Final | September 2018 | v3.0.0 | OFFICIAL - Public | QGCIO
A Queensland Government Enterprise Architecture (QGEA) standard provides information for Queensland Government departments on the recommended practices for a given topic area. They are intended to help departments understand the appropriate approach to addressing a particular issue or doing a particular task. Unlike a guideline, which is better practice advice, a standard is enforced by policy.
The Information security incident reporting standard was developed to provide departments advice in meeting their information security incident reporting requirements under the Information security policy (IS18:2018). This standard should be read in conjunction with the Information security incident management guideline.
This document is primarily intended for departmental staff and operational areas involved in information security incident management, response and reporting.
This standard relates to reporting requirement within the Information security policy (IS18:2018).
Mandatory reporting requirements are indicated by the word “must”. All other elements are either informative or are recommendations and are indicated by the word “should”.
The Information security incident management guideline provides guidance on meeting reporting obligations.
Information security event
A security ‘event’ is ‘an identified occurrence of a system, service or network state indicating a possible breach of information security, policy or failure of controls, or a previously unknown situation that may be security relevant’ [ISO/IEC 27000:2018].
Information security incident
An information security ‘incident’ is defined as ‘a single or a series of unwanted or unexpected information security events that have a significant probability of compromising business operations and threatening information security’ [ISO/IEC 27000:2018].
This standard has been developed to centrally coordinate reporting and monitoring processes for information security incidents within Queensland government. The Queensland Government Chief Information Office (QGCIO) houses the Queensland Government Information Security Virtual Response Team (QGISVRT). The QGISVRT are the central point of contact for information security incident reporting, and are responsible for incident coordination from a whole-of-government perspective.
Incident reporting provides significant benefits for both Queensland Government departments and the QGISVRT:
- reporting obligations ensure information is provided in a timely manner through appropriate channels to the intended audience
- QGISVRT can advise departments how to contain/limit the impact from an incident, or direct them to other sources for incident management or resolution
- mandatory incident reporting fields ensure information is accurate, complete and actionable
- quarterly reporting builds a comprehensive security risk profile which can be used for trend analysis
- continuous improvement of incident response processes and appropriate control selection through the application of lessons learned
- allows consistent response plans to be developed by the QGISVRT.
The Business Impact Level (BIL) reporting table determines a department’s reporting obligations in relation to an information security incident.
BIL’s are defined in the Queensland Government Information Security Classification Framework (QGISCF) and are determined by the business owner of the system.
If a system does not have a BIL assigned, the business owner of the system must be consulted to determine the appropriate level.
Systems which have not been assessed under the Queensland Government Information Security Classification Framework v4.0.0 (QGISCF) should use ‘Appendix C - Mapping between old and new confidentiality classifications’ to determine immediate reporting requirements.
It should be noted this is based on ‘confidentiality’ only, and a full assessment of the system should be completed once the incident has concluded to determine the systems integrity and availability BILs.
Departments must report:
- immediately for security incidents affecting a system with a Medium BIL or above
- immediately for security incidents affecting multiple systems / departments
- quarterly for all other security incidents.
- report and share all security related events or incidents.
Business impact level reporting table
The table below will determine a department’s reporting requirements.
|Breadth of the incident||Business impact level|
|Single department / system||Quarterly||Immediately|
|Multiple departments / systems||Immediately|
What to report
- submit to the QGISVRT data for all ‘information security incident reporting fields’ (see 3.4 – Information security incident reporting fields section)
- report incidents as per the BIL reporting table to the QGISVRT.
- group and summarise similar incidents which do not meet the immediate reporting obligations, which are to be included in quarterly reporting
- document and maintain all information security incidents within an auditable information security incident register.
When and how to report
For immediate reporting, departments must:
- report incidents at the point they are determined to correspond with an ‘immediate’ requirement in the BIL reporting table (see 3.1 – Reporting obligations) to the QGISVRT
- use any of the following communications channels:
- phone - 07 3215 3951
- email – firstname.lastname@example.org
- formally agreed upon channel between the department and CSU prior to the incident occurring
For quarterly reporting, departments must:
- provide a copy of the department’s information security incident register for that quarter to the QGISVRT
- ensure reports are submitted no later than two weeks after the final day in each quarter
- Chief Information Officers (CIO) can seek a temporary extension for their department by emailing QGISVRT@qld.gov.au
- QGISVRT will notify a departments CIO of non-compliance with this standard if reports are not received within the given timeframe.
- ensure incidents are reported to the QGISVRT by a person whose roles and responsibilities include information security
- operate a platform which allows for the aggregation of security event and incident information / logs, which is made available to the QGISVRT (read-only access)
- report and share all security related events or incidents.
Departments who opt to provide the QGISVRT with read-only, real-time access to their information security incident register (or SIEM) will be noted as meeting their quarterly reporting obligations.
Reporting quarter 1 (Q1) 1 January to 31 March
Reporting quarter 2 (Q2) 1 April to 30 June
Reporting quarter 3 (Q3) 1 July to 30 September
Reporting quarter 4 (Q4) 1 October to 31 December
Information security incident reporting fields
Information security incident management can involve making critical business decisions. To support these decisions, information must be timely, accurate and complete.
The mandatory ‘information security incident reporting fields’ standardise the minimum incident information that must be captured by departments and reported to the QGISVRT.
Where information is incomplete or not yet available, departments must provide an update when it becomes available.
