Information security - IS18
The Queensland Government is responsible for a significant amount of information held in both electronic and paper-based formats, and it is critical that this information be protected appropriately.
This information standard seeks to ensure all agencies implement a consistent approach to the implementation of information security to protect information assets, and any ICT assets which create, process, store, view or transmit information, against unauthorised use or accidental modification, loss or release.
Agencies must develop, document, implement, maintain and review appropriate security controls to protect the information they hold by:
- establishing appropriate information security policy, planning and governance within the agency in line with this information standard, including adopting all specified frameworks, standards and reporting requirements
- ensuring appropriate security controls are implemented as detailed by this information standard and its supporting documents.
This information standard relates to all domains within the information security slice of the Queensland Government Enterprise Architecture (QGEA). Under the Financial and Performance Management Standard 2009 all accountable officers and statutory bodies must safeguard their assets through the establishment of internal controls and must have regard to the Financial Accountability Handbook. The Financial Accountability Handbook identifies Information Standard 18: Information Security as being applicable when designing, developing and implementing agency internal ICT controls. As such this information standard applies to all accountable officers and statutory bodies as defined in the Financial Accountability Act 2009.
Issue and review
This QGEA information standard is published within the QGEA and is administered by the Queensland Government Chief Information Office. It was developed by the Queensland Government Chief Information Office and approved by the Queensland Government Chief Information Officer on 3 November 2010.
This QGEA information standard will be reviewed on a two yearly basis or as required. The next review date is November 2012.
Current Version: v5.0.1 (November 2010)
Due to the extent of advice required to support agencies in the implementation of the Information Security Principles, a separate IS18 Implementation Guideline has been developed.
Implementation advice and toolboxes
Implementation advice and toolboxes are provided to assist agencies in implementing the mandatory principles of each Information Standard.
Principle 1 - Policy, planning and governance
Agency management must recognise the importance of, and demonstrate a commitment to, maintaining a robust agency information security environment. Agencies at a minimum must:
- develop an Information Security Policy which contains the mandatory clauses detailed in the Information Security Policy – Mandatory Clauses document
- develop an Information Security Plan, ensuring alignment with agency business planning, general security plan and risk assessment findings
- establish and document information security internal governance arrangements (including roles and responsibilities) to implement, maintain and control operational information security within the agency
- establish and document information security external governance arrangements to ensure that third party service level agreements and operational level agreements clearly articulate the level of security required and are regularly monitored.
Principle 2 - Asset management
Agencies must implement procedures for the classification and protective control of information assets (regardless of format). Agencies may wish to extend existing information asset and technology registers to incorporate security classification and control requirements. Agencies at a minimum must ensure:
- all information assets are assigned appropriate classification and control in accordance with the Queensland Government Information Security Classification Framework (QGISCF)
- all ICT assets that create, store, process or transmit security classified information are assigned ICT asset custodians and are also assigned appropriate controls in accordance with the QGISCF.
Principle 3 - Human Resources management
Agencies must minimise the risk of loss or misuse of information assets by ensuring that security controls are incorporated into agency human resource management, including the development of supporting policies and processes. At a minimum, agencies must:
- implement induction and ongoing training and security awareness programs, to ensure that all employees are aware of and acknowledge the agency’s information security policy, their security responsibilities and associated security processes
- document and assign security roles and responsibilities where employees have access to security classified information or perform specific security related roles, and ensure that security requirements are addressed, in recruitment and selection and in job descriptions
- develop and implement procedures for the separation of employees from, or movement within, the agency.
Principle 4 - Physical and environmental management
The level of physical controls implemented must minimise or remove the risk of equipment or information being rendered inoperable or inaccessible, or being accessed, used or removed without appropriate authorisation. At a minimum, agencies must ensure that:
- they meet the requirements of the QGISCF
- policies and processes are implemented to monitor and protect the use and/or maintenance of information assets and ICT assets away from premises
- policies and processes are implemented for the secure disposal or reuse of ICT assets which are commensurate with the information asset’s security classification level.
