Queensland Government Enterprise Architecture Information security incident reporting standard Final July 2014 v2.0.1 PUBLIC

Queensland Government Enterprise Architecture

Information security incident reporting standard

Final

July 2014

v2.0.1

PUBLIC

QGEA PUBLIC Information security incident reporting standard

Document details

Security classification: PUBLIC

Date of review of security classification: July 2014

Authority: Queensland Government Chief Information Officer

Author: Queensland Government Chief Information Office

Documentation status: Final version

Contact for enquiries and proposed changes

All enquiries regarding this document should be directed in the first instance to:

The Queensland Government Information Security virtual response team (QGISVRT)

[email protected]

Acknowledgements

This version of the Queensland Government Enterprise Architecture (QGEA) Information security incident reporting standard was developed and updated by the Queensland Government Chief Information Office.

Copyright

Information security incident reporting standard

Copyright © The State of Queensland (Queensland Government Chief Information Office) 2013

Licence

Information security incident reporting standard by the Queensland Government Chief Information Office is licensed under a Creative Commons Attribution 3.0 Australia licence. To view the terms of this licence, visit http://creativecommons.org/licenses/by/3.0/au. For permissions beyond the scope of this licence, contact [email protected].

To attribute this material, cite the Queensland Government Chief Information Office.

Information security

This document has been security classified using the Queensland Government Information Security Classification Framework (QGISCF) as PUBLIC and will be managed according to the requirements of the QGISCF.

Final | v2.0.1 | July 2014 Page 2 of 10PUBLIC


Contents

1 Introduction ........................................ 4
1.1 Purpose ........................................... 4
1.2 Audience .......................................... 4
1.3 Scope ............................................. 4
2 Background .......................................... 4
2.1 How can this standard be used? .................... 5
3 The incident reporting process ...................... 6
4 What to report ...................................... 9
5 When and how to report .............................. 9

Figures

Figure 1: Information security incident management – suite of documents ..... 5
Figure 2: Information security incident reporting process ................... 6


1 Introduction

1.1 Purpose

A Queensland Government Enterprise Architecture (QGEA) standard provides information for Queensland Government agencies on the recommended practices for a given topic area. Standards are intended to help agencies understand the appropriate approach to addressing a particular issue or doing a particular task. Unlike a guideline, which is best-practice advice, a standard is enforced by policy.

The Information security incident reporting standard was developed to provide agencies with advice on meeting their information security incident reporting requirements under Information standard 18: Information security (IS18). This standard should also be read in conjunction with the Information security incident category guideline and the Information security incident management guideline.

1.2 Audience

This document is primarily intended for departmental staff and operational areas involved in information security reporting.

1.3 Scope

This standard relates to the incident management and compliance management principles of IS18.

2 Background

The Auditor-General of Queensland Report to Parliament No. 4 for 2009 detailed a number of key network security issues outlined in section 4.2 – information technology network security. With regards to information security incident management, the report found that:

- there is no centrally coordinated reporting and monitoring process for government IT security incidents
- no mandatory standards exist that require agencies to report such incidents
- formal processes for security incident and problem management are not in place
- agencies should monitor their networks for potential security breaches.

This standard was developed to establish an information security reporting process and to provide guidance on what needs to be reported, how it is to be reported and the timelines involved. A centralised incident reporting process for the Queensland Government provides the following benefits:

- facilitates an analysis and understanding of the type and breadth of information security incidents that the Queensland Government faces
- facilitates the development of proactive controls for the whole-of-government to reduce the number of information security incidents within the Queensland Government networks
- allows agencies to use the analysis data to assist with bids for budget funding for the management of their information security incidents
- allows information to be reviewed and correlated across the agency, to allow analysis to determine the scope and priority of control implementation initiatives
- allows agencies to comprehensively define and develop response plans and mitigation strategies
- allows agencies to effectively update their information security policies and plans, including supporting procedures, techniques and training measures to prevent the recurrence of similar information security incidents
- facilitates information sharing and consistency across Queensland Government agencies
- allows more informed business risk and impact analysis across Queensland Government agencies
- allows consistent response plans to be developed by the whole-of-government virtual response team
- supports the implementation of the Information security incident category guideline
- enables consistency with AS/NZS ISO/IEC 27001:2006 Information technology - Security techniques - Information security management systems - Requirements.

2.1 How can this standard be used?

This standard forms part of the supporting documents to assist with implementation of IS18, specifically the principles relating to incident management and compliance management. The suite of supporting documents to assist agencies in meeting their internal incident management requirements and external incident reporting requirements is depicted below in figure 1.

Figure 1: Information security incident management – suite of documents


3 The incident reporting process

Figure 2: Information security incident reporting process


An overview of the steps is as follows:

When an event or incident occurs, agencies may be able to gather data from any automated detection system the agency has in operation (depending on the type of event/incident experienced). However, while incidents can be recorded on these systems, details of the incident must be entered into the agency’s incident and response register (a mandatory requirement under IS18). Agencies may also need to separately record events that fall outside the automated detection systems (e.g. physical access to a secure area) to facilitate agency analysis of events as possible precursors to a larger attack or as evidence of process failure.

