NDIA Information Security Risk Management Policy and Procedures

The request was partially successful.

Dear National Disability Insurance Agency,

Please provide a copy of the NDIA Information Security Risk Management Policy and Procedure. This includes the supporting Information Security Risk Management Plan. That is, for clarity, the documents which scoped the NDIA’s information security risk management (ISRM) requirements and the subsequent policies and procedures that deliver, manage and ensure these actions and compliance are conducted.

Context:

The Queensland Government defines information management as “the means by which an organisation plans, collects, organises, governs, secures, uses, controls, disseminates, exchanges, maintains and disposes of its information; as well as any means through which the organisation ensures that the value of that information is identified and exploited to its fullest extent.” Security is implied. “Security risk related to the operation and use of information systems is just one of many components of organizational risk that senior leaders/executives address as part of their ongoing risk management responsibilities” [10]. Whereas “Information security risk management (ISRM) is the process of managing risks associated with the use of information technology. It involves identifying, assessing and treating risks to the confidentiality, integrity and availability of an organisation’s assets. The end goal of this process is to treat risks in accordance with an organisation's overall risk tolerance” [8] through a four-step process of identifying assets, identifying vulnerabilities, identifying threats and identifying controls [9]. “An information security and risk management (ISRM) strategy provides an organization with a road map for information and information infrastructure protection with goals and objectives that ensure capabilities provided are aligned to business goals and the organization’s risk profile” [14]. It is therefore assumed that the NDIA has identified and documented these shared information security and risk management concerns through policy and procedure.

The Compliance Council of Australia (CCA) advises that “an information security management system (ISMS) is a combination of processes and policies that help you identify, manage and protect valuable corporate data and information against various risks. Specifically, the ISMS’s key objective is to ensure the confidentiality, integrity and availability of data and information is maintained” [1]. The CCA recommends ISO 27001 as ‘the internationally recognised standard that sets the requirement for ISMS’ [2]. Microsoft also cites ISO standards in complying with the Australian Government Information Security Registered Assessor Program (IRAP), which includes ‘information security risk management’ [4]. The ISO 27000 series is also prioritised and referenced as part of the Protective Security Policy Framework (PSPF) under Information Security Standards [5] for Australian Government entities, administered by the Attorney-General’s Department. It seems clear that information security risk management is a high priority for the Australian Government and providers. Furthermore, ISO 27k seems to be the professional and international standard [15], particularly in the healthcare and public health record sectors.

Australian States and Territories have seemingly placed greater importance on information security management systems and compliance. In 2013, the Western Australia Auditor General noted that “99% of the agencies reviewed had serious gaps in their management of information security when assessed against better practice international standards. Many of the agencies are not adopting a strategic approach to identifying and assessing risks” [6], resulting in ‘unnecessary risk’ [7] to government and public information. Following on from similar observations, the Government of Victoria recently produced an Information Security Risk Management Practitioners Guide [11], which also emphasises the protection of Australian public information and data assets, including the use of the ISO 27000 suite of information security risk management standards [12], as part of a positive obligation for State entities and officers [24]. By comparison, the Queensland Government has long provided clear guidance and best practice for information risk management [16] of Whole of Government risk management of public information, data and records, declaring that “Information risk management should be incorporated into all decisions in day-to-day operations and if effectively used, can be a tool for managing information proactively rather than reactively”. The more contemporary version from the Queensland Government’s Information Security Policy (IS18:2018) expands upon these concepts considerably, including the adoption and endorsement of ISO 27000 as the framework of that state government’s Information Security Management System [19]. This in turn links into the Attorney-General’s Department and the Australian Government’s Protective Security Policy Framework (PSPF) [21].

The Australian Prudential Regulation Authority (APRA) observed “the pervasive nature of information security threats and vulnerabilities and the need for sound practices and a solid business understanding in order to maintain an information security capability commensurate with those threats and vulnerabilities. It also reflects that APRA regulated entities have developed distinct practices and disciplines to manage information security risk, information technology (IT) risk and operational risk. In APRA’s view, these are all necessary and complementary disciplines” [22]. This stems from an extensive cross-industry consultation, following observations that “effective information security is increasingly critical as information security attacks are increasing in frequency, sophistication and impact, with perpetrators continuously refining their efforts to compromise systems, networks and information worldwide. This was clearly evident from the results of APRA’s two cyber surveys, which indicated that incidents varied in nature, sophistication and impact” [23].