Principle 5 - Communications and operations management
Operational procedures and controls must be documented and implemented to ensure that all information assets and ICT assets are managed securely and consistently, in accordance with the level of required security. Agencies must at a minimum ensure:
- the Network Transmission Security Assurance Framework (NTSAF) is used to ensure the security of data during transportation over communication networks
- a network security policy is developed and documented in line with the NTSAF to guide network administrators in achieving the appropriate level of network security
- adequate controls are defined and implemented for the prevention, detection, removal and reporting of attacks of malicious code on all ICT assets
- comprehensive systems maintenance processes and procedures, including operator and audit/fault logs, information backup procedures and archiving, are implemented
- operational change control procedures are implemented to ensure that changes to information processing facilities or systems are appropriately approved and managed
- methods for exchanging information within the agency, between agencies, through online services, and/or with third parties are compliant with legislative requirements and consistent with the QGISCF
- processes are developed and implemented to periodically review and test firewall rules and associated network architectures to ensure the expected level of network perimeter security is maintained.
Principle 6 - Access management
Control mechanisms based on business requirements, assessed/accepted risks, information classification and legislative obligations must be in place for controlling access to all information assets and ICT assets. At a minimum, agencies must ensure that:
- authentication requirements, including on-line transactions and services, are assessed against the Queensland Government Authentication Framework (QGAF)
- policies and/or procedures for user registration, authentication management, access rights and privileges are defined, documented and implemented for all ICT assets
- control measures are implemented to detect and regularly log, monitor and review information systems and network access and use, including all significant security relevant events.
Principle 7 - System acquisition, development and maintenance
During system acquisition, development and maintenance, security controls must be established and must be commensurate with the security classifications of the information contained within, or passing across, information systems, network infrastructure and applications. Agencies must at a minimum ensure:
- security requirements are addressed in the specifications, analysis and/or design phases and internal and/or external audit are consulted when implementing new or significant changes to financial or critical business information systems
- processes (including data validity checks, audit trails and activity logging) are established in applications to ensure development and support processes do not compromise the security of applications, systems or infrastructure
- authentication processes are consistent with the QGAF
- processes are developed and implemented to manage software vulnerability risk for all IT security infrastructures.
Principle 8 - Incident management
Effective management and response to information security incidents is critical to maintaining secure operations within the Queensland Government. Agencies at a minimum must:
- ensure information security incident management procedures are established to ensure appropriate responses in the event of information security incidents, breaches or system failures
- ensure all information security incidents are reported and escalated (where applicable) through appropriate management channels and/or authorities
- establish and maintain an information security incident and response register and record all incidents
- ensure that information security incidents caused by employees are investigated and where it is found that a deliberate information security violation or breach has occurred, that formal disciplinary processes are applied.
Principle 9 - Business continuity management
A managed process including documented plans must be in place to enable information and ICT assets to be restored or recovered in the event of a disaster or major security failure. At a minimum, agencies must:
- establish an information and ICT asset disaster recovery register to assess and classify systems to determine their criticality
- establish plans and processes to assess the risk and impact of the loss of information and ICT assets on agency business in the event of a disaster or security failure
- develop methods for reducing known risks to agency information and ICT assets
- ensure business continuity and information and ICT asset disaster recovery plans are maintained and tested to ensure systems and information are available and consistent with agency business and service level requirements.
Principle 10 - Compliance management
Agencies must ensure compliance with, and appropriate management of, all legislative and reporting obligations relating to information security. Agencies at a minimum must:
- ensure that all reasonable steps are taken to monitor, review and audit agency information security compliance
- ensure that all agency information security policies, processes and requirements, including contracts with third parties, are reviewed for legislative compliance on a regular basis and the review results reported to appropriate agency management.
This standard has specific reporting requirements. Agencies must submit:
| Reporting requirement | Reporting office | Due date* |
|---|---|---|
| The endorsed Information Security Compliance Checklist | Queensland Government Chief Information Office | 30 October every year |
| The agency's Information Security Event and Incident information as directed by the Queensland Government Chief Information Office | Queensland Government Chief Information Office | Quarterly - March, June, September, December |
| Send Virtual Response Team communication alerts to all agencies as directed by the Queensland Government Chief Information Office | Queensland Government Chief Information Office | Ongoing |
*Due dates may change depending on government commitments and priorities at the time.
This information standard is based on Annex A Control objectives and controls of the AS/NZS ISO IEC 27001:2006 Information technology – Security techniques – Information security management systems – Requirements. Reproduced with permission from SAI Global under Licence 0911-C028.