Date: 6 October 2010

Application / Information repository name: CERS - Client Expenditure Recording System

Business Reason for handling sensitive data:

Columns: Control Question / Response / Control Status / Comments

Access Controls

Control Question: Are there formal access controls in place?
Response: YES
Control Status: Documented in a Policy, Standard and in Procedures, Processes
Comments: The EMSOnline administrator (Damien Ryan-Green) controls top level permissions to the EMSOnline Data Control Centre, and people with lower level permissions control permissions to other users on a need to access / need to know basis.

Control Question: Do they articulate who has access to what and why?
Response: YES
Control Status: Documented in a Policy, Standard and in Procedures, Processes
Comments: The EMSOnline administrator (Damien Ryan-Green) controls permissions to limited parts of the EMSOnline Data Control Centre. People given this permission are approved by the DHS Management Teams relevant to the apps hosted and / or the project managers for apps hosted, and have limited access and / or control over data and permissions. These people grant access and / or control further down the hierarchy.

Control Question: Is the access allocated to a particular role or an individual?
Response: YES
Control Status: Documented in a Policy, Standard and in Procedures, Processes
Comments: Access is controlled by the EMSOnline administrator (Damien Ryan-Green), who delegates control further down the hierarchy as approved by the DHS Management Teams relevant to the apps hosted and / or the project managers for apps hosted.

Control Question: Are third parties permitted access to the application?
Response: NO
Control Status: Documented in a Policy, Standard and in Procedures, Processes
Comments: All access is via the EMSOnline home page, with permissions controlled out of the Data Control Centre, see above.

Control Question: Are users required to undergo security checks / vetting before being granted access to the application?
Response: YES
Control Status: Documented in a Policy, Standard and in Procedures, Processes
Comments: People given this permission are approved by the DHS Management Teams relevant to the apps hosted and / or the project managers for apps hosted, and have limited access and / or control over data and permissions. These people grant access and / or control further down the hierarchy.

Control Question: Is a password required to access the application?
Response: YES
Control Status: Documented in a Policy, Standard and in Procedures, Processes
Comments: EMSOnline permissions read the user's login name, which has a password maintained by DHS.

Control Question: Is access revoked when no longer needed? E.g. upon termination?
Response: YES
Control Status: Documented in a Policy, Standard and in Procedures, Processes
Comments: DHS Management Teams relevant to the apps hosted and / or the project managers for apps hosted revoke access via a link on the EMSOnline home page.

Anti-virus Software

Control Question: Is there anti-virus software installed on the device hosting the application?
Response: YES
Control Status: Documented in a Policy, Standard and in Procedures, Processes
Comments: EMSOnline is wholly developed within Microsoft Office on the DHS network, and is a recipient of all DHS anti-virus software that is provided to Microsoft Office within DHS.

Control Question: Are files virus scanned before being opened?
Response: YES
Control Status: Documented in a Policy, Standard and in Procedures, Processes
Comments: EMSOnline is wholly developed within Microsoft Office on the DHS network, and is a recipient of all DHS virus scanning of Microsoft Office files opened within DHS.

Auditing, Monitoring and Reviewing

Control Question: Is file and user activity monitored for inappropriate and illegal activity?
Response: NO
Control Status: Documented in a Policy, Standard and in Procedures, Processes
Comments: EMSOnline is wholly developed within Microsoft Office on the DHS network, and the rules that apply to data entry in Microsoft Office files in general within DHS apply to data entered via EMSOnline.

Control Question: Are there regular processes in place to audit user activity and information processes?
Response: YES
Control Status: Documented in a Policy, Standard and in Procedures, Processes
Comments: DHS Management Teams relevant to the apps hosted and / or the project managers for apps hosted commission all the auditing that is required for data entered into a given app.

Control Question: When was the application last audited?
Response: N/A
Control Status: Documented in a Policy, Standard and in Procedures, Processes
Comments: Audit reports are created daily / continuously, for the review of DHS Management Teams relevant to the apps hosted and / or the project managers for apps hosted.

Incident Response

Control Question: Is there a documented process to deal with security incidents?
Response: YES
Control Status: Documented in a Policy, Standard and in Procedures, Processes
Comments: Updates of the EMSOnline Continuous Improvement Program are circulated regularly to the project managers for apps hosted, and the latest project plan for each app is made available to the project managers for apps hosted. This document contains a standard list of risk management headings, and the response.