Chief Information Security Officers (CISOs) appear very familiar with the requirements of Information Security and Risk Management (ISRM) [13], along with the Information Systems Audit and Control Association’s (ISACA) long-standing guidance on the development of information security and risk management strategies [14], including specific, measurable and auditable guidelines for ISRM.

In sum, the NDIA seems to collect, manage and ‘secure’ a significant amount of public information. Therefore, it seems reasonable that the NDIA has a well-developed, mature and consistent approach to information security risk management, supported by accompanying policy and procedures, which make up the focus of this request.

Thank you for your assistance.

Yours faithfully,

Shirley

References:

1. Compliance Council of Australia (2012) What is an information security management system?, Available at: <https://www.compliancecouncil.com.au/sta...>. Accessed [8 Jul 21]
2. Ibid
3. Microsoft (2012) Australian Government Information Security Registered Assessor Program (IRAP), Available at: <https://docs.microsoft.com/en-us/complia...>. Accessed [8 Jul 21]
4. Ibid
5. Attorney-General’s Department (2021) Relevant Australian and International Standards: Information Security Standards, Available at: <https://web.archive.org/web/202104011652...>. Accessed [8 Jul 21]
6. Western Australia Auditor General (2013) Information Systems Audit Report, 11, Western Australia Government, Available at: <https://audit.wa.gov.au/wp-content/uploa...>. Accessed [8 Jul 21]
7. Ibid
8. Rapid7 (2021) Information Security Risk Management: Identify and achieve an acceptable level of risk, Available at: <https://www.rapid7.com/fundamentals/info...>. Accessed [8 Jul 21]
9. Ibid
10. NIST (2011) Information Security, National Institute of Standards and Technology, U.S. Department of Commerce, Available at: <https://nvlpubs.nist.gov/nistpubs/Legacy...>. Accessed [8 Jul 21]
11. OVIC (2021) Practitioner Guide: Information Security Risk Management, Version 2.0, Office of the Victorian Information Commissioner, Government of Victoria, Available at: <https://ovic.vic.gov.au/wp-content/uploa...>. Accessed [8 Jul 21]
12. Ibid
13. CISO Portal (2021) Information Security Risk Management: What and How?, Available at: <https://www.ciso-portal.com/information-...>. Accessed [8 Jul 21]
14. ISACA (2010) Developing an Information Security and Risk Management Strategy, Available at: <https://www.isaca.org/resources/isaca-jo...>.
15. Dashti, S., Giorgini, P. and Paja, E. (2017) Information Security Management, Conference Paper, IFIP Working Conference on the Practice of Enterprise Modeling, Available at: <https://hal.inria.fr/hal-01765266/file/4...>. Accessed [8 Jul 21]
16. Queensland Government (2002) Queensland Government Information Architecture: Best Practice Guide, Information Risk Management, Available at: <https://www.qgcio.qld.gov.au/__data/asse...>. Accessed [8 Jul 21]
17. Ibid. Page 5
18. Queensland Government (2019) Queensland Government Enterprise Architecture: Information Security Policy, Available at: <https://www.qgcio.qld.gov.au/documents/i...>. Accessed [8 Jul 21]
19. Ibid
20. Queensland Government (2021) Queensland Government Enterprise Architecture: How should I manage my information?, Available at: <https://www.qgcio.qld.gov.au/information...>. Accessed [8 Jul 21]
21. Queensland Government (2020) Queensland Government Enterprise Architecture: Information Security Classification Framework, Available at: <https://www.qgcio.qld.gov.au/documents/i...>. Accessed [8 Jul 21]
22. APRA (2019) Prudential Practice Guide: CPG 234 Information Security, Australian Prudential Regulation Authority, Australian Government, Available at: <https://www.apra.gov.au/sites/default/fi...>. Accessed [8 Jul 21]
23. APRA (2018) Information Security Management: A new cross-industry prudential standard, Discussion Paper, Australian Prudential Regulation Authority, Australian Government, Available at: <https://www.apra.gov.au/sites/default/fi...>. Accessed [8 Jul 21]
24. OVIC (2021) Practitioner Guide: Information Security Risk Management, Version 2.0, Office of the Victorian Information Commissioner, Government of Victoria, Available at: <https://ovic.vic.gov.au/data-protection/...>. Accessed [8 Jul 21]

foi, National Disability Insurance Agency

Thank you for your email to the National Disability Insurance Agency
(NDIA) Freedom of Information (FOI) team.
Reduced Activity Period
The NDIA have a Reduced Activity Period from Saturday 23 December 2023 to
Monday 1 January 2024.
Therefore, any enquiries received between these dates will be responded to
after Tuesday 2 January 2024.

