Samoa’s information security policy 2024

May 2024

View the original document

Strategies and Action Plans

Author: Ministry of Communications & Information Technology (MCIT) of Samoa

The Information Security Policy 2024 issued by the Ministry of Communications & Information Technology (MCIT) of Samoa outlines the strategic framework and operational standards for protecting the Government of Samoa’s (GoS) information systems, digital assets, and related infrastructure. Below is a detailed explanation of the policy’s core elements:

Purpose and Objectives

The primary goal of the policy is to ensure the confidentiality, integrity, and availability of data and information within GoS systems. It aims to safeguard these assets from a range of cyber threats such as ransomware, social engineering, and DDoS attacks. It also supports secure operation during security breaches or disasters.

The policy establishes a unified approach across government agencies, sets minimum information security requirements, and aligns with the ISO/IEC 27001 standard for Information Security Management Systems (ISMS).

Scope and applicability

The policy applies to:

  • All GoS agencies including ministries, statutory bodies, and constitutional authorities.
  • All GoS staff, contractors, and third parties with access to GoS ICT resources.
  • All GoS data and digital assets, including those managed externally.
  • Devices and systems (e.g., BYOD, IoT) handling or transmitting GoS-related data.

Compliance and exemptions

Non-compliance must be reported to the national cybersecurity team (SamCERT), and may be escalated to the CEO of MCIT. Exemptions can be requested in writing and must be justified, recorded in the risk register, and reviewed periodically.

Core policy principles

  1. Foundational documentation across agencies supports a unified approach.
  2. Safeguards and risk mitigation measures include patching, access controls, and awareness campaigns.
  3. Shared responsibility encourages proactive behaviour and open communication regarding security.
  4. Controlled access ensures that only authorised individuals can access information or systems.
  5. Continuous improvement mandates regular review and updates of security practices.
  6. Information classification ensures proper handling of data based on sensitivity.
  7. Only approved, secure ICT systems are to be developed, procured, or used.

Standards and procedures

1. Information security risk management

A formal framework defines acceptable risk levels, enables strategic decision-making, and supports risk assessment and mitigation across all GoS activities.

2. Information classification and handling

All data must be classified according to impact assessment and protected accordingly. “Confidential” data must be reassessed biennially; ‘Highly Confidential’ annually.

3. Log management and monitoring

Logs must be synchronised, securely stored, and retained with a minimum of three months immediately accessible for review. Continuous monitoring is required to detect attacks.

4. Malicious code protection

Measures include anti-malware, intrusion prevention, file integrity monitoring, and application whitelisting to guard against malware.

5. Network infrastructure and configuration

Security standards must be applied to all network assets. Only authorised devices may connect, and suspicious traffic must be monitored and managed.

6. Patch and vulnerability management

Regular identification, testing, and deployment of patches is required to address known vulnerabilities and maintain system integrity.

7. Incident response

A structured process handles incidents in phases: detection, containment, eradication, recovery, and post-incident analysis. It includes communication, monitoring, and legal evidence considerations.

Roles and responsibilities

  • MCIT CEO: Oversees policy alignment with national strategy and promotes a culture of security.
  • SamCERT: Leads implementation, awareness, and capacity building across agencies.
  • Policy division (MCIT): Maintains the policy, assists in implementation, and ensures timely reviews.
  • Heads of ministries/agencies: Allocate responsibilities, enforce compliance, and manage agency-specific risks.
  • ICT staff: Conduct asset identification, integrate security into procurements and projects, and report incidents.
  • Audit & compliance committee: Evaluates the effectiveness of security measures.
  • System owners: Register systems, control access, and monitor risks.
  • All staff and contractors: Must comply with policy, participate in exercises, and report threats or incidents.

Review and version vontrol

The policy is versioned (currently at version 4.0) and is subject to regular review to reflect changes in the threat landscape, legal environment, or operational context.