PUBLIC
Document details
Security classification: PUBLIC
Date of review of security classification: November 2010
Authority: Queensland Government Chief Information Officer
Author: ICT Policy and Coordination Office
Documentation status: Working draft / Consultation release / Final version
Acknowledgements
This version of the Information Standard 18: Information Security - Implementation Guideline was
developed and updated by the ICT Policy and Coordination Office.
Feedback was also received from a number of agencies, including members of the Information
Security Reference Group, which was greatly appreciated.
Copyright
Information Standard 18: Information Security - Implementation Guideline
Copyright © The State of Queensland (Department of Public Works) 2010
Licence
Information Standard 18: Information Security - Implementation Guideline by the ICT Policy and
Coordination Office is licensed under a Creative Commons Attribution 2.5 Australia License.
Permissions may be available beyond the scope of this licence. See www.qgcio.qld.gov.au.
Information security
This document has been security classified using the Queensland Government Information
Security Classification Framework (QGISCF) as PUBLIC and will be managed according to the
requirements of the QGISCF.
Contents
1 Introduction............................................................................................................................ 5
1.1 Purpose .......................................................................................................................... 5
1.2 Audience ........................................................................................................................ 5
1.3 Scope ............................................................................................................................. 5
1.4 Document structure ........................................................................................................ 5
2 Background............................................................................................................................ 6
4 Asset management.............................................................................................................. 11
4.1 Asset protection responsibility ...................................................................................... 11
4.2 Information security classification................................................................................. 12
10 Incident management.......................................................................................................... 30
10.1 Event/weakness reporting ............................................................................................ 30
10.2 Incident procedures ...................................................................................................... 30
1 Introduction
1.1 Purpose
This guideline provides information and advice for Queensland Government agencies to
consider when implementing the mandatory principles of Information Standard 18:
Information security (IS18). The requirements of IS18 and this supporting guideline are
based on the three elements of information security:
confidentiality – ensuring that information is accessible only to those authorised to have
access
integrity – safeguarding the accuracy and completeness of information and processing
methods
availability – ensuring that authorised users have access to information and associated
assets when required.
These guidelines do not form the mandatory component of IS18 and are for information
only. However, they are based on best practice, and agencies are strongly recommended to
consider the advice provided in this document.
1.2 Audience
This document is primarily intended for:
information security governance bodies
information security strategic areas
information security operational areas.
1.3 Scope
This guideline supports IS18.
2 Background
IS18 has been developed to provide agencies with the minimum requirements for
information security management. However, some agencies may find that their particular
agency requires more stringent information security controls to be implemented. In these
cases it is suggested that agencies refer to the following for guidance:
ISO/IEC 27000 series of standards (incorporating ISO 17799) – International Standard
ISO/IEC 27000 series is available through Standards Australia (SAI Global
distributors).
Tools and templates (Queensland Government employees only) issued by Security
Planning and Coordination, Queensland Police Service (function formerly residing in
Department of Premier and Cabinet)
Australian Government Protective Security Policy Framework – the Australian
Government Protective Security Policy Framework (PSPF) is issued by the Attorney-
General’s Department. This standard is restricted to Government agencies and can be
purchased by emailing pspf@ag.gov.au. The PSPF has superseded the Australian
Government Protective Security Manual (PSM) as of June 2010
Australian Government Information Security Manual - the Australian Government
Information Security Manual (ISM) is available through the Department of Defence –
Defence Signals Directorate website.
Agencies may also consider the application of various methods and industry frameworks for
managing their agency information security.
Note that the Queensland Government is not legislatively obliged to comply with the PSPF
and ISM. However, the Queensland Government is a signatory to a Memorandum of
Understanding that commits it to engage in practices consistent with these manuals.
There are a number of other documents that support implementation of IS18 that have
been produced by the ICT Policy and Coordination Office. These documents are referred to
throughout this document and also in Figure 1 (page 7).
Step 2: Identify major information assets and business critical ICT assets
This information may be sourced from the agency’s disaster recovery register. Agencies are
required to establish this register under IS18.
The process or methodology used by the agency to assess security risks should be based
on the agency’s preferred risk management processes. In the absence of an agency risk
methodology agencies are encouraged to utilise AS/NZS ISO 31000:2009 Risk
management – Principles and guidelines.
4 Asset management
4.1 Asset protection responsibility
4.1.1 Information assets
It is a requirement of Information Standard 44, Information asset custodianship (IS44) that
agencies:
identify their information assets
establish and maintain an information asset register.
Agencies may wish to use this register, or establish a separate one, to record the
information security classification of their information assets. The following documents
provide agencies with implementation guidance:
IS44
Identification and classification of information assets guideline
Queensland Government Information Security Classification Framework (QGISCF)
Queensland Government Information Security Controls Standard (QGISCS).
Examples of mechanisms that agencies may consider when developing information security
induction, training and awareness programs include:
addressing information security responsibilities within the agency’s code of conduct
briefing sessions
online tutorials
regular distribution of educational material (e.g. security updates, log-on notices,
factsheets, newsletter articles and posters)
distributing copies of the agency’s information security policy and obtaining a signed
acknowledgement of understanding from each employee (especially those who handle
classified information).
It is the responsibility of:
managers to ensure that their employees undertake information security induction
training and regular refresher training
agency employees to understand and follow information security policy and processes.
5.3 Post-employment
The Public Service Commission’s Directive No. 2/09: Employment separations procedures,
requires agencies to establish separation procedures in all cases where an employee is
separating employment from the Queensland Public Service. Implementation of this
directive is supported by an Employment separation checklist.
In addition the Information Security Policy – Mandatory Clauses requires agencies to set up
procedures for ensuring the security of the agency during the separation of employees
from, or movement within the agency. It is recommended that agencies also ensure that
procedures are in place for termination of employment.
To meet this requirement, it is suggested that agencies implement:
exit interviews that ensure the employee understands their continuing responsibilities
for maintaining information confidentiality and privacy (especially when the employee
has had access to classified information), and respecting the Queensland
Government’s intellectual property rights – this should include the consequences of
non-compliance with these responsibilities
teleworking arrangements are determined by risk assessment and suitable controls are
applied as appropriate (e.g. backup, virus protection)
adequate insurance cover for offsite equipment.[1]
[1] AS/NZS ISO/IEC 27002:2006 Information technology – Security techniques – Code of practice for information security
management, p. 35.
Blocking
Agencies may wish to consider blocking the use and receipt of mobile code. However, this
should be balanced against the potential loss of business functionality. A middle ground
may be the blocking of mobile code for selected websites only. This approach must be
consistent with the agency’s internet acceptable use policy. See further IS38.
Agencies should be mindful that active content filters must be installed on a
gateway/firewall if they are to be effective.
a cycle of regular tests should be implemented to verify that the system can be
recovered from the backups produced (see also below regarding business continuity
and ICT disaster recovery)
a cycle of backup media containing all information required to meet customer service,
legal or statutory obligations should be retained
effective backup procedures are important to ensure business continuity and the ability
to recover from disasters. For business continuity and ICT disaster recovery purposes:
– at least one copy in each backup cycle and restoration procedures should be
stored off-site and in accordance with the business continuity and relevant ICT
disaster recovery plans
– regular tests (at least annually) should ensure that backup procedures meet the
requirements of business continuity and ICT disaster recovery plans
– see further section 11.
Queensland State Archives provides advice on risks associated with relying on backups as
evidence of business activity and the appropriate retention of backups. For further
information refer to the Queensland State Archives Public Records Brief: Management of
backups.
alerts for detected breaches and intrusion attempts, and a documented response
process
regular testing of network security.
Agencies are to note that the Queensland Government Consolidated Infrastructure (QGCI),
as delivered by the Foundation Infrastructure Project (FIP), will provision an IDP
service and a multi-tenanted security information and event management solution, and
will offer these services to agencies that migrate to this new whole-of-Government solution.
Agencies wishing to utilise these technologies within their own network management
domain should seek guidance from the QGCTO on interoperability with the QGCI
solution; however, the preference is for agencies to consume whole-of-Government
services provided by CITEC.
Further implementation guidance is available within the NTSAF.
7.6.1 Firewalls
Agencies should implement firewalls:
at the network perimeter to prevent unauthorised access to agency networks
on the internal network and on servers (depending on the agency’s network security
architecture).
Agencies should document tightly defined firewall rules that match network access
requirements. The documented rules should be stored in a secure location and be known only
to those employees with a need to know. Agency change control and configuration processes
must include consideration of any required changes to agency firewall rules to ensure
ongoing appropriate firewall protection. Reviews of firewall rules should be scheduled on a
regular basis.
Agency firewall and gateway architecture should also be subject to regular tests, to identify
any security weaknesses. Agencies should report the results of these tests and any
corrective actions to the information security governance body.
7.8.1 Email
Email has become a critical business enabler, with information included in emails often
traversing public untrusted/uncontrolled networks such as the internet.
Agencies should ensure that information within emails is appropriately protected, and that
email use does not adversely affect the risk profile of the agency, by:
ensuring staff have clear guidelines regarding the use of email for sensitive or security
classified information
ensuring that passwords are used on email systems (this may be achieved by use of a
password at network login)
prohibiting the use of scanned signatures (they can be cut and pasted to give the
appearance that a document was signed officially)
acknowledging that email communication is not private - any opinions expressed via
external e-mail, where they are not related to the conduct of business, should be noted
as individual opinions and not those of the organisation by inclusion of a disclaimer.
For example:
“This email, together with any attachments, is intended for the named
recipient/s only.
If you have received this message in error, you are asked to inform the sender
as quickly as possible and delete this message and any copies of this
message from your computer system network. Any form of disclosure,
modification, distribution and/or publication of this email message is
prohibited. Unless stated otherwise, this e-mail represents only the views of
the Sender and not the views of the Department of xxxxx.”
ensuring email systems are backed up and maintained in accordance with operational
system management standards
ensuring the evidentiary value of electronic message transactions, and the general
reliability and availability of the electronic messaging system, is maintained. For
Queensland Government policy and implementation advice on emails that are public
records, agencies should refer to the Queensland State Archives’ Managing emails that
are public records policy and guideline.
Agencies should refer to IS38 for further advice regarding email policy.
Further advice on email transmission is available within the references listed in section 7.8
above.
7.9 eCommerce
7.9.1 eCommerce and online transactions
All agency eCommerce and online transactions and services must be assessed against and
consistent with the requirements of QGAF and NTSAF.
Further implementation advice is available within:
AS/NZS ISO/IEC 27001:2006 Information technology – Security techniques –
Information security management systems – Requirements
AS/NZS ISO/IEC 27002:2006 Information technology – Security techniques – Code of
practice for information security management
PCI Data Security Standard (PCI DSS) for payment account data security.
[2] AS/NZS ISO/IEC 27002:2006 Information technology – Security techniques – Code of practice for information security
management, p. 55-56.
8 Access management
8.1 Access control policy
The agency’s access control policy should address and detail access control rules and
rights for each group of users. Generally these should be based on ‘what must be generally
forbidden unless expressly permitted’, ensuring that business requirements are followed.
Access controls need to be consistent with policy and legal requirements. The overall
framework for access rights should be reviewed on a regular basis to determine that it
remains appropriate.
8.2 Authentication
Authentication codes should be changed when there is an indication of possible system
security or authentication code compromise.
QGAF provides a process and a set of definitions which will allow agencies, as service
providers, to evaluate the risk associated with their services and determine the appropriate
level of authentication assurance required. Agencies should refer to the QGAF series of
documents for detailed information regarding authentication management.
Agencies are also required to align with the Identity and Access Management Policy and
meet the targets within its accompanying position.
User access rights should be subject to regular review using a formal process. Agencies
should consider reviewing and possibly disabling access rights which have not been used
within the last 30 calendar day period.
[3] AS/NZS ISO/IEC 27002:2006 Information technology – Security techniques – Code of practice for information security
management, p. 63.
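One way to carry out the 30-calendar-day review described above, as an added example that is not part of the guideline: the `Account` records, the review date and the function names are constructed assumptions, and a real run would read the same fields (creation date, last logon, enabled flag) from the agency's directory export. It also handles the cases the text leaves implicit: accounts that have never logged on, recently created accounts, and accounts already disabled.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Review window taken from the guideline: access rights unused for 30 calendar days
INACTIVITY_DAYS = 30
# Constructed review date for the sample run (assumption, not from the guideline)
REVIEW_DATE = date(2010, 11, 15)


@dataclass
class Account:
    name: str
    created: date
    last_used: Optional[date]  # None means the account has never logged on
    enabled: bool = True


def classify(acct: Account, as_of: date, window: int = INACTIVITY_DAYS) -> str:
    """Review outcome for one account as of `as_of`.

    disabled   - already disabled, nothing to do
    active     - used within the window (a use exactly `window` days ago counts)
    dormant    - last use older than the window: candidate for disabling
    never-used - created before the window started and never used: candidate
    new        - created within the window and not yet used: leave alone
    """
    cutoff = as_of - timedelta(days=window)
    if not acct.enabled:
        return "disabled"
    if acct.last_used is None:
        return "new" if acct.created > cutoff else "never-used"
    return "active" if acct.last_used >= cutoff else "dormant"


def review(accounts, as_of: date, window: int = INACTIVITY_DAYS) -> dict:
    """Group account names by outcome; the two candidate groups feed the formal review."""
    report = {k: [] for k in ("active", "dormant", "never-used", "new", "disabled")}
    for acct in accounts:
        report[classify(acct, as_of, window)].append(acct.name)
    return report


def disable_candidates(report: dict) -> list:
    """Accounts the review should consider disabling, in a stable order."""
    return sorted(report["dormant"] + report["never-used"])


# Constructed sample directory export (not real accounts)
SAMPLE = [
    Account("jsmith", date(2010, 1, 4), date(2010, 11, 2)),
    Account("boundary", date(2010, 1, 4), date(2010, 10, 16)),  # exactly 30 days ago
    Account("tnguyen", date(2010, 1, 4), date(2010, 9, 15)),
    Account("contractor7", date(2010, 8, 1), None),
    Account("newstarter", date(2010, 10, 25), None),
    Account("oldadmin", date(2009, 3, 3), date(2010, 5, 1), enabled=False),
]

if __name__ == "__main__":
    rep = review(SAMPLE, REVIEW_DATE)
    for outcome, names in rep.items():
        print(f"{outcome:>10}: {', '.join(names) or '-'}")
    print("candidates:", disable_candidates(rep))
```

The report separates accounts that merit disabling from those that merely need a decision recorded, which is what a formal review process needs to evidence.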
restricting and controlling the use of systems that may have the capability of overriding
system and application controls
shutting down sessions after a defined period of inactivity
limiting user connection times where appropriate.
Further implementation advice is available within AS/NZS ISO/IEC 27002:2006 Information
technology – Security techniques – Code of practice for information security management.
10 Incident management
When addressing information security incident management, agencies should be mindful
that the Queensland Government Chief Technology Office (QGCTO) is establishing a
virtual response team (VRT) that will include representatives from participating agencies.
The VRT is being established to assist any agency requesting analysis and potential
resolution of incidents of a significant nature only. Expertise may be drawn from resources
external to the Queensland Government if required.
It should be noted that the VRT is a consultative service only, and that responsibility for
successful resolution, including payment for external resources, rests with the requesting
agency.
CITEC, as the mandated whole-of-Government service provider, has also negotiated a
Standing Offer Arrangement (SOA) for the procurement of Security Information and Event
Management (SIEM) technology. A SIEM can be utilised for managing event and log
information from all agency network devices, and offers the ability to assist with the analysis
of events and incidents, as well as automating the process of generating reports. The SIEM
technology can either be purchased by an agency or managed by CITEC on behalf of an
agency.
Under IS18 agencies must establish and maintain an information security incident and
response register and record all incidents. The register may be created manually or linked
12 Compliance management
12.1 Legal requirements
A summary of information security related legal requirements is included in Appendix A.
However, this is no replacement for agencies seeking legal advice on the specific legal
requirements that apply to them from their internal legal section.
13 Reporting requirements
13.1 Event and incident information
Under IS18 agencies must submit their Security Event and Incident Management
information to the QGCTO. Actual reporting requirements may evolve over time as the
process matures.
In the interim, the QGCTO is in the process of establishing a Virtual Response Team and
gathering business requirements for a whole-of-Government AusCERT subscription
service. QGCTO is currently working with CITEC and a large agency to implement the
SIEM technology chosen as part of the FIP tender.
As soon as these technologies, processes and services are in place, consultation with
agencies will commence on determining the level of detail for events and incidents that will
be reported to QGCTO on an ongoing monthly basis.
A.1 Legislation
Criminal Code Act 1995 (Cth)
Electronic Transactions Act 1999 (Cth)
Electronic Transactions (Queensland) Act 2001 (Qld)
Evidence Act 1977
Financial Accountability Act 2009 (Qld)
Financial and Performance Management Standard 2009 (Qld)
Information Privacy Act 2009 (Qld)
Privacy Act 1988 (Cth)
Public Records Act 2002 (Qld)
Public Sector Ethics Act 1994 (Qld)
Public Service Act 2008 (Qld)
Right to Information Act 2009 (Qld)
Telecommunications Act 1997 (Cth)
Telecommunications (Interception and Access) Act 1979 (Cth).