Information and Communications Technology Controls Guide
The guide is available as a PDF form.
Foreword
This guide has been developed to assist organisations with identifying areas for improvement regarding their information and communications technology (ICT) controls. It draws on the work undertaken in ICT controls-based audits across the Victorian public sector. It is designed to promote more robust practices and to enhance the ICT control environments at public sector organisations. ICT controls should form part of each organisation's broader security considerations, which should address both internal and external threats and risks. This guide does not replace the standards and guidelines with which Victorian public sector organisations must comply, but rather complements them.
Public sector organisations are encouraged to assess their ICT control environments against this better practice guide, and use the results to improve their practices.
Dr Peter Frost
Acting Auditor-General
February 2016
The importance of ICT controls
Public sector organisations increasingly use complex and interconnected ICT systems to deliver services to Victorians, and therefore it is vital that they have effective and appropriate controls in place. A conceptual example is illustrated below.
ICT systems
An ICT system is a collection of computer hardware and programs that work together to support business and operational processes. ICT systems are primarily made up of three core components:
- Operating system—core programs that run on the ICT hardware that enable other programs to work. Examples of operating systems include Microsoft Windows, Unix and IBM OS/400.
- Applications—programs that deliver business and operational requirements. Examples of applications include Oracle E-business suite, SAP and TechnologyOne. These components are typically supported by an organisation's network infrastructure.
ICT controls
ICT controls are policies, procedures and activities put in place by an organisation to ensure the confidentiality, integrity and availability of its ICT systems and data.
ICT controls include the establishment and adherence to appropriate structures for managing:
- organisational governance
- system security
- ICT operations and architecture
- change and release
- system development and implementation
- backup and recovery.
The PDF of this guide contains interactive checklists for each of these topics.
Further references and resources
Further guidance on ICT controls and practices is available through resources such as those below:
- Victorian Protective Data Security Standards - www.cpdp.vic.gov.au/
- The Australian Government Information Security Manual - www.asd.gov.au/infosec/ism/
- Control Objectives for Information and Related Technology (COBIT) - cobitonline.isaca.org/
- Information Technology Infrastructure Library (ITIL) - www.itsmf.org.au/?page=ITILInfrastructure
- ISO/IEC 27001 - Information security management - www.iso.org/iso/home/standards/management-standards/iso27001.htm
- Payment Card Industry Data Security Standard (PCI DSS) - www.pcisecuritystandards.org/index.php
- VAGO Investing Smarter in Public Sector ICT better practice guide