
ICT Policy and Coordination Office Department of Public Works

Queensland Government Enterprise Architecture

Information Standard 18: Information Security - Implementation Guideline

Final

July 2011

v1.0.2

PUBLIC


QGEA

Information Standard 18: Information Security - Implementation Guideline

Final v1.0.2, July 2011 Page 2 of 37

PUBLIC

PUBLIC

Document details

Security classification: PUBLIC

Date of review of security classification: July 2011

Authority: Queensland Government Chief Information Officer

Author: ICT Policy and Coordination Office

Documentation status: Final version

Contact for enquiries and proposed changes: All enquiries regarding this document should be directed in the first instance to: Director, Policy Development, ICT Policy and Coordination Office, [email protected]

Acknowledgements: This version of the Information Standard 18: Information Security - Implementation Guideline was developed and updated by the ICT Policy and Coordination Office.

This guideline is based on Annex A Control objectives and controls of AS/NZS ISO/IEC 27001:2006 Information technology – Security techniques – Information security management systems – Requirements. Reproduced with permission from SAI Global under Licence 0911-C028.

Feedback was also received from a number of agencies, including members of the Information Security Reference Group, which was greatly appreciated.

Copyright

Information Standard 18: Information Security - Implementation Guideline

Copyright © The State of Queensland (Department of Public Works) 2010

Information security

This document has been security classified using the Queensland Government Information Security Classification Framework (QGISCF) as PUBLIC and will be managed according to the requirements of the QGISCF.


Contents

1 Introduction 5
1.1 Purpose 5
1.2 Audience 5
1.3 Scope 5
1.4 Document structure 5
2 Background 6
3 Policy, planning and governance 8
3.1 Information security policy 8
3.2 Information security plan 8
3.3 Internal governance 10
3.4 External party governance 10
4 Asset management 11
4.1 Asset protection responsibility 11
4.2 Information security classification 12
5 Human resources management 12
5.1 Pre-employment 12
5.2 During employment 12
5.3 Post-employment 13
6 Physical and environmental management 15
6.1 Building controls and secure areas 15
6.2 Equipment security 15
7 Communications and operations management 17
7.1 Operational procedures and responsibilities 17
7.2 Third party service delivery 17
7.3 Capacity planning and system acceptance 17
7.4 Application integrity 17
7.5 Backup procedures 19
7.6 Network security 20
7.7 Media handling 22
7.8 Information exchange 23
7.9 eCommerce 24
7.10 Information processing monitoring 24
8 Access management 26
8.1 Access control policy 26
8.2 Authentication 26
8.3 User access 26
8.4 User responsibilities 27
8.5 Network access 27
8.6 Operating system access 27
8.7 Application and information access 28
8.8 Mobile computing and telework access 28
9 System acquisition, development and maintenance 29
9.1 System security requirements 29
9.2 Correct processing 29
9.3 Cryptographic controls 29
9.4 System files 29
9.5 Secure development and support processes 30
9.6 Technical vulnerability management 30
10 Incident management 31
10.1 Event/weakness reporting 31
10.2 Incident procedures 31
11 Business continuity management 33
11.1 Business continuity 33
11.2 Disaster recovery 33
12 Compliance management 34
12.1 Legal requirements 34
12.2 Policy requirements 34
12.3 Audit requirements 34
13 Reporting requirements 35
13.1 Event and incident information 35
13.2 VRT communication alerts 35
Appendix A Information security related legislation and standards 36


1 Introduction

1.1 Purpose

This guideline provides information and advice for Queensland Government agencies to consider when implementing the mandatory principles of Information Standard 18: Information security (IS18). The requirements of IS18 and this supporting guideline are based on the three elements of information security:

confidentiality – ensuring that information is accessible only to those authorised to have access
integrity – safeguarding the accuracy and completeness of information and processing methods
availability – ensuring that authorised users have access to information and associated assets when required.

These guidelines do not form the mandatory component of IS18 and are for information only; however, they are based on best practice and agencies are strongly recommended to consider the advice provided in this document.

1.2 Audience

This document is primarily intended for:

information security governance bodies
information security strategic areas
information security operational areas.

1.3 Scope

This guideline supports IS18.

1.4 Document structure

The Queensland Government Information Security Policy Framework (QGISPF) represents information security at two levels of detail. This guideline has been similarly divided into two levels of domains, with the ten level one domains corresponding with the ten mandatory principles in IS18. Please note a 'reporting requirements' heading has also been included to align with IS18. Headings are as follows:

policy, planning and governance
asset management
human resources management
physical and environmental management
communications and operations management
access management
system acquisition, development and maintenance
incident management
business continuity management
compliance management
reporting requirements.


2 Background

IS18 has been developed to provide agencies with the minimum requirements for information security management. However, some agencies may find that their particular agency requires more stringent information security controls to be implemented. In these cases it is suggested that agencies refer to the following for guidance:

ISO/IEC 27000 series of standards (incorporating the former ISO/IEC 17799, since renumbered ISO/IEC 27002) – the International Standard ISO/IEC 27000 series is available through Standards Australia (SAI Global distributors).
Tools and templates (Queensland Government employees only) issued by Security Planning and Coordination, Queensland Police Service (a function formerly residing in the Department of Premier and Cabinet)
Australian Government Protective Security Policy Framework – the Australian Government Protective Security Policy Framework (PSPF) is issued by the Attorney-General's Department. This standard is restricted to Government agencies and can be purchased by emailing [email protected]. The PSPF has superseded the Australian Government Protective Security Manual (PSM) as of June 2010
Australian Government Information Security Manual – the Australian Government Information Security Manual (ISM) is available through the Department of Defence – Defence Signals Directorate website.

Agencies may also consider the application of various methods and industry frameworks for managing their agency information security.

Note that the Queensland Government is not legislatively obliged to comply with the PSPF and ISM. However, the Queensland Government is a signatory to a Memorandum of Understanding that commits it to engage in practices consistent with these manuals.

There are a number of other documents that support implementation of IS18 that have been produced by the ICT Policy and Coordination Office. These documents are referred to throughout this document and also in Figure 1 (page 7).


[Figure 1 (diagram, not reproduced in this transcript): 'Queensland Government Information Standard 18: Information Security' at the top; the ten mandatory principles in the middle (1 Policy, Planning and Governance; 2 Asset Management; 3 Human Resource Management; 4 Physical and Environmental Management; 5 Communications and Operations Management; 6 Access Management; 7 System Acquisition, Development and Maintenance; 8 Incident Management; 9 Business Continuity Management; 10 Compliance Management); and 'Queensland Government Information Standard 18: Information Security – Implementation guideline' at the bottom. Supporting products are attached to the principles and keyed in the figure as either mandatory or non-mandatory: QGIS policy – mandatory clauses; Implementing internal information security governance; External information security governance; QGISCF; QGISCS; NTSAF; QGAF; Information security event and incident reporting standard and spreadsheet; Information security incident category guideline; Business continuity plan documentation guideline; Disaster recovery planning guideline; IS18 compliance spreadsheet.]

Figure 1 IS18: Information security supporting documents organised by mandatory principle


3 Policy, planning and governance

3.1 Information security policy

The agency information security policy serves as the foundation for information security management within the agency. The development of this policy is the first step in establishing management commitment and the responsibilities for information security within the agency, and it should therefore be concise and clear. The Information Security Policy – Mandatory Clauses has been developed to assist agencies in the development of their information security policy; it details the minimum set of mandatory requirements and quality criteria that must be included within the agency policy and makes suggestions for agency-specific considerations.

3.2 Information security plan

The level of detail contained in the agency's information security plan should be commensurate with the complexity of the agency's information environment, its business functions and the information security risks that it faces. The suggested approach for the development of the plan is to:

develop an overarching information security plan, which outlines the security program for the agency as a whole
support this information security plan with a number of detailed plans for each separate entity/agency portfolio and/or significant or high risk agency information systems and processes.

Regardless of the development or format of the plan, information security planning should be integrated into the agency's culture through its strategic and organisational plans and operational practices. Security considerations should be incorporated into the agency corporate planning process and ICT strategic resource planning, to ensure that the agency information security plan meets the business and operational needs of the agency and its clients.

3.2.1 Suggested steps for developing an information security plan

There are a number of steps which should be used to develop the agency information security plan.

Step 1: Identify agency goals and objectives for information security

Identify linkages between the agency information security policy and all agency corporate plans, strategies, goals and objectives to establish the key areas which may impact on the current or future information security environment of the agency.

Step 2: Identify major information assets and business critical ICT assets

This information may be sourced from the agency's disaster recovery register. Agencies are required to establish this register under IS18.

Step 3: Conduct a risk assessment

Conduct a risk assessment on the major information assets with the assigned owners of these assets on an annual basis or after any significant change has occurred (e.g. machinery-of-Government changes).


The process or methodology used by the agency to assess security risks should be based on the agency's preferred risk management processes. In the absence of an agency risk methodology, agencies are encouraged to utilise AS/NZS ISO 31000:2009 Risk management – Principles and guidelines.

Step 4: Current situation

Gather information regarding existing agency security policies, procedures and controls and map these against the:

data obtained from the risk assessment process
mandatory principles of IS18 and/or any other security standards that the agency uses
agency's security architecture targets.

Step 5: Analysis of any gaps and the effectiveness of existing controls

Conduct an analysis of any gaps and the effectiveness of the existing controls against the information obtained from step 4 above.

Step 6: Develop recommendations and strategies

Develop and document recommended controls and a prioritised plan of actions/strategies which need to be implemented or maintained to achieve the desired level of agency security, how this is to be achieved and who is responsible. Information security plans should provide for treatments that are both cost-effective and appropriate to the level of risk. Where an agency identifies a high level of risk in its information environment (based on the information security classification of information assets in its care), it is suggested that it consult with specialist information security agencies or industry professional bodies for advice or technical assistance in developing its strategies and plans.

Step 7: Identify outstanding/residual risks that will not be treated

Document any ongoing risks that will remain untreated or are assessed as acceptable risks.

Step 8: Obtain agreement on risks and strategies

To ensure that the information security plan meets the requirements of the business, it is important to gain agreement from the information asset owners. This will ensure that the strategies and plan adequately reflect the protection of the assets from a business perspective and will also inform the prioritisation process for treatment.

Step 9: Develop actions and timetable

Document and develop a detailed plan of activities and actions, along with timeframes, for implementing the controls and strategies agreed on.

Step 10: Determine resourcing

Document and detail the resourcing requirements for the implementation of the controls and strategies, including the personnel, materials and budget for its implementation.

Step 11: Endorsement and publishing of the information security plan

Gain endorsement of the information security plan from the appropriate governance body and senior executive on an annual basis.


Step 12: Implementation of the information security plan

To facilitate a systematic and co-ordinated approach to security and risk management, agencies should establish a structure or framework to help develop and implement the agency information security plan.

Step 13: Ongoing monitoring and review

To ensure that security controls in the agency continue to remain relevant to the agency goals, objectives and operational and business environments, the agency's information security plan should be reviewed, monitored and reported on, on an ongoing basis. The information gained from these activities is used to inform future agency security plans and strategies.

It is suggested that agencies review their security plan at least annually to identify changes to the risk profile and to assess the effectiveness of existing controls. Further to this, the agency should ensure that security planning becomes an integral component of all agency management, projects and activities rather than an isolated, once-a-year planning activity.

3.2.2 General agency security plan

Whilst the ICT Policy and Coordination Office works with agencies to improve information security practices across the Queensland Government, protective security and counter-terrorism issues throughout Queensland are coordinated by the Queensland Police Service. The Government Asset Protection (GAP) Project has produced the Guide for general security planning, which agencies should refer to when developing their general agency security plan. Enquiries about this document can be directed to the Queensland Police Service's Security Planning and Coordination team on 07 3406 3677 or by emailing [email protected].

3.3 Internal governance

The Information Security Internal Governance Guideline provides implementation advice for this domain.

Information on internal governance arrangements for ICT and for information management is available in the following documents respectively:

Information Standard 2: ICT Resources Strategic Planning
Information Security Internal Governance Guideline.

3.4 External party governance

See the Information Security External Party Governance Guideline.


4 Asset management

4.1 Asset protection responsibility

4.1.1 Information assets

It is a requirement of Information Standard 44: Information asset custodianship (IS44) that agencies:

identify their information assets
establish and maintain an information asset register.

Agencies may wish to use this register, or establish a separate one, to record the information security classification of their information assets. The following documents provide agencies with implementation guidance:

IS44
Identification and classification of information assets guideline
Queensland Government Information Security Classification Framework (QGISCF)
Queensland Government Information Security Controls Standard (QGISCS).

Disposal of information assets

For information assets that are public records, their retention and disposal must be managed in accordance with a retention and disposal schedule approved by the State Archivist under the Public Records Act 2002. For further information regarding the disposal of records, agencies should refer to Information Standard 31: Retention and disposal of public records (IS31).

For all other information assets agencies should refer to the QGISCF and the QGISCS.

Refer to section 6.2 (Equipment security) for guidance on the disposal of equipment.

4.1.2 Control of technology devices

It is a requirement of IS18 and the Information Security Policy – Mandatory Clauses that agencies identify their ICT assets, document them and assign owners for the maintenance of information security controls. ICT assets must be assigned information security controls commensurate with the highest level of security classification applied to the information assets contained within, or transmitted via, the ICT asset. The following documents provide agencies with further implementation requirements and guidance:

Queensland Government Information Security Classification Framework (QGISCF)
Queensland Government Network Transmission Security Assurance Framework (NTSAF).

In the absence of advice within these documents, agencies should consider guidance from the:

PSPF
ISM.


4.2 Information security classification

Agencies should refer to the QGISCF, which provides detailed implementation requirements and guidance with respect to the information security classification and control of information assets. Additional advice is available within the QGISCS.

Agencies should be mindful that the information security classification of an information asset does not limit the operation of legislation. For example, a policy document classified as PROTECTED may be assessed as suitable for release under the Right to Information Act 2009. In this situation, the information would need to be reclassified as PUBLIC.
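The two rules above can be checked mechanically against an asset register: section 4.1.2 requires that an ICT asset's controls be rated for the highest classification of the information assets it holds or transmits (and that every asset has an assigned owner), and section 4.2 notes that a reclassification (for example PROTECTED to PUBLIC after a Right to Information release) changes what those controls must be. The following is an added example, not code from the guideline or from the Queensland Government. It assumes a three-level classification ladder: only PUBLIC and PROTECTED are named in this guideline, and the X-IN-CONFIDENCE level between them is assumed for illustration. The register entries, identifiers and owner names are constructed sample data.

```python
"""Added example: consistency check for an information/ICT asset register.

Not part of the IS18 guideline. The classification ladder is an assumption:
only PUBLIC and PROTECTED are named in the guideline; X-IN-CONFIDENCE is an
assumed intermediate level. Register contents below are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Lowest to highest. Assumed ordering for illustration only.
CLASSIFICATION_ORDER = ["PUBLIC", "X-IN-CONFIDENCE", "PROTECTED"]
RANK = {name: i for i, name in enumerate(CLASSIFICATION_ORDER)}


@dataclass
class InformationAsset:
    asset_id: str
    classification: str
    owner: Optional[str] = None


@dataclass
class IctAsset:
    asset_id: str
    control_level: str                  # classification the applied controls are rated for
    owner: Optional[str] = None
    holds: List[str] = field(default_factory=list)      # information assets stored on it
    transmits: List[str] = field(default_factory=list)  # information assets passing through it


def required_control_level(ict: IctAsset, info: Dict[str, InformationAsset]) -> str:
    """Highest classification among the registered information assets the ICT asset
    holds or transmits (the 4.1.2 rule). Unregistered references and unknown levels
    are skipped here; check_register reports them separately."""
    ranks = [RANK[info[i].classification]
             for i in ict.holds + ict.transmits
             if i in info and info[i].classification in RANK]
    return CLASSIFICATION_ORDER[max(ranks, default=0)]


def check_register(info_assets: List[InformationAsset],
                   ict_assets: List[IctAsset]) -> List[str]:
    """Return findings as strings; an empty list means the register is consistent."""
    info = {a.asset_id: a for a in info_assets}
    findings: List[str] = []
    for a in info_assets:
        if a.classification not in RANK:
            findings.append(f"{a.asset_id}: unknown classification {a.classification!r}")
        if not a.owner:
            findings.append(f"{a.asset_id}: no owner assigned")
    for ict in ict_assets:
        if not ict.owner:
            findings.append(f"{ict.asset_id}: no owner assigned")
        for ref in ict.holds + ict.transmits:
            if ref not in info:
                findings.append(f"{ict.asset_id}: references unregistered information asset {ref}")
        need = required_control_level(ict, info)
        # An unknown control_level ranks below everything and is always flagged.
        if RANK.get(ict.control_level, -1) < RANK[need]:
            findings.append(f"{ict.asset_id}: controls rated {ict.control_level} "
                            f"but {need} required")
    return findings


def reclassify(info_assets: List[InformationAsset], asset_id: str,
               new_classification: str) -> InformationAsset:
    """Record a reclassification (e.g. PROTECTED -> PUBLIC after a Right to
    Information release, as in 4.2). Rerun check_register afterwards, since the
    required control level of every ICT asset holding or carrying it may change."""
    if new_classification not in RANK:
        raise ValueError(f"unknown classification {new_classification!r}")
    for a in info_assets:
        if a.asset_id == asset_id:
            a.classification = new_classification
            return a
    raise KeyError(asset_id)


def sample_register() -> Tuple[List[InformationAsset], List[IctAsset]]:
    """Constructed sample data; all identifiers and owners are hypothetical."""
    info = [
        InformationAsset("IA-1", "PUBLIC", owner="Web team"),
        InformationAsset("IA-2", "PROTECTED", owner="Policy unit"),
        InformationAsset("IA-3", "X-IN-CONFIDENCE"),            # owner missing
    ]
    ict = [
        IctAsset("SRV-WEB", "PUBLIC", owner="ICT operations", holds=["IA-1"]),
        IctAsset("SRV-FILE", "X-IN-CONFIDENCE", owner="ICT operations",
                 holds=["IA-2", "IA-3"]),                        # under-controlled
        IctAsset("LINK-WAN", "PUBLIC", transmits=["IA-2"]),      # no owner, under-controlled
    ]
    return info, ict


if __name__ == "__main__":
    info, ict = sample_register()
    for line in check_register(info, ict):
        print(line)
```

Run as a script it lists four findings for the sample register: the unowned information asset, the two under-controlled ICT assets and the unowned WAN link. Reclassifying IA-2 to PUBLIC with reclassify() and re-running check_register() clears the two control-level findings, which is the point of 4.2: the register, not the ICT asset, is where the change is recorded, and the control check is derived from it.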

5 Human resources management

5.1 Pre-employment

Depending on the nature of the agency's business, consideration should be given as to whether:

specific information security clauses should be included in terms and conditions of employment (e.g. responsibilities and disciplinary processes)
additional scrutiny is required during the recruitment and selection phase for positions involving exposure to classified or sensitive information, or where relevant legislation is in place (e.g. security assessments and criminal history checks). When dealing with employment for these types of positions, the following are examples of the requirements the agency needs to consider:
– the availability of satisfactory character referees
– the completeness and accuracy of resume and qualifications
– security and criminal history checks (where required under legislation or where clearly identified risks can be reduced by such checks)
– the PSPF, for further information on employing staff who will be dealing with national security classified information.

5.2 During employment

5.2.1 Induction, training and awareness programs

The information security induction, training and awareness program should:

address all levels of staff and all areas of the agency
cover the following:
– general employee responsibilities (see Information Security Internal Governance Guideline)
– information security responsibilities concerned with particular roles (see Information Security Internal Governance Guideline)
– the correct operation of information systems and ICT facilities and devices (see also Information Standard 38: Use of ICT Facilities and Devices (IS38))
– reporting of information security events, weaknesses and incidents
– information security related responsibilities within the agency code of conduct and the disciplinary penalties for breaches
be updated regularly to include changes in the information security plan and policy
include regular refresher training.


Examples of mechanisms that agencies may consider when developing information security induction, training and awareness programs include:

addressing information security responsibilities within the agency’s code of conduct

briefing sessions

online tutorials

regular distribution of educational material (eg. security updates, log-on notices, factsheets, newsletter articles and posters)

distributing copies of the agency’s information security policy and obtaining a signed acknowledgement of understanding from each employee (especially those that handle classified information).

It is the responsibility of:

managers to ensure that their employees undertake information security induction training and regular refresher training

agency employees to understand and follow information security policy and processes.

5.2.2 Roles and responsibilities

High level information security roles and responsibilities are defined within the Information Security Internal Governance Guideline. Agencies should use this guideline as a basis for developing, documenting and assigning information security roles and responsibilities within their environment.

5.2.3 Disciplinary processes

The disciplinary actions and processes for misconduct and official misconduct should be determined under the Public Service Act 2008 and/or other relevant legislation, regulation and policy that apply to the agency. These should be documented in the agency’s terms and conditions of employment.

For guidance on information security incident management, agencies should refer to Section 10 – Incident Management in this document.

5.3 Post-employment

The Public Service Commission’s Directive No. 2/09: Employment separations procedures requires agencies to establish separation procedures in all cases where an employee is separating employment from the Queensland Public Service. Implementation of this directive is supported by an Employment separation checklist.

In addition, the Information Security Policy – Mandatory Clauses requires agencies to set up procedures for ensuring the security of the agency during the separation of employees from, or movement within, the agency. It is recommended that agencies also ensure that procedures are in place for termination of employment.

To meet this requirement, it is suggested that agencies implement:

exit interviews that ensure the employee understands their continuing responsibilities for maintaining information confidentiality and privacy (especially when the employee has had access to classified information), and respecting the Queensland Government’s intellectual property rights – this should include the consequences of non-compliance with these responsibilities


separation checklists that confirm:

– exit interview has been conducted

– all Queensland Government property has been returned (eg. access cards/keys, credit cards, mobile phones, personal digital assistants)

– the employee’s user ID has been disabled and access rights revoked.

As is the case with many personnel security issues, the responsibility for employee separation procedures does not remain with one area of the agency but requires a coordinated approach across the agency.


6 Physical and environmental management

Agency information security should work with those responsible for protective security within their agency to ensure that appropriate physical and environmental management controls are implemented.

6.1 Building controls and secure areas

The level of building and secure area controls to be implemented would depend on the classification of information assets stored therein under the QGISCF. The QGISCF and the QGISCS provide some guidance with regard to building controls and secure areas.

In the absence of advice within these documents, agencies should refer to:

Guides and tools (Queensland Government employees only) issued by the Security Planning and Coordination unit within the Queensland Police Service

AS 2834-1995 Computer accommodation

PSPF

ISM.

6.2 Equipment security

The level of controls to be applied to agency equipment would depend on the classification of the information assets the equipment stores or transmits under the QGISCF. The QGISCF provides some guidance with regard to the following controls:

preparation and handling

removal from workplace and monitoring

discussing classified information (including telephone and video conference)

copying and storage

electronic transmission

archive and disposal.

Additional advice is available within the QGISCS.

Agency risk assessments may identify the need for additional information security controls for equipment.

In the absence of advice within the above documents, agencies should refer to the:

PSPF

ISM.

Note: the Queensland Government is not legislatively obliged to comply with the PSPF and ISM. However, the Queensland Government is a signatory to a Memorandum of Understanding that commits it to engage in practices consistent with these manuals.

6.2.1 Offsite equipment

When developing policies and processes for the use and/or maintenance of offsite equipment, agencies should ensure:

a risk assessment is conducted prior to locating equipment offsite

equipment and media taken off the premises are not left unattended in public places. This extends to ensuring that portable equipment is carried as hand luggage and disguised where possible during travel

manufacturers’ instructions for protecting equipment are followed


teleworking arrangements are determined by risk assessment and suitable controls are applied as appropriate (eg. backup, virus protection)

adequate insurance cover for offsite equipment.[1]

6.2.2 Maintenance of equipment

To ensure availability and integrity of information, equipment should always be maintained according to manufacturers’ maintenance guidelines. Maintenance processes cover a wide range of activities including preventative, repair and upgrade maintenance, which may be the result of scheduled or non-scheduled activities. Agencies need to ensure that adequate policies and processes are in place to protect agency information during any maintenance process.

Agencies should be mindful of the risks of continuing to use equipment that is no longer supported by a vendor. Unsupported equipment is subject to increased information security risks, as patches for newly identified vulnerabilities will not be available.

6.2.3 Disposal of equipment

The QGISCF and the QGISCS provide some guidance on appropriate controls for disposal of electronic media and equipment commensurate with security classification levels.

In accordance with Information Standard 13: Procurement and disposal of ICT products and services (IS13), disposal of government-owned ICT resources must be:

conducted with approval from the accountable officer or delegated personnel

supervised and certified upon completion by a person delegated by the accountable officer.

Agencies should ensure that these policies and processes include employee training.

Further implementation guidance is available within the ISM, which provides detailed instructions on product and media sanitisation and disposal.

[1] AS/NZS ISO/IEC 27002:2006 Information technology – Security techniques – Code of practice for information security management, p.35.


7 Communications and operations management

7.1 Operational procedures and responsibilities

When documenting operational procedures, agencies should at a minimum ensure that detailed operating instructions are in place for all processes outlined in the mandatory principles of IS18.

In terms of assigning operational responsibilities, agencies should consider the separation of operational functions and duties where procedures involve activities which could be susceptible to unauthorised activity or misuse of information, or pose a conflict of interest, such as security audits.

7.2 Third party service delivery

Agencies should ensure that third party services are managed and operated according to service level or operating level agreements. Further advice is available within the Information Security External Party Governance Guideline and the Information Security Internal Governance Guideline.

7.3 Capacity planning and system acceptance

To minimise threats to the operational environment, agencies should at a minimum ensure:

adequate testing and change control mechanisms are in place for the migration of new or modified systems into the operational environment

that the information environment is managed in a way that will easily accommodate changes or future expansions so as to not adversely impact the operational environment.

7.4 Application integrity

Agencies are required to implement controls for the prevention, detection and removal of malicious and mobile code.

7.4.1 Malicious code

Malicious code includes, but is not limited to, viruses, spyware, worms, Trojan horses and logic bombs. The following controls are recommended:

anti-malware software

software authorisation policy and processes

education and awareness

infection handling procedures.

Anti-malicious code software

Agencies should ensure that current anti-malicious code software is installed. The following points summarise some of the considerations an agency should make when implementing anti-malicious code software:

when selecting a product, agencies should consider:

– the vendor’s track record and frequency of updates

– using more than one product to ensure maximum protection.


the anti-malicious code software should be configured to:

– run whole of server scans daily

– sit inside the agency firewall in real-time mode to ensure malicious and mobile code infections are identified and cleaned immediately upon detection

– deal with both spam and instant messaging.

a separate server or computer should be configured to sit inside the agency firewall in real-time mode – this server should be configured with appropriate software to check for malicious code (if a virus is detected and all incoming and outgoing email attachments can be cleaned, then the message can be distributed; if attachments cannot be cleaned, then the message should be blocked)

the anti-malicious code software must be updated with new definition files and scanning engines as soon as possible after vendors make them available

the implemented anti-malicious code software should be regularly reviewed

agencies should ensure that virus protection and recovery strategies are included in risk management and business continuity plans.

Software authorisation policy

Agencies should establish a policy outlining the prohibited use and installation of software not authorised by the agency, including user responsibilities with regard to downloading software from the internet, email or media devices, in order to reduce the risk of malicious code being introduced into agency systems via these mechanisms. See also IS38.

Education and awareness

Users must be educated about malicious code in general, the risks posed, virus symptoms and warning signs, including what processes should be followed in the case of a suspected virus. Agencies should consider network broadcasts or a system for alerting users of virus attacks. Ensuring that personnel are aware of their responsibilities when using the internet and the agency’s software authorisation policy will also reduce the risk of the introduction of malicious code.

Further implementation guidance is available within:

ISM

IS38.

Infection handling procedures

The ISM provides some instructions on the handling of malicious code infections.

7.4.2 Mobile code

The AS/NZS ISO/IEC 27002:2006 Information technology – Security techniques – Code of practice for information security management defines mobile code as:

‘software code which transfers from one computer to another computer and then executes automatically and performs a specific function with little or no user interaction. Mobile code is associated with a number of middleware services. In addition to ensuring that mobile code does not contain malicious code, control of mobile code is essential to avoid unauthorised use or disruption of system, network, or application resources and other breaches of information security.’

The following controls are recommended:

blocking

education and awareness.


Blocking

Agencies may wish to consider blocking the use and receipt of mobile code. However, this should be balanced against the potential loss of business functionality. A middle ground may be the blocking of mobile code for selected websites only. This approach must be consistent with the agency’s internet acceptable use policy. See further IS38.

Agencies should be mindful that active content filters must be installed on a gateway/firewall if they are to be effective.

Education and awareness

Users should be educated about mobile code in general, including the risks posed.

Further implementation advice on mobile code controls is available in AS/NZS ISO/IEC 27002:2006 Information technology – Security techniques – Code of practice for information security management.

7.4.3 Reporting malicious and mobile code incidents

In addition, agencies are required to establish reporting procedures for malicious and mobile code incidents. For further advice on reporting of malicious and mobile code incidents see:

Information Security Incident Category Guideline

Information Security Event and Incident Management Guideline (not yet approved)

AS/NZS ISO/IEC 18044:2006 Information technology – Security techniques – Information security incident management.

7.5 Backup procedures

When establishing backup procedures and processes, agencies should consider the following factors to minimise threats to the integrity and availability of information:

backup information should be afforded appropriate controls (including physical and environmental) commensurate with the information security classification of the information assets involved

backup cycles should be based on analysis of the business risk, the frequency with which data and software is changed and the criticality of the system to business operations. The cycle should include, as a minimum:

– incremental daily backups of data and full weekly backups of all data, operating system and applications – backups of data on a cycle deemed appropriate by the IT Manager, but as a minimum, on a weekly basis

– backups of the complete operating system and applications on a cycle deemed appropriate by the IT Manager, but as a minimum, on a monthly basis.

a register of backups, including verification of their success, should be maintained

restoration procedures should be documented and available to those that require them and at the location where the information is backed up

the means to recover the information is stored at its backup location or is at least available from an identified source as required

a cycle of backup media should be used for all backups (see also below regarding business continuity and ICT disaster recovery)

in addition to regular backup cycles, a system backup should be performed before and after major changes to the operating system, system software, or applications

consideration should be taken when upgrading technologies to ensure that backup data is able to be read in the new environment


a cycle of regular tests should be implemented to verify that the system can be recovered from the backups produced (see also below regarding business continuity and ICT disaster recovery)

a cycle of backup media should be retained of all information required to meet customer service, legal or statutory obligations

effective backup procedures are important to ensure business continuity and the ability to recover from disasters – for business continuity and ICT disaster recovery purposes:

– at least one copy in each backup cycle and restoration procedures should be stored off-site and in accordance with the business continuity and relevant ICT disaster recovery plans

– regular tests (at least annually) should ensure that backup procedures meet the requirements of business continuity and ICT disaster recovery plans

– see further section 11.

Queensland State Archives provides advice on risks associated with relying on backups as evidence of business activity and the appropriate retention of backups. For further information refer to the Queensland State Archives Public Records Brief: Management of backups.
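The register of backups that section 7.5 asks for is only useful if someone checks it against the minimum cycle. The following is an added example (not IS18 text or a Queensland Government tool) that checks a constructed register for the daily incremental, weekly full data and monthly system backups, for registered verification of each backup, for an off-site copy of each full cycle and for an annual restore test; the record fields and the 31-day monthly window are assumptions.

```python
"""Backup register checker for the section 7.5 minimum cycle (added example)."""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class BackupRecord:
    when: date
    kind: str            # "incremental-data", "full-data" or "full-system"
    verified: bool       # success of this backup was verified and registered
    offsite_copy: bool   # a copy of this backup is held off-site


# Maximum days between consecutive backups of each kind, from the "as a
# minimum" cycle in 7.5: daily incremental data, weekly full data, monthly
# complete operating system and applications (31 days is an assumption).
MAX_GAP_DAYS = {"incremental-data": 1, "full-data": 7, "full-system": 31}
# Full cycles must have at least one off-site copy (7.5, BC/DR bullet).
OFFSITE_REQUIRED = {"full-data", "full-system"}
# Restore tests at least annually.
RESTORE_TEST_MAX_AGE_DAYS = 365

# Constructed sample dates used by sample_findings().
SAMPLE_AS_OF = date(2011, 7, 15)
SAMPLE_LAST_RESTORE_TEST = date(2010, 6, 1)


def check_register(records, as_of, last_restore_test=None):
    """Return a list of findings; an empty list means the register meets the cycle."""
    findings = []
    by_kind = {}
    for rec in records:
        by_kind.setdefault(rec.kind, []).append(rec)

    for kind, max_gap in MAX_GAP_DAYS.items():
        recs = sorted(by_kind.get(kind, []), key=lambda r: r.when)
        if not recs:
            findings.append(f"{kind}: no backups registered")
            continue
        prev = None
        for rec in recs:
            if prev is not None:
                gap = (rec.when - prev.when).days
                if gap > max_gap:
                    findings.append(f"{kind}: {gap}-day gap before {rec.when}")
            if not rec.verified:
                findings.append(f"{kind}: backup on {rec.when} not verified")
            if kind in OFFSITE_REQUIRED and not rec.offsite_copy:
                findings.append(f"{kind}: backup on {rec.when} has no off-site copy")
            prev = rec
        age = (as_of - recs[-1].when).days
        if age > max_gap:
            findings.append(f"{kind}: latest backup {recs[-1].when} is {age} days old")

    if last_restore_test is None:
        findings.append("restore test: no restore test recorded")
    elif (as_of - last_restore_test).days > RESTORE_TEST_MAX_AGE_DAYS:
        findings.append(f"restore test: last test on {last_restore_test} is over a year old")
    return findings


def sample_register():
    """Constructed two-week register with deliberate defects."""
    start = date(2011, 7, 1)
    recs = []
    for day in range(14):
        if day == 9:
            continue  # incremental backup missed on 2011-07-10
        recs.append(BackupRecord(start + timedelta(days=day), "incremental-data",
                                 verified=True, offsite_copy=False))
    recs.append(BackupRecord(date(2011, 7, 3), "full-data", verified=True, offsite_copy=True))
    recs.append(BackupRecord(date(2011, 7, 10), "full-data", verified=False, offsite_copy=True))
    recs.append(BackupRecord(date(2011, 7, 1), "full-system", verified=True, offsite_copy=False))
    return recs


def sample_findings():
    return check_register(sample_register(), SAMPLE_AS_OF, SAMPLE_LAST_RESTORE_TEST)


if __name__ == "__main__":
    for finding in sample_findings():
        print(finding)
```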

7.6 Network security

Network security management is critical to the overall security of the agency information environment. Agencies should ensure that appropriate governance and controls are in place to protect networks from internal and external threats, including intrusion, disruption or exposure through malicious or accidental action. These controls should be commensurate with the highest level of security classification applied to the information assets contained within the network and transported between agency gateways. Where possible, the application and monitoring of network security controls should be automated in order to address scalability requirements and to reduce costs. Processes in place for secure network management include but are not limited to:

designing networks, including their infrastructure, with appropriate controls for that entity

for all ICT assets that provide services accessible outside Queensland Government’s internal networks it is recommended that:

– these are isolated to a separate security network domain, called a demilitarised zone (DMZ)

– the DMZ is secured with controls commensurate with the highest level of information security classification for the information assets stored within or transiting the DMZ, including defence-in-depth deployments, firewalls, intrusion detection and prevention systems (IDP), monitoring and reporting

– business requirements for access controls for all ICT assets within the DMZ are identified and implemented.

maintaining current documentation for network and gateway systems, including firewall and security device configurations, and ensuring that only staff with a need to know have access to this documentation

security configuration management and software updates

monitoring and analysis of logs from firewalls for security breaches


alerts for detected breaches and intrusion attempts, and a documented response process

regular testing of network security.

Agencies are to note that the Queensland Government Consolidated Infrastructure (QGCI), as delivered by the Foundation Infrastructure Project (FIP), will be provisioning an IDP service and a multi-tenanted security information and event management solution, and offering these services to agencies that migrate to this new whole-of-Government solution. Agencies wishing to utilise these technologies within their own network management domain should seek guidance from the QGCTO on the interoperability with the QGCI solution; however, the preference is for agencies to consume whole-of-Government services provided by CITEC.

Further implementation guidance is available within the NTSAF.

7.6.1 Firewalls

Agencies should implement firewalls:

at the network perimeter to prevent unauthorised access to agency networks

on the internal network and on servers (depending on the agency’s network security architecture).

Agencies should document tightly defined firewall rules that match network access requirements. This documentation should be stored in a secure location and be known only to those employees with a need to know. Agency change control and configuration processes must include consideration of any required changes to agency firewall rules to ensure ongoing appropriate firewall protection. Reviews of firewall rules should be scheduled on a regular basis.

Agency firewall and gateway architecture should also be subject to regular tests to identify any security weaknesses. Agencies should report the results of these tests and any corrective actions to the information security governance body.
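A scheduled review of documented firewall rules can be partly automated. The following is an added example (not IS18 text or an agency tool) that reviews a constructed, documented rule set for the properties section 7.6.1 asks for: each allow rule tied to a documented access requirement and owner, no allow rule broader than a requirement could justify, no rule shadowed by an earlier one so that it never matches, and no rule past its review date; the rule fields, the 90-day interval and the addresses are assumptions.

```python
"""Firewall rule-set review for the section 7.6.1 properties (added example)."""
from dataclasses import dataclass
from datetime import date
import ipaddress

# Assumed review interval; 7.6.1 only says reviews should be "regular".
REVIEW_INTERVAL_DAYS = 90
SAMPLE_AS_OF = date(2011, 7, 15)  # constructed review date


@dataclass(frozen=True)
class Rule:
    rule_id: str
    src: str           # IPv4 CIDR or "any"
    dst: str           # IPv4 CIDR or "any"
    service: str       # e.g. "tcp/443", or "any"
    action: str        # "allow" or "deny"
    requirement: str   # reference to the documented network access requirement
    owner: str         # who is accountable for the rule
    last_review: date


def net_covers(outer, inner):
    """True if every address matched by `inner` is also matched by `outer`."""
    if outer == "any":
        return True
    if inner == "any":
        return False
    return ipaddress.ip_network(inner, strict=False).subnet_of(
        ipaddress.ip_network(outer, strict=False))


def service_covers(outer, inner):
    return outer == "any" or outer == inner


def review_rules(rules, as_of):
    """Return findings for rules evaluated in order (first match wins)."""
    findings = []
    for i, rule in enumerate(rules):
        if rule.action == "allow" and rule.src == "any" and rule.service == "any":
            findings.append(f"{rule.rule_id}: allows any source to any service")
        if rule.action == "allow" and rule.dst == "any":
            findings.append(f"{rule.rule_id}: allow rule with unrestricted destination")
        if not rule.requirement or not rule.owner:
            findings.append(f"{rule.rule_id}: no documented requirement or owner")
        if (as_of - rule.last_review).days > REVIEW_INTERVAL_DAYS:
            findings.append(f"{rule.rule_id}: review overdue (last {rule.last_review})")
        # A rule fully covered by an earlier rule can never match: it is dead
        # documentation and a sign the rule set no longer reflects requirements.
        for earlier in rules[:i]:
            if (net_covers(earlier.src, rule.src) and net_covers(earlier.dst, rule.dst)
                    and service_covers(earlier.service, rule.service)):
                findings.append(f"{rule.rule_id}: shadowed by {earlier.rule_id}, never matched")
                break
    return findings


def sample_rules():
    """Constructed rule set using documentation (RFC 5737) and private ranges."""
    return [
        Rule("FW-001", "any", "192.0.2.10/32", "tcp/443", "allow",
             "REQ-WEB-01 public web service", "web team", date(2011, 6, 1)),
        Rule("FW-002", "10.0.0.0/8", "10.50.0.0/16", "any", "allow",
             "", "", date(2011, 1, 15)),
        Rule("FW-003", "10.1.0.0/16", "10.50.1.0/24", "tcp/22", "allow",
             "REQ-ADM-03 admin access", "operations", date(2011, 7, 1)),
        Rule("FW-999", "any", "any", "any", "deny",
             "default deny", "security", date(2011, 7, 1)),
    ]


def sample_findings():
    return review_rules(sample_rules(), SAMPLE_AS_OF)


if __name__ == "__main__":
    for finding in sample_findings():
        print(finding)
```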

7.6.2 Firewall Warning Notice

It is recommended that agencies implement ICT system firewall warning notices for Queensland Government external facing ICT devices (eg. firewalls, intrusion prevention systems, bastion hosts, screening routers etc) to provide potential users with notice as to the private nature of the system and that monitoring and reporting activities may be conducted.

Crown Law has been consulted as part of the development of a standard warning notice to ensure the notice complies with statutory obligations while remaining as succinct as possible. The Commonwealth and Queensland Criminal Codes both prohibit unauthorised access to ICT systems and typically provide for offenders to be imprisoned for periods of time varying from two to ten years. Crown Law advised that there is no statutory requirement for a firewall notice to refer to any specific legislation, and that including references to legislation governing this area would only increase the length of the firewall notice without offering any substantial legal benefit.

As per Crown Law advice, the ways in which a firewall notice may have legal effect, if appropriately worded and implemented, include:

forming a contract, enforceable by legal action, obliging the user not to use the system for unauthorised purposes

providing notice to the user that their electronic communications may be accessed by third parties, to establish the ‘knowledge’ of the sender of a communication necessary


to avoid contravening the Telecommunications (Interception and Access) Act 1979 through unlawful interception of the communication

making an individual aware of the use and disclosure of personal information for the purposes of compliance with the Information Privacy Act 2009.

The following notice is intended to meet the 265 character requirement and to secure the best chance of having the legal effects outlined above:

“This private ICT system is for authorised use only.

By using this system you agree to use it only as authorised. You consent to agency personnel monitoring or recording your use (including personal information and communications) and using or disclosing such records for disciplinary or law enforcement purposes.”

Crown Law has advised that at this time, users will not be required to actively ‘accept’ the terms of the firewall notice prior to entering their login details. However, agencies should consider this in light of other existing login notices they are using which require employees to acknowledge their responsibilities (such as employee use of ICT facilities and devices under Information Standard 38 (IS38)).

7.7 Media handling

The level of controls to be applied to agency media would depend on the security classification assigned to that media under the QGISCF. The QGISCF and the QGISCS provide some guidance with regard to the following controls:

preparation and handling

removal from workplace and monitoring

copying and storage

archive and disposal.

Agency risk assessments may identify the need for additional information security controls for media.

In the absence of advice within the QGISCF, agencies should refer to the ISM.

Note that the Queensland Government is not legislatively obliged to comply with the ISM. However, the Queensland Government is a signatory to a Memorandum of Understanding that commits it to engage in practices consistent with this manual.


7.8 Information exchange

To ensure the security of information exchanged within the agency and with external parties, including online information systems, the agency should ensure information handling and exchange procedures are established in line with the:

QGISCF

QGISCS

Queensland Government Authentication Framework (QGAF)

NTSAF.

See also IS44.

7.8.1 Email

Email has become a critical business enabler, with information included in emails often traversing public untrusted/uncontrolled networks such as the internet.

Agencies should ensure that information within emails is appropriately protected or does not reduce the risk profile of the agency by:

ensuring staff have clear guidelines regarding the use of email for sensitive or security classified information

ensuring that passwords are used on email systems (this may be achieved by use of a password at network login)

prohibiting the use of scanned signatures (they can be cut and pasted to give the appearance that a document was signed officially)

acknowledging that email communication is not private – any opinions expressed via external email, where they are not related to the conduct of business, should be noted as individual opinions and not those of the organisation by inclusion of a disclaimer. For example:

“This email, together with any attachments, is intended for the named recipient/s only.

If you have received this message in error, you are asked to inform the sender as quickly as possible and delete this message and any copies of this message from your computer system network. Any form of disclosure, modification, distribution and/or publication of this email message is prohibited. Unless stated otherwise, this e-mail represents only the views of the Sender and not the views of the Department of xxxxx.”

ensuring email systems are backed up and maintained in accordance with operational system management standards

ensuring the evidentiary value of electronic message transactions, and the general reliability and availability of the electronic messaging system, is maintained. For Queensland Government policy and implementation advice on emails that are public records, agencies should refer to the Queensland State Archives’ Managing emails that are public records policy and guideline.

Agencies should refer to IS38 for further advice regarding email policy.

Further advice on email transmission is available within the references listed in section 7.8 above.


7.9 eCommerce

7.9.1 eCommerce and online transactions

All agency eCommerce and online transactions and services must be assessed against and consistent with the requirements of QGAF and NTSAF.

Further implementation advice is available within:

AS/NZS ISO/IEC 27001:2006 Information technology – Security techniques – Information security management systems – Requirements

AS/NZS ISO/IEC 27002:2006 Information technology – Security techniques – Code of practice for information security management

PCI Data Security Standard (PCI DSS) for payment account data security.

7.9.2 Publicly available information

Internet security is a critical current and ongoing security issue for agencies. The internet creates a window into the agency network that opens up the potential for unauthorised access and security threats to the confidentiality, integrity and availability of its information and all information facilities.

Agencies should assess their internet security requirements and develop policies and controls to manage all aspects of online and internet activities. The issues to take into consideration are numerous; however, a few of the points to assess include:

anonymity and privacy, including the requirements of the Information Privacy Act 2009

data confidentiality

use of cookies

applications and plug-ins

type of language to be used

practices for downloading executables

web server security configuration and auditing

access controls

use of data encryption.

Impact and risk assessments should be conducted on all web security controls on a regular, if not ongoing, basis, and external expert advice should be sought where possible.

7.10 Information processing monitoring

Agencies are required to ensure that audit logs of user activities, exceptions and information security events are produced, maintained and monitored.

Agencies need to ensure that their system and user monitoring activities are in line with all legislative obligations and the risk the system or activities pose to the security of the environment. Agencies should refer to IS38 for further information regarding the monitoring of communications, including email, and to the Information Privacy Act 2009 for obligations regarding the protection of personal information.

Audit, fault, administrator and operator logs should be produced, maintained and monitored on a regular basis to assist in maintaining the security of the agency information environment.


Logging facilities and log information should:

- be protected against tampering and unauthorised access
- collect at a minimum the auditing requirements specified in the QGISCS, and may in addition consider collecting the following:
  – user IDs
  – dates and times of key activities
  – the identity and location of the computer
  – network addresses and protocols
  – system alerts or failures
  – activation of anti-virus and intrusion detection and prevention systems [2]
- in the case of log information, be retained as a record and/or in compliance with requirements to collect and retain evidence.
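The first item above, protection against tampering, is the one most often left to file permissions alone. The following added example (not IS18 text, and not a Queensland Government tool) shows one way an application can make its own audit log tamper-evident: every record carries the fields listed above and an HMAC computed over the record and the previous record's tag, so an edit, deletion or reordering anywhere in the chain is detected at verification. The signing key, field names and sample events are assumptions constructed for the demonstration; in a deployment the key would be held by the log collector rather than by the hosts that write events.

```python
import hashlib
import hmac
import json

# Hypothetical key held by the log server, never by the hosts that write events.
LOG_KEY = b"example-log-signing-key-replace-in-deployment"

# Minimum field set, drawn from the list in the guideline above.
REQUIRED_FIELDS = ("user_id", "timestamp", "host", "source_address", "protocol", "event")
GENESIS_TAG = "0" * 64  # tag "before" the first record


class AuditLog:
    """Append-only log in which each record's tag covers the record body and the
    previous tag, so any later edit, deletion or reordering breaks verification."""

    def __init__(self, key):
        self._key = key
        self.records = []  # each entry: {"body": canonical JSON, "tag": hex HMAC}

    def append(self, **fields):
        missing = [f for f in REQUIRED_FIELDS if f not in fields]
        if missing:
            raise ValueError(f"record lacks required fields: {missing}")
        prev_tag = self.records[-1]["tag"] if self.records else GENESIS_TAG
        body = json.dumps(fields, sort_keys=True)  # canonical encoding
        tag = hmac.new(self._key, (prev_tag + body).encode(), hashlib.sha256).hexdigest()
        self.records.append({"body": body, "tag": tag})
        return tag

    def verify(self):
        """Return the index of the first record that fails, or None if the chain is intact."""
        prev_tag = GENESIS_TAG
        for index, record in enumerate(self.records):
            expected = hmac.new(self._key, (prev_tag + record["body"]).encode(),
                                hashlib.sha256).hexdigest()
            if not hmac.compare_digest(expected, record["tag"]):
                return index
            prev_tag = record["tag"]
        return None


def build_sample_log():
    """Constructed events for the demonstration (not from any real system)."""
    log = AuditLog(LOG_KEY)
    log.append(user_id="jsmith", timestamp="2011-07-01T09:00:00Z", host="WKS-042",
               source_address="10.0.5.17", protocol="rdp", event="logon_success")
    log.append(user_id="jsmith", timestamp="2011-07-01T09:14:12Z", host="WKS-042",
               source_address="10.0.5.17", protocol="smb", event="file_read")
    log.append(user_id="SYSTEM", timestamp="2011-07-01T09:15:00Z", host="WKS-042",
               source_address="10.0.5.17", protocol="-", event="antivirus_activated")
    return log


def tamper_demo():
    """Edit the middle record in place; verification reports its index (1)."""
    log = build_sample_log()
    log.records[1]["body"] = log.records[1]["body"].replace("file_read", "nothing")
    return log.verify()


if __name__ == "__main__":
    print("intact chain verifies as:", build_sample_log().verify())
    print("first bad record after tampering:", tamper_demo())
```

The chain only proves integrity relative to the key holder: whoever holds LOG_KEY can rewrite history, which is why the key belongs with the collector and the records should also be retained under the recordkeeping requirements (IS40, IS31) listed below.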

For further guidance agencies should refer to:

- AS/NZS ISO/IEC 27001:2006 Information technology – Security techniques – Information security management systems – Requirements
- AS/NZS ISO/IEC 27002:2006 Information technology – Security techniques – Code of practice for information security management
- IS40 Recordkeeping
- IS31 Retention and disposal of public records
- HB 171-2003 Guidelines for the management of IT evidence.

[2] AS/NZS ISO/IEC 27002:2006 Information technology – Security techniques – Code of practice for information security management, pp. 55-56.


8 Access management

8.1 Access control policy

The agency's access control policy should address and detail access control rules and rights for each group of users. Generally these should be based on 'what must be generally forbidden unless expressly permitted', ensuring that business requirements are followed.

Access controls need to be consistent with policy and legal requirements. The overall framework for access rights should be reviewed on a regular basis to determine that they remain appropriate.

8.2 Authentication

Authentication codes should be changed when there is an indication of possible system security or authentication code compromise.

QGAF provides a process and a set of definitions which will allow agencies, as service providers, to evaluate the risk associated with their services and determine the appropriate level of authentication assurance required. Agencies should refer to the QGAF series of documents for detailed information regarding authentication management.

Agencies are also required to align with the Identity and Access Management Policy and meet the targets within its accompanying position.

8.3 User access

8.3.1 User registration

User access rights should be in accordance with information owner requirements and should be authorised by the user's manager before the user is granted access to the information or system. The manager should ensure that the user has a sufficient understanding of the system before approving access rights.

Access control mechanisms should be used to restrict access to all computer systems, including hardware, software and data.

If user authentication is based upon passwords the following controls should be considered:

- the user should be required to change temporary passwords at the first logon (temporary passwords only being valid for one day)
- users should be required to change their authentication code after a predetermined period of time, through either automatic or manual means, and should not be allowed to reuse an authentication code for at least 13 cycles
- user access should be rejected after three rejected attempts to logon
- where passwords are used as authorisation, users should be educated in selecting and using passwords.

All access control privileges of users should default to denial of access when there is a malfunction in the computer or network access control system.

All changes to an employee's user duties should be reflected in their access control rights. Changes should be carried out on a timely basis. Access privileges should be disabled or modified when users change jobs, leave the agency permanently, or are on leave for a prolonged period.


User access rights should be subject to regular review using a formal process. Agencies should consider reviewing and possibly disabling access rights which have not been used within the last 30 calendar day period.
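The password controls in 8.3.1, the fail-closed rule for a malfunctioning access control system, and the 30-day inactivity review above all fit in one small account model. The following is an added example, not code from IS18 or any agency system: it enforces a one-day lifetime for temporary passwords, a forced change after a predetermined period (the 90-day value is an assumption, the guideline gives none), a 13-entry password history, lockout after three rejected logons, denial of access when the access control system reports a fault, and disabling of accounts unused for more than 30 calendar days. The hashing parameters and the user names are assumptions constructed for the demonstration.

```python
import hashlib
import hmac
import os
from datetime import datetime, timedelta

TEMP_PASSWORD_LIFETIME = timedelta(days=1)   # temporary passwords valid for one day (8.3.1)
PASSWORD_MAX_AGE = timedelta(days=90)        # assumed "predetermined period" (not set by IS18)
PASSWORD_HISTORY = 13                        # no reuse for at least 13 cycles (8.3.1)
MAX_FAILED_LOGONS = 3                        # reject access after three rejected attempts (8.3.1)
INACTIVITY_REVIEW = timedelta(days=30)       # review/disable after 30 calendar days unused
PBKDF2_ROUNDS = 100_000                      # assumed work factor for the password hash


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def day(n):
    """Constructed clock for the demonstration: n days after 1 July 2011, 09:00."""
    return datetime(2011, 7, 1, 9, 0) + timedelta(days=n)


class Account:
    def __init__(self, user_id, temp_password, now):
        self.user_id = user_id
        self.history = []          # (salt, hash) pairs, newest last; current password is last
        self.temporary = True      # first logon must change the password
        self.password_set_at = now
        self.failed_logons = 0
        self.locked = False
        self.enabled = True
        self.last_used = now
        self._store(temp_password)

    def _store(self, password):
        salt = os.urandom(16)
        self.history.append((salt, _hash(password, salt)))
        self.history = self.history[-PASSWORD_HISTORY:]   # keep only the last 13

    def _matches_current(self, password):
        salt, digest = self.history[-1]
        return hmac.compare_digest(_hash(password, salt), digest)

    def change_password(self, old, new, now):
        if not self._matches_current(old):
            return "old password incorrect"
        for salt, digest in self.history:   # reuse check against the retained cycles
            if hmac.compare_digest(_hash(new, salt), digest):
                return f"password reused within last {PASSWORD_HISTORY} changes"
        self._store(new)
        self.temporary = False
        self.password_set_at = now
        return "ok"

    def logon(self, password, now):
        """Return a status string; every branch other than 'ok' leaves access denied."""
        if not self.enabled or self.locked:
            return "denied"
        if self.temporary and now - self.password_set_at > TEMP_PASSWORD_LIFETIME:
            return "denied: temporary password expired"
        if not self._matches_current(password):
            self.failed_logons += 1
            if self.failed_logons >= MAX_FAILED_LOGONS:
                self.locked = True
            return "denied"
        self.failed_logons = 0
        self.last_used = now
        if self.temporary or now - self.password_set_at > PASSWORD_MAX_AGE:
            return "password change required"
        return "ok"


def review_inactive(accounts, now):
    """Disable accounts unused for longer than the review period; return their IDs."""
    disabled = []
    for account in accounts:
        if account.enabled and now - account.last_used > INACTIVITY_REVIEW:
            account.enabled = False
            disabled.append(account.user_id)
    return disabled


def authorise(access_control_system_ok, account, password, now):
    """Fail closed: if the access control system itself is faulty, deny everyone."""
    if not access_control_system_ok:
        return "denied: access control system unavailable"
    return account.logon(password, now)
```

The lockout counter is reset only by a successful logon, and an expired temporary password is refused before the password is even checked, so an unclaimed temporary credential cannot be used to probe the account.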

8.3.2 Privilege management

The use of special privileges should be restricted and controlled, as the unnecessary allocation or unauthorised use of special privileges can be a major factor in system security failure. Special privileges include:

- high privilege users (for example administrator/supervisor access rights)
- security administration (for example security administrator)
- root access/operating system access
- network management access
- database administration.

8.4 User responsibilities

Users should be made aware of their responsibilities with regard to system access, including:

- following the password policy and processes
- securing unattended equipment
- keeping a clear desk and screen [3].

8.5 Network access

In relation to controlling unauthorised network access, agencies should consider implementing:

- network access control policies and software
- gateway and firewall technologies for filtering and controlling traffic.

8.5.1 Remote network access

To minimise risks from external connections, agency remote access processes should at a minimum register all persons with remote access privileges, log all remote access attempts and activity, and ensure all users are authenticated before access to the network is granted.

8.6 Operating system access

Agencies should implement controls to prevent unauthorised access to operating systems. The following should be considered:

- implementation of secure log-on procedures for operating systems, including:
  – ensuring that minimal information is disclosed about the system
  – the log-on is validated only upon correct input of all data
- assigning all users a unique identifier (user ID) and a suitable authentication technique to substantiate identity claims
- not reassigning user IDs, instead disabling the user ID when no longer required
- managing password quality with a formal system
- restricting and controlling the use of systems that may have the capability of overriding system and application controls
- shutting down sessions after a defined period of inactivity
- limiting user connection times where appropriate.

Further implementation advice is available within AS/NZS ISO/IEC 27002:2006 Information technology – Security techniques – Code of practice for information security management.

[3] AS/NZS ISO/IEC 27002:2006 Information technology – Security techniques – Code of practice for information security management, p. 63.
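Three of the items above are about the lifecycle of a session and an identifier rather than about the password itself: never reassigning a user ID, closing sessions after a defined idle period, and limiting connection times. The following added example (not IS18 text and not an agency product) models them: a directory that allocates IDs from a counter that never goes backwards and only ever disables, and a session manager that refuses logons outside a permitted time window, expires idle sessions, and returns the same generic message for every refusal so that nothing about the system or the account is disclosed. The 15-minute idle limit, the 06:00-20:00 window and the clock helper are assumptions constructed for the demonstration.

```python
import itertools
from datetime import datetime, time, timedelta

IDLE_TIMEOUT = timedelta(minutes=15)            # assumed "defined period of inactivity"
CONNECTION_WINDOW = (time(6, 0), time(20, 0))   # assumed permitted connection hours
GENERIC_FAILURE = "Logon failed"                # one message for every refusal


def ts(hour, minute):
    """Constructed clock for the demonstration: 1 July 2011 at the given time."""
    return datetime(2011, 7, 1, hour, minute)


class UserDirectory:
    """User IDs are allocated once and never reassigned; removal only disables."""

    def __init__(self):
        self._next_id = itertools.count(1000)
        self.users = {}   # uid -> {"name": str, "enabled": bool}

    def create(self, name):
        uid = next(self._next_id)   # monotonic: a disabled ID is never handed out again
        self.users[uid] = {"name": name, "enabled": True}
        return uid

    def disable(self, uid):
        self.users[uid]["enabled"] = False   # the record stays, so old log entries stay attributable


class SessionManager:
    def __init__(self):
        self.sessions = {}   # token -> {"uid": int, "last_activity": datetime}
        self._counter = itertools.count(1)

    @staticmethod
    def within_window(now):
        start, end = CONNECTION_WINDOW
        return start <= now.time() < end

    def open(self, directory, uid, now):
        """Return (token, message). Unknown ID, disabled ID and out-of-hours logon all
        produce the same message, so the response reveals which condition failed to nobody."""
        user = directory.users.get(uid)
        if user is None or not user["enabled"] or not self.within_window(now):
            return None, GENERIC_FAILURE
        token = f"s{next(self._counter)}"
        self.sessions[token] = {"uid": uid, "last_activity": now}
        return token, "ok"

    def touch(self, token, now):
        """Called on every request: refresh the session, or close it if idle too long or
        now outside the connection window. Returns whether the session is still valid."""
        session = self.sessions.get(token)
        if session is None:
            return False
        if now - session["last_activity"] > IDLE_TIMEOUT or not self.within_window(now):
            del self.sessions[token]
            return False
        session["last_activity"] = now
        return True


if __name__ == "__main__":
    directory = UserDirectory()
    uid = directory.create("jsmith")
    manager = SessionManager()
    token, message = manager.open(directory, uid, ts(9, 0))
    print(message, manager.touch(token, ts(9, 10)), manager.touch(token, ts(9, 30)))
```

Keeping the disabled record rather than deleting it is what makes "never reassign" enforceable: audit log entries written under the old ID continue to point at the right person, and a later employee with the same name receives a different ID.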

8.7 Application and information access

Agencies should consider implementing controls that assist in restricting access to information within applications, by the use of menus and by controlling access rights (e.g. read, write, delete).

Access to system utilities that may be used to alter data or program code should be kept to a minimum, with all system master passwords restricted to, and maintained by, system owners or an applicable appointee.

All remote access support applications and utilities should only be provided to authorised information systems support personnel. Policies should also be in place for the configuration of such systems.

All vendor and default passwords should be changed prior to an application going into operation.

8.8 Mobile computing and telework access

Risk assessments and policies and processes for mobile computing and telework access should consider:

- physical security of the site
- security of the telecommunications link
- lack of control of information, for example access by family or friends
- increased risk of disclosure or unauthorised use of information
- increased risk of unauthorised access to agency network and systems
- support and maintenance of hardware and software updates
- backup procedures
- access security aspects (such as writing down of instructions for login, including passwords).

Further details on movement of information assets outside the agency can be found in the QGISCF.

8.8.1 Using privately owned equipment

To ensure the integrity of government networks, privately owned devices (e.g. home computers) should not be connected to agency networks unless either:

- specific technology has been implemented to ensure security for the agency, or
- detailed risk assessments are conducted to assess all security impacts.

Detailed risk assessments must include all aspects of information security, including:

- authentication measures
- access controls
- virus and malicious code
- physical and personnel security.


9 System acquisition, development and maintenance

9.1 System security requirements

Security requirements and specifications should be addressed and agreed for any new or improved system in the initial stages of development or acquisition. These requirements should identify and address any potential risks, vulnerabilities and/or conflicts with existing systems or business processes. Where possible, authentication should be managed through a separate enterprise directory product. Where appropriate agencies should also consider seeking independent evaluation or security certification of systems.

Agencies should ensure that applications which are to be implemented into the web environment undergo a stringent risk assessment process in the development phase and during the life of the application to ensure appropriate security controls are in place.

Agencies should also ensure that patch management issues are assessed and considered prior to the implementation of systems and, in the case of developed applications, that periodic code reviews are incorporated into security maintenance.

9.2 Correct processing

Agencies should ensure that implementation policies and processes outlining the practices for input validation, internal processing checks and controls, message authentication techniques and output data validation are in place to ensure appropriate security of all application and systems development. These processes should be in accordance with the risks associated with the system data and its security classification. Audit trails and activity logs should also be written into applications for the validation of data and internal processing.
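The four practices named in 9.2 (input validation, internal processing checks, message authentication and output validation) plus the application-written audit trail can be shown together on one record-processing path. The following is an added example, not IS18 text and not code from any agency system: a submitting system attaches an HMAC-SHA256 tag to a record, the processor verifies the tag first, then whitelist-validates every field, processes the record, checks the output against the same rules before releasing it, and writes one audit entry per attempt whatever the outcome. The shared key, the record schema (case_id, action, amount) and the sample records are assumptions constructed for the demonstration.

```python
import hashlib
import hmac
import json
import re

# Hypothetical key shared between the submitting system and the processor.
MAC_KEY = b"example-shared-key-not-for-production"

# Assumed record schema for the demonstration.
ALLOWED_ACTIONS = {"create", "update", "close"}
CASE_ID_RE = re.compile(r"^[A-Z]{3}-\d{6}$")
AMOUNT_LIMIT = 1_000_000


class ValidationError(ValueError):
    pass


def validate_input(record):
    """Whitelist validation of every field before any processing happens."""
    if set(record) != {"case_id", "action", "amount"}:
        raise ValidationError("unexpected or missing fields")
    if not isinstance(record["case_id"], str) or not CASE_ID_RE.match(record["case_id"]):
        raise ValidationError("case_id has invalid format")
    if record["action"] not in ALLOWED_ACTIONS:
        raise ValidationError("action not permitted")
    amount = record["amount"]
    if isinstance(amount, bool) or not isinstance(amount, int) or not 0 <= amount <= AMOUNT_LIMIT:
        raise ValidationError("amount out of range")
    return record


def sign(record, key=MAC_KEY):
    """Message authentication: HMAC-SHA256 over the canonical JSON encoding."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def verify(record, tag, key=MAC_KEY):
    return hmac.compare_digest(sign(record, key), tag)


class Processor:
    def __init__(self):
        self.audit = []   # activity log written by the application itself

    def handle(self, record, tag, actor):
        """Process one submitted record; returns the output record or None on rejection."""
        entry = {"actor": actor, "case_id": record.get("case_id"), "outcome": None}
        try:
            if not verify(record, tag):              # message authentication first
                entry["outcome"] = "rejected: authentication failed"
                return None
            validate_input(record)                    # input validation
            result = {"case_id": record["case_id"],
                      "status": record["action"] + "d",   # created / updated / closed
                      "amount": record["amount"]}
            # Internal processing check and output validation: the result must still
            # satisfy the input rules before it leaves the application.
            if result["amount"] != record["amount"] or not CASE_ID_RE.match(result["case_id"]):
                entry["outcome"] = "rejected: output validation failed"
                return None
            entry["outcome"] = "ok"
            return result
        except ValidationError as exc:
            entry["outcome"] = f"rejected: {exc}"
            return None
        finally:
            self.audit.append(entry)                  # one audit entry per attempt, always


if __name__ == "__main__":
    processor = Processor()
    sample = {"case_id": "QLD-000123", "action": "update", "amount": 250}  # constructed
    print(processor.handle(sample, sign(sample), "jsmith"))
    print(processor.audit)
```

Authentication is checked before validation on purpose: a record that fails the tag check is not examined further, so malformed input from an unauthenticated source never reaches the parser, and the audit trail still records that it arrived.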

9.3 Cryptographic controls

In order to provide a trusted communications channel over untrusted communication paths, cryptographic algorithms are a recommended control set. Further information on cryptographic controls can be located in the NTSAF.

9.4 System files

Operational software should be maintained at a level supported by the supplier and ideally maintained to the latest available patch level. Appropriate testing, planning and migration control measures should be carried out when upgrading patches or installing new software versions to ensure the overall security of the agency operational environment is not adversely impacted. The testing of systems and data should be controlled and monitored, especially where operational data sets are used.

Access controls should be implemented to ensure restricted access to all systems and applications, including system source code.

Agencies should be mindful that they must retire or replace software that is approaching end of mainstream support as per the Software currency policy and the targets within the Software currency position.


9.5 Secure development and support processes

Policies and processes should be in place for control of changes to operational applications, including version control for software upgrades. To minimise threats to the operational environment agencies should consider, but not limit activities to, ensuring:

- adequate testing and change control mechanisms are in place for the migration of new or modified systems into the operational environment
- that the information environment is managed so that future expansions or changes can be accommodated and do not adversely impact the operational environment.

For further information on change management see the ICT Infrastructure change management guideline.

9.6 Technical vulnerability management

As a first step, agencies should ensure that they have a current and complete register of application and technology assets including vendor, version numbers, current state of deployment and contacts for persons responsible for the asset (agency ICT Baseline data may be a useful starting point). Agencies should refer to AS/NZS ISO/IEC 27002:2006 Information technology – Security techniques – Code of practice for information security management, which provides guidance on establishing effective management processes for technical vulnerabilities.

Agencies should be mindful that the Foundation Infrastructure Project (FIP) is investigating options for the supply of enterprise management software for the whole-of-Government ICT infrastructure, which includes patch vulnerability management software.
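The register described at the start of 9.6 is also what makes the software currency obligation in 9.4 (retire or replace software approaching end of mainstream support) checkable. The following added example (not IS18 text, not the FIP software and not an agency tool) holds a constructed register with the fields the paragraph names (vendor, version, deployment state, responsible contact) plus an end-of-support date, and runs three checks a practitioner would want: entries with missing fields that nobody could route a vulnerability to, a currency report against a review date, and a lookup of which deployed assets a vendor advisory for given versions touches. The 180-day warning horizon, the review date and every register entry are assumptions for the demonstration.

```python
from datetime import date, timedelta

# Assumed review horizon: flag software whose mainstream support ends within 180 days.
WARNING_HORIZON = timedelta(days=180)
# Constructed review date for the demonstration.
REVIEW_DATE = date(2011, 7, 1)

# Constructed register (no real agency assets). Field set follows the guideline's list.
ASSET_REGISTER = [
    {"asset": "Web portal", "vendor": "ExampleVendor", "version": "4.2",
     "state": "production", "contact": "portal-owner@example.invalid",
     "mainstream_support_ends": date(2011, 9, 30)},
    {"asset": "Records DB", "vendor": "ExampleDB Inc", "version": "10.1",
     "state": "production", "contact": "dba@example.invalid",
     "mainstream_support_ends": date(2013, 1, 15)},
    {"asset": "Legacy payroll", "vendor": "OldCo", "version": "2.0",
     "state": "production", "contact": "",
     "mainstream_support_ends": date(2010, 12, 31)},
    {"asset": "Test harness", "vendor": "ExampleVendor", "version": "1.0",
     "state": "decommissioned", "contact": "qa@example.invalid",
     "mainstream_support_ends": date(2010, 6, 1)},
]

REQUIRED_KEYS = ("asset", "vendor", "version", "state", "contact", "mainstream_support_ends")


def register_gaps(register):
    """Entries whose record is incomplete: a vulnerability could not be routed to anyone."""
    gaps = []
    for entry in register:
        missing = [key for key in REQUIRED_KEYS if not entry.get(key)]
        if missing:
            gaps.append((entry.get("asset", "?"), missing))
    return gaps


def currency_report(register, today):
    """Classify each deployed asset as unsupported, ending soon, or supported."""
    report = {"unsupported": [], "ending_soon": [], "supported": []}
    for entry in register:
        if entry["state"] == "decommissioned":
            continue   # retired software is out of scope for currency, still kept in the register
        ends = entry["mainstream_support_ends"]
        if ends < today:
            report["unsupported"].append(entry["asset"])
        elif ends - today <= WARNING_HORIZON:
            report["ending_soon"].append(entry["asset"])
        else:
            report["supported"].append(entry["asset"])
    return report


def match_advisory(register, vendor, affected_versions):
    """Deployed assets that a vendor advisory covering the given versions applies to."""
    return [entry["asset"] for entry in register
            if entry["vendor"] == vendor
            and entry["version"] in affected_versions
            and entry["state"] != "decommissioned"]


if __name__ == "__main__":
    print("incomplete entries:", register_gaps(ASSET_REGISTER))
    print("currency:", currency_report(ASSET_REGISTER, REVIEW_DATE))
    print("advisory for ExampleVendor 4.2/1.0 affects:",
          match_advisory(ASSET_REGISTER, "ExampleVendor", {"4.2", "1.0"}))
```

The version match here is an exact string comparison; real advisories usually name version ranges, so a deployment would normalise versions before comparing, but the register fields the guideline asks for are what make any such matching possible at all.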


10 Incident management

When addressing information security incident management, agencies should be mindful that the Queensland Government Chief Technology Office (QGCTO) is establishing a virtual response team (VRT) that will include representatives from participating agencies. The VRT is being established to assist any agency requesting analysis and potential resolution of incidents of a significant nature only. Expertise may be drawn from resources external to the Queensland Government if required.

It should be noted that the VRT is a consultative service only; responsibility for successful resolution, including payment for external resources, will be borne by the requesting agency.

CITEC, as the mandated whole-of-Government service provider, has also negotiated a Standing Offer Arrangement (SOA) for the procurement of Security Information and Event Management (SIEM) technology. A SIEM can be utilised for managing event and log information from all agency network devices, and offers the ability to assist with the analysis of events and incidents, as well as automating the process of generating reports. The SIEM technology can either be purchased by an agency or managed by CITEC on behalf of an agency.

10.1 Event/weakness reporting

When agencies are developing their policies and/or procedures for information security event and weakness reporting, the following guidelines should be taken into consideration:

- Information Security Incident Category Guideline
- Information Security Event and Incident Management Guideline (not yet approved)
- AS/NZS ISO/IEC 18044:2006 Information technology – Security techniques – Information security incident management.

10.2 Incident procedures

When agencies are developing procedures to manage information security incidents, the following guidelines should be taken into consideration:

- Information Security Event and Incident Management Guideline (not yet approved)
- Information Security Incident Category Guideline
- AS/NZS ISO/IEC 18044:2006 Information technology – Security techniques – Information security incident management
- Information Security Internal Governance Guideline
- Australian Standards' HB 171-2003 Guidelines for the management of IT evidence.

For information security incidents that involve breaches of privacy, agencies should refer to the:

- Information Privacy Act 2009
- OIC's Privacy breach management and notification guideline
- Privacy Act 1988 (Cth)
- Australian Government Office of the Privacy Commissioner's Guide to handling personal information security breaches.

Under IS18 agencies must establish and maintain an information security incident and response register and record all incidents. The register may be created manually or linked with existing business process tools, such as an Information Technology Infrastructure Library (ITIL) compliant ticketing system.

QGCTO is currently implementing a strategic whole-of-Government information security management service with CITEC, which will introduce new Security Information and Event Management (SIEM) technology to assist with the collation and summarisation of events and incidents, including the generation of reports. As part of the migration strategy for agencies to consume whole-of-Government services, QGCTO will work with agencies in understanding the benefits of adopting a SIEM service. This will include understanding the benefits of utilising a SIEM in maintaining a register and the ability to provide more accurate and timely reporting.


11 Business continuity management

11.1 Business continuity

Agency business continuity plans should be reviewed and tested on a regular basis to ensure that all current business and ICT systems and infrastructure are accounted for. When developing the agency testing strategy, the importance of each system to the business operations and the ability to recover it within the time frames required by users should determine the extent of the testing. Business continuity plans should ensure that information security controls are maintained, and this should be within scope of the testing strategy.

Agencies should also undertake a review of their plans and strategies after any significant disruption to, or failure of, information services, to ascertain the cause, assess the remedy and ensure procedures are adjusted to reduce the likelihood of any repeat occurrence. For further information, refer to:

- Business continuity plan documentation guideline (Queensland Government employees only)
- Queensland Government guide for business continuity planning (Queensland Government employees only)
- Australian Standards HB:221:2004 Business continuity management.

11.2 Disaster recovery

To ensure the availability of information, and ICT systems and services following a disaster, agencies need to document information and ICT disaster recovery plans.

When documenting agency information and ICT disaster recovery arrangements, agencies should refer to the ICT asset disaster recovery planning guideline. The plans should ensure that information security controls are recovered as part of the plan.

When developing information risk management strategies to assess the vulnerability of information and ICT assets and the impact on these assets as a result of a security failure or a disaster, agencies should consider adapting the AS/NZS ISO 31000:2009 Risk management – Principles and guidelines. Further information can also be found in the Information risk management best practice guide.

It is a requirement of IS18 that agencies 'establish an information and ICT asset disaster recovery register to assess and classify systems to determine their criticality'. Note that this register does not need to be a new register; agencies are free to utilise existing registers that they may have, provided that they assess and classify information and ICT assets to determine their criticality.

Requirements and advice regarding disaster recovery for public records is available from Queensland State Archives.


12 Compliance management

12.1 Legal requirements

A summary of information security related legal requirements is included in Appendix A. However, this is no replacement for agencies seeking legal advice from their internal legal section on the specific legal requirements that apply to them.

12.2 Policy requirements

Information security policies, procedures and compliance should be reviewed and reported on to appropriate management at least annually to ensure the reliability and overall effectiveness of the security controls for all information systems, network infrastructures and applications.

12.3 Audit requirements

Agencies should ensure that appropriately qualified personnel are assigned to audit the compliance of the information environment against agency policies, processes and industry technical standards to ensure appropriate security levels are maintained. These personnel should, where practical, not be involved in the operational information or systems environment of the agency.


13 Reporting requirements

13.1 Event and incident information

Under IS18 agencies must submit their Security Event and Incident Management information to the QGCTO. Actual reporting requirements may evolve over time as the process matures.

In the interim, the QGCTO is in the process of establishing a Virtual Response Team and gathering business requirements for a whole-of-Government AusCERT subscription service. QGCTO is currently working with CITEC and a large agency to implement the SIEM technology chosen as part of the FIP tender.

As soon as these technologies, processes and services are in place, consultation with agencies will commence on determining the level of detail for events and incidents that will be reported to QGCTO on an ongoing monthly basis.

13.2 VRT communication alerts

Under IS18 agencies must send Virtual Response Team communication alerts to all agencies as directed by the QGCTO. Actual reporting requirements will evolve over time as the process matures. After the whole-of-Government Virtual Response Team is established, further information will be provided on the level of detail for events and incidents that will be reported to QGCTO.

The intent of this communication forum is to have agencies participate in the notification of observed security events and incidents and to share information in order to both contain and resolve incidents in a timely manner. There is no requirement to divulge any sensitive information that may cause distress to the participating agencies.


Appendix A Information security related legislation and standards

This appendix provides a summary of some of the information security related obligations that apply to Queensland Government agencies.

The contents of this appendix do not constitute legal advice and should not be relied on as a comprehensive statement of information security legislative obligations.

A.1 Legislation

- Criminal Code Act 1995 (Cth)
- Electronic Transactions Act 1999 (Cth)
- Electronic Transactions (Queensland) Act 2001 (Qld)
- Evidence Act 1977
- Financial Accountability Act 2009 (Qld)
- Financial and Performance Management Standard 2009 (Qld)
- Information Privacy Act 2009 (Qld)
- Privacy Act 1988 (Cth)
- Public Records Act 2002 (Qld)
- Public Sector Ethics Act 1994 (Qld)
- Public Service Act 2008 (Qld)
- Right to Information Act 2009 (Qld)
- Telecommunications Act 1997 (Cth)
- Telecommunications (Interception and Access) Act 1979 (Cth).

A.2 International/Australian standards and guidelines

- AS 2834-1995 Computer accommodation
- AS/NZS ISO/IEC 27001:2006 Information technology – Security techniques – Information security management systems – Requirements
- AS/NZS ISO/IEC 27002:2006 Information technology – Security techniques – Code of practice for information security management
- AS/NZS ISO/IEC 18044:2006 Information technology – Security techniques – Information security incident management
- AS/NZS ISO 31000:2009 Risk management – Principles and guidelines
- Australian Standards HB 171:2003 Guidelines for the management of IT evidence
- Australian Standards HB:221:2004 Business continuity management
- Queensland Government Counter Terrorism Strategy 2008-2012 – Department of Premier and Cabinet (function now residing in Queensland Police Service)
- Queensland Government Counter Terrorism Plan 2007 – Department of Premier and Cabinet (function now residing in Queensland Police)
- Government Asset Protection Framework – Queensland Treasury.

A.3 Australian Government standards

- PSPF
- ISM.


A.4 Queensland Government Enterprise Architecture

- Business continuity plan documentation guideline
- Directory services position
- Information security external governance guideline
- Identification and classification of information assets guideline
- Identity management, authentication and authorisation services position
- Implementing internal information security governance guideline
- Information risk management best practice guide
- Information security event and incident category guideline
- Information security event and incident management guideline
- Information Security external security governance guideline
- Information Standard 2: ICT resources strategic planning
- Information Standard 13: Procurement and disposal of ICT products and services
- Information Standard 31: Retention and disposal of public records
- Information Standard 38: Use of ICT facilities and devices
- Information Standard 40: Recordkeeping
- Information Standard 44: Information asset custodianship
- Network management position
- Network transmission security assurance framework
- Patch management policy and position
- Queensland Government authentication framework
- Queensland Government ICT disaster recovery plan development guideline
- Queensland Government information risk management guidelines
- Queensland Government information security classification framework
- Queensland Government information security policy - mandatory clauses.