Please note: due to a high volume of requests, our ability to respond to
you in a timely manner may be affected.
We will action your request as soon as possible and will endeavour to
process your matter within the legislative deadlines. We may need to seek
your agreement to an extension of time. We appreciate your understanding
if this is required.
Participant Information
Did you know the NDIA has other ways to access the documents and
information that we hold?

Participants, Guardians and Nominees can obtain copies of some participant
information through our National Contact Centre (NCC). For more
information about what’s available through the NCC, please contact 1800
800 110.
Please visit our [1]Access to Information webpage to find out more about
accessing information through:

* The [2]Participant Information Access (PIA) scheme
* The [3]Information Publication Scheme (IPS)
* The [4]myplace portal for participants   
* The [5]myplace portal for providers

Access to Data
You can also request data and statistics. Please visit our [6]Data and
insights webpage page for further information.
If you are able to obtain your information from a source listed above, you
can withdraw your FOI request by emailing [7][NDIA request email]

Further Information
Information about how to make an FOI request can be found on our website:
[8]Freedom of Information
Should you have a query unrelated to FOI, please contact the Agency by
email at [9][email address] or via webchat at [10]ndis.gov.au.
Alternatively, you can also contact us by phoning 1800 800 110.
Kind regards   

Freedom of Information Team  
Parliamentary, Ministerial and FOI Branch  
Government Division  
National Disability Insurance Agency  
E: [NDIA request email]    
**********************************************************************
IMPORTANT: This e-mail is for the use of the intended recipient only and
may contain information that is confidential, commercially valuable and/or
subject to legal or parliamentary privilege. If you are not the intended
recipient you are notified that any review, re-transmission, disclosure,
dissemination or other use of, or taking of any action in reliance upon,
this information is prohibited and may result in severe penalties. If you
have received this e-mail in error please notify the sender immediately
and delete all electronic and hard copies of this transmission together
with any attachments. Please consider the environment before printing this
e-mail
**********************************************************************

References

Visible links
1. https://www.ndis.gov.au/about-us/policie...
2. https://www.ndis.gov.au/about-us/policie...
3. https://www.ndis.gov.au/about-us/policie...
4. https://www.ndis.gov.au/participants/usi...
5. https://www.ndis.gov.au/providers/workin...
6. https://data.ndis.gov.au/
7. mailto:[NDIA request email]
8. https://www.ndis.gov.au/about-us/policie...
9. mailto:[email address]
10. https://www.ndis.gov.au/

Dear National Disability Insurance Agency,

It seems the response to my request has been delayed. By law, the NDIA should normally have responded promptly and by February 19, 2024 (30 days). Could you please acknowledge receipt of this notification and provide an update.

Yours faithfully,

Shirley

foi, National Disability Insurance Agency

Thank you for your email to the National Disability Insurance Agency
(NDIA) Freedom of Information (FOI) team.
Please note: due to a high volume of requests, our ability to respond to
you in a timely manner may be affected. We will action your request as
soon as possible and will endeavour to process your matter within the
legislative deadlines. We may need to seek your agreement to an extension
of time. We appreciate your understanding if this is required.
Participant Information
Did you know the NDIA has other ways to access the documents and
information that we hold?

Participants, Guardians and Nominees can obtain copies of some participant
information through our National Contact Centre (NCC). For more
information about what’s available through the NCC, please contact 1800
800 110.
Please visit our [1]Access to Information webpage to find out more about
accessing information through:

* The [2]Participant Information Access (PIA) scheme
* The [3]Information Publication Scheme (IPS)
* The [4]myplace portal for participants   
* The [5]myplace portal for providers

Access to Data
You can also request data and statistics. Please visit our [6]Data and
insights webpage page for further information.
If you are able to obtain your information from a source listed above, you
can withdraw your FOI request by emailing [7][NDIA request email]

Further Information
Information about how to make an FOI request can be found on our website:
[8]Freedom of Information
Should you have a query unrelated to FOI, please contact the Agency by
email at [9][email address] or via webchat at [10]ndis.gov.au.
Alternatively, you can also contact us by phoning 1800 800 110.
Kind regards   

Freedom of Information Team 

Complaints Management & FOI Branch

General Counsel Division 

National Disability Insurance Agency 

E [11][NDIA request email]  

  

The NDIA acknowledges the Traditional Custodians of Country throughout
Australia and their continuing connection to land, sea and community. We
pay our respects to them and their cultures and to Elders past, present
and emerging. 

