For the federal agency Statistics Austria (hereinafter Statistics Austria), the security and protection of collected, processed and administered data and information is of the utmost priority.
Information Security (Informationssicherheit - InSi) includes the protection of data and information with the identified need for protection against loss, manipulation and undesired disclosure and thus also the protection of corresponding data and information storage media and processing facilities. Information on paper, digital storage media and the verbal transmission of information are also part of information security.
The "Information Security - Statistics Austria" document contains the goals and management principles of Statistics Austria on the subject of information security as well as the requirements for the InSi management system, which is intended to ensure an appropriate InSi level. It is based on the internationally recognized ISO 27001 standard, was put into effect by the Directorate General of Statistics Austria and is revised in an annual cycle.
The IT division was commissioned to set up and continuously improve an InSi management system. Associated with this is the establishment of the role of an InSi officer, who is in charge of the coordination, control and reporting for this management system.
The InSi team provides topic-specific guidelines and regularly checks that they are up to date. Changes to the guidelines must be approved by the Directorate General. All documents relevant to information security are available on Statistics Austria's intranet.
One group of information with a particularly high protection requirement is "personal data", the information security of which must be ensured in accordance with the specifications of the European General Data Protection Regulation (GDPR) and the Austrian Data Protection Act (Datenschutzgesetz - DSG). The data protection officer established for this topic in the Division Central Services and the InSi officer work closely together as members of the InSi team.
Periodic reviews and ongoing monitoring of the InSi processes, compliance with the guidelines and the implemented security measures provide information about their effectiveness and form the basis for necessary changes and continuous improvement. The overall effectiveness of the InSi management system is periodically evaluated by the Directorate General to ensure its ongoing suitability and appropriateness.
When implementing and continuously improving the InSi management process, attention must be paid to effectiveness and efficiency, but especially to the balance between the necessary information security and the maintenance of undisturbed operational processes.