ICT policies and standards support the strategic directions of the Government of South Australia. They direct the consolidation and rationalisation of ICT processes and technologies with the aims of increasing flexibility, decreasing costs and enhancing management of ICT assets.
The policies and standards published by the Office of the Chief Information Officer:
- underpin the across-government enterprise architecture and its associated business process, application, data/information and technology components
- facilitate consistency in the procurement of service provision arrangements across-government.
The Office of the Chief Information Officer’s policies and standards apply to all Government of South Australia agencies and instrumentalities, although exemptions may be granted under certain circumstances.
A review date for each policy and standard is to be included in the metadata of all relevant documents.
Who is involved?
Policies and standards must be endorsed by an appropriate governance authority prior to publication. The authority will depend on the nature of the document but may be the Chief Information Officer, the ICT Board, the Strategy and Standards Steering Committee, the Major Projects and Infrastructure Cabinet Committee or Cabinet.
The Strategy and Innovation Directorate within the Office of the Chief Information Officer oversees the preparation, management and publication of policies, standards and guidelines.
The secretariat does not engage in the development of policies and standards itself. This is undertaken by discipline experts in the Office of the Chief Information Officer or in other government agencies.
The directorate initiates reviews of documents as their expiry dates approach. Responsibility for implementing policies and standards within agencies is identified in the policy documents produced by the directorate.
Agencies may develop their own ICT policies and standards to address local requirements. Such documents should be aligned with those of the Office of the Chief Information Officer.
Policies and standards links
The following policy and standards sites are relevant in the SA Government context:
Please note: other policies, standards and guidelines, aside from those listed below, are available for government agencies and statutory authorities. For further information about these policies please email CIOAdministrator@sa.gov.au
Christian Bertram
Strategy and Innovation
Phone: 08 8204 8481
Applications and internet
- Government domain - OCIO_P5.3 (PDF 116 KB)
This document describes the policy appropriate for the management of internal and external domains used by the Government of South Australia and local government.
- Website Writing Guide
The Website Writing Guide has been developed by Website Criteria Pty Ltd in conjunction with various Government of South Australia departments. It provides definitive rulings and advice on website writing style and protocols.
The guide was developed using many sources, including the Commonwealth Government Style Manual, the Government of South Australia's Plain English Good Practice Guide and the World Wide Web Consortium’s accessibility guidelines.
Standards - internet
- SmartForm Standard – SAGOV_S5.3 (PDF 383 KB)
This document specifies the requirements for electronic forms with capabilities and facilitates a consistent approach to the design and build of a SmartForm within the South Australian Government.
Environment and social
- Greening of ICT - OCIO_G9.1 (PDF 52 KB)
Government agencies and staff should, at all times, ensure that they take into account the environmental impact of Information Communication Technology (ICT) operations and the environmental impact of the procurement of value for money ICT products and services.
ICT Policies, Standards, Architecture and Processes
- Compliant Authorities
( PDF 188 KB) ( DOC 274 KB)
This policy identifies government entities required to follow across-government Policies, Standards, Guidelines, Procedures and Notifications on Information and Communication Technology.
- Exemptions Policy
( PDF 98 KB)
Agencies seeking exemption from government ICT policies or standards must advise the Chief Technology Officer prior to undertaking investigation of alternatives and must obtain approval for exemption prior to implementing alternative solutions.
- Protective Security Management Framework
( PDF 63 KB)
The Protective Security Management Framework (PSMF) is a Cabinet-approved document issued by the Department of Premier and Cabinet as Cabinet Circular No. 30. It describes the arrangements and expectations for personnel, physical and information security in South Australian Government agencies.
- Information Security Management Framework
( PDF 4.84 MB) ( DOCX 2.66 MB)
The Information Security Management Framework (ISMF) addresses cyber security in the Government of South Australia, and consists of 40 policies supported by 140 standards. It is a business-driven, risk-based approach that is aligned with the Australian Government Protective Security Policy Framework and the 27001 international standard for information security management systems.
The ISMF applies to South Australian Government agencies and suppliers whose contractual requirements include it.
Additional standards issued as external ISMF publications are:
- ISMF Standard 137 – Information Security Management
( PDF 250 KB) ( DOCX 3.2 MB)
This standard supports legacy purchasing arrangements and contracts that are yet to be refreshed to reflect ISMF version 3. This standard makes it possible for such contracts to be relayed to the new framework.
- ISMF Standard 138 - Privacy and confidentiality
( PDF 250 KB) ( DOCX 3.2 MB)
Each agency must define ‘authorised access’ for all its data, for example, who has access, what authority is required and the level of access allowed. This information is contained in Cabinet Circular Number 12 (Cabinet Administrative Instruction 1/89) titled Information Privacy Principles.
- ISMF Standard 139 - Security in an outsourced environment
( PDF 250 KB) ( DOCX 3.2 MB)
Contracts with external service providers must specify agency-approved information on security policies and procedures. Such contracts must contain provisions to indemnify the Government of South Australia and its agencies against the outcomes of violations to the policies and procedures.
- ISMF Standard 140 - Notifiable incidents
( PDF 700 KB) ( DOCX 3.5 MB)
Agencies and applicable suppliers must notify the Office of the Chief Information Officer about incidents which disrupt or have the potential to disrupt government information and communication technology services. A standalone version of the incident report form is also available.
- Web Application Security Standards - SAGOV/S4.14
( PDF 345 KB) ( DOCX 494 KB)
Agencies and applicable suppliers should comply with the requirements of this standard when developing web applications.
- Web Server Security Standards - SAGOV/S4.15
( PDF 451 KB) ( DOCX 558 KB)
Agencies and applicable suppliers should comply with the requirements of this standard when configuring servers that will host web applications.