Departments must report:
- Contact information
- Date and time discovered
- Incident scope
- Business impact level
- Incident summary
- Impact to the department
- Incident type (see Appendix B)
- Indicators of compromise (IOC’s)
Departments should report:
How QGISVRT uses incident information
The QGISVRT collects and maintains a register of information security incidents which enables it to:
- effectively coordinate whole-of-government incident response
- maintain visibility of incidents which may impact other government departments
- provide advice and guidance to departments handling incidents.
- collect and securely store information relating to information security incidents
- by default, share de-identified threat intelligence (where possible) gathered during an incident, such as indicators of compromise, unless requested not to by a department
- analyse and interpret incident information to identify trends or patterns, provide advice to agencies, determine the impact to whole-of-government and publish de-identified materials relating to the analysis of incidents.
QGCIO will not:
- Provide information to entities outside of Queensland Government which may identify a department / agency without their express permission.
Mandatory information security incident reporting fields
Successful information security incident management relies on data consistency and data quality
The benefits of consistent and quality data include:
- quicker response times
- actionable information
- reduced uncertainty
- reduced duplication of effort
- increased confidence in information and recommendations.
To ensure the QGISVRT is able to fulfil its role effectively and efficiently, the following fields must be completed when submitting an incident report to the QGISVRT.
This is the primary contact point for the incident in your department.
Recommended details include:
- The name of your department
- The name of the staff member reporting the incident
- Phone number(s)
- Email address(s)
Date and time discovered
Date and time (GMT+10) the incident was first discovered
Note: Cloud-based services may use UTC, these should be translated into GMT+10 to ensure accurate timelines are maintained.
The department’s determination of how wide spread is the incident. Particularly relevant for Service Providers where one incident may affect multiple customers.
Business Impact Level (if not known) must be determined by referring to the Queensland Government Information Security Classification Framework (QGISCF).
Note: Initial reporting can include the BIL by itself however, ideally the Confidentiality, Integrity and Availability ratings should be made available to provide context around the affected asset.
A brief description of the incident
Example: ‘External webserver compromised via a publicly available remote code execution exploit’
Impact to the department
A brief description of how the business has been impacted i.e. the real-world consequences.
Example 1: ‘Customers are unable to submit renewals requests via the website, causing increased call centre traffic and complaints’.
Example 2: ‘A Director-Generals email account has been compromised and is sending malicious emails’
What type of incident has occurred based on the definitions in ‘Appendix B – Incident type’
Indicators of compromise
These are the artefacts of the event or incident which can be used to determine if a compromise may have occurred, for example:
- IP addresses
- Email headers
- Email addresses
- Email subjects
- Email body
- Web Domains
- File hashes
- File types / files
- Other indicators of relevance
For the purposes of information security event and incident reporting, incidents must be assigned an incident classification from the table below
Theft/loss of assets
The theft or loss of any information or technology asset/device (including portable and fixed media) that might have been or has been used to either process or store Queensland Government information.
The compromise of Queensland Government account credentials providing unauthorised access to a malicious 3rd party. This often involves leveraging the targets position of trust, or escalating privileges to move laterally.
Types of account compromises include:
- Business email compromise
- Local credentials (LAN)
- Administrator credentials
- SaaS Credentials
Emails or domains which masquerade as a legitimate entity with the goal of compromising a user’s information such as:
- Access credentials
- Personal information
- Banking information
Unauthorised access to information/systems
Unauthorised access from internal and external sources to Queensland Government information and systems.
Use this type if the incident does not fit into account compromise or intrusions against networks.
Unauthorised release of or disclosure of information
Unauthorised release or disclosure of Queensland Government information.
Software programs designed to cause damage to Queensland Government systems.
Software programs designed to extort a payment, usually financial, by denying authorised user access to Queensland Government information systems.
Intrusions against networks
Intrusions targeting Queensland Government internal infrastructure. This includes but is not limited to:
- Remote code execution
- Denial-of-service (DoS)/distributed denial-of-service (DDoS)
- Website defacements
- Brute force attempts.
Intrusions that cannot be attributed, after analysis, to what is considered consistent with Internet noise. For example intrusion attempts that consistently target internal network infrastructure, users or services provided for external use such as web applications.
Abuse of privileges
Unauthorised changes to privileged user settings on stand-alone or networked equipment including network profiles, local user or device configuration files that have not been approved through the Department’s change management process.
Unauthorised changes to information, applications, systems or hardware
Any unauthorised changes to an organisation’s file system, including media, through insertion, modification or deletion. For example, changes to the standard operating environments (SOEs), addition of executables or the modification of an executable’s configuration.
Any unauthorised installation of additional processing, communications or storage equipment into the IT network. This includes but is not limited to:
- routers, switches, modems, firewalls
- portable games units
- USB devices
- smart phones
- wireless access points.
Violation of information security policy
Any violation of information security policy or the information security related aspects of the code of conduct.
Suspicious system behaviour or failure (hardware/software) or communications)
Unknown network activities affecting/degrading network performance with increased network bandwidth usage and decreased response time, using excessive CPU, increased suspicious network requests or increased Intrusion Detection System (IDS)/Intrusion Prevention System (IPS) alerts leading to application crashes.
Includes a malfunction within the electronic circuits, electromechanical components of a computer/communications system, or malfunction/inability of a program to continue processing due to erroneous logic.
Sharing/stealing/loss of passwords or other authentication token.
Any damage or destruction of physical information assets or electronic devices.
Natural events and other events which result in damage to information and systems. This includes but is not limited to:
- excessive heat
- biological agents
- toxic dispersion
- power outage.
Mapping between old and new confidentiality classification
Click the thumbnail below to download