Control Question: Has the application's security been breached and information inappropriately accessed or disclosed in the last 12 months?
Response: NO
Control Status: Documented in a Policy, Standard and in Procedures, Processes
Comments: No security breaches have been reported in the history of apps hosted at EMSOnline (since its launch in 2001/02).

Awareness

Control Question: Are users provided with an appropriate "user manual" and necessary security information?
Response: YES
Control Status: Documented in a Policy, Standard and in Procedures, Processes
Comments: The home page of EMSOnline contains a clear statement regarding the fact that all data hosted at EMSOnline is subject to security permissions. Users with access to the Data Control Centre agree to read the standard data security guidelines on an intro screen every time they enter the Data Control Centre, and agree to receive orientation from Christine Tiernan, Manager User Support Systems EMSOnline, prior to using the Data Control Centre for the first time.

Control Question: Do users know who to contact for security concerns?
Response: YES
Control Status: Documented in a Policy, Standard and in Procedures, Processes
Comments: The home page of EMSOnline contains a user support system via which users are able to log a request regarding security or any other matter.

Control Question: Is there a clearly defined owner (and delegate) for the application?
Response: YES
Control Status: Documented in a Policy, Standard and in Procedures, Processes
Comments: The home page of EMSOnline lists all hosted apps, and the project manager currently responsible for each.

Backups, Business Continuity & Disaster Recovery

Control Question: Is the application backed up at regular intervals?
Response: YES
Control Status: Documented in a Policy, Standard and in Procedures, Processes
Comments: Every night on DHS backup tapes.

Control Question: Is there an alternative that can be used if the application is unavailable?
Response: NO
Control Status: Documented in a Policy, Standard and in Procedures, Processes
Comments: If the application is unavailable (for example due to scheduled maintenance by DHS ISB), users receive a prompt asking them to "try again later". Additional prompts specific to apps are

Control Question: Is there a formal Business Continuity Plan / Disaster Recovery plan in place and has it been tested within the last 12 months?
Response: YES
Control Status: Documented in a Policy, Standard and in Procedures, Processes
Comments: The EMSOnline Continuous Improvement Program and, if specific additional measures are required, the project plan for a given app, contains information regarding disaster recovery. We have only ever once needed a formal recovery, and that was soon after DHS Head Office relocated from 555 Collins St to 50 Lonsdale St in the early to mid 2000s: n028 went down for approx. one to two days, and we needed to be called in to recover rosters that had been uploaded in that window of time.

Change Management

Control Question: Are formal change management processes used when making changes to the application?
Response: YES
Control Status: Documented in a Policy, Standard and in Procedures, Processes
Comments: The EMSOnline Continuous Improvement Program makes a change management plan a condition of any upgrade to an app.

Patching

Control Question: Is the application up-to-date with known patches?
Response: YES
Control Status: Documented in a Policy, Standard and in Procedures, Processes
Comments: EMSOnline is wholly developed within Microsoft Office on the DHS network, and receives all patches approved by DHS for Microsoft Office generally.

Control Question: Is there a structured process in place to ensure that application vulnerabilities are patched in a timely manner?
Response: YES
Control Status: Documented in a Policy, Standard and in Procedures, Processes
Comments: EMSOnline is wholly developed within Microsoft Office on the DHS network, and receives all patches approved by DHS for Microsoft Office generally.

Information Classification & Handling

Control Question: Is information being handled by the application assessed for integrity as well as confidentiality and availability requirements?
Response: YES
Control Status: Documented in a Policy, Standard and in Procedures, Processes
Comments: All data entered into apps hosted at EMSOnline is data validated and screened to the level required by the project manager for the app.

Control Question: Is information handled by the application appropriately classified and labelled according to DHS/DH requirements?
Response: YES
Control Status: Documented in a Policy, Standard and in Procedures, Processes
Comments: The classification and labelling of data entered into apps hosted at EMSOnline is in line with data entry into any Microsoft Office file, with additional labels such as the login name of the user, the user's permission level and position, and other details of the user, as the relevant manager may require.

Control Question: Is information handled by the application appropriately disposed of according to DHS/DH requirements when no longer required?
Response: YES
Control Status: Documented in a Policy, Standard and in Procedures, Processes
Comments: Please note that as far as we are aware, no data entered into EMSOnline should be disposed of.

Control Question: Is the application information encrypted / protected in accordance with DHS/DH requirements?
Response: YES
Control Status: Documented in a Policy, Standard and in Procedures, Processes
Comments: Information is protected to the maximum level allowed to us by DHS ISB via the DHS permissions structure and, where relevant, by the project managers for apps hosted. As part of our continuous improvement plan, we also continuously seek access to additional protection, with the current application as lodged being for hosting by an existing third party provider of hosting for DHS via SQL Server, rather than by ourselves.

