
Information Standard 18: Information Security - Implementation Guideline

Final
November 2010
v1.0.0

PUBLIC

Queensland Government Enterprise Architecture

ICT Policy and Coordination Office


Department of Public Works
PUBLIC
QGEA Information Standard 18: Information Security - Implementation Guideline

Document details
Security classification: PUBLIC
Date of review of security classification: November 2010
Authority: Queensland Government Chief Information Officer
Author: ICT Policy and Coordination Office
Documentation status: Final version

Contact for enquiries and proposed changes


All enquiries regarding this document should be directed in the first instance to:
Director, Policy Development
ICT Policy and Coordination Office
ICTPolicy@qld.gov.au

Acknowledgements
This version of the Information Standard 18: Information Security - Implementation Guideline was
developed and updated by the ICT Policy and Coordination Office.
Feedback was also received from a number of agencies, including members of the Information
Security Reference Group, which was greatly appreciated.

Copyright
Information Standard 18: Information Security - Implementation Guideline
Copyright © The State of Queensland (Department of Public Works) 2010

Licence

Information Standard 18: Information Security - Implementation Guideline by the ICT Policy and
Coordination Office is licensed under a Creative Commons Attribution 2.5 Australia License.
Permissions may be available beyond the scope of this licence. See www.qgcio.qld.gov.au.

Information security
This document has been security classified using the Queensland Government Information
Security Classification Framework (QGISCF) as PUBLIC and will be managed according to the
requirements of the QGISCF.

Final v1.0.0, November 2010 Page 2 of 36



Contents
1 Introduction .... 5
1.1 Purpose .... 5
1.2 Audience .... 5
1.3 Scope .... 5
1.4 Document structure .... 5
2 Background .... 6
3 Policy, planning and governance .... 8
3.1 Information security policy .... 8
3.2 Information security plan .... 8
3.3 Internal governance .... 10
3.4 External party governance .... 10
4 Asset management .... 11
4.1 Asset protection responsibility .... 11
4.2 Information security classification .... 12
5 Human resources management .... 12
5.1 Pre-employment .... 12
5.2 During employment .... 12
5.3 Post-employment .... 13
6 Physical and environmental management .... 15
6.1 Building controls and secure areas .... 15
6.2 Equipment security .... 15
7 Communications and operations management .... 17
7.1 Operational procedures and responsibilities .... 17
7.2 Third party service delivery .... 17
7.3 Capacity planning and system acceptance .... 17
7.4 Application integrity .... 17
7.5 Backup procedures .... 19
7.6 Network security .... 20
7.7 Media handling .... 21
7.8 Information exchange .... 22
7.9 eCommerce .... 23
7.10 Information processing monitoring .... 23
8 Access management .... 25
8.1 Access control policy .... 25
8.2 Authentication .... 25
8.3 User access .... 25
8.4 User responsibilities .... 26
8.5 Network access .... 26
8.6 Operating system access .... 26
8.7 Application and information access .... 27
8.8 Mobile computing and telework access .... 27
9 System acquisition, development and maintenance .... 28
9.1 System security requirements .... 28
9.2 Correct processing .... 28
9.3 Cryptographic controls .... 28
9.4 System files .... 28
9.5 Secure development and support processes .... 29
9.6 Technical vulnerability management .... 29
10 Incident management .... 30
10.1 Event/weakness reporting .... 30
10.2 Incident procedures .... 30
11 Business continuity management .... 32
11.1 Business continuity .... 32
11.2 Disaster recovery .... 32
12 Compliance management .... 33
12.1 Legal requirements .... 33
12.2 Policy requirements .... 33
12.3 Audit requirements .... 33
13 Reporting requirements .... 34
13.1 Event and incident information .... 34
13.2 VRT communication alerts .... 34
Appendix A Information security related legislation and standards .... 35


1 Introduction
1.1 Purpose
This guideline provides information and advice for Queensland Government agencies to
consider when implementing the mandatory principles of Information Standard 18:
Information security (IS18). The requirements of IS18 and this supporting guideline, are
based on the three elements of information security:
• confidentiality – ensuring that information is accessible only to those authorised to have
access
• integrity – safeguarding the accuracy and completeness of information and processing
methods
• availability – ensuring that authorised users have access to information and associated
assets when required.
This guideline does not form part of the mandatory component of IS18 and is provided for
information only. It is, however, based on best practice, and agencies are strongly
recommended to consider the advice it contains.

1.2 Audience
This document is primarily intended for:
• information security governance bodies
• information security strategic areas
• information security operational areas.

1.3 Scope
This guideline supports IS18.

1.4 Document structure


The Queensland Government Information Security Policy Framework (QGISPF) represents
information security at two levels of detail. This guideline has been similarly divided into two
levels of domains, with the ten level one domains corresponding to the ten mandatory
principles in IS18. Note that a 'reporting requirements' heading has also been included to
align with IS18. The headings are as follows:
• policy, planning and governance
• asset management
• human resources management
• physical and environmental management
• communications and operations management
• access management
• system acquisition, development and maintenance
• incident management
• business continuity management
• compliance management
• reporting requirements.


2 Background
IS18 has been developed to provide agencies with the minimum requirements for
information security management. However, some agencies may find that their particular
agency requires more stringent information security controls to be implemented. In these
cases it is suggested that agencies refer to the following for guidance:
• ISO/IEC 27000 series of standards (including ISO/IEC 27002, formerly ISO/IEC 17799) – the
International Standard ISO/IEC 27000 series is available through Standards Australia (SAI
Global distributors).
• Tools and templates (Queensland Government employees only) issued by Security Planning
and Coordination, Queensland Police Service (a function formerly residing in the
Department of Premier and Cabinet).
• Australian Government Protective Security Policy Framework – the Australian Government
Protective Security Policy Framework (PSPF) is issued by the Attorney-General's Department.
This standard is restricted to government agencies and can be purchased by emailing
pspf@ag.gov.au. The PSPF superseded the Australian Government Protective Security
Manual (PSM) in June 2010.
• Australian Government Information Security Manual – the Australian Government
Information Security Manual (ISM) is available through the Department of Defence, Defence
Signals Directorate website.
Agencies may also consider the application of various methods and industry frameworks for
managing their agency information security.
Note that the Queensland Government is not legislatively obliged to comply with the PSPF
and ISM. However, the Queensland Government is a signatory to a Memorandum of
Understanding that commits it to engage in practices consistent with these manuals.
There are a number of other documents that support implementation of IS18 that have
been produced by the ICT Policy and Coordination Office. These documents are referred to
throughout this document and also in Figure 1 (page 7).


Figure 1 IS18: Information security supporting documents organised by mandatory principle


3 Policy, planning and governance


3.1 Information security policy
The agency information security policy serves as the foundation for information security
management within the agency. The development of this policy is the first step in
establishing management commitment and the responsibilities for information security
within the agency and should therefore be concise and clear. The Information Security
Policy – Mandatory Clauses has been developed to assist agencies in the development of
their information security policy and details the minimum set of mandatory requirements
and quality criteria that must be included within the agency policy and makes suggestions
for agency specific considerations.

3.2 Information security plan


The level of detail contained in the agency’s information security plan should be
commensurate with the complexity of the agency’s information environment, its business
functions and the information security risks that it faces. The suggested approach for the
development of the plan is to:
• develop an overarching information security plan, which outlines the security program
for the agency as a whole
• support this information security plan with a number of detailed plans for each separate
entity/agency portfolio and/or significant or high risk agency information systems and
processes.
Regardless of the development or format of the plan, information security planning should
be integrated into the agency’s culture through its strategic and organisational plans and
operational practices. Security considerations should be incorporated into the agency
corporate planning process and ICT strategic resource planning, to ensure that the agency
information security plan meets the business and operational needs of the agency and its
clients.

3.2.1 Suggested steps for developing an information security plan


There are a number of steps which should be used to develop the agency information
security plan.

Step 1: Identify agency goals and objectives for information security


Identify linkages between the agency information security policy and all agency corporate
plans, strategies, goals and objectives to establish the key areas which may impact on the
current or future information security environment of the agency.

Step 2: Identify major information assets and business critical ICT assets
This information may be sourced from the agency’s disaster recovery register. Agencies are
required to establish this register under IS18.

Step 3: Conduct a risk assessment


Conduct a risk assessment on the major information assets with the assigned owners of
these assets on an annual basis or after any significant change has occurred (eg.
machinery-of-Government).


The process or methodology used by the agency to assess security risks should be based
on the agency’s preferred risk management processes. In the absence of an agency risk
methodology agencies are encouraged to utilise AS/NZS ISO 31000:2009 Risk
management – Principles and guidelines.

Step 4: Current situation


Gather information regarding existing agency security policies, procedures and controls and
map these against the:
• data obtained from the risk assessment process
• mandatory principles of IS18 and/or any other security standards that the agency uses
• agency's security architecture targets.

Step 5: Analysis of any gaps and the effectiveness of existing controls


Conduct an analysis of any gaps and the effectiveness of the existing controls against the
information obtained from step 4 above.

Step 6: Develop recommendations and strategies


Develop and document the recommended controls and a prioritised plan of actions/strategies
that need to be implemented or maintained to achieve the desired level of agency security,
how this is to be achieved and who is responsible. Information security plans should provide
for treatments that are both cost-effective and appropriate to the level of risk. Where an
agency identifies a high level of risk in its information environment (based on the
information security classification of the information assets in its care), it is suggested
that it consult specialist information security agencies or industry professional bodies for
advice or technical assistance in developing its strategies and plans.

Step 7: Identify outstanding/residual risks that will not be treated


Document any ongoing risks that will remain untreated or that are assessed as acceptable.

Step 8: Obtain agreement on risks and strategies


To ensure that the information security plan meets the requirements of the business, it is
important to gain agreement from the information asset owners. This ensures that the
strategies and plan adequately reflect the protection of the assets from a business
perspective, and also informs the prioritisation of treatments.

Step 9: Develop actions and timetable


Document and develop a detailed plan of activities and actions along with timeframes for
implementing the controls and strategies agreed on.

Step 10: Determine resourcing


Document and detail the resourcing requirements for the implementation of the controls and
strategies including the personnel, materials and budget for its implementation.

Step 11: Endorsement and publishing of the information security plan


Gain endorsement of the information security plan from the appropriate governance body
and senior executive on an annual basis.


Step 12: Implementation of the information security plan


To facilitate a systematic and co-ordinated approach to security and risk management,
agencies should establish a structure or framework to help develop and implement the
agency information security plan.

Step 13: Ongoing monitoring and review


To ensure that security controls in the agency continue to remain relevant to the agency
goals, objectives and operational and business environments, the agency’s information
security plan should be reviewed, monitored and reported on, on an ongoing basis. The
information gained from these activities is used to inform future agency security plans and
strategies.
It is suggested that agencies review their security plan at least annually to identify changes
to the risk profile and to assess the effectiveness of existing controls. Further to this, the
agency should ensure that security planning becomes an integral component of all agency
management, projects and activities rather than an isolated and once a year planning
activity.

3.2.2 General agency security plan


Whilst the ICT Policy and Coordination Office works with agencies to improve information
security practices across the Queensland Government, protective security and counter-
terrorism issues throughout Queensland are coordinated by the Queensland Police Service.
The Government Asset Protection (GAP) Project has produced the Guide for general
security planning which agencies should refer to when developing their general agency
security plan. Enquiries about this document can be directed to the Queensland Police
Service’s Security Planning and Coordination team on 07 3406 3677 or by emailing
security.planning@police.qld.gov.au.

3.3 Internal governance


The Information Security Internal Governance Guideline provides implementation advice for
this domain.
Information on internal governance arrangements for ICT and for information management is
available in the following documents respectively:
• Information Standard 2: ICT Resources Strategic Planning
• Information Security Internal Governance Guideline.

3.4 External party governance


See the Information Security External Party Governance Guideline.


4 Asset management
4.1 Asset protection responsibility
4.1.1 Information assets
It is a requirement of Information Standard 44: Information asset custodianship (IS44) that
agencies:
• identify their information assets
• establish and maintain an information asset register.
Agencies may use this register, or establish a separate one, to record the information
security classification of their information assets. The following documents provide
agencies with implementation guidance:
• IS44
• Identification and classification of information assets guideline
• Queensland Government Information Security Classification Framework (QGISCF)
• Queensland Government Information Security Controls Standard (QGISCS).

Disposal of information assets


For information assets that are public records, their retention and disposal must be
managed in accordance with a retention and disposal schedule approved by the state
archivist, under the Public Records Act 2002. For further information regarding the disposal
of records agencies should refer to Information Standard 31: Retention and disposal of
public records (IS31).
For all other information assets, agencies should refer to the QGISCF and the QGISCS.
Refer to section 6.2 (Equipment security) for guidance on the disposal of equipment.

4.1.2 Control of technology devices


It is a requirement of IS18 and the Information Security Policy – Mandatory Clauses that
agencies identify their ICT assets, document them and assign owners for the maintenance
of information security controls. ICT assets must be assigned information security controls
commensurate with the highest level of security classification applied to the information
assets contained within or transmitted via the ICT asset. The following documents provide
agencies with further implementation requirements and guidance:
• Queensland Government Information Security Classification Framework
• Queensland Government Network Transmission Security Assurance Framework (NTSAF).
In the absence of advice within these documents, agencies should consider guidance from
the:
• PSPF
• ISM.


4.2 Information security classification


Agencies should refer to the QGISCF which provides detailed implementation requirements
and guidance with respect to the information security classification and control of
information assets. Additional advice is available within the QGISCS.
Agencies should be mindful that the information security classification of an information
asset, does not limit the operation of legislation. For example, a policy document classified
as PROTECTED may be assessed as suitable for release under the Right to Information
Act 2009. In this situation, the information would need to be reclassified as PUBLIC.

5 Human resources management


5.1 Pre-employment
Depending on the nature of the agency's business, consideration should be given to whether:
• specific information security clauses should be included in the terms and conditions of
employment (eg. responsibilities and disciplinary processes)
• additional scrutiny is required during the recruitment and selection phase for positions
that involve exposure to classified or sensitive information, or where relevant legislation
applies (eg. security assessments and criminal history checks). For positions of this kind,
the requirements the agency needs to consider include:
– the availability of satisfactory character referees
– the completeness and accuracy of the resume and qualifications
– security and criminal history checks (where required under legislation, or where clearly
identified risks can be reduced by such checks)
– the PSPF, for further information on employing staff who will be dealing with national
security classified information.

5.2 During employment


5.2.1 Induction, training and awareness programs
The information security induction, training and awareness program should:
• address all levels of staff and all areas of the agency
• cover the following:
– general employee responsibilities (see Information Security Internal Governance
Guideline)
– information security responsibilities attached to particular roles (see Information
Security Internal Governance Guideline)
– the correct operation of information systems and ICT facilities and devices (see also
Information Standard 38: Use of ICT Facilities and Devices (IS38))
– reporting of information security events, weaknesses and incidents
– information security related responsibilities within the agency code of conduct and
the disciplinary penalties for breaches
• be updated regularly to include changes in the information security plan and policy
• include regular refresher training.


Examples of mechanisms that agencies may consider when developing information security
induction, training and awareness programs include:
• addressing information security responsibilities within the agency's code of conduct
• briefing sessions
• online tutorials
• regular distribution of educational material (eg. security updates, log-on notices,
factsheets, newsletter articles and posters)
• distributing copies of the agency's information security policy and obtaining a signed
acknowledgement of understanding from each employee (especially those who handle
classified information).
It is the responsibility of:
• managers to ensure that their employees undertake information security induction
training and regular refresher training
• agency employees to understand and follow information security policy and processes.

5.2.2 Roles and responsibilities


High level information security roles and responsibilities are defined within the Information
Security Internal Governance Guideline. Agencies should use this guideline as a basis for
developing, documenting and assigning information security roles and responsibilities within
their environment.

5.2.3 Disciplinary processes


The disciplinary actions and processes for misconduct and official misconduct should be
determined under the Public Service Act 2008 and/or other relevant legislation, regulation
and policy that apply to the agency. These should be documented in the agency’s terms
and conditions of employment.
For guidance on information security incident management, agencies should refer to
section 10 (Incident management) of this document.

5.3 Post-employment
The Public Service Commission’s Directive No. 2/09: Employment separations procedures,
requires agencies to establish separation procedures in all cases where an employee is
separating employment from the Queensland Public Service. Implementation of this
directive is supported by an Employment separation checklist.
In addition the Information Security Policy – Mandatory Clauses requires agencies to set up
procedures for ensuring the security of the agency during the separation of employees
from, or movement within the agency. It is recommended that agencies also ensure that
procedures are in place for termination of employment.
To meet this requirement, it is suggested that agencies implement:
• exit interviews that ensure the employee understands their continuing responsibilities
for maintaining information confidentiality and privacy (especially where the employee
has had access to classified information) and for respecting the Queensland Government's
intellectual property rights, including the consequences of non-compliance with these
responsibilities


• separation checklists that confirm:
– the exit interview has been conducted
– all Queensland Government property has been returned (eg. access cards/keys,
credit cards, mobile phones, personal digital assistants)
– the employee's user ID has been disabled and access rights revoked.
As is the case with many personnel security issues, the responsibility for employee
separation procedures does not remain with one area of the agency but requires a
coordinated approach across the agency.
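The last item on the separation checklist, disabling the user ID and revoking access rights, is the one most often missed when separations are processed by hand, and a disabled account that keeps its group memberships is only half revoked. The following is an added example, not part of IS18 or this guideline, of a reconciliation check that compares an HR separation feed with a directory export and reports accounts whose access outlived the separation. The record layouts, field names, the one-day grace period and the sample records are assumptions constructed for the example; in practice the inputs would be read from the agency's HR system and its directory service.

```python
"""Leaver reconciliation check.

Added example (not part of IS18 or this guideline). Record layouts, field
names, the grace period and the sample data are assumptions constructed for
the example; a real run would read the agency HR system and an LDAP/Active
Directory export instead.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class HrRecord:
    employee_id: str
    status: str                          # "active" or "separated"
    separation_date: date | None = None  # set when status == "separated"


@dataclass(frozen=True)
class DirectoryAccount:
    user_id: str
    employee_id: str | None  # None when the account has no HR linkage
    enabled: bool
    groups: frozenset        # group memberships (access rights)
    last_logon: date | None


def reconcile(hr_records, accounts, as_of, grace_days=1):
    """Return (user_id, finding) pairs for accounts that fail the separation
    checklist: still enabled after the separation date, still holding group
    memberships, used after the separation date, or enabled with no HR owner.

    grace_days allows for the HR feed to be processed the next business day;
    an account still enabled beyond that window is a finding.
    """
    by_employee = {r.employee_id: r for r in hr_records}
    findings = []
    for acct in accounts:
        rec = by_employee.get(acct.employee_id) if acct.employee_id else None
        if rec is None:
            if acct.enabled:
                # Enabled account that HR does not know about: an orphan or an
                # unregistered service account. Either way it needs an owner.
                findings.append((acct.user_id, "NO_HR_OWNER"))
            continue
        if rec.status != "separated" or rec.separation_date is None:
            continue
        left = rec.separation_date
        if acct.enabled and as_of > left + timedelta(days=grace_days):
            findings.append((acct.user_id, "ENABLED_AFTER_SEPARATION"))
        if acct.groups:
            # Disabling is not the same as revoking: a re-enabled or recycled
            # account inherits whatever memberships were left behind.
            findings.append((acct.user_id, "GROUPS_RETAINED"))
        if acct.last_logon is not None and acct.last_logon > left:
            findings.append((acct.user_id, "LOGON_AFTER_SEPARATION"))
    return findings


# Constructed sample records for the example; not real agency data.
SAMPLE_HR = [
    HrRecord("E100", "active"),
    HrRecord("E101", "separated", date(2010, 11, 5)),
    HrRecord("E102", "separated", date(2010, 11, 12)),
    HrRecord("E103", "separated", date(2010, 11, 14)),
]
SAMPLE_ACCOUNTS = [
    # current employee: no finding expected
    DirectoryAccount("jsmith", "E100", True, frozenset({"Finance"}), date(2010, 11, 15)),
    # separated ten days ago, never offboarded, and the account was used afterwards
    DirectoryAccount("ajones", "E101", True, frozenset({"HR-Admins"}), date(2010, 11, 9)),
    # separated and cleanly offboarded
    DirectoryAccount("bkhan", "E102", False, frozenset(), date(2010, 11, 11)),
    # disabled on time, but group memberships were never removed
    DirectoryAccount("clee", "E103", False, frozenset({"VPN-Users"}), None),
    # enabled account with no HR record at all
    DirectoryAccount("svc-backup", None, True, frozenset({"Backup-Operators"}), date(2010, 11, 15)),
]


def run_example(as_of="2010-11-15"):
    """Run the check over the sample data as at the given ISO date."""
    return reconcile(SAMPLE_HR, SAMPLE_ACCOUNTS, date.fromisoformat(as_of))


if __name__ == "__main__":
    for user_id, finding in run_example():
        print(f"{user_id}: {finding}")
```

Run as a scheduled job, the check turns the checklist item into something that can be evidenced: each finding names the account and the specific control that was not applied, and the NO_HR_OWNER finding catches service accounts and other identities that a separation process keyed on HR records would never see.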


6 Physical and environmental management


Those responsible for information security within an agency should work with those
responsible for protective security to ensure that appropriate physical and environmental
management controls are implemented.

6.1 Building controls and secure areas


The level of building and secure area controls to be implemented depends on the QGISCF
classification of the information assets stored there. The QGISCF and the QGISCS provide
some guidance on building controls and secure areas.
In the absence of advice within these documents, agencies should refer to:
• guides and tools (Queensland Government employees only) issued by the Security
Planning and Coordination unit within the Queensland Police Service
• AS 2834-1995 Computer accommodation
• PSPF
• ISM.

6.2 Equipment security


The level of controls to be applied to agency equipment depends on the QGISCF classification
of the information assets the equipment stores or transmits. The QGISCF provides some
guidance on the following controls:
• preparation and handling
• removal from the workplace and monitoring
• discussing classified information (including by telephone and video conference)
• copying and storage
• electronic transmission
• archive and disposal.
Additional advice is available within the QGISCS.
Agency risk assessments may identify the need for additional information security controls
for equipment.
In the absence of advice within the above documents, agencies should refer to the:
• PSPF
• ISM.
Note: the Queensland Government is not legislatively obliged to comply with the PSPF and
ISM. However, the Queensland Government is a signatory to a Memorandum of
Understanding that commits it to engage in practices consistent with these manuals.

6.2.1 Offsite equipment


When developing policies and processes for the use and/or maintenance of offsite
equipment, agencies should ensure:
 a risk assessment is conducted prior to locating equipment offsite
 equipment and media taken off the premises are not left unattended in public places.
This extends to ensuring that portable equipment is carried as hand luggage and
disguised where possible during travel
 manufacturers’ instructions for protecting equipment are followed

 teleworking arrangements are determined by risk assessment and suitable controls are
applied as appropriate (eg. backup, virus protection)
 adequate insurance cover is in place for offsite equipment. [1]

6.2.2 Maintenance of equipment


To ensure the availability and integrity of information, equipment should always be maintained
according to manufacturers’ maintenance guidelines. Maintenance covers a wide
range of activities, including preventative, repair and upgrade maintenance, which may be
scheduled or unscheduled. Agencies need to ensure that adequate
policies and processes are in place to protect agency information during any maintenance
process.
Agencies should be mindful of the risks of continuing to use equipment that is no longer
supported by a vendor. Unsupported equipment is subject to increased information
security risk because patches for newly identified vulnerabilities will not be made available.

6.2.3 Disposal of equipment


The QGISCF and the QGISCS provide some guidance on appropriate controls for disposal
of electronic media and equipment commensurate with security classification levels.
In accordance with Information Standard 13: Procurement and disposal of ICT products and
services (IS13), disposal of government-owned ICT resources must be:
 conducted with approval from the accountable officer or delegated personnel
 supervised and certified upon completion by a person delegated by the accountable
officer.
Agencies should ensure that these policies and processes include employee training.
Further implementation guidance is available within the ISM which provides detailed
instructions on product and media sanitisation and disposal.

[1] AS/NZS ISO/IEC 27002:2006 Information technology – Security techniques – Code of practice for information security
management, p. 35.

7 Communications and operations management


7.1 Operational procedures and responsibilities
When documenting operational procedures, agencies should at a minimum ensure that
detailed operating instructions are in place for all processes outlined in the mandatory
principles of IS18.
In assigning operational responsibilities, agencies should consider separating
operational functions and duties where procedures involve activities that could be
susceptible to unauthorised activity or misuse of information, or that pose a conflict of interest,
such as security audits.

7.2 Third party service delivery


Agencies should ensure that third party services are managed and operated according to
service level or operating level agreements. Further advice is available within the
Information Security External Party Governance Guideline and the Information Security
Internal Governance Guideline.

7.3 Capacity planning and system acceptance


To minimise threats to the operational environment agencies should at a minimum ensure:
 adequate testing and change control mechanisms are in place for the migration of new
or modified systems into the operational environment
 that the information environment is managed in a way that will easily accommodate
changes or future expansions so as to not adversely impact the operational
environment.

7.4 Application integrity


Agencies are required to implement controls for the prevention, detection and removal of
malicious and mobile code.

7.4.1 Malicious code


Malicious code includes, but is not limited to, viruses, spyware, worms, Trojan horses and
logic bombs. The following controls are recommended:
 anti-malware software
 software authorisation policy and processes
 education and awareness
 infection handling procedures.

Anti-malicious code software


Agencies should ensure that current anti-malicious code software is installed. The following
points summarise some of the considerations an agency should make when implementing
anti-malicious code software.
 when selecting a product agencies should consider:
– the vendor’s track record and frequency of updates
– using products from more than one vendor (for example, one at the gateway and another
on desktops and servers), so that a detection gap in one product is less likely to be
shared by the other.

 the anti-malicious code software should be configured to:
– run full scans of servers daily
– run in real-time mode inside the agency firewall so that malicious and mobile
code infections are identified and cleaned immediately upon detection
– handle both spam and instant messaging traffic.
 a separate server or computer should be configured to sit inside the agency firewall in
real-time mode and scan all incoming and outgoing email attachments: if malicious code
is detected and the attachment can be cleaned, the message may be delivered; if it
cannot be cleaned, the message should be blocked
 the anti-malicious code software must be updated with new definition files and
scanning engines as soon as possible after vendors make them available
 the implemented anti-malicious code software should be regularly reviewed
 agencies should ensure that virus protection and recovery strategies are included in
risk management and business continuity plans.

Software authorisation policy


Agencies should establish a policy prohibiting the use and installation of software
not authorised by the agency, including user responsibilities with regard to downloading
software from the internet, email or media devices, in order to reduce the risk of malicious
code being introduced into agency systems via these mechanisms. See also IS38.

Education and awareness


Users must be educated about malicious code in general, the risks posed, virus symptoms
and warning signs including what processes should be followed in the case of a suspected
virus. Agencies should consider network broadcasts or a system for alerting users of virus
attacks. Ensuring that personnel are aware of their responsibilities when using the Internet
and the agency’s software authorisation policy will also reduce the risk of the introduction of
malicious code.
Further implementation guidance is available within:
 ISM
 IS38.

Infection handling procedures


The ISM provides some instructions on the handling of malicious code infections.

7.4.2 Mobile code


AS/NZS ISO/IEC 27002:2006 Information technology – Security techniques – Code of
practice for information security management defines mobile code as:
‘software code which transfers from one computer to another computer and then
executes automatically and performs a specific function with little or no user
interaction. Mobile code is associated with a number of middleware services. In
addition to ensuring that mobile code does not contain malicious code, control of
mobile code is essential to avoid unauthorised use or disruption of system, network,
or application resources and other breaches of information security.’
The following controls are recommended:
 blocking
 education and awareness.

Blocking
Agencies may wish to consider blocking the use and receipt of mobile code. However, this
should be balanced against the potential loss of business functionality. A middle ground
may be the blocking of mobile code for selected websites only. This approach must be
consistent with the agency’s internet acceptable use policy. See further IS38.
Agencies should be mindful that active content filters must be installed on a
gateway/firewall if they are to be effective.

Education and awareness


Users should be educated about mobile code in general including the risks posed.
Further implementation advice on mobile code controls is available in AS/NZS ISO/IEC
27002:2006 Information technology – Security techniques – Code of practice for
information security management.

7.4.3 Reporting malicious and mobile code incidents


In addition, agencies are required to establish reporting procedures for malicious and mobile
code incidents. For further advice on reporting such incidents see:
 Information Security Incident Category Guideline
 Information Security Event and Incident Management Guideline (not yet approved)
 AS/NZS ISO/IEC 18044:2006 Information technology – Security techniques –
Information security incident management.

7.5 Backup procedures


When establishing backup procedures and processes, agencies should consider the
following factors to minimise threats to the integrity and availability of information:
 backup information should be afforded appropriate controls (including physical and
environmental) commensurate with the information security classification of the
information assets involved
 backup cycles should be based on analysis of the business risk, the frequency with which
data and software change, and the criticality of the system to business operations.
The cycle should include, as a minimum:
– incremental daily backups of data, with full backups of data on a cycle deemed
appropriate by the IT manager but at least weekly
– backups of the complete operating system and applications on a cycle deemed
appropriate by the IT manager but at least monthly.
 a register of backups, including verification of their success, should be maintained
 restoration procedures should be documented and available to those that require them,
and at the location where the backups are held
 the means to recover the information is stored at the backup location or is at least
available from an identified source as required
 a cycle of backup media should be used for all backups (see also below regarding
business continuity and ICT disaster recovery)
 in addition to regular backup cycles, a system backup should be performed before and
after major changes to the operating system, system software or applications
 when upgrading technologies, agencies should ensure that existing backup data can still
be read in the new environment

 a cycle of regular tests should be implemented to verify that the system can be
recovered from the backups produced (see also below regarding business continuity
and ICT disaster recovery)
 backup media holding all information required to meet customer service, legal or
statutory obligations should be retained for as long as those obligations require
 effective backup procedures are important to ensure business continuity and the ability
to recover from disasters. For business continuity and ICT disaster recovery purposes:
– at least one copy in each backup cycle, together with the restoration procedures, should
be stored off-site in accordance with the business continuity and relevant ICT
disaster recovery plans
– regular tests (at least annually) should ensure that backup procedures meet the
requirements of business continuity and ICT disaster recovery plans
– see further section 11.
Queensland State Archives provides advice on risks associated with relying on backups as
evidence of business activity and the appropriate retention of backups. For further
information refer to the Queensland State Archives Public Records Brief: Management of
backups.
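The register, verification and restore-test points above are easier to see in working code. The following is an added example written for this guideline; it is not part of IS18 or of any Queensland Government tool. It keeps a minimal backup register with a per-file digest for each archive, stores the register alongside the media, and verifies a restore against it, refusing archive entries that could write outside the restore directory. Paths, archive naming, the tar format and the sample data are assumptions for illustration.

```python
# Added example for this guideline (not IS18 text or a Queensland Government tool).
# Paths, archive naming and the sample data are constructed assumptions.
import hashlib
import json
import os
import tarfile
import tempfile
from datetime import datetime, timezone


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src_dir, dest_dir, kind, register):
    """Archive src_dir and record the archive, its digest and a per-file
    manifest in the register. `kind` is e.g. "full" or "incremental"."""
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    archive = os.path.join(dest_dir, "%s-%s.tar" % (kind, stamp))
    manifest = {}
    with tarfile.open(archive, "w") as tar:
        for root, _dirs, files in os.walk(src_dir):
            for name in files:
                full = os.path.join(root, name)
                rel = os.path.relpath(full, src_dir)
                manifest[rel] = _sha256(full)
                tar.add(full, arcname=rel)
    entry = {"archive": archive, "kind": kind, "created": stamp,
             "archive_sha256": _sha256(archive), "files": manifest,
             "restore_verified": False}
    register.append(entry)
    return entry


def save_register(register, path):
    """Keep the register with the media, not only on the server being backed up."""
    with open(path, "w") as f:
        json.dump(register, f, indent=2)


def verify_restore(entry, restore_dir):
    """Restore into a scratch directory and compare every file digest with the
    register. Only a complete match marks the backup as verified."""
    if _sha256(entry["archive"]) != entry["archive_sha256"]:
        return False                      # damaged or substituted media
    with tarfile.open(entry["archive"]) as tar:
        for member in tar.getmembers():
            parts = member.name.split("/")
            if not member.isfile() or os.path.isabs(member.name) or ".." in parts:
                return False              # entry could escape restore_dir; refuse it
            target = os.path.join(restore_dir, member.name)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with tar.extractfile(member) as src, open(target, "wb") as dst:
                dst.write(src.read())
    ok = all(os.path.exists(os.path.join(restore_dir, rel))
             and _sha256(os.path.join(restore_dir, rel)) == digest
             for rel, digest in entry["files"].items())
    entry["restore_verified"] = ok
    return ok


def run_demo():
    """Constructed scenario: back up two files, verify the restore, then
    corrupt the archive and verify again. Returns (first_ok, second_ok)."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "data")
        os.makedirs(os.path.join(src, "sub"))
        with open(os.path.join(src, "records.csv"), "w") as f:
            f.write("id,name\n1,constructed sample\n")
        with open(os.path.join(src, "sub", "config.ini"), "w") as f:
            f.write("[app]\nlevel=PUBLIC\n")
        dest = os.path.join(work, "backups")
        os.makedirs(dest)
        register = []
        entry = make_backup(src, dest, "full", register)
        save_register(register, os.path.join(dest, "register.json"))
        first = verify_restore(entry, os.path.join(work, "restore-1"))
        with open(entry["archive"], "ab") as f:   # simulate damaged media
            f.write(b"\0")
        second = verify_restore(entry, os.path.join(work, "restore-2"))
        return first, second


if __name__ == "__main__":
    print("verified before / after corruption:", run_demo())
```

The restore test is what turns a "backup taken" register line into a "backup verified" one; a register that records only that the job ran says nothing about whether the media can be read back.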

7.6 Network security


Network security management is critical to the overall security of the agency information
environment. Agencies should ensure that appropriate governance and controls are in
place to protect networks from internal and external threats including intrusion, disruption or
exposure through malicious or accidental action. These controls should be commensurate
with the highest level of security classification applied to the information assets contained
within the network, and transported between agency gateways. Where possible the
application and monitoring of network security controls should be automated in order to
address scalability requirements and to reduce costs. Processes in place for secure
network management include but are not limited to:
 designing networks, including their infrastructure, with controls appropriate to the entity
 for all ICT assets that provide services accessible from outside Queensland Government’s
internal networks it is recommended that:
– these are isolated in a separate security domain, called a demilitarised
zone (DMZ)
– the DMZ is secured with controls commensurate with the highest level of
information security classification of the information assets stored within or
transiting the DMZ, including defence-in-depth deployments, firewalls, intrusion
detection and prevention systems (IDP), monitoring and reporting
– business requirements for access controls for all ICT assets within the DMZ are
identified and implemented.
 maintaining current documentation for network and gateway systems, including firewall
and security device configurations and ensuring that only staff with a need to know
have access to this documentation
 security configuration management and software updates
 monitoring and analysis of logs from firewalls for security breaches

 alerts for detected breaches and intrusion attempts, and a documented response
process
 regular testing of network security.
Agencies are to note that the Queensland Government Consolidated Infrastructure (QGCI)
as delivered by the Foundation Infrastructure Project (FIP), will be provisioning an IDP
service and a multi-tenanted security information and event management solution, and
offering these services to agencies that migrate to this new whole-of-Government solution.
Agencies wishing to utilise these technologies within their own network management
domain, should seek guidance from the QGCTO on the interoperability with the QGCI
solution; however, the preference is for agencies to consume whole-of-Government
services provided by CITEC.
Further implementation guidance is available within the NTSAF.

7.6.1 Firewalls
Agencies should implement firewalls:
 at the network perimeter to prevent unauthorised access to agency networks
 on the internal network and on servers (depending on the agency’s network security
architecture).
Agencies should document tightly defined firewall rules that match network access
requirements. This documentation should be stored in a secure location and made known only
to those employees with a need to know. Agency change control and configuration processes must include
consideration of any required changes to agency firewall rules to ensure ongoing
appropriate firewall protection. Reviews of firewall rules should be scheduled on a regular
basis.
Agency firewall and gateway architecture should also be subject to regular tests, to identify
any security weaknesses. Agencies should report the results of these tests and any
corrective actions to the information security governance body.
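An added example, not part of IS18 or of any agency system, of the log monitoring and firewall rule review points above: it runs simple detection logic over constructed firewall deny-log lines and flags an ACCEPT rule that matches any source, destination and port. The log format, host names, addresses, rule fields and thresholds are assumptions for illustration; real gateways log in their own formats and a production detector would read them from the SIEM.

```python
# Added example for this guideline (not IS18 text or an agency tool).
# Log format, addresses, rule fields and thresholds are constructed assumptions.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed syslog-style record: "<iso-ts> <host> fw: <ACTION> proto=.. src=.. dst=.. dport=.."
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) fw: (?P<action>ACCEPT|DENY) "
    r"proto=(?P<proto>\w+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$"
)

# Constructed sample: one source probes six ports in four seconds; another is
# denied once and accepted once, which is normal noise.
SAMPLE_LOG = """\
2010-11-01T09:00:01 gw1 fw: DENY proto=tcp src=203.0.113.7 dst=10.0.0.5 dport=21
2010-11-01T09:00:02 gw1 fw: DENY proto=tcp src=203.0.113.7 dst=10.0.0.5 dport=22
2010-11-01T09:00:02 gw1 fw: DENY proto=tcp src=203.0.113.7 dst=10.0.0.5 dport=23
2010-11-01T09:00:03 gw1 fw: DENY proto=tcp src=203.0.113.7 dst=10.0.0.5 dport=25
2010-11-01T09:00:03 gw1 fw: DENY proto=tcp src=203.0.113.7 dst=10.0.0.5 dport=80
2010-11-01T09:00:04 gw1 fw: DENY proto=tcp src=203.0.113.7 dst=10.0.0.5 dport=443
2010-11-01T09:00:05 gw1 fw: ACCEPT proto=tcp src=198.51.100.9 dst=10.0.0.5 dport=443
2010-11-01T09:30:00 gw1 fw: DENY proto=tcp src=198.51.100.9 dst=10.0.0.5 dport=3389
"""


def parse(text):
    """Parse log text into event dicts; malformed lines are dropped, not guessed at."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"])
        e["dport"] = int(e["dport"])
        events.append(e)
    return events


def detect_port_scans(events, window=timedelta(seconds=60), min_ports=5):
    """Alert when one source is denied on at least `min_ports` distinct ports
    of one destination within `window`. Returns a list of alert dicts."""
    denies = defaultdict(list)
    for e in events:
        if e["action"] == "DENY":
            denies[(e["src"], e["dst"])].append((e["ts"], e["dport"]))
    alerts = []
    for (src, dst), hits in denies.items():
        hits.sort()
        for i, (start, _port) in enumerate(hits):
            ports = {p for t, p in hits[i:] if t - start <= window}
            if len(ports) >= min_ports:
                alerts.append({"type": "port_scan", "src": src, "dst": dst,
                               "start": start, "ports": sorted(ports)})
                break  # one alert per source/destination pair
    return alerts


def overly_broad_rules(rules):
    """Rule review: ids of ACCEPT rules matching any source, any destination
    and any port, which rarely reflect a documented business requirement."""
    return [r["id"] for r in rules
            if r["action"] == "ACCEPT"
            and r["src"] == "any" and r["dst"] == "any" and r["dport"] == "any"]


# Constructed rule base for the review check (not a real agency rule set).
SAMPLE_RULES = [
    {"id": 10, "action": "ACCEPT", "src": "any", "dst": "10.0.0.5", "dport": "443"},
    {"id": 20, "action": "ACCEPT", "src": "any", "dst": "any", "dport": "any"},
    {"id": 30, "action": "DENY", "src": "any", "dst": "any", "dport": "any"},
]

if __name__ == "__main__":
    for alert in detect_port_scans(parse(SAMPLE_LOG)):
        print("ALERT", alert)
    print("over-broad ACCEPT rules:", overly_broad_rules(SAMPLE_RULES))
```

The thresholds (five ports in sixty seconds) are deliberately simple; what matters is that the detector works from denied connections the firewall already logs, so the alert and the documented response process in the list above can be exercised before any intrusion prevention product is bought.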

7.7 Media handling


The level of controls to be applied to agency media depends on the security
classification assigned to that media under the QGISCF. The QGISCF and the QGISCS
provide some guidance with regard to the following controls:
 preparation and handling
 removal from workplace and monitoring
 copying and storage
 archive and disposal.
Agency risk assessments may identify the need for additional information security controls
for media.
In the absence of advice within the QGISCF, agencies should refer to the ISM.
Note that the Queensland Government is not legislatively obliged to comply with the ISM.
However, the Queensland Government is a signatory to a Memorandum of Understanding
that commits it to engage in practices consistent with this manual.

7.8 Information exchange


To ensure the security of information exchanged within the agency and with external
parties, including online information systems, the agency should ensure information
handling and exchange procedures are established in line with the:
 QGISCF
 QGISCS
 Queensland Government Authentication Framework (QGAF)
 NTSAF.
See also IS44.

7.8.1 Email
Email has become a critical business enabler, with information included in emails often
traversing public, untrusted or uncontrolled networks such as the internet.
Agencies should ensure that information within emails is appropriately protected and that
email use does not increase the agency’s risk exposure by:
 ensuring staff have clear guidelines regarding the use of email for sensitive or security
classified information
 ensuring that access to email systems requires authentication (this may be satisfied by the
password entered at network logon)
 prohibiting the use of scanned signatures (they can be cut and pasted to give the
appearance that a document was signed officially)
 acknowledging that email communication is not private: any opinions expressed via
external email, where they are not related to the conduct of business, should be noted
as individual opinions and not those of the organisation by inclusion of a disclaimer.
For example:
“This email, together with any attachments, is intended for the named
recipient/s only.
If you have received this message in error, you are asked to inform the sender
as quickly as possible and delete this message and any copies of this
message from your computer system or network. Any form of disclosure,
modification, distribution and/or publication of this email message is
prohibited. Unless stated otherwise, this email represents only the views of
the sender and not the views of the Department of xxxxx.”
 ensuring email systems are backed-up and maintained in accordance with operational
system management standards
 ensuring the evidentiary value of electronic message transactions, and the general
reliability and availability of the electronic messaging system is maintained. For
Queensland Government policy on implementation advice on emails that are public
records, agencies should refer to the Queensland State Archives’ Managing emails that
are public records policy and guideline.
Agencies should refer to IS38 for further advice regarding email policy.
Further advice on email transmission is available within the references listed in section 7.8
above.

7.9 eCommerce
7.9.1 eCommerce and online transactions
All agency eCommerce and online transactions and services must be assessed against and
consistent with the requirements of QGAF and NTSAF.
Further implementation advice is available within:
 AS/NZS ISO/IEC 27001:2006 Information technology – Security techniques –
Information security management systems – Requirements
 AS/NZS ISO/IEC 27002:2006 Information technology – Security techniques – Code of
practice for information security management
 PCI Data Security Standard (PCI DSS) for payment account data security.

7.9.2 Publicly available information


Internet security is a critical current and ongoing security issue for agencies. The internet
creates a window into the agency network that opens up the potential for unauthorised
access and security threats to the confidentiality, integrity and availability of its information
and all information facilities.
Agencies should assess their internet security requirements and develop policies and
controls to manage all aspects of online and internet activities. The issues to take into
consideration are numerous, however, a few of the points to assess include:
 anonymity and privacy including the requirements of the Information Privacy Act 2009
 data confidentiality
 use of cookies
 applications and plug-ins
 type of language to be used
 practices for downloading executables
 web server security configuration and auditing
 access controls
 use of data encryption.
Impact and risk assessments should be conducted on all web security controls on a regular,
if not on-going basis, and external expert advice should be sought where possible.

7.10 Information processing monitoring


Agencies are required to ensure that audit logs of user activities, exceptions and
information security events are produced, maintained and monitored.
Agencies need to ensure that their system and user monitoring activities are in line with all
legislative obligations and the risk the system or activities pose to the security of the
environment. Agencies should refer to IS38 for further information regarding the monitoring
of communications including email and the Information Privacy Act 2009 for obligations
regarding the protection of personal information.
Audit, fault, administrator and operator logs should be produced, maintained and monitored
on a regular basis to assist in maintaining the security of the agency information
environment.

Logging facilities and log information should:
 be protected against tampering and unauthorised access
 collect at a minimum the auditing requirements specified in the QGISCS and may in
addition collect the following:
– user IDs
– dates and times of key activities
– the identity and location of the computer
– network addresses and protocols
– system alerts or failures
– activation and deactivation of anti-virus and intrusion detection and prevention systems [2]
 be retained as a record and/or in compliance with requirements to collect and retain
evidence.
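An added example for the tamper-protection point above; it is not IS18 text or an agency product. It records the fields listed in a hash-chained audit log, so that editing, reordering or deleting an earlier entry breaks every later link, and its verification routine reports the first altered entry. Because a chain alone cannot detect removal of the newest entries, the current head hash is exported as a checkpoint to be kept on a separate system. Field names and the sample events are constructed assumptions.

```python
# Added example for this guideline (not IS18 text or an agency product).
# Field names and sample events are constructed for illustration.
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # anchor for the first entry's "prev" link


def _digest(record):
    """SHA-256 over the canonical JSON of every field except the hash itself."""
    body = {k: v for k, v in record.items() if k != "hash"}
    canon = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode()).hexdigest()


class AuditLog:
    """Append-only log whose entries are chained by hash."""

    def __init__(self):
        self.entries = []
        self.head = GENESIS

    def append(self, user_id, host, src_ip, event, ts=None):
        ts = ts or datetime.now(timezone.utc)
        record = {
            "ts": ts.isoformat(),   # date and time of the activity
            "user_id": user_id,     # who
            "host": host,           # identity of the computer
            "src_ip": src_ip,       # network address
            "event": event,         # logon, alert, failure, protection deactivated ...
            "prev": self.head,      # link to the previous entry
        }
        record["hash"] = _digest(record)
        self.entries.append(record)
        self.head = record["hash"]
        return self.head

    def checkpoint(self):
        """Value to copy to a separate system (e.g. the SIEM) after each batch;
        without it, truncating the tail of the log is undetectable."""
        return self.head

    def verify(self, expected_head=None):
        """None if the chain is intact; otherwise the index of the first entry
        that fails, where len(entries) means the tail was truncated or replaced."""
        prev = GENESIS
        for i, rec in enumerate(self.entries):
            if rec["prev"] != prev or _digest(rec) != rec["hash"]:
                return i
            prev = rec["hash"]
        if expected_head is not None and prev != expected_head:
            return len(self.entries)
        return None


def demo():
    """Constructed scenario: two entries, then someone rewrites the second one."""
    t = datetime(2010, 11, 1, 9, 0, tzinfo=timezone.utc)
    log = AuditLog()
    log.append("jdoe", "ws-017", "10.1.2.3", "logon", ts=t)
    log.append("jdoe", "ws-017", "10.1.2.3", "anti-virus deactivated", ts=t)
    cp = log.checkpoint()
    before = log.verify(cp)
    log.entries[1]["event"] = "anti-virus updated"   # tamper with an entry
    return before, log.verify(cp)


if __name__ == "__main__":
    print("verify before / after tampering:", demo())
```

A chain on the logging host protects against edits by someone who cannot also recompute every later hash; an administrator of that host can. That is why the checkpoint, or the log itself, should be shipped to a collector the administrator does not control, which is the role the multi-tenanted security information and event management service mentioned in section 7.6 would play.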
For further guidance agencies should refer to:
 AS/NZS ISO/IEC 27001:2006 Information technology – Security techniques –
Information security management systems – Requirements
 AS/NZS ISO/IEC 27002:2006 Information technology – Security techniques – Code of
practice for information security management
 IS40 Recordkeeping
 IS31 Retention and disposal of public records
 HB 171-2003 Guidelines for the management of IT evidence.

[2] AS/NZS ISO/IEC 27002:2006 Information technology – Security techniques – Code of practice for information security
management, pp. 55-56.

8 Access management
8.1 Access control policy
The agency’s access control policy should address and detail access control rules and
rights for each group of users. Generally these should be based on the principle that
access is forbidden unless expressly permitted (default deny), while ensuring that business
requirements are met.
Access controls need to be consistent with policy and legal requirements. The overall
framework for access rights should be reviewed on a regular basis to confirm that the rights
remain appropriate.

8.2 Authentication
Authentication codes (such as passwords) should be changed whenever there is an indication
of possible compromise of the system or of the authentication code itself.
QGAF provides a process and a set of definitions which will allow agencies, as service
providers, to evaluate the risk associated with their services and determine the appropriate
level of authentication assurance required. Agencies should refer to the QGAF series of
documents for detailed information regarding authentication management.
Agencies are also required to align with the Identity and Access Management Policy and
meet the targets within its accompanying position.

8.3 User access


8.3.1 User registration
User access rights should be in accordance with information owner requirements and
should be authorised by the user’s manager before the user is granted access to the
information or system. The manager should ensure that the user has a sufficient
understanding of the system before approving access rights.
Access control mechanisms should be used to restrict access to all computer systems,
including hardware, software and data.
If user authentication is based upon passwords, the following controls should be considered:
 the user should be required to change temporary passwords at the first logon
(temporary passwords being valid for one day only)
 users should be required to change their authentication code after a predetermined
period of time, through either automatic or manual means, and should not be allowed to
reuse an authentication code within at least 13 change cycles
 the account should be locked after three consecutive failed logon attempts
 where passwords are used for authentication, users should be educated in selecting and
using passwords.
All user access should default to denial of access (fail closed) when the computer or
network access control system malfunctions.
All changes to an employee’s user duties should be reflected in their access control rights.
Changes should be carried out on a timely basis. Access privileges should be disabled or
modified when users change jobs, or leave the agency permanently, or are on leave for a
prolonged period.

User access rights should be subject to regular review using a formal process. Agencies
should consider reviewing, and possibly disabling, access rights that have not been used
within the last 30 calendar days.
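An added example, not IS18 text or any agency system, that encodes the password controls of this section in one account model: one-day temporary passwords that must be changed at first logon, a 13-entry password history, lockout after three consecutive failed attempts, fail-closed behaviour when the access control backend is unavailable, and a dormant-account check for the 30-day review. IS18 leaves the password change period to the agency, so the 90-day maximum age and the hashing parameters below are assumptions.

```python
# Added example for this guideline (not IS18 text or an agency system).
# IS18 fixes the 1-day temporary password life, the 13-cycle history, the
# 3-attempt limit and the 30-day dormancy review; the other constants are assumed.
import hashlib
import hmac
import os
from datetime import datetime, timedelta

MAX_FAILED_ATTEMPTS = 3
PASSWORD_HISTORY = 13
TEMP_PASSWORD_LIFE = timedelta(days=1)
MAX_PASSWORD_AGE = timedelta(days=90)   # assumed "predetermined period"
DORMANT_AFTER = timedelta(days=30)
PBKDF2_ROUNDS = 50_000                  # assumed; tune upwards for production
T0 = datetime(2010, 11, 1, 9, 0)        # fixed clock for the constructed scenario
DAY = timedelta(days=1)


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class Account:
    def __init__(self, user_id, temp_password, now):
        self.user_id = user_id
        self.history = []        # (salt, digest) pairs, newest last; never plaintext
        self.enabled = True
        self.locked = False
        self.failed = 0
        self.last_used = now
        self.set_password(temp_password, now, temporary=True)

    def set_password(self, password, now, temporary=False):
        for salt, digest in self.history:   # history check covers the last 13 passwords
            if hmac.compare_digest(_hash(password, salt), digest):
                raise ValueError("password reused within the last %d changes" % PASSWORD_HISTORY)
        salt = os.urandom(16)
        self.history = (self.history + [(salt, _hash(password, salt))])[-PASSWORD_HISTORY:]
        self.password_set = now
        self.temporary = temporary          # a temporary password must be changed at first logon

    def logon(self, password, now, backend_ok=True):
        """Return "ok", "change-password-required" or a "denied: ..." reason."""
        if not backend_ok:
            return "denied: access control system unavailable"   # fail closed
        if not self.enabled or self.locked:
            return "denied: account disabled or locked"
        salt, digest = self.history[-1]
        if not hmac.compare_digest(_hash(password, salt), digest):
            self.failed += 1
            if self.failed >= MAX_FAILED_ATTEMPTS:
                self.locked = True
                return "denied: account locked"
            return "denied: bad credentials"
        self.failed = 0
        if self.temporary and now - self.password_set > TEMP_PASSWORD_LIFE:
            return "denied: temporary password expired"
        self.last_used = now
        if self.temporary or now - self.password_set > MAX_PASSWORD_AGE:
            return "change-password-required"
        return "ok"


def dormant_accounts(accounts, now):
    """Accounts to review (and possibly disable) at the periodic access review."""
    return [a.user_id for a in accounts if a.enabled and now - a.last_used > DORMANT_AFTER]


if __name__ == "__main__":
    acct = Account("jdoe", "Temp-1234", T0)
    print(acct.logon("Temp-1234", T0))          # change-password-required
    acct.set_password("Str0ng-pass!", T0)
    print(acct.logon("Str0ng-pass!", T0))       # ok
    print(dormant_accounts([acct], T0 + 31 * DAY))
```

The same model gives the access review of section 8.3.1 something concrete to query: the review lists accounts whose last successful logon is older than 30 days, and the lockout and temporary-password checks run before the account is ever marked as used.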

8.3.2 Privilege management


The use of special privileges should be restricted and controlled, as the unnecessary
allocation or unauthorised use of special privileges is a major contributing factor in system
security failures. Special privileges include:
 high privilege users (for example administrator/supervisor access rights)
 security administration (for example security administrator)
 root access/operating system access
 network management access
 database administration.

8.4 User responsibilities


Users should be made aware of their responsibilities with regard to system access
including:
 following the password policy and processes
 securing unattended equipment
 keeping a clear desk and screen. [3]

8.5 Network access


In relation to controlling unauthorised network access agencies should consider
implementing:
 network access control policies and software
 gateway and firewall technologies for filtering and controlling traffic.

8.5.1 Remote network access


To minimise risks from external connections, agency remote access processes should at a
minimum:
 register all persons with remote access privileges
 log all remote access attempts and activity
 ensure all users are authenticated before access to the network is granted.

8.6 Operating system access


Agencies should implement controls to prevent unauthorised access to operating systems.
The following should be considered:
 implementation of secure log-on procedures for operating systems, including:
– ensuring that minimal information about the system is disclosed before a successful logon
– validating the logon only once all credentials have been entered, so that a failure does
not reveal which part was incorrect.
 assigning all users with a unique identifier (user ID) and a suitable authentication
technique to substantiate identity claims
 not reassigning user IDs, instead disabling the user ID when no longer required
 managing password quality with a formal system

[3] AS/NZS ISO/IEC 27002:2006 Information technology – Security techniques – Code of practice for information security
management, p. 63.

 restricting and controlling the use of systems that may have the capability of overriding
system and application controls
 shutting down sessions after a defined period of inactivity
 limiting user connection times where appropriate.
Further implementation advice is available within AS/NZS ISO/IEC 27002:2006 Information
technology – Security techniques – Code of practice for information security management.

8.7 Application and information access


Agencies should consider implementing controls that assist in restricting access to
information within applications, by the use of menus and controlling access rights (eg. read,
write, delete).
Access to system utilities that may be used to alter data or program code should be kept to
a minimum, with all system master passwords restricted to, and maintained by, system
owners or their appointees.
Remote access support applications and utilities should only be provided to authorised
information systems support personnel. Policies should also be in place for the
configuration of such systems.
All vendor and default passwords should be changed before an application goes into
operation.

8.8 Mobile computing and telework access


Risk assessments and policies and processes for mobile computing and telework access
should consider:
 physical security of the site
 security of the telecommunications link
 lack of control of information, for example, access by family or friends
 increased risk of disclosure or unauthorised use of information
 increased risk of unauthorised access to agency network and systems
 support and maintenance of hardware and software updates
 backup procedures
 access security aspects (such as writing down of instructions for login including
passwords).
Further details on movement of information assets outside the agency can be found in the
QGISCF.

8.8.1 Using privately owned equipment


To ensure the integrity of government networks privately owned devices (eg. home
computers) should not be connected to agency networks unless either:
 specific technology has been implemented to ensure security for the agency
 detailed risk assessments are conducted to assess all security impacts.
Detailed risk assessments must include all aspects of information security including:
 authentication measures
 access controls
 virus and malicious code
 physical and personnel security.

9 System acquisition, development and maintenance


9.1 System security requirements
Security requirements and specifications should be addressed and agreed for any new or
improved system in the initial stages of development, or acquisition. These requirements
should identify and address any potential risks, vulnerabilities and/or conflicts with existing
systems or business processes. Where possible, authentication should be managed
through a separate enterprise directory product. Where appropriate, agencies should also
consider seeking independent evaluation or security certification of systems.
Agencies should ensure that applications which are to be implemented into the web
environment undergo a stringent risk assessment process in the development phase and
during the life of the application to ensure appropriate security controls are in place.
Agencies should also ensure that patch management issues are assessed and considered
prior to the implementation of systems and, in the case of developed applications, that
periodic code reviews are incorporated into security maintenance.

9.2 Correct processing


Agencies should ensure that implementation policies and processes outlining the practices
for input validation, internal processing checks and controls, message authentication
techniques and output data validation are in place to ensure appropriate security of all
application and systems development. These processes should be in accordance with the
risks associated with the system data and its security classification. Audit trails and activity
logs should also be written into applications for the validation of data and internal
processing.
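The four practices named in 9.2 (input validation, an internal processing check, message authentication and output validation) can be seen together in a single small pipeline. The following Python block is an added illustration written for this guideline page, not code from the standard or from any Queensland Government system; the "record" message format, the field whitelist, the shared key and the in-memory audit list are all constructed assumptions for the example.

```python
import hashlib
import hmac
import html
import json
import re
from datetime import datetime, timezone

# Constructed example key. A real deployment loads it from a key store, never from source.
SHARED_KEY = b"example-shared-key-not-for-production"

# Input validation whitelist for the hypothetical "record" message used in this example.
# The classification values are example labels only.
FIELD_RULES = {
    "record_id": re.compile(r"^[0-9]{1,10}$"),
    "classification": re.compile(r"^(PUBLIC|UNCLASSIFIED|X-IN-CONFIDENCE|PROTECTED)$"),
    "title": re.compile(r"^[A-Za-z0-9 ,.'-]{1,80}$"),
}

AUDIT_LOG = []        # audit trail; a real application writes to append-only storage
PROCESSED_IDS = set() # state for the internal processing (duplicate/replay) check


def audit(event, **details):
    """Append a timestamped audit record so validation and processing can be reviewed."""
    entry = {"ts": datetime.now(timezone.utc).isoformat(), "event": event, **details}
    AUDIT_LOG.append(entry)
    return entry


def validate_input(fields):
    """Return the names of fields that are missing, malformed or unexpected."""
    errors = [name for name, pattern in FIELD_RULES.items()
              if not isinstance(fields.get(name), str) or not pattern.fullmatch(fields[name])]
    errors.extend(sorted(set(fields) - set(FIELD_RULES)))
    return errors


def sign_message(payload):
    """Message authentication: HMAC-SHA256 over a canonical JSON encoding of the payload."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(SHARED_KEY, body, hashlib.sha256).hexdigest()


def verify_message(payload, tag):
    """Constant-time comparison so the tag cannot be guessed byte by byte."""
    return hmac.compare_digest(sign_message(payload), tag)


def process_message(payload, tag):
    """Authenticate, validate input, run the processing check, then validate output."""
    if not verify_message(payload, tag):
        audit("auth_failed")
        return "rejected_auth", None
    errors = validate_input(payload)
    if errors:
        audit("validation_failed", fields=errors)
        return "rejected_input", None
    record_id = int(payload["record_id"])
    # Internal processing check: the same record must not be accepted twice.
    if record_id in PROCESSED_IDS:
        audit("duplicate_record", record_id=record_id)
        return "rejected_processing", None
    PROCESSED_IDS.add(record_id)
    output = {
        "record_id": record_id,
        "classification": payload["classification"],
        "title": html.escape(payload["title"]),  # encode for an HTML consumer
    }
    # Output validation: confirm nothing remains that could break the consuming context.
    if any(ch in output["title"] for ch in "<>\"'"):
        audit("output_validation_failed", record_id=record_id)
        return "rejected_output", None
    audit("record_processed", record_id=record_id)
    return "accepted", output


if __name__ == "__main__":
    msg = {"record_id": "7", "classification": "PROTECTED", "title": "Budget summary"}
    print(process_message(msg, sign_message(msg)))
    print(json.dumps(AUDIT_LOG, indent=2))
```

Each rejection path writes its own audit event, so the log alone shows whether a message failed authentication, validation or the processing check, which is the kind of evidence 9.2 expects applications to produce.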

9.3 Cryptographic controls


In order to provide a trusted communications channel over untrusted communication paths,
cryptographic algorithms are a recommended control set. Further information on
cryptographic controls can be located in the NTSAF.

9.4 System files


Operational software should be maintained at a level supported by the supplier and ideally
maintained to the latest available patch level. Appropriate testing, planning and migration
control measures should be carried out when upgrading patches or installing new software
versions to ensure the overall security of the agency operational environment is not
adversely impacted. The testing of systems and data should be controlled and monitored
especially where operational data sets are used.
Access controls should be implemented to ensure restricted access to all systems and
applications including system source code.
Agencies should be mindful that they must retire or replace software that is approaching
end of mainstream support as per the Software currency policy and the targets within the
Software currency position.


9.5 Secure development and support processes


Policies and processes should be in place for control of changes to operational applications
including version control for software upgrades. To minimise threats to the operational
environment, agencies should undertake activities that include, but are not limited to, ensuring:
 adequate testing and change control mechanisms are in place for the migration of new
or modified systems into the operational environment
 that the information environment is managed so that future expansions or changes can
be accommodated and do not adversely impact the operational environment.
For further information on change management see the ICT Infrastructure change
management guideline.

9.6 Technical vulnerability management


As a first step, agencies should ensure that they have a current and complete register of
application and technology assets including vendor, version numbers, current state of
deployment and contacts for persons responsible for the asset (agency ICT Baseline data
may be a useful starting point). Agencies should refer to AS/NZS ISO/IEC 27002:2006
Information technology – Security techniques – Code of practice for information security
management which provides guidance on establishing effective management processes for
technical vulnerabilities.
Agencies should be mindful that the Foundation Infrastructure Project (FIP) is investigating
options for the supply of enterprise management software for the whole-of-Government ICT
infrastructure, which includes patch vulnerability management software.


10 Incident management
When addressing information security incident management, agencies should be mindful
that the Queensland Government Chief Technology Office (QGCTO) is establishing a
virtual response team (VRT) that will include representatives from participating agencies.
The VRT is being established to assist any agency requesting analysis and potential
resolution of incidents of a significant nature only. Expertise may be drawn from resources
external to the Queensland Government if required.
It should be noted that the VRT is a consultative service only; responsibility for successful
resolution, including payment for external resources, will be borne by the requesting agency.
CITEC, as the mandated whole-of-Government service provider, has also negotiated a
Standing Offer Arrangement (SOA) for the procurement of Security Information and Event
Management (SIEM) technology. A SIEM can be utilised for managing event and log
information from all agency network devices, and offers the ability to assist with the analysis
of events and incidents, as well as automating the process of generating reports. The SIEM
technology can either be purchased by an agency or managed by CITEC on behalf of an
agency.

10.1 Event/weakness reporting


When agencies are developing their policies and/or procedures for information security
event and weakness reporting, the following guidelines should be taken into consideration:
 Information Security Incident Category Guideline
 Information Security Event and Incident Management Guideline (not yet approved)
 AS/NZS ISO/IEC 18044:2006 Information technology – Security techniques –
Information security incident management.

10.2 Incident procedures


When agencies are developing procedures to manage information security incidents, the
following guidelines should be taken into consideration:
 Information Security Event and Incident Management Guideline (not yet approved)
 Information Security Incident Category Guideline
 AS/NZS ISO/IEC 18044:2006 Information technology – Security techniques –
Information security incident management
 Information Security Internal Governance Guideline
 Australian Standards HB 171-2003 Guidelines for the management of IT evidence.
For information security incidents that involve breaches of privacy, agencies should refer to
the:
 Information Privacy Act 2009
 OIC's Privacy breach management and notification guideline
 Privacy Act 1988 (Cth)
 Australian Government Office of the Privacy Commissioner’s Guide to handling
personal information security breaches.

Under IS18 agencies must establish and maintain an information security incident and
response register and record all incidents. The register may be created manually or linked
with existing business process tools, such as an Information Technology Infrastructure
Library (ITIL) compliant ticketing system.
QGCTO is currently implementing a strategic whole-of-Government information security
management service with CITEC, which will introduce new Security Information and Event
Management (SIEM) technology to assist with the collation and summarisation of events
and incidents, including the generation of reports. As part of the migration strategy for
agencies to consume whole-of-Government services, QGCTO will work with agencies in
understanding the benefits of adopting a SIEM service. This will include understanding the
benefits of utilising a SIEM in maintaining a register and the ability to provide more accurate
and timely reporting.


11 Business continuity management


11.1 Business continuity
Agency business continuity plans should be reviewed and tested on a regular basis to
ensure that all current business and ICT systems and infrastructure are accounted for.
When developing the agency testing strategy, the importance of each system to the
business operations and the ability to recover it within the time frames required by users
should determine the extent of the testing. Business continuity plans should ensure that
information security controls are maintained and this should be within scope of the testing
strategy.
Agencies should also review their plans and strategies after any significant disruption to,
or failure of, information services in order to ascertain the cause, assess the remedy and
ensure procedures are adjusted to reduce the likelihood of any repeat occurrence. For
further information, please refer to:
 Business continuity plan documentation guideline (Queensland Government
employees only)
 Queensland Government guide for business continuity planning (Queensland
Government employees only)
 Australian Standards HB:221:2004 Business continuity management.

11.2 Disaster recovery


To ensure the availability of information, and ICT systems and services following a disaster,
agencies need to document information and ICT disaster recovery plans.
When documenting agency information and ICT disaster recovery arrangements, agencies
should refer to the ICT asset disaster recovery planning guideline. The plans should ensure
that information security controls are recovered as part of the plan.
When developing information risk management strategies to assess the vulnerability of
information and ICT assets and the impact on these assets as a result of a security failure
or a disaster, agencies should consider adapting the AS/NZS ISO 31000:2009 Risk
management – Principles and guidelines. Further information can also be found in the
Information risk management best practice guide.
It is a requirement of IS18 that agencies ‘establish an information and ICT asset disaster
recovery register to assess and classify systems to determine their criticality’. Note that this
register does not need to be a new register, agencies are free to utilise existing registers
that they may have provided that they assess and classify information and ICT assets to
determine their criticality.
Requirements and advice regarding disaster recovery for public records is available from
Queensland State Archives.


12 Compliance management
12.1 Legal requirements
A summary of information security related legal requirements is included in Appendix A.
However, this is no replacement for agencies seeking legal advice on the specific legal
requirements that apply to them from their internal legal section.

12.2 Policy requirements


Information security policies, procedures and compliance should be reviewed and reported
on to appropriate management at least annually to ensure the reliability and overall
effectiveness of the security controls for all information systems, networks infrastructures
and applications.

12.3 Audit requirements


Agencies should ensure that appropriately qualified personnel are assigned to audit the
compliance of the information environment against agency policies, processes and industry
technical standards to ensure appropriate security levels are maintained. These personnel
should, where practical, not be involved in the operational information or systems
environment of the agency.


13 Reporting requirements
13.1 Event and incident information
Under IS18 agencies must submit their Security Event and Incident Management
information to the QGCTO. Actual reporting requirements may evolve over time as the
process matures.
In the interim, the QGCTO is in the process of establishing a Virtual Response Team and
gathering business requirements for a whole-of-Government AusCERT subscription
service. QGCTO is currently working with CITEC and a large agency to implement the
SIEM technology chosen as part of the FIP tender.
As soon as these technologies, processes and services are in place, consultation with
agencies will commence on determining the level of detail for events and incidents that will
be reported to QGCTO on an ongoing monthly basis.

13.2 VRT communication alerts


Under IS18 agencies must send Virtual Response Team communication alerts to all
agencies as directed by the QGCTO. Actual reporting requirements will evolve over time as
the process matures. After the whole-of-Government Virtual Response Team is
established, further information will be provided on the level of detail for events and
incidents that will be reported to QGCTO.
The intent of this communication forum is to have agencies participate in the notification of
observed security events and incidents and to share information in order to both contain
and resolve incidents in a timely manner. There is no requirement to divulge any sensitive
information that may cause distress to the participating agencies.


Appendix A Information security related legislation and standards
This appendix provides a summary of some of the information security related obligations that
apply to Queensland Government agencies.
The contents of this appendix do not constitute legal advice and should not be relied on as a
comprehensive statement of information security legislative obligations.

A.1 Legislation
 Criminal Code Act 1995 (Cth)
 Electronic Transactions Act 1999 (Cth)
 Electronic Transactions (Queensland) Act 2001 (Qld)
 Evidence Act 1977
 Financial Accountability Act 2009 (Qld)
 Financial and Performance Management Standard 2009 (Qld)
 Information Privacy Act 2009 (Qld)
 Privacy Act 1988 (Cth)
 Public Records Act 2002 (Qld)
 Public Sector Ethics Act 1994 (Qld)
 Public Service Act 2008 (Qld)
 Right to Information Act 2009 (Qld)
 Telecommunications Act 1997 (Cth)
 Telecommunications (Interception and Access) Act 1979 (Cth).

A.2 International /Australian standards and guidelines


 AS 2834-1995 Computer accommodation
 AS/NZS ISO/IEC 27001:2006 Information technology – Security techniques –
Information security management systems – Requirements
 AS/NZS ISO/IEC 27002:2006 Information technology – Security techniques – Code of
practice for information security management
 AS/NZS ISO/IEC 18044:2006 Information technology – Security techniques –
Information security incident management
 AS/NZS ISO 31000:2009 Risk management – Principles and guidelines
 Australian Standards HB 171:2003 Guidelines for the management of IT evidence
 Australian Standards HB:221:2004 Business continuity management
 Queensland Government Counter Terrorism Strategy 2008-2012 – Department of
Premier and Cabinet (function now residing in Queensland Police Service)
 Queensland Government Counter Terrorism Plan 2007 – Department of Premier and
Cabinet (function now residing in Queensland Police)
 Government Asset Protection Framework – Queensland Treasury.

A.3 Australian Government standards


 PSPF
 ISM.


A.4 Queensland Government Enterprise Architecture


 Business continuity plan documentation guideline
 Directory services position
 Information security external governance guideline
 Identification and classification of information assets guideline
 Identity management, authentication and authorisation services position
 Implementing internal information security governance guideline
 Information risk management best practice guide
 Information security event and incident category guideline
 Information security event and incident management guideline
 Information Security external security governance guideline
 Information Standard 2: ICT resources strategic planning
 Information Standard 13: Procurement and disposal of ICT products and services
 Information Standard 31: Retention and disposal of public records
 Information Standard 38: Use of ICT facilities and devices
 Information Standard 40: Recordkeeping
 Information Standard 44: Information asset custodianship
 Network management position
 Network transmission security assurance framework
 Patch management policy and position
 Queensland Government authentication framework
 Queensland Government ICT disaster recovery plan development guideline
 Queensland Government information risk management guidelines
 Queensland Government information security classification framework
 Queensland Government information security policy - mandatory clauses.
