DAC understands the importance of an effective information security program to protect the confidentiality, integrity and availability of all assets and information from potential threats and to allow us to perform our services effectively and maintain our reputation as a trusted user of government data.
This strong commitment to security is reflected in the implementation of security policies, processes and controls, as well as dedicated staff to manage information security.
Security Policies and Compliance
All DAC security policies and procedures are implemented according to NSW government policies and legislation. These policies and procedures are reviewed on a regular basis.
As part of NSW Treasury, DAC is also required to comply with the NSW Government Digital Information Security Policy (DISP), and the Treasury Secretary must attest annually to the adequacy of its digital information and information systems security. The DAC is bound by the Data Sharing (Government Sector) Act 2015, which sets out the framework under which the DAC can request data, the purposes for which public sector agencies can share data with the DAC, and the required data safeguards.
We conduct regular external and internal penetration tests by independent security organisations and remediate findings accordingly.
The DAC technical infrastructure is hosted in a secure NSW government data centre.
All DAC personnel are based at the NSW Treasury office. This secure building has card readers, on-premises security staff and strict visitor access controls.
All DAC personnel are required to complete a Police Check and, where required, a Working with Children Check. All personnel are also required to sign a confidentiality agreement.
All DAC personnel are required to complete regular compliance training including ICT password, cyber-security awareness, corporate governance and finance, code of conduct, and fraud and corruption. We also have a strong focus on ensuring personnel have the right skills and training to perform their roles.
We have dedicated teams:
- Data Governance team, which is responsible for provisioning data access and completing data audits
- Service Management team, which is responsible for the security of the platform, security compliance, education, user management and access controls to the platform
All information assets are managed in accordance with the Record Management Framework Policy, which complies with the State Records Act 1998. An Information Labelling, Classification and Handling Policy is in place to identify the confidentiality requirements of all information assets and to ensure appropriate labelling and handling throughout their lifecycle: creation, storage, archival and sharing of information.
A Record Retention and Disposal Policy is also in place to ensure appropriate retention and disposal of information assets.
The DAC follows a formal process for creation and deletion of user accounts and access to specific data on the DAC platform.
Access to the platform is permitted only via a secure connection through a VPN server, which provides an authenticated, encrypted tunnel between a privileged user's endpoint and the services they are permitted to use within the platform.
A Password Management Policy is in place and defines the requirements for password changes, re-use and complexity for all user and administrator passwords.
All DAC software development must follow secure-by-design coding practices. A clearly defined separation exists between the Production and Development environments to ensure better management and security of the production systems, while allowing greater flexibility in the Development environment.
A strict Change Management process is in place, which includes a risk assessment, change request review and approval, technical and functional verification, and final sign-off for all components listed in the change request.
All DAC source code is stored within a dedicated code repository.
A dedicated Service Management team manages and administers the platform.
The service manager is responsible for security of the platform.