Keeping data secure is essential to maintain privacy, but it also assures that information is protected from unauthorised disclosure, modification or destruction.
Last year, the City of Melbourne implemented an Information Security Management Program to ensure a holistic approach to the way Council deals with its information security.
Council’s Technology Projects Leader, Kylie Murphy, said the policy aims to inform staff of their responsibilities, protect corporate information or assets in all forms (electronic and hardcopy), manage business exposure to information security risks, and meet regulatory obligations.
“In 2005, Council was benchmarked by internal auditors against the security standard AS/NZS 7799:2001,” Kylie Murphy said. “Findings identified that our existing policies were inadequate, as the existing policy scope was limited to email and internet. As such, consultants were engaged to apply a holistic approach to information security governance within the City of Melbourne. This resulted in the implementation of an industry best practice Information Security Management Program into our operational environment.”
A major part of the program was the development of two governing documents, as well as supporting material (policies and procedures) and controls. These documents were aligned with AS/NZS 7799.
In 2008, an Information Security Management Framework was implemented, and an Information Security Policy established the foundation for Council to improve the maturity of information security governance over time.
The Information Security Management Framework is a formal statement of intent regarding information security. It covers Council’s information security policy, information asset classification and control, business continuity and disaster recovery planning, and more.
The Information Security Policy explicitly states staff responsibilities, in areas such as their fundamental security obligation, intellectual property, protection of information for legal purposes, confidentiality, user accounts and passwords, computer software, licensing and so forth.
Kylie Murphy said the key benefits of the Information Security Management Program to date include an improved corporate information security maturity level and greater staff awareness.
“As a result of the program, a corporate Information Security Forum has also been established,” she said. “This is led by senior executives to manage security breaches and exceptions to the policy.
“In addition, our existing fraud incident investigation procedure has been extended to include information security incidents and formal staff training has been delivered in conjunction with Council’s Risk Management team.”
For further information contact Kylie Murphy on (03) 9658 8720.
