The DAC understands the importance of an effective information security program to protect the confidentiality, integrity and availability of all assets from potential threats. This allows us to perform our services effectively and maintain our reputation as a trusted user of government data.
This strong commitment to security is reflected in the implementation of security polices, processes and controls, as well as dedicated staff to manage information security.
Security Policies and Compliance
All DAC security policies and procedures are implemented according to NSW government policies and legislation and are reviewed on a regular basis.
As part of NSW Customer Service, DAC also has the requirement to comply with the NSW Government Cyber Security Policy and the Department Secretary must attest annually to the adequacy of its digital information and information systems security. The DAC is bound by the Data Sharing (Government Sector) Act 2015, the framework under which DAC can request data and public sector agencies can share data with the DAC safely.
Regular penetration tests are conducted by independent security organisations and we re-mediate accordingly with the results.
The DAC technical infrastructure is hosted in a secure data centre in NSW.
This secure building has card readers, on premise security and strict visitor access controls.
All DAC personnel are required to complete a Police Check and Working with Children Check if required. All personnel are also mandated to sign a confidentiality agreement.
All DAC personnel are required to complete regular compliance training, including ICT password, cyber-security awareness, corporate governance and finance, code of conduct, and fraud and corruption.
We have a dedicated:
- Data Governance team, who is responsible for provisioning data access, and completing data audits
- Service management team, who is responsible for platform, security compliance, education, user management and access controls
All information assets are managed as per the Record Management Framework Policy, which complies with the State Record Act 1998. The Information Labelling, Classification and Handling Policy is in place to help identify the confidentiality requirements of all information assets and ensure appropriate labelling and handling through its lifecycle – creation, storage, archival and sharing of information.
Record Retention and Disposal Policy is also in place to ensure appropriate retention and disposal of information assets.
The DAC follows a formal process for creation and deletion of user accounts and access to specific data.
Access to the platform is permitted via a secure connection through a VPN server, which provides an authenticated encrypted tunnel between a privileged users’ end points and the services they can use within the platform.
The Password Management Policy is in place and defines the requirements for password changes, re-use and complexity for all user and administrator passwords.
All DAC software development must follow ‘secure by design’ coding techniques. A clearly defined separation exists between Production and Development environments to ensure better management and security for the production systems, while allowing greater flexibility in the Development environment.
Strict Change Management processes are in place, which includes a risk assessment, change request review and approval, technical and functional verification and final sign off for all components listed in the change request.
All DAC source code is stored within a dedicated code repository.
A dedicated service management team manage and administer the platform.
The service manager is responsible for security of the platform.