References

Visible links
1. https://www.ndis.gov.au/about-us/policie...
2. https://www.ndis.gov.au/about-us/policie...
3. https://www.ndis.gov.au/about-us/policie...
4. https://www.ndis.gov.au/participants/usi...
5. https://www.ndis.gov.au/providers/workin...
6. https://data.ndis.gov.au/
7. mailto:[NDIA request email]
8. https://www.ndis.gov.au/about-us/policie...
9. mailto:[email address]
10. https://www.ndis.gov.au/
11. mailto:[NDIA request email]

foi, National Disability Insurance Agency

1 Attachment

Dear Shirley

Thank you for your Freedom of Information request. Your request has been
registered under FOI 23/24-0804

We endeavour to process requests within 30 days, however, due to a large
increase in FOI requests over recent months this time frame has been
unachievable.

We apologise in advance if it takes us longer than expected to provide you
with information. We appreciate your patience and understanding.

Once your matter is allocated to a staff member a decision maker or admin
officer will contact you to advise the matter has progressed and next
steps if appropriate.

If you would like to discuss your request, please contact us at
[1][NDIA request email] and advise of a suitable time to call.

Kind regards

Rachael
Freedom of Information Team
General Counsel Division
National Disability Insurance Agency
E [2][NDIA request email]

References

Visible links
1. mailto:[NDIA request email]
2. mailto:[NDIA request email]

Dear foi,

It has been some time since my request, without an update or acknowledgement of receipt and submission. Can you please provide an update and forecast for completion?

Yours sincerely,

Shirley

Dear National Disability Insurance Agency,

Please pass this on to the person who conducts Freedom of Information reviews.

I am writing to request an internal review of National Disability Insurance Agency's handling of my FOI request 'NDIA Information Security Risk Management Policy and Procedures'.

It has been over two months since my submission and application for information. This is well outside the legal statute for FOI requests. Please review and provide information on the status and failure to date.

A full history of my FOI request and all correspondence is available on the Internet at this address: https://www.righttoknow.org.au/request/n...

Yours faithfully,

Shirley

foi, National Disability Insurance Agency

3 Attachments

Dear Shirley

Thank you for your request for an Internal Review of matter FOI
23/24-0804.

Because the matter is still being processed, we cannot action your request
for an Internal Review.

The FOI Act gives you the right to apply to the Office of the Australian
Information Commissioner (OAIC) to seek a review of this decision.

If you wish to have the decision reviewed by the OAIC, you may apply for
the review, in writing, or by using the online merits review form
available on the OAIC’s website at [1]www.oaic.gov.au, within 60 days of
receipt of this letter.

Applications for review can be lodged with the OAIC in the following ways:

Online: [2]www.oaic.gov.au
Post: GPO Box 5218, Sydney NSW 2001
Email: [3][email address]
Phone: 1300 363 992 (local call charge)

Complaints to the Office of the Australian Information Commissioner or the
Commonwealth Ombudsman

You may complain to either the Commonwealth Ombudsman or the OAIC about
actions taken by the NDIA in relation to your request. The Ombudsman will
consult with the OAIC before investigating a complaint about the handling
of an FOI request.

Your complaint to the OAIC can be directed to the contact details
identified above. Your complaint to the Ombudsman can be directed to:

Phone: 1300 362 072 (local call charge)
Email: [4][email address]

Your complaint should be in writing and should set out the grounds on
which it is considered that the actions taken in relation to the request
should be investigated.

Rachael
Freedom of Information Team
General Counsel Division
National Disability Insurance Agency
E [5][NDIA request email]

-----Original Message-----
From: Shirley <[FOI #11038 email]>
Sent: Sunday, March 24, 2024 7:17 PM
To: foi <[NDIA request email]>
Subject: Internal review of Freedom of Information request - NDIA
Information Security Risk Management Policy and Procedures

 

[You don't often get email from
[6][FOI #11038 email]. Learn why this is
important at [7]https://aka.ms/LearnAboutSenderIdentific... ]

 

Dear National Disability Insurance Agency,

 

Please pass this on to the person who conducts Freedom of Information
reviews.

 

I am writing to request an internal review of National Disability
Insurance Agency's handling of my FOI request 'NDIA Information Security
Risk Management Policy and Procedures'.

 

It has been over two months since my submission and application for
information. This is well outside the legal statute for FOI requests.
Please review and provide information on the status and failure to date.

 

A full history of my FOI request and all correspondence is available on
the Internet at this address:
[8]https://aus01.safelinks.protection.outlo...

