These policies relate to ICT security and include supporting guidelines and templates related to the Information Security Management Framework (ISMF).

Protective Security Management Framework

PCO30
The Protective Security Management Framework (PSMF) describes the arrangements and expectations for personnel, physical and information security in South Australian Government agencies.

Information Security Management Framework

DPC/F4.1
The Information Security Management Framework (ISMF) addresses cyber security in the Government of South Australia, and consists of 40 policies supported by 140 standards.

Information Security Management Framework (DOCX, 3.5 MB)

Information Security Management Framework (PDF, 7.8 MB)

ISMF Change Log

ISMF change log showing the differences between recent versions.

ISMF Change Log (DOCX, 131.9 KB)

ISMF Change Log (PDF, 356.7 KB)

Security management requirements for critical ICT

DPC/R4.1
ISMF Ruling 1

This ruling is issued for application of the South Australian Government Information Security Management Framework (ISMF) to critical Information Communications Technology (ICT).

ISMF Ruling 1 - Security management requirements for critical ICT (DOCX, 128.5 KB)

ISMF Ruling 1 - Security management requirements for critical ICT (PDF, 363.2 KB)

Storage and Processing of Information in Outsourced or Offshore ICT Arrangements

DPC/R4.2
ISMF Ruling 2

This ruling describes how South Australian Government information is managed in alignment with the Cabinet approved expectations stipulated in the PSMF.

ISMF Ruling 2 - Storage and Processing of Information in Outsourced or Offshore ICT Arrangements (DOCX, 129.4 KB)

ISMF Ruling 2 - Storage and Processing of Information in Outsourced or Offshore ICT Arrangements (PDF, 300.7 KB)

Transition Guidance for Agencies and Suppliers

DPC/G4.1a
ISMF Guideline 1a

This guideline assists agencies and relevant suppliers in transitioning from the current state to an operating environment that meets the requirements introduced in ISMF version 3.

ISMF Guideline 1a - Transition Guidance for Agencies and Suppliers (DOCX, 130.4 KB)

ISMF Guideline 1a - Transition Guidance for Agencies and Suppliers (PDF, 203.9 KB)

Roles and Responsibilities in establishing and maintaining an ISMS

DPC/G4.1b
ISMF Guideline 1b

This guideline provides clarification on the roles and responsibilities within agencies that are currently defining, establishing and maintaining an Information Security Management System (ISMS).

ISMF Guideline 1b - Roles and Responsibilities in establishing and maintaining an ISMS (DOCX, 137.9 KB)

ISMF Guideline 1b - Roles and Responsibilities in establishing and maintaining an ISMS (PDF, 325.6 KB)

An approach to risk assessment using the ISMF

DPC/G4.2
ISMF Guideline 2

This guideline describes a process flow for managing risk and recording risk treatments and applied controls from the ISMF.

ISMF Guideline 2 - An approach to risk assessment using the ISMF (DOCX, 130.7 KB)

ISMF Guideline 2 - An approach to risk assessment using the ISMF (PDF, 291.9 KB)

Developing cyber security standards, plans and guidelines

DPC/G4.3
ISMF Guideline 3

This document describes the processes for initiating, developing and endorsing across-government cyber security ICT standards, guidelines or plans.

ISMF Guideline 3 - Developing cyber security standards, plans and guidelines (DOCX, 238.7 KB)

ISMF Guideline 3 - Developing cyber security standards, plans and guidelines (PDF, 358.4 KB)

Role and responsibilities of the ITSA

DPC/G4.4b
ISMF Guideline 4b

This guideline describes the role of the Information Technology Security Adviser (ITSA).

ISMF Guideline 4b - Role and responsibilities of the ITSA (DOCX, 132.3 KB)

ISMF Guideline 4b - Role and responsibilities of the ITSA (PDF, 303.1 KB)

Cyber security in procurement activities

DPC/G4.6
ISMF Guideline 6

This guideline highlights specific policies and standards related to procurement.

ISMF Guideline 6 - Cyber security in procurement activities (DOCX, 140.4 KB)

ISMF Guideline 6 - Cyber security in procurement activities (PDF, 354.5 KB)

Asset Management

DPC/G4.7
ISMF Guideline 7

This guideline has been developed to provide clarification on the steps involved in creating and maintaining an information asset inventory and the roles and responsibilities regarding these activities.

ISMF Guideline 7 - Asset Management (DOCX, 127.9 KB)

ISMF Guideline 7 - Asset Management (PDF, 282.9 KB)

An approach to classification using the ISMF

DPC/G4.8a
ISMF Guideline 8a

This guideline outlines a process for classifying information and associated information assets.

ISMF Guideline 8a - An approach to classification using the ISMF (DOCX, 146.6 KB)

ISMF Guideline 8a - An approach to classification using the ISMF (PDF, 314.0 KB)

New classification scheme for confidentiality of information and associated assets

DPC/G4.8b
ISMF Guideline 8b

This guideline assists agencies and suppliers in translating earlier classification markings to the revised scheme.

ISMF Guideline 8b - New classification scheme for confidentiality of information and associated assets (DOCX, 210.8 KB)

ISMF Guideline 8b - New classification scheme for confidentiality of information and associated assets (PDF, 536.8 KB)

Personnel vetting and security clearances

DPC/G4.9
ISMF Guideline 9

All personnel (including contractors) requiring ongoing access to Australian Government security classified information or resources need security clearances.

ISMF Guideline 9 - Personnel vetting and security clearances (DOCX, 128.1 KB)

ISMF Guideline 9 - Personnel vetting and security clearances (PDF, 472.6 KB)

Departing personnel

DPC/G4.11
ISMF Guideline 11

Agencies are required to take steps to manage personnel departures from the organisation.