The management of the event/incident from this point until its closure is generally outside the scope of this standard (including interacting with the virtual response team for coordination or assistance, and reporting to authorities such as the Queensland Police or the Crime and Misconduct Commission). The one exception is that all events and incidents rated High or Very High must be alerted to the virtual response team as soon as practical (within 48 hours), so that potential implications across government can be considered and attacks that may be directed against multiple agencies are recognised in a timely way.

The agency retains responsibility for management of the event/incident and it should be managed according to internal agency processes. For guidance, refer to the Information security incident management guideline.

Brief notification emails and updates may be used to keep the virtual response team aware of relevant issues. Unless requested by the virtual response team, submission of a completed incident reporting spreadsheet is not required. However, the incident must be included in the quarterly incident reporting.

In addition to mandatory virtual response team notification for high to very high incidents, agencies are encouraged to provide notification when events occur that may impact or interest other agencies. For example, if your agency detects a marked increase in phishing attacks, helpdesk calls about password resets or unusual network traffic, this could be reported to the virtual response team who can assess if this is unique to your agency or across multiple agencies, thereby signalling a more widespread issue that may require a whole-of-government response.

The QGISVRT provides preliminary advice and can assist in a resolution plan for agencies. They assist in attempting to arrange extra support if required and can provide support in communication with other agencies and stakeholders. The QGISVRT is also able to help, when appropriate, in briefings for Director Generals and Ministers.

The QGISVRT may generate de-identified case studies and other material to assist agencies and increase awareness.

As incidents are closed, the agency should complete the accompanying incident reporting spreadsheet.

In order to provide a consistent approach across Queensland Government agencies, all incidents must be assessed against the information security incident severity matrix located in the Information security incident category guideline.

Similar incidents of ‘moderate’ severity may be grouped and summarised in an aggregated manner.

Agencies must send the completed incident reporting spreadsheet to the QGISVRT at the specified reporting intervals. Further information regarding reporting timelines is located in section 5 of this standard and in IS18.

From this point onwards, QGISVRT is responsible for the collection and analysis of the incident data sent by agencies. After analysis, QGISVRT will produce the following reports:

- detailed report – produced quarterly; provides detail on the types of incidents Queensland Government agencies experience
- highlight report – a quarterly snapshot report highlighting the major trends and findings based on the detailed report
- yearly report – produced annually; provides overall statistical analysis of the previous 12-month period.


The following stakeholders will receive copies of the various reports:

- Queensland Government agencies
- Chief Information Officer Leadership Team
- Queensland Government governance bodies of relevance to incident and security event management.

In addition to the above, sanitised aggregate reporting and specific lessons related to incidents will be shared with collaborative and learning peers, such as:

- Cyber Security Operations Centre (CSOC)
- Queensland Government Information Security Forum.

4 What to report

The definitions, categories and severities described in the Information security incident category guideline will be used as the basis for determining and defining what incidents will be reported to QGISVRT as part of the IS18 information security incident reporting requirements.

Incidents categorised as ‘high’ to ‘very high’ severity must be reported as soon as practical (within 48 hours) to the virtual response team at: [email protected].

For quarterly reporting, incidents determined to fall within the ‘moderate’ to ‘very high’ severity range must be reported to the QGISVRT. Similar incidents of ‘moderate’ severity may be grouped and summarised in an aggregated manner. When completing the reporting spreadsheet, agencies should avoid including confidential, sensitive or personal information where possible; a broad outline of the incident details is sufficient. In addition, agencies are only required to submit incidents that have been resolved during the reporting period. Any unresolved incidents should be included in the next reporting period. If an incident remains open after a second reporting period, it should be brought to the QGISVRT’s attention via a separate report attached to the information security incident reporting spreadsheet.

Agencies may report to the QGISVRT, at any time, any other event they feel could be useful for wider awareness.

Agencies will be notified in advance if there are any alterations to the severities and/or categories which must be reported to QGISVRT using the information security incident reporting spreadsheet.

5 When and how to report

Incidents categorised as ‘high’ to ‘very high’ severity must be reported as soon as practical (within 48 hours) to the virtual response team at: [email protected].

Agencies should provide a list of staff authorised to submit the completed incident reporting spreadsheet to QGISVRT. Only those spreadsheets received from authorised agency representatives will be included in analysis. Authorised agency staff must provide the completed incident reporting spreadsheet to QGISVRT on a quarterly basis as described in the reporting requirements section within IS18.

Quarterly reporting periods run through to the last day of March, June, September and December of each year. In the event that no events have occurred, agencies must still submit an email advising that no reportable events have occurred. Agencies should submit their quarterly reports no later than 10 business days from the end of each reporting period to [email protected]. This spreadsheet will inform agencies as to the type of information that will be collected as part of the incident reporting.

The incident reporting spreadsheet will be accepted by QGISVRT from agency approved representatives via the following email address: [email protected].