 

Yours faithfully,

 

Shirley

 

 

 

-------------------------------------------------------------------

Please use this email address for all replies to this request:

[9][FOI #11038 email]

 

This request has been made by an individual using Right to Know. This
message and any reply that you make will be published on the internet.
More information on how Right to Know works can be found at:

[10]https://aus01.safelinks.protection.outlo...

 

Please note that in some cases publication of requests and responses will
be delayed.

 

If you find this service useful as an FOI officer, please ask your web
manager to link to us from your organisation's FOI page.

 

-------------------------------------------------------------------

**********************************************************************
IMPORTANT: This e-mail is for the use of the intended recipient only and
may contain information that is confidential, commercially valuable and/or
subject to legal or parliamentary privilege. If you are not the intended
recipient you are notified that any review, re-transmission, disclosure,
dissemination or other use of, or taking of any action in reliance upon,
this information is prohibited and may result in severe penalties. If you
have received this e-mail in error please notify the sender immediately
and delete all electronic and hard copies of this transmission together
with any attachments. Please consider the environment before printing this
e-mail
**********************************************************************

References

Visible links
1. http://www.oaic.gov.au/
2. http://www.oaic.gov.au/
3. mailto:[email address]
4. mailto:[email address]
5. mailto:[NDIA request email]
6. mailto:[FOI #11038 email]
7. https://aka.ms/LearnAboutSenderIdentific...
8. https://www.righttoknow.org.au/request/n...
9. mailto:[FOI #11038 email]
10. https://www.righttoknow.org.au/help/offi...

foi, National Disability Insurance Agency

3 Attachments

Dear Shirley,

Thank you for your request of 19 January 2024, made under the Freedom of
Information Act 1982 (FOI Act), for copies of documents held by the
National Disability Insurance Agency (NDIA).

I sincerely apologise for the delay in processing your matter. This
request has recently been allocated to me and I am working on it as a
matter of priority.

Scope revision

For clarity, and to assist with the document search process, I suggest a
revision of scope for the following documents:

- Security Risk Management Procedure
- Security Risk Management Policy

Please reply to this email and let me know if you agree with the above by
17 May 2024.

Unless you advise otherwise, we will take it that you agree to the names
and contact details of NDIA staff being excluded from the scope of your
request (that is, the information will be treated as irrelevant).

Disclosure Log

Information released under the FOI Act may be published on the NDIA’s
disclosure log located on our website, subject to certain exceptions.

If you have any concerns about the publication of information you have
requested, please contact us.

Please contact us at [1][NDIA request email] if you have any questions or need
help.

Kind regards

Karla
Freedom of Information Officer
Complaints Management & FOI Branch
General Counsel Division
National Disability Insurance Agency
E: [2][NDIA request email]

The NDIA acknowledges the Traditional Custodians of Country throughout
Australia and their continuing connection to land, sea and community. We
pay our respects to them and their cultures and to Elders past, present
and emerging.

-----Original Message-----
From: Shirley [6][FOI #11038 email]
Sent: Friday, January 19, 2024 7:00 AM
To: foi [7][NDIA request email]
Subject: Freedom of Information request - NDIA Information Security Risk
Management Policy and Procedures

Dear foi,

Thank you for the update Karla.

If the NDIA's full and complete information security and information security risk management guidance and specific terms of reference are contained within:

- Security Risk Management Procedure
- Security Risk Management Policy

then I agree to the revised scope.

Yours sincerely,

Shirley

foi, National Disability Insurance Agency

2 Attachments

Dear Shirley,

Thank you for your prompt response. I apologise for the delay in my
response.

The Security Risk Management Policy is part of the agency's overall Risk
Management Framework and describes how the Agency will manage security
risks, as part of the Agency’s compliance with the Protective Security
Policy Framework (PSPF).

This policy largely outlines how the Agency will manage security risks and
touches on security goals and strategic objectives; threats, risks and
vulnerabilities; tolerance to security risks; capability to manage
security risks as well as strategies to implement security risk
management.

The Security Risk Management Procedure sits under and is to be read in
conjunction with the Security Risk Management Policy.

This procedure describes how the Agency manages risks across all areas of
security (governance, information, personnel and physical) to determine
sources of threat and risk (and potential events) that could affect
government or entity business.

It also touches on security risk assessments and treatments as well as the
Risk Committee.

If you are happy with the proposed scope according to the description of
the documents above, please let me know by 24 May 2024.

Please note that a scope revision will not restrict your ability to
request documents in the future, and you can email [1][NDIA request email]
after you receive the documents if you wish to request further
information.

