These policies relate to ICT security and include supporting guidelines and templates related to the Information Security Management Framework (ISMF).
Protective Security Management Framework
The Protective Security Management Framework (PSMF) describes the arrangements and expectations for personnel, physical and information security in South Australian Government agencies.
Information Security Management Framework
The Information Security Management Framework (ISMF) addresses cyber security in the Government of South Australia, and consists of 40 policies supported by 140 standards.
ISMF Change Log
ISMF change log showing the differences between recent versions.
Security management requirements for critical ICT
ISMF Ruling 1
This ruling is issued for application of the South Australian Government Information Security Management Framework (ISMF) to critical Information Communications Technology (ICT).
Storage and Processing of Information in Outsourced or Offshore ICT Arrangements
ISMF Ruling 2
This ruling describes how South Australian Government information is managed in alignment with the Cabinet approved expectations stipulated in the PSMF.
Transition Guidance for Agencies and Suppliers
ISMF Guideline 1a
This guideline assists agencies and relevant suppliers in transitioning from the current state to an operating environment that meets the requirements introduced in ISMF version 3.
Roles and Responsibilities in establishing and maintaining an ISMS
ISMF Guideline 1b
This guideline provides clarification on the roles and responsibilities within agencies that are currently defining, establishing and maintaining an Information Security Management System (ISMS).
An approach to risk assessment using the ISMF
ISMF Guideline 2
This guideline describes a process flow for managing risk and recording risk treatments and applied controls from the ISMF.
Developing cyber security standards, plans and guidelines
ISMF Guideline 3
This document describes the processes for initiating, developing and endorsing across-government cyber security ICT standards, guidelines or plans.
Role and responsibilities of the ITSA
ISMF Guideline 4b
This guideline describes the role of the Information Technology Security Adviser (ITSA).
Cyber security in procurement activities
ISMF Guideline 6
This guideline highlights specific policies and standards related to procurement.
ISMF Guideline 7
This guideline has been developed to provide clarification on the steps involved in creating and maintaining an information asset inventory and the roles and responsibilities regarding these activities.
An approach to classification using the ISMF
ISMF Guideline 8a
This guideline outlines a process for classifying information and associated information assets.
New classification scheme for confidentiality of information and associated assets
ISMF Guideline 8b
This guideline assists agencies and suppliers in translating earlier classification markings to the revised scheme.
Personnel vetting and security clearances
ISMF Guideline 9
All personnel (including contractors) requiring ongoing access to Australian Government security classified information or resources need security clearances.
ISMF Guideline 11
Agencies are required to take steps to manage personnel departures from the organisation.
Cyber security incident reporting scheme
ISMF Guideline 12a
This guideline has been developed to assist agencies to understand the Cyber Security Incident Reporting Scheme and implement it into their agency’s internal processes.
ISMF Guideline 18
This guideline provides information about the measures that should be implemented to provide appropriate levels of protection for Endpoint devices.
Media Handling: Portable storage devices and electronic media
ISMF Guideline 21
This guideline describes practices and procedures for secure information management, recovery, sanitisation and/or disposal activities for storage devices and media.
Monitoring and event logs
ISMF Guideline 23
This guideline will assist agencies in establishing and integrating appropriate logging and monitoring of information security events.
User Access Management
ISMF Guideline 25
This guideline deals with appropriate considerations for user access control measures for information and related systems and services.
Working away from the office or abroad
ISMF Guideline 30a
This guideline assists individuals and Responsible Parties (as defined in the ISMF) in fulfilling their information security obligations when working remotely or travelling on business.
Home-based work and telecommuting
ISMF Guideline 30b
Telecommuting offers a wide range of benefits but also brings a distinct set of risks to government information assets.
ISMF Guideline 37a
ICT infrastructure that the Government has a critical reliance on must be managed appropriately.
Legal, regulatory and contractual compliance requirements
ISMF Guideline 38
This guideline outlines legislative and regulatory requirements for agencies and suppliers to agencies whose contractual requirements include the ISMF.
Regular, periodic and independent reviews
ISMF Guideline 39
Agencies are responsible for developing and implementing procedures to ensure security compliance in accordance with the PSMF and the ISMF.
Notifiable Incidents - Cyber Security Incident Reporting
ISMF Standard 140
All agencies and applicable suppliers are required to report cyber security incidents and events which disrupt or are likely to disrupt ICT services.
ISMF Standard 141
Endpoint Protection refers to the security measures implemented for user accessible devices at the edge of a network that may contain or provide access to information for an end user.
ISMF Control Selection Tool
This spreadsheet will help agencies to define and document the policies, standards and controls from the ISMF that are applied to a given location, business function or ICT system.
SA Government Critical ICT Infrastructure Register Template
This spreadsheet is designed to assist agencies in submitting information about their critical ICT infrastructure and services to ICT and Digital Government.
Off-site Storage of SA Government Data
This guideline provides succinct and overarching guidance for storing SA Government data off-site.