Security fine without standard: NSW DET

The NSW Department of Education (DET) has defended its IT security arrangements despite being in breach of baseline government-mandated standards.

(Glasses image by Matheus Almeida, CC2.0)

The agency is one of the largest of many NSW government departments to have ignored decade-old directives from the Department of Premier and Cabinet to comply with the ISO 27001 information security standard.

The department would not discuss the reasons behind its non-compliance, despite having an internal IT security department that deals "with all aspects of IT security and compliance".

It said its "current IT security measures are effective and meet the needs of students, staff and other DET officers", adding that it "is working towards compliance with the standard when the current revision of its requirements is complete".

The 27002 sister standard, which underlies parts of 27001, is under review by the International Standards Organisation and is set for release later this year.

While government staff were reluctant to comment, it is understood agencies are still required to comply with the standard.

NSW Premier and Cabinet Director General Brendan O'Reilly has previously said that addressing the widespread lax compliance with ISO 27001 will be a focus of the government.

Not a standard fit?

Some experts have questioned whether ISO 27001, which contains 133 security controls and policies, is appropriate for agencies.

Securus Global managing director Drazen Drazic said government agencies might be getting lost in the "process" of compliance, rather than the simple technology requirements.

"With ISO 27001, you pick and choose what you will comply with — and if it fits within the basic statement, then you're compliant," Drazic said. "But it doesn't mean you're compliant."

"Agencies tend to get caught up in the process, as opposed to the technical implementations of standard."

He said the industry-enforced Payment Card Industry Data Security Standard (PCI DSS) is more specific.

HackLabs director Chris Gatford agreed. He said a modified version of the PCI DSS may be a better security reference for agencies with only basic security arrangements.

"Focusing on essentials like PCI DSS is a good starting point for organisations that are essentially starting from scratch, because it covers a lot of the basics," Gatford said.

The idea is that agencies would apply the same processes that PCI DSS uses to protect credit card data to whichever data they need to keep secure, such as tax file numbers.

A decade of denial

In 2001, the NSW Government ordered that state agencies comply with Australian Standard 17799, which preceded ISO 27001. This directive, issued by the office of then Premier Bob Carr, required agencies to adopt a baseline level of technology, policy and frameworks in order to protect sensitive data.

Following the directive, information security managers across NSW government agencies formed a committee, led by then Government Chief Information Office (GCIO) standards guru Nigel Evans. It was designed to help agencies handle the compliance requirements, described by some as onerous.

The group met between 2002 and 2009, and served as an important forum for cash-strapped agencies to share expertise on how to implement the security standards, penned by the GCIO, and pitch the sometimes unpopular restrictions to staff and executive bureaucrats.

"The Information Security Management in Government forum met to discuss matters of interest in the sector. It was not a formal governance body and its discussions did not form government policy," the Department of Services, Technology and Administration said in a statement when asked about the forum.

The committee ended in 2009 after its key facilitator was promoted to a position outside of the information security industry.

Despite the committee's six years of operation and several scathing state audit reports, most NSW agencies remained non-compliant with ISO 27001, according to a recent audit report. The department did not answer queries on any planned replacement due to the pending election.

The NSW auditor had previously said that the government failed to monitor compliance or even set deadlines and consequences for non-compliance.

The auditor blamed an absence of central security oversight and enforcement for the non-compliance with the premier's directive.

Those agencies certified to the standard include the NSW Ombudsman, the Independent Commission Against Corruption, the Independent Pricing and Regulatory Tribunal, the Department of Commerce, the Roads and Traffic Authority, and Railcorp.

Darren Pauli

1 comment
  • Some might suggest that PCI-DSS is the credit card suppliers' solution to security risks - transfer the risks to merchants and banks. It's a typical US designed 'tick and flick' job that lawyers like.

    A review of ICAC reports over the last several years suggests that varied weaknesses in internal ICT security were a major contributing factor and would not have been prevented by PCI-DSS compliance. ISO2700n is designed for 'all of organisation', PCI-DSS is not.

    Contrary to the beliefs of some vendors, security technology is not the entire solution. Most govt departments almost certainly have more than enough of it. As any familiarity with ISO 2700n reveals, information security is a management matter, selection of controls (type and strength) requires risk assessment, although this can be simplified by well chosen baselines. Technology also requires effective configuration management, an aspect of the standard that is often forgotten. How many govt depts have the necessary CM is a relevant question. And how many information security vendors in Sydney are competent in it is an interesting one.

    However, the nub of an ISMS is addressing the three aspects, technology (the easy bit and beloved by vendors), management policies and operating processes (takes effort to establish and time to bed down and get working properly), and trained and security aware staff (not just ICT, and takes time to change attitudes, habits and practices).

    The real issue with ISMS lies in the scope of the certification, starting small and expanding it is OK. Starting small and staying that way is not, although the entire organisation doesn't necessarily have to be certified if they are using certified processes. The problem with certifications is that often they are technology-centric (ie too much attention to the 133 possible control types) instead of being management systems. A management system is all about processes for routine, periodic and exceptional matters.