Kind regards

Karla
Senior Freedom of Information Officer
Complaints Management & FOI Branch
General Counsel Division
National Disability Insurance Agency
E: [2][NDIA request email]

The NDIA acknowledges the Traditional Custodians of Country throughout
Australia and their continuing connection to land, sea and community. We
pay our respects to them and their cultures and to Elders past, present
and emerging.

-----Original Message-----
From: Shirley <[5][FOI #11038 email]>
Sent: Thursday, May 16, 2024 6:29 AM
To: foi <[6][NDIA request email]>
Subject: Re: FOI 23/24-0804 - Your Request for Information - Scope
Revision [SEC=OFFICIAL]

Dear foi/Karla,

Thank you. I agree with the proposed scope.

Yours sincerely,

Shirley

foi, National Disability Insurance Agency

4 Attachments

Dear Shirley,

Thank you for your request for information.

Please find attached correspondence and documents in relation to your
request. If you require these in a different format, please let us know.

Please contact us at [1][NDIA request email] if you have any questions or
require help.

Thank you.

Kind regards

Karla (KCL656)
Senior Freedom of Information Officer
Complaints Management & FOI Branch
General Counsel Division
National Disability Insurance Agency
E: [2][NDIA request email]

The NDIA acknowledges the Traditional Custodians of Country throughout
Australia and their continuing connection to land, sea and community. We
pay our respects to them and their cultures and to Elders past, present
and emerging.

-----Original Message-----
From: Shirley [5][FOI #11038 email]
Sent: Friday, January 19, 2024 7:00 AM
To: foi [6][NDIA request email]
Subject: Freedom of Information request - NDIA Information Security Risk
Management Policy and Procedures
[You don't often get email from
[7][FOI #11038 email]. Learn why this is
important at [8]https://aka.ms/LearnAboutSenderIdentific... ]

 

Dear National Disability Insurance Agency,

 

 

 

Dear National Disability Insurance Agency,

 

 

 

Please provide a copy of the NDIA Information Security Risk Management
Policy and Procedure. This includes the supporting Information Security
Risk Management Plan. That is, for clarity, the documents which scoped the
NDIA’s information security risk management (ISRM) requirements and the
subsequent policies and procedures that deliver, manage and ensure these
actions and compliance are conducted.

 

 

 

Context:

 

 

 

The Queensland Government defines information management as “"the means by
which an organisation plans, collects, organises, governs, secures, uses,
controls, disseminates, exchanges, maintains and disposes of its
information; as well as any means through which the organisation ensures
that the value of that information is identified and exploited to its
fullest extent.” Security is implied. “Security risk related to the
operation and use of information systems is just one of many components of
organizational risk that senior leaders/executives address as part of
their ongoing risk management responsibilities“ [10]. Whereas “Information
security risk management (ISRM) is the process of managing risks
associated with the use of information technology. It involves,
identifying, assessing and treating risks to the confidentiality,
integrity and availability of an organisation’s assets. The end goal of
this process is to treat risks in accordance with an organisation's
overall risk tolerance” [8] through a four-step process of identifying
assets, identifying vulnerabilities, identifying threats and identifying
controls [9]. “An information security and risk management (ISRM) strategy
provides an organization with a road map for information and information
infrastructure protection with goals and objectives that ensure
capabilities provided are aligned to business goals and the organization’s
risk profile ‘“ [14]. It is therefore assumed that the NDIA has identified
and documented these shared information security and risk management
concerns through policy and procedure.

 

 

 

The Compliance Council of Australia (CCA) advises that “an information
security management system (ISMS) is a combination of processes and
policies that help you identify, management and protect valuable corporate
data and information against various risks. Specifically, the ISM’s key
objective is to ensure the confidential, integrity and availability of
data and information is maintained” [1]. The CCA recommend ISO 27001 as
‘the internationally recognised standard that sets the requirement for
ISMS’ [2]. Microsoft also cite ISO standards in complying with the
Australian Government Information Security Registered Assessor Program
(IRAP), which includes ‘information security risk management’ [4]. The ISO
27000 series is also prioritised and referenced as part of the Protective
Security Policy Framework (PSPF) under Information Security Standards [5]
for Australian Government entities, administered by the Attorney’s
Generals Department. It seems clear information security risk management
is a high priority for the Australian Government and providers.
Furthermore, ISO 27k seems to be the professional and international
standard [15], particularly in the healthcare and public health record
sectors.