The following ISMF Rulings are official interpretative statements of general applicability:
- ISMF Ruling 2 – Storage and processing of Australian Government information in outsourced or offshore ICT arrangements
( PDF 521 KB) ( DOCX 792 KB)
Guidelines and utilities to support ISMF implementation
The following guidelines and utilities assist agencies and applicable suppliers in adhering to the requirements of the ISMF:
- ISMF Guideline 1 - Securing smart-phones and other portable storage devices
( PDF 170 KB) ( DOCX 780 KB)
- ISMF Guideline 2 - Personnel vetting and security clearances
( PDF 200 KB) ( DOCX 790 KB)
- ISMF Guideline 3 - Critical ICT
( PDF 168 KB) ( DOCX 785 KB)
- ISMF Guideline 4 - Developing cyber security standards, plans and guidelines
( PDF 450 KB) ( DOCX 2 MB)
- ISMF Guideline 5 - Reporting and reviewing security incidents
( PDF 200 KB) ( DOCX 1.5 MB)
- ISMF Guideline 6 - Home-based work and telecommuting
( PDF 240 KB) ( DOCX 1.5 MB)
- ISMF Guideline 7 - Departing personnel
( PDF 200 KB) ( DOCX 1.5 MB)
- ISMF Guideline 8 - Cloud computing
( PDF 170 KB) ( DOCX 5 MB)
- ISMF Guideline 9 - Cyber security in procurement activities
( PDF 180 KB) ( DOCX 800 KB)
- ISMF Guideline 10 - Transition guidance for agencies and suppliers
( PDF 160 KB) ( DOCX 785 KB)
- ISMF Guideline 11 - New classification scheme for confidentiality of information and associated assets
( PDF 577 KB) ( DOCX 827 KB)
- ISMF Guideline 12 - Legal, regulatory and contractual compliance requirements
( PDF 200 KB) ( DOCX 796 KB)
- ISMF Guideline 13 - Roles and responsibilities in establishing and maintaining an Information Security Management System
( PDF 1.2 MB) ( DOCX 846 KB)
- ISMF Guideline 14 - An approach to risk assessment using the ISMF
( PDF 204 KB) ( DOCX 2.4 MB)
- ISMF Guideline 15 - An approach to classification using the ISMF
( PDF 465 KB) ( DOCX 1.7 MB)
- ISMF Guideline 16 - Working away from the office or abroad
( PDF 511 KB) ( DOCX 1.7 MB)
- ISMF Guideline 17 - Role and responsibilities of the IT Security Adviser
( PDF 223 KB) ( DOCX 2.47 MB)
- ISMS Statement of Applicability tool (for use with ISMF version 3.1)
( XLS 565 KB)
This spreadsheet will help scope and define the applicable policies, standards and controls from the ISMF for a given location, business function or ICT system. The spreadsheet can also be used to describe what standards and controls have been applied to a given environment during an ICT audit.
- SA Government Critical ICT Infrastructure Register – Submission Template
( XLS 40 KB)
This spreadsheet is designed to assist agencies to submit information about their Critical ICT Infrastructure and Services to the Office of the Chief Information Officer. Agencies should refer to ISMF Ruling 1 and ISMF Guideline 3 for more information.
Further information: Security and Risk Assurance
- Contract management framework - OCIO_P2.5 (PDF 120 KB)
This document addresses information communication technology contracts. It is aimed at people responsible for managing government contracts at portfolio and agency level.
- Software asset compliance - OCIO_P2.6 (PDF 104 KB)
This document directs compliant authorities to adhere to specific compliance and management methods and standards regarding software assets.
- Microsoft Software Agreement - Enterprise and Select Plus Policy - OCIO_P2.4 (PDF 121 KB)
Agencies must use the Microsoft Software Licensing and Services Contract for the acquisition of all Microsoft software licences and products. This agreement covers all agencies except the Department of Education and Children Services, the Department of Further Education, Employment, Science and Technology and SA Water. These procure software under specific licences.
- Standards for Microsoft-based desktops (accessible to SA Government employees only)
This document specifies the standard for Microsoft-based personal and notebook computers across the Government of South Australia, including computer software of the desktop, network and the back office systems needed to support, run and maintain them.
- Technology Standard for Apple desktops (accessible to SA Government employees only)
This document specifies the standard for Apple-based personal and notebook computers across the Government of South Australia, including computer software of the desktop, network and the back office systems needed to support, run and maintain them.
- Network technology standards (Please contact Christine Lewis, Office of the Chief Information Officer, telephone 8226 5998).
This document defines the current and emerging standards that are appropriate for use within the Government of South Australia's data, telephony and radio networks. It contains technologies to interconnect various resources (such as computers and information devices) including technologies, protocols, transport media, topology and naming services.
- Messaging services (Please contact Christine Lewis, Office of the Chief Information Officer, telephone 8226 5998).
Having a single messaging technology makes support more effective and encourages whole-of-government e-Business initiatives.
- Naming standards - South Australian Government Electronic Messaging Service (@sa.gov.au) (Please contact Christine Lewis, Office of the Chief Information Officer, telephone 8226 5998).
SAGEMS mobility service
- SAGEMS mobility service (accessible to SA Government employees only)
This document states the approval, management and usage requirements that need to be satisfied when purchasing a smartphone for connection to SAGEMS. It also mandates the security requirements that a smartphone must satisfy before its connection to SAGEMS.
- Infrastructure threat protection software (accessible to SA Government employees only)
This document describes the threat management and protection anti-virus and personal firewall software technologies suitable for anti-virus, anti-spyware, and anti-spam for desktops, notebooks and servers appropriate for use within the Government of South Australia.
- Videoconferencing technology standards (accessible to SA Government employees only)
This document identifies technical standards and conventions that are to be applied when implementing videoconferencing systems within the Government of South Australia.