Control Question: Can application information be downloaded to removable media such as USB drives?
Response: YES
Control Status: Documented in a Policy, Standard and in Procedures, Processes
Comments: Certain apps and many reports allow for information to be detached in standalone Microsoft Office and other files for the purpose of, for example, sending rosters to house staff, or roster stats to managers.

Control Question: Can information be uploaded to the application from removable media such as USB drives?
Response: YES
Control Status: Documented in a Policy, Standard and in Procedures, Processes
Comments: Certain apps allow for information to be submitted from standalone Microsoft Office files for the purpose of, for example, submitting roster information into EMSOnline databases.

Physical Security

Control Question: Where is the application hosted? General DHS/DH network? Dedicated network? Standalone device?
Response: YES
Control Status: Documented in a Policy, Standard and in Procedures, Processes
Comments: The application is hosted entirely on the DHS Network.

Control Question: Is the device hosting the application in a secure environment? E.g. a data centre? Computer room?
Response: YES
Control Status: Documented in a Policy, Standard and in Procedures, Processes
Comments: The application is hosted in permissions controlled folders on the DHS Network.

Information Flows

Control Question: Are the information flows to and from the application documented?
Response: YES
Control Status: Documented in a Policy, Standard and in Procedures, Processes
Comments: The EMSOnline Continuous Improvement Program contains a standard that the 'App Design' for an app is to contain all the screens in the app, and all data flows.

Control Question: Does the documentation include details of information: creation, maintenance, storage, exchange and sharing, input, output and processing validation?
Response: YES
Control Status: Documented in a Policy, Standard and in Procedures, Processes
Comments: The business rules for creating an 'App Design' are specific in relation to all these types of information.

Remote and Wireless Access

Control Question: Are there controls governing the physical location from where the application can be accessed?
Response: YES
Control Status: Documented in a Policy, Standard and in Procedures, Processes
Comments: The application can only be accessed when the user is logged into HSNet, and also has been granted the relevant permissions.

Control Question: Is remote access to the application permitted?
Response: YES
Control Status: Documented in a Policy, Standard and in Procedures, Processes
Comments: The application can only be accessed when the user is logged into HSNet, which for some managers can occur remotely. N.b. not all links work when logged in remotely, as the current scope of the application is that it should provide full access to users logged in locally (physically inside DHS).

Control Question: Is wireless access to the application permitted?
Response: NO
Control Status: Documented in a Policy, Standard and in Procedures, Processes
Comments: Wireless access to the application is not permitted except where DHS may allow a user to log in to HSNet using wireless.

Compliance

Control Question: Has the application been assessed for compliance with DHS policies and standards within the last 12 months? And what were the outcomes?
Response: NO
Control Status: Documented in a Policy, Standard and in Procedures, Processes
Comments: The application was originally developed as a small-scale local platform for North & West Metropolitan Region, and evolved incrementally to become a system used by all regions statewide. As a result of this item, we have formally requested this assessment as part of the submission of this document.

Control Question: Are the application owner and users conversant with the relevant legislative and regulatory requirements pertaining to the information being handled by the application?
Response: YES
Control Status: Documented in a Policy, Standard and in Procedures, Processes
Comments: The application owner (Damien Ryan-Green) has been working on this application and in particular the RosterCoster app since 1993, and is conversant to the extent that he has frequently been involved over the years in most issues relating to app development and maintenance. The EMSOnline Continuous Improvement Program contains a permanent application for the maximum level of compliance within the context of limited project budgets.

Control Question: Is the application subject to legislative and / or regulatory compliance? If so please indicate in the appropriate column.
Response: YES
Control Status: Documented in a Policy, Standard and in Procedures, Processes
Comments: See above.

Control Question: Has the application's compliance with the relevant legislative and regulatory requirements been validated within the last 12 months?
Response: NO
Control Status: Documented in a Policy, Standard and in Procedures, Processes
Comments: See above.

Control Question: Have there been any compliance breaches noted within the last 12 months, e.g. arising from a formal audit such as one conducted by VAGO or through other means, and what were the outcomes if any?
Response: NO
Control Status: Documented in a Policy, Standard and in Procedures, Processes
Comments: EMSOnline has never had a compliance breach since its introduction in 2001/02.