Information security policy (IS18:2018)

Policy

Final | June 2019 | v8.1.1 | OFFICIAL - Public | QGCIO

Purpose

The Queensland Government is responsible for a significant amount of information. To ensure trust and deliver business value it is critical that this information is protected appropriately.

This policy seeks to ensure all departments apply a consistent, risk-based approach, to the implementation of information security to maintain confidentiality, integrity and availability.

Policy statement

The Queensland Government will identify and manage risks to information, applications and technologies, through their life cycle, using Information Security Management Systems (ISMS).

Policy benefits

The implementation of this policy will:

  • enable the Queensland Government to predict and respond to the changing threat environment
  • enable the Queensland Government to align to international best practice approaches
  • facilitate a systematic approach to risk and improve decision making
  • provide a flexible and tailored approach to meet individual department business needs and different risk appetites in an increasingly complex ICT and business environment
  • allow for independent security system reviews to provide an increased level of confidence and trust in government
  • support better allocation of time and resources to security challenges relevant to specific departments
  • leverage increasing industry adoption of ISO 27001 which will assist in aligning requirements and improve transparency when using cloud and managed services.

Applicability

This policy applies to all Queensland Government departments (as defined by the Public Service Act 2008). Accountable officers (not already in scope of the Public Service Act 2008) and statutory bodies under the Financial and Performance Management Standard 2019 must have regard to this policy in the context of internal controls, financial information management systems and risk management. Please see the Applicability of the QGEA for further information.

Policy requirements

Policy requirement 1: Departments must implement an ISMS based on ISO 27001

Departments must implement and operate an ISMS based on the current version of ISO 27001 Information technology – Security techniques – Information security management systems – Requirements. The scope of the ISMS will include the protection of all information, application and technology assets.

Policy requirement 2: Departments must apply a systematic and repeatable approach to risk management

Risk management is an integral part of operating an ISMS where risks must be considered at a business level. Departments must adopt a risk management framework by integrating their ISMS into their corporate risk management processes.

Policy requirement 3: Departments must meet minimum security requirements

To ensure a consistent security posture and promote information sharing, Queensland Government departments must comply with the:

Policy requirement 4: Departments' accountable officers must obtain security assurance for systems

Every system is unique and security assurance should be applied sensibly and appropriately. Accountable officers must obtain security assurance to establish an understanding of information security protections and adherence to information security policy.

The level of security assurance applied to systems must be based on the criticality/significance of the system, using the business impact levels determination methodology outlined in the QGISCF.

See the Queensland Government information security assurance and classification guideline for more information.

Policy requirement 5: Accountable officers must attest to the appropriateness of departmental information security

Departmental accountable officers (CEO/Director-General or equivalent) must:

Endorsement must be obtained from the department's accountable officer through the corporate audit and risk committee.

Departments should publish the attestation in a manner that is publicly accessible, for example:

  • department website
  • department annual report.

Issue and review

Version: v8.1.1
Issue date: 17 June 2019
Next review date: June 2020

This QGEA policy is published within the QGEA, which is administered by the Queensland Government Chief Information Office. It was developed by the QGCIO Cyber-Security Unit and approved by the Queensland Government Chief Information Officer.

Implementation

This policy came into effect on 1 October 2018.

Reporting requirements

This policy has specific reporting requirements:

Reporting requirement 1:

  a) For the financial year ending 30 June 2019:

    • Departments must submit an Information security annual return that has been endorsed by the department's accountable officer to the Queensland Government Chief Information Office.
    • Departmental accountable officers must submit a letter of attestation to the Queensland Government Chief Information Officer.

  Date: 30 October 2019

  b) From 2020, for each financial year ending 30 June:

    • Departments must submit an Information security annual return that has been endorsed by the department's accountable officer to the Queensland Government Chief Information Office.
    • Departmental accountable officers must submit a letter of attestation to the Queensland Government Chief Information Officer.

  Date: From 2020, annually at 30 September

Reporting requirement 2: Communicate incident response activities and threat intelligence to the Queensland Government Chief Information Office Virtual Response Team as per the QGEA Information security incident reporting standard.

  Date: Ongoing

Last Reviewed: 26 September 2019