 

 

 

Australian States and Territories have seemingly placed greater importance
on information security management systems and compliance. In 2013, the
Western Australia Auditor General noted that “99% of the agencies review
had serious gaps in their management of information security when assessed
against better practice international standards. Many of the agencies are
not adopting a strategic approach to identifying and assessing risks” [6],
resulting in ‘unnecessary risk’ [7] to government and public information.
Following on from similar observations, the Government of Victoria
recently produced an Information Security Risk Management Practitioners
Guide [11], which also emphasis the protection of Australian public
information and data assets, including the use of the ISO 27000 suite of
information security risk management standards [12], as part of a positive
obligation for State entities and officers [24] . By comparison, the
Queensland Government has long provided clear guidance and best practice
for information risk management [16] of Whole of Government risk
management of public information, data and records, declaring that
“Information risk management should be incorporated into all decisions in
day-to-day operations and if effectively used, can be a tool for managing
information proactively rather than reactively”. The more contemporary
version from the Queensland Government’s Information Security Policy
(IS18:2018) expands upon these concepts considerably, including the
adoption and endorsement of ISO 27000 as the framework of that state
government’s Information Security Management System [19]. Which in turn
links into the Attorney General’s Department and the Australian
Governments Protective Security Policy Framework (PSPF) [21].

 

 

 

The Australian Prudential Regulation Authority (APRA) observed that “the
pervasive nature of information security threats and vulnerabilities and
the need for sound practices and a solid business understanding in order
to maintain an information security capability commensurate with those
threats and vulnerabilities. It also reflects that APRA regulated entities
have developed distinct practices and disciplines to manage information
security risk, information technology (IT) risk and operational risk. In
APRA’s view, these are all necessary and complementary disciplines” [22].
Which stems from an extensive cross-industry consultation, following
observations that “ effective information security is increasingly
critical as information security attacks are increasing in frequency,
sophistication and impact, with perpetrators continuously refining their
efforts to compromise systems, networks and information worldwide. This
was clearly evident from the results of APRA’s two cyber surveys, which
indicated that incidents varied in nature, sophistication and impact”
[23].

 

 

 

Chief Information Security Officers’ (CISO) appear very familiar with the
requirements of Information Security and Risk Management (ISRM) [13].
Along with the Information Systems Audit and Control Association’s (ISACA)
long-standing guidance on the development of information security and risk
management strategies [14], including specific, measurable and auditable
guidelines for ISRM.

 

 

 

In sum, the NDIA seems to collect, manage and ‘secure’ a significant
amount of public information. Therefore, it seems reasonable that the NDIA
has a well developed, mature and consistent approach to information
security risk management, supported by accompanying policy and procedures,
which make up the focus of this request.

 

 

 

Thank you for your assistance.

 

 

 

Yours faithfully,

 

 

 

Shirley

 

 

 

References:

1. Compliance Council of Australia (2012) What is an information security
management system?, Available at:
<[9]https://aus01.safelinks.protection.outlo......>.
Accessed [8 Jul 21]

2. Ibid

3. Microsoft (2012) Australian Government Information Security Registered
Assessor Program (IRAP), Available at:
<[10]https://aus01.safelinks.protection.outlo......>.
Accessed [8 Jul 21]

4. Ibid

5. Attorney General’s Department (2021) Relevant Australian and
International Standards: Information Security Standards, Available at:
<[11]https://aus01.safelinks.protection.outlo......>.
Accessed [8 Jul 21]

6. Western Australia Auditor General (2013) Information Systems Audit
Report, 11, Western Australia Government, Available at:
<[12]https://aus01.safelinks.protection.outlo......>.
Accessed [8 Jul 21]

7. Ibid

8. Rapid 7 (2021) Information Security Risk Management: Identify and
achieve an acceptable level of risk, Available at:
<[13]https://aus01.safelinks.protection.outlo......>.
Accessed [8 Jul 21]

9. Ibid

10. NIST (2011) Information Security, National Institute of Standards and
Technology, U.S. Department of Commerce, Available at:
<[14]https://aus01.safelinks.protection.outlo......>.
Accessed [8 Jul 21]

11. OVIC (2021) Practitioner Guide: Information Security Risk Management,
Version 2.0, Office of the Victorian Information Commissioner, Government
of Victoria, Available at:
<[15]https://aus01.safelinks.protection.outlo......>.
Accessed [8 Jul 21]

12. Ibid

13. CISO Portal (2021) Information Security Risk Management: What and
How?, Available at:
<[16]https://aus01.safelinks.protection.outlo......>.
Accessed [8 Jul 21]

14. ISACA (2010) Developing an Information Security and Risk Management
Strategy, Available at:
<[17]https://aus01.safelinks.protection.outlo......>.

