What services are available to secure my information?

DMARC

DMARC (Domain-based Message Authentication, Reporting and Conformance), SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) allow agencies to assess the hygiene of all email sent externally under their DNS domain names. DMARC aggregate reports from receiving mail providers show which sources are sending mail that claims to come from an agency domain and whether that mail passed SPF and DKIM checks, so agencies can tell when their email or web domains are being spoofed and potentially used in phishing attacks.

To assist agencies in configuring appropriate DMARC, SPF and DKIM records for their domains, and to give them visibility of the hygiene state of their external email, the QGCIO Cyber Security Unit has centrally funded access to the web-based DMARCAnalyzer service (https://www.dmarcanalyzer.com).
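
The following is an added example and is not code from this page or from the DMARCAnalyzer service. It shows the two checks the service automates: reading a published DMARC TXT record and flagging weak settings (a monitoring-only record beside a hardened one), and summarising a DMARC aggregate (RUA) report to see which sending sources pass or fail for the domain. The report XML, the DNS records, and every domain and IP address in it are constructed placeholders.

```python
"""Added example, not code from the original page or from DMARCAnalyzer:
(1) parse a published DMARC TXT record and flag weak settings, and
(2) summarise a DMARC aggregate (RUA) report to show which sending sources
pass or fail for the domain. The report XML and DNS records below are
constructed for illustration; every domain and IP address is a placeholder."""
import xml.etree.ElementTree as ET

# Constructed aggregate report in the RFC 7489 Appendix C layout.
# Record 1: the agency's own mail server, DKIM and SPF both aligned.
# Record 2: a third-party bulk sender whose SPF passes for its own domain
# but is not aligned with the header From address, so DMARC fails.
SAMPLE_REPORT = """<feedback>
  <report_metadata><org_name>mailbox-provider.example</org_name><report_id>1</report_id></report_metadata>
  <policy_published>
    <domain>agency.example.gov.au</domain>
    <adkim>r</adkim><aspf>r</aspf><p>none</p><sp>none</sp><pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>agency.example.gov.au</header_from></identifiers>
    <auth_results>
      <dkim><domain>agency.example.gov.au</domain><result>pass</result></dkim>
      <spf><domain>agency.example.gov.au</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>198.51.100.7</source_ip><count>35</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>agency.example.gov.au</header_from></identifiers>
    <auth_results><spf><domain>bulk-sender.example</domain><result>pass</result></spf></auth_results>
  </record>
</feedback>"""

# Constructed DMARC records: monitoring-only beside a hardened one.
WEAK_RECORD = "v=DMARC1; p=none"
HARDENED_RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc@agency.example.gov.au; adkim=s; aspf=s"


def parse_dmarc_txt(txt):
    """Split a DMARC TXT record ('v=DMARC1; p=...; ...') into a tag dict."""
    tags = {}
    for part in txt.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip()] = value.strip()
    return tags


def dmarc_warnings(tags):
    """Return the points a reviewer would raise about a published record."""
    warnings = []
    if tags.get("v") != "DMARC1":
        warnings.append("missing v=DMARC1; receivers will ignore the record")
    if tags.get("p", "none") == "none":
        warnings.append("p=none only monitors; spoofed mail is still delivered")
    if "rua" not in tags:
        warnings.append("no rua= address, so no aggregate reports and no visibility")
    return warnings


def summarise_report(xml_text):
    """Per-source DMARC outcome. DMARC passes when aligned DKIM or aligned SPF
    passes; the receiver records that alignment-aware result in policy_evaluated."""
    root = ET.fromstring(xml_text)
    pol = root.find("policy_published")
    summary = {"domain": pol.findtext("domain"), "policy": pol.findtext("p"),
               "sources": [], "passed": 0, "failed": 0}
    for rec in root.findall("record"):
        row = rec.find("row")
        ev = row.find("policy_evaluated")
        count = int(row.findtext("count"))
        dkim_ok, spf_ok = ev.findtext("dkim") == "pass", ev.findtext("spf") == "pass"
        summary["sources"].append({
            "ip": row.findtext("source_ip"), "count": count,
            "header_from": rec.find("identifiers").findtext("header_from"),
            "dkim": dkim_ok, "spf": spf_ok, "dmarc_pass": dkim_ok or spf_ok})
        summary["passed" if dkim_ok or spf_ok else "failed"] += count
    return summary


def failing_sources(summary):
    """Sources to investigate: spoofing, or a legitimate sender not yet set up."""
    return [s for s in summary["sources"] if not s["dmarc_pass"]]


if __name__ == "__main__":
    for rec in (WEAK_RECORD, HARDENED_RECORD):
        print(rec, "->", dmarc_warnings(parse_dmarc_txt(rec)) or "no warnings")
    s = summarise_report(SAMPLE_REPORT)
    print(s["domain"], "p=" + s["policy"], "passed", s["passed"], "failed", s["failed"])
    for src in failing_sources(s):
        print("  investigate", src["ip"], "count", src["count"])
```

The point the second record makes is the one most often missed when reading these reports: a raw SPF pass is not enough. The bulk sender's SPF passes for its own envelope domain, but because that domain is not aligned with the agency domain in the visible From header, the receiver records a DMARC failure. A source like that is either someone spoofing the domain or a legitimate third-party sender that still needs an aligned DKIM signature or an SPF include; the report cannot tell you which, and that is the investigation the service exists to support.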

DMARCAnalyzer training - Part 1

DMARCAnalyzer training - Part 2

Click here for a PDF of the part 2 training video (PDF, 1101.2 KB)

ISMS Community of Practice

A Community of Practice has been established to raise awareness of information security and share information, methods and tools to assist agencies in operating a standards based Information Security Management System (ISMS).

The Community of Practice meets monthly and uses SharePoint for communication. If you wish to be involved, please follow this link: ISMS Community of Practice SharePoint. Please contact cybersecurityunit@qgcio.qld.gov.au for more information.

Questions for ISMS committees

  • Which threat actors are we concerned about?
  • Why would they target us?
  • What are the consequences?
  • What are our most valuable information assets?
  • What threats do we face?
  • Are those threats changing? Are they increasing or decreasing?
  • Which are our greatest threats?
  • Which areas of the business carry the greatest risk?
  • What are the consequences of a cyber security incident to that information and/or business function?
  • What systems hold this data and where is it located?
  • How well are these systems protected?
  • Who is responsible for protecting them?
  • When were the protections last reviewed/tested?
  • How do we know the protection is up to date?
  • What vulnerabilities currently exist in the system?
  • How long have they existed?
  • How long will it take to fix them?
  • Are we reducing or accumulating risks?
  • How does this system's vulnerability posture compare to other systems?
  • When was the last penetration test of this system?
  • What were the findings?
  • Have those findings been addressed?
  • Who has admin access?
  • Is admin access audited/logged/reviewed?
  • Could we detect misuse of or attacks against the system?
  • Do we have a plan to respond to a cyber incident in that system?
  • Do we have an incident response plan?
  • Do we have an assurance plan?
  • Have we implemented the ASD Essential Eight in all areas of the organisation?
  • What risks are we accepting (explicitly / implicitly)?
  • Who is authorised to accept these risks?
  • What is the highest priority investment currently required for cyber security in the organisation?
  • Do we have visibility of security events in our systems?
  • Which areas of the business have the least visibility/control?

Cyber Security Awareness

  • What behaviours of our staff (or clients) increase our risk?
  • What can be done to reduce these behaviours?
  • Is security awareness improving in our staff?
  • How do we compare to similar organisations?
  • How susceptible are we to phishing?
  • How susceptible are we to social engineering?
  • How susceptible are we to physical compromise (tailgating, unescorted visitors, break-in)?

Third party risks

  • Which vendors are we depending on to maintain security?
  • Do we have contractual requirements for them to report security incidents to us?
  • Do we get a regular security status report from them?
  • How do we know they are managing our security effectively?
  • Are there business arrangements and partnerships that handle sensitive data about our business?

Non-IT systems

  • Do we understand the interconnectedness of IT and non-IT systems in our organisation?
  • What Operational Technology (non-IT) do we have? (SCADA, CCTV, building management, process control and other IoT)
  • Have we considered cyber risk to OT?
  • How do executives get a picture of OT risk?
  • How is remote access to these OT systems controlled?

ISO 27000 suite

The ISO/IEC 27000 series of standards will play an important part in the new information security policy. Key standards from the series have been made available free of charge to Queensland Government departments. To access the available standards, please click here.


Last Reviewed: 03 August 2017