ISMF Guideline 11 - Departing personnel (DOCX, 131.3 KB)

ISMF Guideline 11 - Departing personnel (PDF, 375.4 KB)

Cyber security incident reporting scheme

DPC/G4.12a
ISMF Guideline 12a

This guideline has been developed to help agencies understand the Cyber Security Incident Reporting Scheme and implement it into their agency’s internal processes.

ISMF Guideline 12a - Cyber security incident reporting scheme (DOCX, 531.4 KB)

ISMF Guideline 12a - Cyber security incident reporting scheme (PDF, 813.9 KB)

Endpoint Protection

DPC/G4.18
ISMF Guideline 18

This guideline provides information about the measures that should be implemented to provide appropriate levels of protection for endpoint devices.

ISMF Guideline 18 - Endpoint Protection (DOCX, 142.5 KB)

ISMF Guideline 18 - Endpoint Protection (PDF, 368.2 KB)

Media Handling: Portable storage devices and electronic media

DPC/G4.21
ISMF Guideline 21

This guideline describes practices and procedures for secure information management, recovery, sanitisation and/or disposal activities for storage devices and media.

ISMF Guideline 21 - Media Handling: Portable storage devices and electronic media (DOCX, 130.7 KB)

ISMF Guideline 21 - Media Handling: Portable storage devices and electronic media (PDF, 299.7 KB)

Monitoring and event logs

DPC/G4.23
ISMF Guideline 23

This guideline will assist agencies in establishing and integrating appropriate logging and monitoring of information security events.

ISMF Guideline 23 - Monitoring and event logs (DOCX, 137.1 KB)

ISMF Guideline 23 - Monitoring and event logs (PDF, 319.6 KB)

User Access Management

DPC/G4.25
ISMF Guideline 25

This guideline deals with appropriate considerations for user access control measures for information and related systems and services.

ISMF Guideline 25 - User Access Management (DOCX, 136.5 KB)

ISMF Guideline 25 - User Access Management (PDF, 313.1 KB)

Working away from the office or abroad

DPC/G4.30a
ISMF Guideline 30a

This guideline assists individuals and Responsible Parties (as defined in the ISMF) in fulfilling their information security obligations when working remotely or travelling on business.

ISMF Guideline 30a - Working away from the office or abroad (DOCX, 131.0 KB)

ISMF Guideline 30a - Working away from the office or abroad (PDF, 378.1 KB)

Home-based work and telecommuting

DPC/G4.30b
ISMF Guideline 30b

Telecommuting offers a wide range of benefits but also brings a distinct set of risks to government information assets.

ISMF Guideline 30b - Home-based work and telecommuting (DOCX, 127.4 KB)

ISMF Guideline 30b - Home-based work and telecommuting (PDF, 360.8 KB)

Critical ICT

DPC/G4.37a
ISMF Guideline 37a

ICT infrastructure that the Government has a critical reliance on must be managed appropriately.

ISMF Guideline 37a - Critical information communications technology (DOCX, 148.9 KB)

ISMF Guideline 37a - Critical information communications technology (PDF, 383.5 KB)

Legal, regulatory and contractual compliance requirements

DPC/G4.38
ISMF Guideline 38

This guideline outlines legislative and regulatory requirements for agencies and suppliers to agencies whose contractual requirements include the ISMF.

ISMF Guideline 38 - Legal, regulatory and contractual compliance requirements (DOCX, 135.9 KB)

ISMF Guideline 38 - Legal, regulatory and contractual compliance requirements (PDF, 379.1 KB)

Regular, periodic and independent reviews

DPC/G4.39
ISMF Guideline 39

Agencies are responsible for developing and implementing procedures to ensure security compliance in accordance with the PSMF and the ISMF.

ISMF Guideline 39 - Regular, periodic and independent reviews (DOCX, 142.8 KB)

ISMF Guideline 39 - Regular, periodic and independent reviews (PDF, 354.8 KB)

Notifiable Incidents - Cyber Security Incident Reporting

DPC/S4.5
ISMF Standard 140

All agencies and applicable suppliers are required to report cyber security incidents and events which disrupt or are likely to disrupt ICT services.

ISMF Standard 140 - Notifiable Incidents - Cyber Security Incident Reporting (DOCX, 588.6 KB)

ISMF Standard 140 - Notifiable Incidents - Cyber Security Incident Reporting (PDF, 739.5 KB)

Endpoint Protection

DPC/S4.6
ISMF Standard 141

Endpoint Protection refers to the security measures implemented for user accessible devices at the edge of a network that may contain or provide access to information for an end user.

ISMF Standard 141 - Endpoint Protection (DOCX, 134.9 KB)

ISMF Standard 141 - Endpoint Protection (PDF, 299.8 KB)

ISMF Control Selection Tool

This spreadsheet will help agencies to define and document the policies, standards and controls from the ISMF that are applied to a given location, business function or ICT system.

ISMF Control Selection Tool (XLSX, 720.8 KB)

SA Government Critical ICT Infrastructure Register Template

This spreadsheet is designed to help agencies submit information about their critical ICT infrastructure and services to ICT and Digital Government.

SA Government Critical ICT Infrastructure Register Template (XLSX, 73.4 KB)

Off-site Storage of SA Government Data

DPC/G3.7
This guideline provides succinct and overarching guidance for storing SA Government data off-site.

Off-site Storage of SA Government Data (DOCX, 131.0 KB)

Off-site Storage of SA Government Data (PDF, 429.4 KB)