15. Dashti, S., Giorgini, P. and Paja, E. (2017) Information Security
Management, Conference Paper, IFIP Working Conference on the Practice of
Enterprise Modeling, Available at:
<https://aus01.safelinks.protection.outlo......>.
Accessed [8 Jul 21]

16. Queensland Government (2002) Queensland Government Information
Architecture: Best Practice Guide, Information Risk Management, Available
at:
<[18]https://aus01.safelinks.protection.outlo......>.
Accessed [8 Jul 21]

17. Ibid. Page 5

18. Queensland Government (2019) Queensland Government Enterprise
Architecture: Information Security Policy, Available at:
<[19]https://aus01.safelinks.protection.outlo......>.
Accessed [8 Jul 21]

19. Ibid

20. Queensland Government (2021) Queensland Government Enterprise
Architecture: How should I manage my information?, Available at:
<[20]https://aus01.safelinks.protection.outlo......>.
Accessed [8 Jul 21]

21. Queensland Government (2020) Queensland Government Enterprise
Architecture: Information Security Classification Framework, Available at:
<https://aus01.safelinks.protection.outlo......>.
Accessed [8 Jul 21]

22. APRA (2019) Prudential Practice Guide: CPG 234 Information Security,
Australian Prudential Regulation Authority, Australian Government,
Available at:
<[21]https://aus01.safelinks.protection.outlo......>.
Accessed [8 Jul 21]

23. APRA (2018) Information Security Management: A new cross-industry
prudential standard, Discussion Paper, Australian Prudential Regulation
Authority, Australian Government, Available at:
<[22]https://aus01.safelinks.protection.outlo......>.
Accessed [8 Jul 21]

24. OVIC (2021) Practitioner Guide: Information Security Risk Management,
Version 2.0, Office of the Victorian Information Commissioner, Government
of Victoria, Available at:
<[23]https://aus01.safelinks.protection.outlo......>.
Accessed [8 Jul 21]

-------------------------------------------------------------------

Please use this email address for all replies to this request:

[24][FOI #11038 email]

Is [25][NDIA request email] the wrong address for Freedom of Information
requests to National Disability Insurance Agency? If so, please contact us
using this form:

[26]https://aus01.safelinks.protection.outlo...

This request has been made by an individual using Right to Know. This
message and any reply that you make will be published on the internet.
More information on how Right to Know works can be found at:

[27]https://aus01.safelinks.protection.outlo...

Please note that in some cases publication of requests and responses will
be delayed.

If you find this service useful as an FOI officer, please ask your web
manager to link to us from your organisation's FOI page.

-------------------------------------------------------------------

**********************************************************************
IMPORTANT: This e-mail is for the use of the intended recipient only and
may contain information that is confidential, commercially valuable and/or
subject to legal or parliamentary privilege. If you are not the intended
recipient you are notified that any review, re-transmission, disclosure,
dissemination or other use of, or taking of any action in reliance upon,
this information is prohibited and may result in severe penalties. If you
have received this e-mail in error please notify the sender immediately
and delete all electronic and hard copies of this transmission together
with any attachments. Please consider the environment before printing this
e-mail
**********************************************************************

References

Visible links
1. mailto:[NDIA request email]
2. mailto:[NDIA request email]
5. mailto:[FOI #11038 email]
6. mailto:[NDIA request email]
7. mailto:[FOI #11038 email]
8. https://aka.ms/LearnAboutSenderIdentific...
9. https://www.compliancecouncil.com.au/sta
10. https://docs.microsoft.com/en-us/complia
11. https://web.archive.org/web/202104011652
12. https://audit.wa.gov.au/wp-content/uploa
13. https://www.rapid7.com/fundamentals/info
14. https://nvlpubs.nist.gov/nistpubs/Legacy
15. https://ovic.vic.gov.au/wp-content/uploa
16. https://www.ciso-portal.com/information-
17. https://www.isaca.org/resources/isaca-jo
18. https://www.qgcio.qld.gov.au/__data/asse
19. https://www.qgcio.qld.gov.au/documents/i
20. https://www.qgcio.qld.gov.au/information
21. https://www.apra.gov.au/sites/default/fi
22. https://www.apra.gov.au/sites/default/fi
23. https://ovic.vic.gov.au/data-protection/
24. mailto:[FOI #11038 email]
25. mailto:[NDIA request email]
26. https://www.righttoknow.org.au/change_re...
27. https://www.righttoknow.org.au/help/offi...
