. https://www.ndis.gov.au/about-us/policie...
2. https://www.ndis.gov.au/about-us/policie...
3. https://www.ndis.gov.au/about-us/policie...
4. https://www.ndis.gov.au/participants/usi...
5. https://www.ndis.gov.au/providers/workin...
6. https://data.ndis.gov.au/
7. mailto:[NDIA request email]
8. https://www.ndis.gov.au/about-us/policie...
9. mailto:[email address]
10. https://www.ndis.gov.au/
11. mailto:[NDIA request email]
Dear Shirley
Thank you for your Freedom of Information request. Your request has been
registered under FOI 23/24-0804
We endeavour to process requests within 30 days, however, due to a large
increase in FOI requests over recent months this time frame has been
unachievable.
We apologise in advance if it takes us longer than expected to provide you
with information. We appreciate your patience and understanding.
Once your matter is allocated to a staff member a decision maker or admin
officer will contact you to advise the matter has progressed and next
steps if appropriate.
If you would like to discuss your request, please contact us at
[1][NDIA request email] and advise of a suitable time to call.
Kind regards
Rachael
Freedom of Information Team
General Counsel Division
National Disability Insurance Agency
E [2][NDIA request email]
Dear foi,
It has been some time since my request, without update or acknowledgement of receipt and submission. Can you please provide an update and forecast for completion?
Yours sincerely,
Shirley
Dear National Disability Insurance Agency,
Please pass this on to the person who conducts Freedom of Information reviews.
I am writing to request an internal review of National Disability Insurance Agency's handling of my FOI request 'NDIA Information Security Risk Management Policy and Procedures'.
It has been over two months since my submission and application for information. This is well outside the legal statute for FOI requests. Please review and provide information on the status and failure to date.
A full history of my FOI request and all correspondence is available on the Internet at this address: https://www.righttoknow.org.au/request/n...
Yours faithfully,
Shirley
Dear Shirley
Thank you for your request for an Internal Review of matter FOI
23/24-0804.
Because the matter is still being processed, we cannot action your request
for an Internal Review.
The FOI Act gives you the right to apply to the Office of the Australian
Information Commissioner (OAIC) to seek a review of this decision.
If you wish to have the decision reviewed by the OAIC, you may apply for
the review, in writing, or by using the online merits review form
available on the OAIC’s website at [1]www.oaic.gov.au, within 60 days of
receipt of this letter.
Applications for review can be lodged with the OAIC in the following ways:
Online: [2]www.oaic.gov.au
Post: GPO Box 5218, Sydney NSW 2001
Email: [3][email address]
Phone: 1300 363 992 (local call charge)
Complaints to the Office of the Australian Information Commissioner or the
Commonwealth Ombudsman
You may complain to either the Commonwealth Ombudsman or the OAIC about
actions taken by the NDIA in relation to your request. The Ombudsman will
consult with the OAIC before investigating a complaint about the handling
of an FOI request.
Your complaint to the OAIC can be directed to the contact details
identified above. Your complaint to the Ombudsman can be directed to:
Phone: 1300 362 072 (local call charge)
Email: [4][email address]
Your complaint should be in writing and should set out the grounds on
which it is considered that the actions taken in relation to the request
should be investigated.
Rachael
Freedom of Information Team
General Counsel Division
National Disability Insurance Agency
E [5][NDIA request email]
The NDIA acknowledges the Traditional Custodians of Country throughout
Australia and their continuing connection to land, sea and community. We
pay our respects to them and their cultures and to Elders past, present
and emerging.
Dear Shirley,
Thank you for your request of 19 January 2024, made under the Freedom of
Information Act 1982 (FOI Act), for copies of documents held by the
National Disability Insurance Agency (NDIA).
I sincerely apologise for the delay in processing your matter. This
request has recently been allocated to me and I am working on it as a
matter of priority.
Scope revision
For clarity, and to assist with the document search process, I suggest a
revision of scope for the following documents:
* Security Risk Management Procedure
* Security Risk Management Policy
Please reply to this email and let me know if you agree with the above by
17 May 2024.
Unless you advise otherwise, we will take it that you agree to the names
and contact details of NDIA staff being excluded from the scope of your
request (that is, the information will be treated as irrelevant).
Disclosure Log
Information released under the FOI Act may be published on the NDIA’s
disclosure log located on our website, subject to certain exceptions.
If you have any concerns about the publication of information you have
requested, please contact us.
Please contact us at [1][NDIA request email] if you have any questions or need
help.
Kind regards
Karla
Freedom of Information Officer
Complaints Management & FOI Branch
General Counsel Division
National Disability Insurance Agency
E: [2][NDIA request email]
The NDIA acknowledges the Traditional Custodians of Country throughout
Australia and their continuing connection to land, sea and community. We
pay our respects to them and their cultures and to Elders past, present
and emerging.
Dear foi,
Thank you for the update Karla.
If the NDIA’s full and complete information security and information security risk management guidance and specific terms of reference are contained within:
- Security Risk Management Procedure
- Security Risk Management Policy
Then I agree to the revised scope.
Yours sincerely,
Shirley
Dear Shirley,
Thank you for your prompt response. I apologise for the delay in my
response.
The Security Risk Management Policy is part of the agency's overall Risk
Management Framework and describes how the Agency will manage security
risks, as part of the Agency’s compliance with the Protective Security
Policy Framework (PSPF).
This policy largely outlines how the Agency will manage security risks and
touches on security goals and strategic objectives; threats, risks and
vulnerabilities; tolerance to security risks; capability to manage
security risks as well as strategies to implement security risk
management.
The Security Risk Management Procedure sits under and is to be read in
conjunction with the Security Risk Management Policy.
This procedure describes how the Agency manages risks across all areas of
security (governance, information, personnel and physical) to determine
sources of threat and risk (and potential events) that could affect
government or entity business.
It also touches on Security risk assessments and treatments as well as the
Risk Committee.
If you are happy with the proposed scope according to the description of
the documents above, please let me know by 24 May 2024.
Please note that a scope revision will not restrict your ability to
request documents in the future, and you can email [1][NDIA request email]
after you receive the documents if you wish to request further
information.
Kind regards
Karla
Senior Freedom of Information Officer
Complaints Management & FOI Branch
General Counsel Division
National Disability Insurance Agency
E: [2][NDIA request email]
The NDIA acknowledges the Traditional Custodians of Country throughout
Australia and their continuing connection to land, sea and community. We
pay our respects to them and their cultures and to Elders past, present
and emerging.
Dear Shirley
Thank you for your request for information.
Please find attached correspondence and documents in relation to your
request. If you require these in a different format, please let us know.
Please contact us at [1][NDIA request email] if you have any questions or
require help.
Thank you.
Kind regards
Karla (KCL656)
Senior Freedom of Information Officer
Complaints Management & FOI Branch
General Counsel Division
National Disability Insurance Agency
E: [2][NDIA request email]
The NDIA acknowledges the Traditional Custodians of Country throughout
Australia and their continuing connection to land, sea and community. We
pay our respects to them and their cultures and to Elders past, present
and emerging.