Information security policy (IS18:2018)

Policy

Final | December 2017 | v7.0.0 | PUBLIC | QGCIO

Purpose

The Queensland Government is responsible for a significant amount of information.  To ensure trust and deliver business value it is critical that this information is protected appropriately.

This policy seeks to ensure all agencies apply a consistent, risk-based approach, to the implementation of information security to maintain confidentiality, integrity and availability.

Policy statement

The Queensland Government will identify and manage risks to information, applications and technologies, through their life cycle, using Information Security Management Systems (ISMS).

Policy benefits

The implementation of this policy will:

  • encourage security functions to be operationalised and integrated with day-to-day/business-as-usual processes and activities enabling the Queensland Government to predict and respond to the changing threat environment
  • enable Queensland Government to align to international best practice approaches
  • facilitate a systematic approach to risk, to improve decision making
  • provide a flexible and tailored approach to meet individual agency business needs and different risk appetites in an increasingly complex ICT and business environment
  • allow for independent security system reviews to provide an increased level of confidence and trust in government
  • support better allocation of time and resources to security challenges relevant to specific agencies
  • leverage increasing industry adoption of ISO 27001 which will assist in aligning requirements and improving transparency when using cloud and managed services.

Applicability

This policy applies to all Queensland Government departments.

Under the Financial and Performance Management Standard 2009 all accountable officers and statutory bodies must safeguard their assets through the establishment of internal controls and must have regard to the Financial Accountability Handbook. In addition, accountable officers or statutory bodies within the scope of the Financial and Performance Management Standard 2009 must in accordance with section 27(3)(a) apply the mandatory principles contained in the information standards and policies issued under the QGEA in developing and implementing any financial information management system. More information on the authority and applicability is available here.

Policy requirements

Policy requirement 1:  Agencies must implement an ISMS based on ISO 27001

Agencies must implement and operate an ISMS based on the current version of ISO 27001  Information technology - Security techniques - Information security management systems – Requirements. The scope of the ISMS will include the protection of all information, application and technology assets.

Policy requirement 2:  Agencies must apply a systematic and repeatable approach to risk management

Risk management is an integral part of operating an ISMS where risks must be considered at a business level. Agencies must adopt a risk management framework by integrating their ISMS into their corporate risk management processes.

Policy requirement 3:  Agencies must meet minimum security requirements

To ensure a consistent security posture, the ISMS must meet the following requirements:

Policy requirement 4:  Agency accountable officers must obtain assurance for systems

Every system is unique and assurance should be applied sensibly and appropriately. Accountable officers must obtain assurance to establish an understanding of information security protections and adherence to information security policy.

The level of assurance applied to systems must be based on the criticality/significance of the system, using the business impact levels determination methodology outlined in the QGISCF.

See the Queensland Government Information Security Assurance Guideline for more information.

Policy requirement 5:  Accountable officers must attest to the appropriateness of agency information security

Agency accountable officers must:

Endorsement must be obtained from the agency's accountable officer through corporate audit and risk committee.

Issue and review

Version: v7.0.0
Issue date: 18 December 2017
Next review date: December 2018

This QGEA policy is published within the QGEA which is administered by the Queensland Government Chief Information Office. It was developed by the QGCIO Cyber-Security Unit and approved by the Queensland Government Chief Information Officer.

Implementation

This policy comes into effect from 1 October 2018.

Reporting requirements

This policy has specific reporting requirements:

#Reporting requirementDate
1a) Agencies must submit an endorsed Information Security Compliance Checklist annually by 30 October every year to the Queensland Government Chief Information Office.
b) Endorsement must be obtained from the agency's accountable officer through corporate audit and risk committee.
annually at 30 October each year
2Communicate incident response activities and threat intelligence to the Queensland Government Chief Information Office Virtual Response Team as per the QGEA Information security incident reporting standard.Ongoing

Last Reviewed: 24 May 2018