Government is embarking on a cybersecurity improvement campaign aimed at increasing cybersecurity resilience and awareness of cyber threats in the public service, with a view to making all public servants safer and more secure online.
Public Service and Administration Director-General, Ms Yoliswa Makhasi, said an awareness drive will make cybersecurity everyone’s responsibility in the public service.
This follows a circular issued by the DPSA about the public service information security directive to all heads of both provincial and national departments.
The purpose of the circular is to provide direction in the public service regarding establishing departmental information security governance, practice, and procedures to protect information and technology assets.
“Through this Directive, we want to make it clear that in the public service cybersecurity is a shared responsibility to keep Government data and systems safe.
“The prescripts set out in the Directive must be applied to all national and provincial departments, government components, and employees employed in terms of the Public Service Act.
“This Directive only applies to members of the public services, educators, or members of the Intelligence only in as far as the provisions of this Directive are not contrary to the laws governing their employment,” said DG Makhasi.
The department will support the implementation of the Directive through a continuous campaign to raise awareness of common social engineering techniques such as phishing, vishing and smishing, pretexting, baiting and the psychology of influence, as well as recognizing suspicious and spoofed domains, and identifying secure connections (HTTP & HTTPS) login information on untrusted or spoofed sites.
Implementation of the Directive
According to DG Makhasi, the Head of Department (HoD) must ensure that the department has an information security policy that is aligned with the provisions set out in the Directive.
Ms Makhasi said the departmental Information Communication and Technology (ICT) steering committee should also function as an information security forum. It is also the HoD’s responsibility to ensure that information is classified in terms of the uniform sensitivity classification scheme.
Protection against malicious and mobile code
The Directive further orders the HoD to ensure that:
- All information devices connected to the government network have up-to-date antivirus and integrity-checking software installed;
- Employees do not knowingly distribute viruses or bypass any detection systems in place;
- Employees exercise caution when opening any email if the source of the email is unknown to the user.
- Employees receiving or downloading data media from any source within the public service have the responsibility for ensuring that it is checked for viruses before use. Similarly, individuals intending to pass on data media within government or to external parties must ensure that it is first scanned for viruses.
- Employees are prevented from disabling or changing the configuration of the antivirus software installed on their personal computers.
- Suspected malicious code attacks are reported immediately on identification by following the internal security incident management procedure.
Backups
Ms Makhasi said HoDs must ensure that backups are performed frequently, based on the sensitivity of the data, and that, regardless of classification, the availability of all data is maintained through periodic backups and recovery mechanisms.
She further said that the HoD must ensure that departmental backups are covered in the existing contract/arrangement of any service provider and that the backups containing sensitive data are encrypted.
Media handling
“The HoD must ensure that government information is always stored/saved on departmental network servers, that removable computer media is protected against unauthorized access and that any loss or theft of removable computer media must be treated as a security breach and must be reported immediately,” the DG said.