ICT Policy and Coordination Office Department of Public Works
Queensland Government Enterprise Architecture
Information Standard 18: Information Security - Implementation Guideline
Final
July 2011
v1.0.2
PUBLIC
QGEA
Information Standard 18: Information Security - Implementation Guideline
Final v1.0.2, July 2011 Page 2 of 37
PUBLIC
Document details
Security classification: PUBLIC
Date of review of security classification: July 2011
Authority: Queensland Government Chief Information Officer
Author: ICT Policy and Coordination Office
Documentation status: Final version
Contact for enquiries and proposed changes: all enquiries regarding this document should be directed in the first instance to the Director, Policy Development, ICT Policy and Coordination Office, [email protected]
Acknowledgements: this version of the Information Standard 18: Information Security - Implementation Guideline was developed and updated by the ICT Policy and Coordination Office.
This guideline is based on Annex A Control objectives and controls of AS/NZS ISO/IEC 27001:2006 Information technology – Security techniques – Information security management systems – Requirements. Reproduced with permission from SAI Global under Licence 0911-C028.
Feedback was also received from a number of agencies, including members of the Information Security Reference Group, which was greatly appreciated.
Copyright
Information Standard 18: Information Security - Implementation Guideline
Copyright © The State of Queensland (Department of Public Works) 2010
Information security
This document has been security classified using the Queensland Government Information Security Classification Framework (QGISCF) as PUBLIC and will be managed according to the requirements of the QGISCF.
Contents
1 Introduction .......................................................................................................................... 5
1.1 Purpose ........................................................................................................................ 5
1.2 Audience....................................................................................................................... 5
1.3 Scope ........................................................................................................................... 5
1.4 Document structure ...................................................................................................... 5
2 Background .......................................................................................................................... 6
3 Policy, planning and governance ....................................................................................... 8
3.1 Information security policy ............................................................................................ 8
3.2 Information security plan ............................................................................................... 8
3.3 Internal governance .................................................................................................... 10
3.4 External party governance .......................................................................................... 10
4 Asset management ............................................................................................................ 11
4.1 Asset protection responsibility ..................................................................................... 11
4.2 Information security classification ............................................................................... 12
5 Human resources management ........................................................................................ 12
5.1 Pre-employment ......................................................................................................... 12
5.2 During employment ..................................................................................................... 12
5.3 Post-employment ........................................................................................................ 13
6 Physical and environmental management ....................................................................... 15
6.1 Building controls and secure areas ............................................................................. 15
6.2 Equipment security ..................................................................................................... 15
7 Communications and operations management ............................................................... 17
7.1 Operational procedures and responsibilities ............................................................... 17
7.2 Third party service delivery ......................................................................................... 17
7.3 Capacity planning and system acceptance ................................................................. 17
7.4 Application integrity ..................................................................................................... 17
7.5 Backup procedures ..................................................................................................... 19
7.6 Network security ......................................................................................................... 20
7.7 Media handling ........................................................................................................... 22
7.8 Information exchange ................................................................................................. 23
7.9 eCommerce ................................................................................................................ 24
7.10 Information processing monitoring .............................................................................. 24
8 Access management ......................................................................................................... 26
8.1 Access control policy .................................................................................................. 26
8.2 Authentication ............................................................................................................. 26
8.3 User access ................................................................................................................ 26
8.4 User responsibilities .................................................................................................... 27
8.5 Network access .......................................................................................................... 27
8.6 Operating system access ............................................................................................ 27
8.7 Application and information access ............................................................................. 28
8.8 Mobile computing and telework access ....................................................................... 28
9 System acquisition, development and maintenance ....................................................... 29
9.1 System security requirements ..................................................................................... 29
9.2 Correct processing ...................................................................................................... 29
9.3 Cryptographic controls ................................................................................................ 29
9.4 System files ................................................................................................................ 29
9.5 Secure development and support processes .............................................................. 30
9.6 Technical vulnerability management ........................................................................... 30
10 Incident management ........................................................................................................ 31
10.1 Event/weakness reporting ........................................................................................... 31
10.2 Incident procedures .................................................................................................... 31
11 Business continuity management .................................................................................... 33
11.1 Business continuity ..................................................................................................... 33
11.2 Disaster recovery ........................................................................................................ 33
12 Compliance management .................................................................................................. 34
12.1 Legal requirements ..................................................................................................... 34
12.2 Policy requirements .................................................................................................... 34
12.3 Audit requirements ...................................................................................................... 34
13 Reporting requirements .................................................................................................... 35
13.1 Event and incident information .................................................................................... 35
13.2 VRT communication alerts .......................................................................................... 35
Appendix A Information security related legislation and standards ..................................... 36
1 Introduction
1.1 Purpose
This guideline provides information and advice for Queensland Government agencies to
consider when implementing the mandatory principles of Information Standard 18:
Information security (IS18). The requirements of IS18 and this supporting guideline are
based on the three elements of information security:
confidentiality – ensuring that information is accessible only to those authorised to have
access
integrity – safeguarding the accuracy and completeness of information and processing
methods
availability – ensuring that authorised users have access to information and associated
assets when required.
This guideline does not form part of the mandatory component of IS18 and is for information
only; however, it is based on best practice and agencies are strongly recommended to
consider the advice it provides.
1.2 Audience
This document is primarily intended for:
information security governance bodies
information security strategic areas
information security operational areas.
1.3 Scope
This guideline supports IS18.
1.4 Document structure
The Queensland Government Information Security Policy Framework (QGISPF) represents
information security at two levels of detail. This guideline has been similarly divided into two
levels of domains, with the ten level one domains corresponding with the ten mandatory
principles in IS18. Please note a 'reporting requirements' heading has also been included to
align with IS18. Headings are as follows:
policy, planning and governance
asset management
human resources management
physical and environmental management
communications and operations management
access management
system acquisition, development and maintenance
incident management
business continuity management
compliance management
reporting requirements.
2 Background
IS18 has been developed to provide agencies with the minimum requirements for
information security management. However, some agencies may find that they require more
stringent information security controls. In these cases it is suggested that agencies refer to
the following for guidance:
ISO/IEC 27000 series of standards (incorporating ISO 17799) – the International Standard
ISO/IEC 27000 series is available through Standards Australia (SAI Global
distributors)
Tools and templates (Queensland Government employees only) issued by Security
Planning and Coordination, Queensland Police Service (a function formerly residing in the
Department of Premier and Cabinet)
Australian Government Protective Security Policy Framework – the Australian
Government Protective Security Policy Framework (PSPF) is issued by the Attorney-
General's Department. This standard is restricted to Government agencies and can be
purchased by emailing [email protected]. The PSPF has superseded the Australian
Government Protective Security Manual (PSM) as of June 2010
Australian Government Information Security Manual – the Australian Government
Information Security Manual (ISM) is available through the Department of Defence –
Defence Signals Directorate website.
Agencies may also consider the application of various methods and industry frameworks for
managing their agency information security.
Note that the Queensland Government is not legislatively obliged to comply with the PSPF
and ISM. However, the Queensland Government is a signatory to a Memorandum of
Understanding that commits it to engage in practices consistent with these manuals.
There are a number of other documents that support implementation of IS18 that have
been produced by the ICT Policy and Coordination Office. These documents are referred to
throughout this document and also in Figure 1 (page 7).
Figure 1 IS18: Information security supporting documents organised by mandatory principle

[Figure 1 is a diagram of which only the labels survive. It is framed by 'Queensland Government Information Standard 18: Information Security' at the top and 'Queensland Government Information Standard 18: Information Security – Implementation guideline' at the bottom, and shows each mandatory principle with its supporting products. Key: mandatory principle; supporting product (mandatory); supporting product (non-mandatory).]

Mandatory principles shown in the figure:
Mandatory principle 1: Policy, planning and governance
Mandatory principle 2: Asset management
Mandatory principle 3: Human resource management
Mandatory principle 4: Physical and environmental management
Mandatory principle 5: Communications and operations management
Mandatory principle 6: Access management
Mandatory principle 7: System acquisition, development and maintenance
Mandatory principle 8: Incident management
Mandatory principle 9: Business continuity management
Mandatory principle 10: Compliance management

Supporting products shown in the figure (the mapping of each product to its principle is not recoverable from the extracted labels):
QGIS policy - mandatory clauses
Implementing internal information security governance
External information security governance
QGISCF
QGISCS
NTSAF
QGAF
Information security event and incident reporting standard and spreadsheet
Information security incident category guideline
Business continuity plan doc. guideline
Disaster recovery planning guideline
IS18 compliance spreadsheet
3 Policy, planning and governance
3.1 Information security policy
The agency information security policy serves as the foundation for information security
management within the agency. The development of this policy is the first step in
establishing management commitment and the responsibilities for information security
within the agency and should therefore be concise and clear. The Information Security
Policy – Mandatory Clauses has been developed to assist agencies in the development of
their information security policy and details the minimum set of mandatory requirements
and quality criteria that must be included within the agency policy and makes suggestions
for agency specific considerations.
3.2 Information security plan
The level of detail contained in the agency's information security plan should be
commensurate with the complexity of the agency's information environment, its business
functions and the information security risks that it faces. The suggested approach for the
development of the plan is to:
develop an overarching information security plan, which outlines the security program
for the agency as a whole
support this information security plan with a number of detailed plans for each separate
entity/agency portfolio and/or significant or high risk agency information systems and
processes.
Regardless of the development or format of the plan, information security planning should
be integrated into the agency's culture through its strategic and organisational plans and
operational practices. Security considerations should be incorporated into the agency
corporate planning process and ICT strategic resource planning, to ensure that the agency
information security plan meets the business and operational needs of the agency and its
clients.
3.2.1 Suggested steps for developing an information security plan
There are a number of steps which should be used to develop the agency information
security plan.
Step 1: Identify agency goals and objectives for information security
Identify linkages between the agency information security policy and all agency corporate
plans, strategies, goals and objectives to establish the key areas which may impact on the
current or future information security environment of the agency.
Step 2: Identify major information assets and business critical ICT assets
This information may be sourced from the agency's disaster recovery register. Agencies are
required to establish this register under IS18.
Step 3: Conduct a risk assessment
Conduct a risk assessment on the major information assets with the assigned owners of
these assets on an annual basis or after any significant change has occurred (eg.
machinery-of-Government).
The process or methodology used by the agency to assess security risks should be based
on the agency‟s preferred risk management processes. In the absence of an agency risk
methodology agencies are encouraged to utilise AS/NZS ISO 31000:2009 Risk
management – Principles and guidelines.
Step 4: Current situation
Gather information regarding existing agency security policies, procedures and controls and
map these against the:
data obtained from the risk assessment process
mandatory principles of IS18 and/or any other security standards that the agency uses
agency's security architecture targets.
Step 5: Analysis of any gaps and the effectiveness of existing controls
Conduct an analysis of any gaps and the effectiveness of the existing controls against the
information obtained from step 4 above.
Step 6: Develop recommendations and strategies
Develop and document the recommended controls and a prioritised plan of actions/strategies
which need to be implemented or maintained to achieve the desired level of agency
security, how this is to be achieved and who is responsible. Information security plans
should provide for treatments that are both cost-effective and appropriate to the level of
risk. Where agencies identify a high level of risk in their information environment (based on
the information security classification of the information assets in their care) it is suggested that
they consult with specialist information security agencies or industry professional bodies for
advice or technical assistance in developing their strategies and plans.
Step 7: Identify outstanding/residual risks that will not be treated
Document any ongoing risks that will remain untreated or that have been assessed as acceptable.
Step 8: Obtain agreement on risks and strategies
To ensure that the information security plan meets the requirements of the business it is
important to gain agreement from the information asset owners. This will ensure that the
strategies and plan adequately reflect the protection of the assets from a business
perspective and will also inform the prioritisation process for treatment.
Step 9: Develop actions and timetable
Document and develop a detailed plan of activities and actions along with timeframes for
implementing the controls and strategies agreed on.
Step 10: Determine resourcing
Document and detail the resourcing requirements for the implementation of the controls and
strategies including the personnel, materials and budget for its implementation.
Step 11: Endorsement and publishing of the information security plan
Gain endorsement of the information security plan from the appropriate governance body
and senior executive on an annual basis.
Step 12: Implementation of the information security plan
To facilitate a systematic and co-ordinated approach to security and risk management,
agencies should establish a structure or framework to help develop and implement the
agency information security plan.
Step 13: Ongoing monitoring and review
To ensure that security controls in the agency continue to remain relevant to the agency's
goals, objectives and operational and business environments, the agency's information
security plan should be reviewed, monitored and reported on, on an ongoing basis. The
information gained from these activities is used to inform future agency security plans and
strategies.
It is suggested that agencies review their security plan at least annually to identify changes
to the risk profile and to assess the effectiveness of existing controls. Further to this, the
agency should ensure that security planning becomes an integral component of all agency
management, projects and activities rather than an isolated, once-a-year planning
activity.
3.2.2 General agency security plan
Whilst the ICT Policy and Coordination Office works with agencies to improve information
security practices across the Queensland Government, protective security and counter-
terrorism issues throughout Queensland are coordinated by the Queensland Police Service.
The Government Asset Protection (GAP) Project has produced the Guide for general
security planning which agencies should refer to when developing their general agency
security plan. Enquiries about this document can be directed to the Queensland Police
Service's Security Planning and Coordination team on 07 3406 3677 or by emailing
3.3 Internal governance
The Information Security Internal Governance Guideline provides implementation advice for
this domain.
Information on internal governance arrangements for ICT and for information management is
available in the following documents respectively:
Information Standard 2: ICT Resources Strategic Planning
Information Security Internal Governance Guideline.
3.4 External party governance
See the Information Security External Party Governance Guideline.
4 Asset management
4.1 Asset protection responsibility
4.1.1 Information assets
It is a requirement of Information Standard 44, Information asset custodianship (IS44) that
agencies:
identify their information assets
establish and maintain an information asset register.
Agencies may wish to use this register, or establish a separate one, to record the
information security classification of their information assets. The following documents
provide agencies with implementation guidance:
IS44
Identification and classification of information assets guideline
Queensland Government Information Security Classification Framework (QGISCF)
Queensland Government Information Security Controls Standard (QGISCS).
Disposal of information assets
For information assets that are public records, their retention and disposal must be
managed in accordance with a retention and disposal schedule approved by the state
archivist, under the Public Records Act 2002. For further information regarding the disposal
of records agencies should refer to Information Standard 31: Retention and disposal of
public records (IS31).
For all other information assets agencies should refer to the QGISCF and the QGISCS.
Refer to section 4.2 below for guidance on the disposal of equipment.
4.1.2 Control of technology devices
It is a requirement of IS18 and the Information Security Policy – Mandatory Clauses that
agencies identify their ICT assets, document them and assign owners for the maintenance
of information security controls. ICT assets must be assigned information security controls
commensurate with the highest level of security classification applied to the information
assets contained within or transmitted via the ICT asset. The following documents provide
agencies with further implementation requirements and guidance:
Queensland Government Information Security Classification Framework
Queensland Government Network Transmission Security Assurance Framework
(NTSAF).
In the absence of advice within these documents, agencies should consider guidance from
the:
PSPF
ISM.
4.2 Information security classification
Agencies should refer to the QGISCF which provides detailed implementation requirements
and guidance with respect to the information security classification and control of
information assets. Additional advice is available within the QGISCS.
Agencies should be mindful that the information security classification of an information
asset does not limit the operation of legislation. For example, a policy document classified
as PROTECTED may be assessed as suitable for release under the Right to Information
Act 2009. In this situation, the information would need to be reclassified as PUBLIC.
5 Human resources management
5.1 Pre-employment
Depending on the nature of the agency's business, consideration should be given as to
whether:
specific information security clauses should be included in terms and conditions of
employment (eg. responsibilities and disciplinary processes)
additional scrutiny is required during the recruitment and selection phase for positions
involving exposure to classified or sensitive information or where relevant legislation is
in place (eg. security assessments and criminal history checks). When dealing with
employment for these types of positions, the following are examples of the
requirements the agency needs to consider:
– the availability of satisfactory character referees
– the completeness and accuracy of the resume and qualifications
– security and criminal history checks (where required under legislation or where
clearly identified risks can be reduced by such checks)
– the PSPF for further information on employing staff who will be dealing with
national security classified information.
5.2 During employment
5.2.1 Induction, training and awareness programs
The information security induction, training and awareness program should:
address all levels of staff and all areas of the agency
cover the following:
– general employee responsibilities (see Information Security Internal Governance
Guideline)
– information security responsibilities concerned with particular roles (see
Information Security Internal Governance Guideline)
– the correct operation of information systems and ICT facilities and devices (see
also Information Standard 38: Use of ICT Facilities and Devices (IS38))
– reporting of information security events, weaknesses and incidents
– information security related responsibilities within the agency code of conduct and
the disciplinary penalties for breaches.
be updated regularly to include changes in the information security plan and policy
include regular refresher training.
Examples of mechanisms that agencies may consider when developing information security
induction, training and awareness programs include:
addressing information security responsibilities within the agency's code of conduct
briefing sessions
online tutorials
regular distribution of educational material (eg. security updates, log-on notices,
factsheets, newsletter articles and posters)
distributing copies of the agency's information security policy and obtaining a signed
acknowledgement of understanding from each employee (especially those that handle
classified information).
It is the responsibility of:
managers to ensure that their employees undertake information security induction
training and regular refresher training
agency employees to understand and follow information security policy and processes.
5.2.2 Roles and responsibilities
High level information security roles and responsibilities are defined within the Information
Security Internal Governance Guideline. Agencies should use this guideline as a basis for
developing, documenting and assigning information security roles and responsibilities within
their environment.
5.2.3 Disciplinary processes
The disciplinary actions and processes for misconduct and official misconduct should be
determined under the Public Service Act 2008 and/or other relevant legislation, regulation
and policy that apply to the agency. These should be documented in the agency's terms
and conditions of employment.
For guidance on information security incident management, agencies should refer to
Section 10 – Incident Management in this document.
5.3 Post-employment
The Public Service Commission's Directive No. 2/09: Employment separations procedures
requires agencies to establish separation procedures in all cases where an employee is
separating from the Queensland Public Service. Implementation of this
directive is supported by an Employment separation checklist.
In addition, the Information Security Policy – Mandatory Clauses requires agencies to set up
procedures for ensuring the security of the agency during the separation of employees
from, or movement within, the agency. It is recommended that agencies also ensure that
procedures are in place for termination of employment.
To meet this requirement, it is suggested that agencies implement:
exit interviews that ensure the employee understands their continuing responsibilities
for maintaining information confidentiality and privacy (especially when the employee
has had access to classified information), and for respecting the Queensland
Government's intellectual property rights – this should include the consequences of
non-compliance with these responsibilities
separation checklists that confirm:
– the exit interview has been conducted
– all Queensland Government property has been returned (eg. access cards/keys,
credit cards, mobile phones, personal digital assistants)
– the employee's user ID has been disabled and access rights revoked.
As is the case with many personnel security issues, the responsibility for employee
separation procedures does not remain with one area of the agency but requires a
coordinated approach across the agency.
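The checklist item that the user ID has been disabled and access rights revoked is only as good as the person ticking it. A reconciliation check between the HR separations register and a directory export makes that confirmation repeatable across the agency rather than dependent on one area remembering to do it. The Python script below is an added example written for this guideline; it is not part of the original document or of any Queensland Government tool. The two CSV layouts and the sample rows in it are constructed assumptions, and an agency would substitute exports from its own HR system and directory service.

```python
"""
Reconcile an HR separations list against a directory export and report
accounts that are still enabled, or still hold group memberships, after the
employee's separation date.

Both inputs are constructed sample data (assumptions for this example), not
real agency records; the CSV column layouts are likewise assumed.
"""
import csv
import io
from datetime import date

# Constructed sample: HR separations register (employee_id, name, separation_date).
SEPARATIONS_CSV = """employee_id,name,separation_date
E1001,Alex Tan,2011-06-30
E1002,Sam Ng,2011-07-15
E1003,Jo Lee,2011-08-01
"""

# Constructed sample: directory export, one row per user ID. `groups` is a
# semicolon-separated list of access groups; an empty field means none.
DIRECTORY_CSV = """employee_id,user_id,enabled,groups
E1001,atan,false,
E1002,sng,true,finance-ro;vpn-users
E1003,jlee,true,hr-admin
E1004,pkim,true,vpn-users
"""


def load_rows(csv_text):
    """Parse CSV text into a list of dicts keyed by the header row."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def check_separations(separations_csv, directory_csv, as_of):
    """Return one finding per separated employee whose user ID is still
    enabled or still a member of any group on `as_of` (an ISO date string).

    Employees whose separation date is after `as_of` are not yet separated
    and are skipped; employees with no directory account are skipped too.
    """
    as_of_date = date.fromisoformat(as_of)
    accounts = {row["employee_id"]: row for row in load_rows(directory_csv)}
    findings = []
    for sep in load_rows(separations_csv):
        sep_date = date.fromisoformat(sep["separation_date"])
        if sep_date > as_of_date:
            continue
        acct = accounts.get(sep["employee_id"])
        if acct is None:
            continue
        problems = []
        if acct["enabled"].strip().lower() == "true":
            problems.append("account still enabled")
        groups = [g for g in acct["groups"].split(";") if g.strip()]
        if groups:
            problems.append("still member of: " + ", ".join(groups))
        if problems:
            findings.append({
                "employee_id": sep["employee_id"],
                "user_id": acct["user_id"],
                "days_since_separation": (as_of_date - sep_date).days,
                "problems": problems,
            })
    # Oldest gaps first so they are dealt with before newer ones.
    findings.sort(key=lambda f: f["days_since_separation"], reverse=True)
    return findings


if __name__ == "__main__":
    for finding in check_separations(SEPARATIONS_CSV, DIRECTORY_CSV, "2011-07-20"):
        print(finding)
```

Run against the agency's real exports as a scheduled job, the report lists every separated employee whose account is still enabled or still holds group membership, with the number of days since separation, so that the oldest gaps are closed first. Group membership is checked separately from the enabled flag because a disabled account that keeps its groups regains all of its access the moment someone re-enables it.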
6 Physical and environmental management
Agency information security staff should work with those responsible for protective security
within their agency to ensure that appropriate physical and environmental management
controls are implemented.
6.1 Building controls and secure areas
The level of building and secure area controls to be implemented depends on the QGISCF
classification of the information assets stored there. The QGISCF and the QGISCS provide
some guidance with regard to building controls and secure areas.
In the absence of advice within these documents, agencies should refer to:
Guides and tools (Queensland Government employees only) issued by the Security
Planning and Coordination unit within the Queensland Police Service
AS 2834-1995 Computer accommodation
PSPF
ISM.
6.2 Equipment security
The level of controls to be applied to agency equipment depends on the QGISCF classification
of the information assets the equipment stores or transmits. The QGISCF provides some
guidance with regard to the following controls:
preparation and handling
removal from workplace and monitoring
discussing classified information (including telephone and video conference)
copying and storage
electronic transmission
archive and disposal.
Additional advice is available within the QGISCS.
Agency risk assessments may identify the need for additional information security controls
for equipment.
In the absence of advice within the above documents, agencies should refer to the:
PSPF
ISM.
Note: the Queensland Government is not legislatively obliged to comply with the PSPF and
ISM. However, the Queensland Government is a signatory to a Memorandum of
Understanding that commits it to engage in practices consistent with these manuals.
6.2.1 Offsite equipment
When developing policies and processes for the use and/or maintenance of offsite
equipment, agencies should ensure:
a risk assessment is conducted prior to locating equipment offsite
equipment and media taken off the premises are not left unattended in public places;
this extends to ensuring that portable equipment is carried as hand luggage and
disguised where possible during travel
manufacturers' instructions for protecting equipment are followed
teleworking arrangements are determined by risk assessment and suitable controls are
applied as appropriate (eg. backup, virus protection)
adequate insurance cover for offsite equipment.1
6.2.2 Maintenance of equipment
To ensure availability and integrity of information, equipment should always be maintained
according to manufacturers' maintenance guidelines. Maintenance covers a wide range of
activities, including preventative, repair and upgrade maintenance, which may be scheduled
or unscheduled. Agencies need to ensure that adequate policies and processes are in place
to protect agency information during any maintenance process (for example, where storage
media is removed or equipment is sent offsite for repair).
Agencies should be mindful of the risks of continuing to use equipment that is no longer
supported by a vendor. Unsupported equipment is subject to increased information
security risk because patches for newly identified vulnerabilities will not be available.
6.2.3 Disposal of equipment
The QGISCF and the QGISCS provide some guidance on appropriate controls for disposal
of electronic media and equipment commensurate with security classification levels.
In accordance with Information Standard 13: Procurement and disposal of ICT products and
services (IS13) disposal of government-owned ICT resources must be:
conducted with approval from the accountable officer or delegated personnel
supervised and certified upon completion by a person delegated by the accountable
officer.
Agencies should ensure that these policies and processes include employee training.
Further implementation guidance is available within the ISM which provides detailed
instructions on product and media sanitisation and disposal.
1 AS/NZS ISO/IEC 27002: 2006 Information technology – Security techniques – Code of practice for information security
management, p.35.
7 Communications and operations management
7.1 Operational procedures and responsibilities
When documenting operational procedures agencies should at a minimum ensure that
detailed operating instructions are in place for all processes outlined in the mandatory
principles of IS18.
In assigning operational responsibilities agencies should consider the separation of
operational functions and duties where procedures involve activities that could be
susceptible to unauthorised activity or misuse of information, or that pose a conflict of
interest, such as security audits.
7.2 Third party service delivery
Agencies should ensure that third party services are managed and operated according to
service level or operating level agreements. Further advice is available within the
Information Security External Party Governance Guideline and the Information Security
Internal Governance Guideline.
7.3 Capacity planning and system acceptance
To minimise threats to the operational environment agencies should at a minimum ensure:
adequate testing and change control mechanisms are in place for the migration of new
or modified systems into the operational environment
that the information environment is managed in a way that will easily accommodate
changes or future expansions so as to not adversely impact the operational
environment.
7.4 Application integrity
Agencies are required to implement controls for the prevention, detection and removal of
malicious and mobile code.
7.4.1 Malicious code
Malicious code includes, but is not limited to, viruses, spyware, worms, Trojan horses and
logic bombs. The following controls are recommended:
anti-malware software
software authorisation policy and processes
education and awareness
infection handling procedures.
Anti-malicious code software
Agencies should ensure that current anti-malicious code software is installed. The following
points summarise some of the considerations an agency should make when implementing
anti-malicious code software.
when selecting a product agencies should consider:
– the vendor's track record and frequency of updates
– using more than one product to ensure maximum protection.
the anti-malicious code software should be configured to:
– run whole of server scans daily
– sit inside the agency firewall in real time mode to ensure malicious and mobile
code infections are identified and cleaned immediately upon detection
– deal with both spam and instant messaging.
a separate server or computer should be configured to sit inside the agency firewall in
real-time mode – this server should be configured with appropriate software to check
for malicious code (if a virus is detected and all incoming and outgoing email
attachments can be cleaned then the message can be distributed or if attachments
cannot be cleaned then the message should be blocked)
the anti-malicious code software must be updated with new definition files and
scanning engines as soon as possible after vendors make them available
the implemented anti-malicious code software should be regularly reviewed
agencies should ensure that virus protection and recovery strategies are included in
risk management and business continuity plans.
Software authorisation policy
Agencies should establish a policy outlining the prohibited use and installation of software
not authorised by the agency, including user responsibilities with regard to downloading
software from the internet, email or media devices, in order to reduce the risk of malicious
code being introduced into agency systems via these mechanisms. See also IS38.
Education and awareness
Users must be educated about malicious code in general, the risks posed, virus symptoms
and warning signs including what processes should be followed in the case of a suspected
virus. Agencies should consider network broadcasts or a system for alerting users of virus
attacks. Ensuring that personnel are aware of their responsibilities when using the Internet
and the agency‟s software authorisation policy will also reduce the risk of the introduction of
malicious code.
Further implementation guidance is available within:
ISM
IS38.
Infection handling procedures
The ISM provides some instructions on the handling of malicious code infections.
7.4.2 Mobile code
AS/NZS ISO/IEC 27002:2006 Information technology – Security techniques – Code of
practice for information security management defines mobile code as:
'software code which transfers from one computer to another computer and then
executes automatically and performs a specific function with little or no user
interaction. Mobile code is associated with a number of middleware services. In
addition to ensuring that mobile code does not contain malicious code, control of
mobile code is essential to avoid unauthorised use or disruption of system, network,
or application resources and other breaches of information security.'
The following controls are recommended:
blocking
education and awareness.
Blocking
Agencies may wish to consider blocking the use and receipt of mobile code. However, this
should be balanced against the potential loss of business functionality. A middle ground
may be the blocking of mobile code for selected websites only. This approach must be
consistent with the agency's internet acceptable use policy. See further IS38.
Agencies should be mindful that active content filters must be installed on a
gateway/firewall if they are to be effective.
Education and awareness
Users should be educated about mobile code in general including the risks posed.
Further implementation advice on mobile code controls is available in AS/NZS ISO/IEC
27002:2006 Information technology – Security techniques – Code of practice for
information security management.
7.4.3 Reporting malicious and mobile code incidents
In addition agencies are required to establish reporting procedures for malicious and mobile
code incidents. For further advice on reporting of malicious and mobile code incidents see:
Information Security Incident Category Guideline
Information Security Event and Incident Management Guideline (not yet approved)
AS/NZS ISO/IEC 18044:2006 Information technology – Security techniques –
Information security incident management.
7.5 Backup procedures
When establishing backup procedures and processes, agencies should consider the
following factors to minimise threats to the integrity and availability of information:
backup information should be afforded appropriate controls (including physical and
environmental) commensurate with the information security classification of the
information assets involved
backup cycles should be based on analysis of the business risk, the frequency with which
data and software change, and the criticality of the system to business operations.
The cycle should include, as a minimum:
– incremental daily backups of data, and full backups of data on a cycle deemed
appropriate by the IT Manager, but as a minimum on a weekly basis
– backups of the complete operating system and applications on a cycle deemed
appropriate by the IT Manager, but as a minimum on a monthly basis.
a register of backups, including verification of their success, should be maintained
restoration procedures should be documented and available to those that require it and
at the location that the information is backed up
the means to recover the information is stored at its back up location or is at least
available from an identified source as required
a cycle of backup media should be used for all backups (see also below regarding
business continuity and ICT disaster recovery)
in addition to regular back up cycles, a system backup should be performed before and
after major changes to the operating system, system software, or applications
consideration should be given, when upgrading technologies, to ensuring that backup
data can still be read in the new environment
a cycle of regular tests should be implemented to verify that the system can be
recovered from the backups produced (see also below regarding business continuity
and ICT disaster recovery)
a cycle of backup media should be retained of all information required to meet
customer service, legal or statutory obligations.
effective backup procedures are important to ensure business continuity and the ability
to recover from disasters – for business continuity and ICT disaster recovery purposes:
– at least one copy in each backup cycle and restoration procedures should be
stored off-site and in accordance with the business continuity and relevant ICT
disaster recovery plans
– regular tests (at least annually) should ensure that backup procedures meet the
requirements of business continuity and ICT disaster recovery plans
– see further section 11.
Queensland State Archives provides advice on risks associated with relying on backups as
evidence of business activity and the appropriate retention of backups. For further
information refer to the Queensland State Archives Public Records Brief: Management of
backups.
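The register and restore-test items above are usually implemented in a script rather than kept by hand. The following is an added example, not part of the guideline or any agency tool, showing a minimal backup register in Python: each archive is recorded with a SHA-256 of the archive and of every file it contains, and a restore test extracts the archive into scratch space and compares the result with the register. The register layout (one JSON object per line), the file names and the sample records are constructed for illustration.

```python
"""Added example: backup register with restore verification (standard library only)."""
import hashlib
import json
import tarfile
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large archives are not read into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def hash_tree(root: Path) -> dict:
    """Map each regular file under root (by relative path) to its SHA-256."""
    return {
        str(p.relative_to(root)): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def take_backup(source: Path, archive: Path, register: Path, kind: str) -> dict:
    """Archive `source` into `archive` and append a register entry describing it."""
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")
    entry = {
        "when": datetime.now(timezone.utc).isoformat(),
        "kind": kind,                           # "incremental" or "full"
        "source": str(source),
        "archive": str(archive),
        "archive_sha256": sha256_file(archive),
        "files": hash_tree(source),             # what a correct restore must reproduce
    }
    with register.open("a", encoding="utf-8") as reg:
        reg.write(json.dumps(entry) + "\n")
    return entry


def verify_restore(entry: dict, register: Path) -> bool:
    """Restore the archive to scratch space and compare it with the register entry.

    Fails closed: a missing or altered archive, or any file whose content or
    presence differs from what was backed up, counts as a failed verification.
    """
    archive = Path(entry["archive"])
    ok = archive.exists() and sha256_file(archive) == entry["archive_sha256"]
    if ok:
        with tempfile.TemporaryDirectory() as scratch:
            with tarfile.open(archive, "r:gz") as tar:
                try:
                    tar.extractall(scratch, filter="data")  # refuse members escaping scratch
                except TypeError:                           # Python without extraction filters
                    tar.extractall(scratch)
            ok = hash_tree(Path(scratch)) == entry["files"]
    # Record the outcome of the restore test against the archive it relates to.
    with register.open("a", encoding="utf-8") as reg:
        reg.write(json.dumps({
            "when": datetime.now(timezone.utc).isoformat(),
            "verification_of": entry["archive_sha256"],
            "restore_ok": ok,
        }) + "\n")
    return ok


def run_demo() -> tuple:
    """Back up two constructed files, verify, corrupt the archive, verify again."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        source = work / "data"
        (source / "sub").mkdir(parents=True)
        (source / "a.txt").write_text("constructed sample record 1\n")
        (source / "sub" / "b.txt").write_text("constructed sample record 2\n")
        register = work / "backup-register.jsonl"
        entry = take_backup(source, work / "weekly-full.tar.gz", register, "full")
        before = verify_restore(entry, register)
        Path(entry["archive"]).write_bytes(b"simulated media corruption")
        after = verify_restore(entry, register)
        return before, after


if __name__ == "__main__":
    print(run_demo())  # (True, False)
```

Two details matter in practice. The archive hash is checked before extraction, so a corrupted or substituted archive fails without being unpacked, and extraction uses the `data` filter where the Python version supports it so a crafted archive cannot write outside the scratch directory. Verification records are appended to the same register, so the history of successful and failed restore tests is kept alongside the record of the backups themselves.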
7.6 Network security
Network security management is critical to the overall security of the agency information
environment. Agencies should ensure that appropriate governance and controls are in
place to protect networks from internal and external threats including intrusion, disruption or
exposure through malicious or accidental action. These controls should be commensurate
with the highest level of security classification applied to the information assets contained
within the network, and transported between agency gateways. Where possible the
application and monitoring of network security controls should be automated in order to
address scalability requirements and to reduce costs. Processes in place for secure
network management include but are not limited to:
designing networks, including their infrastructure, with controls appropriate to the agency
for all ICT assets that provide services accessible from outside Queensland Government's
internal networks it is recommended that:
– these are isolated in a separate security domain, a demilitarised zone (DMZ)
– the DMZ is secured with controls commensurate with the highest level of
information security classification of the information assets stored within or
transiting the DMZ, including defence-in-depth deployments, firewalls, intrusion
detection and prevention (IDP) systems, monitoring and reporting
– business requirements for access controls for all ICT assets within the DMZ are
identified and implemented
maintaining current documentation for network and gateway systems, including firewall
and security device configurations and ensuring that only staff with a need to know
have access to this documentation
security configuration management and software updates
monitoring and analysis of logs from firewalls for security breaches
alerts for detected breaches and intrusion attempts, and a documented response
process
regular testing of network security.
Agencies are to note that the Queensland Government Consolidated Infrastructure (QGCI)
as delivered by the Foundation Infrastructure Project (FIP), will be provisioning an IDP
service and a multi-tenanted security information and event management solution, and
offering these services to agencies that migrate to this new whole-of-Government solution.
Agencies wishing to utilise these technologies within their own network management
domain, should seek guidance from the QGCTO on the interoperability with the QGCI
solution; however, the preference is for agencies to consume whole-of-Government
services provided by CITEC.
Further implementation guidance is available within the NTSAF.
7.6.1 Firewalls
Agencies should implement firewalls:
at the network perimeter to prevent unauthorised access to agency networks
on the internal network and on servers (depending on the agency‟s network security
architecture).
Agencies should document tightly defined firewall rules that match network access
requirements. This should be stored in a secure location and be known to those employees
with a need to know. Agency change control and configuration processes must include
consideration of any required changes to agency firewall rules to ensure ongoing
appropriate firewall protection. Reviews of firewall rules should be scheduled on a regular
basis.
Agency firewall and gateway architecture should also be subject to regular tests, to identify
any security weaknesses. Agencies should report the results of these tests and any
corrective actions to the information security governance body.
7.6.2 Firewall Warning Notice
It is recommended that agencies implement ICT system firewall warning notices for
Queensland Government external facing ICT devices (eg. firewalls, intrusion prevention
systems, bastion hosts, screening routers etc) to provide potential users with notice as to
the private nature of the system and that monitoring and reporting activities may be
conducted.
Crown Law has been consulted in the development of a standard warning notice to
ensure the notice complies with statutory obligations while remaining as succinct as
possible. The Commonwealth and Queensland Criminal Codes both prohibit unauthorised
access to ICT systems and typically provide for offenders to be imprisoned for periods
varying from two to ten years. Crown Law advised that there is no statutory requirement
for a firewall notice to refer to any specific legislation, and that including references
to legislation governing this area would only increase the length of the notice without
offering any substantial legal benefit.
As per Crown Law advice, the ways in which a firewall notice may have legal effect, if
appropriately worded and implemented, include:
forming a contract, enforceable by legal action, obliging the user not to use the system
for unauthorised purposes
providing notice to the user that their electronic communications may be accessed by
third parties, to establish the 'knowledge' of the sender of a communication necessary
to avoid contravening the Telecommunications (Interception and Access) Act 1979
through unlawful interception of the communication
making an individual aware of the use and disclosure of personal information for the
purposes of compliance with the Information Privacy Act 2009.
The following notice is intended to meet the 265 character requirement and to secure the
best chance of having the legal effects outlined above:
“This private ICT system is for authorised use only.
By using this system you agree to use it only as authorised. You consent to
agency personnel monitoring or recording your use (including personal
information and communications) and using or disclosing such records for
disciplinary or law enforcement purposes.”
Crown Law has advised that at this time, users will not be required to actively 'accept' the
terms of the firewall notice prior to entering their login details. However, agencies should
consider this in light of other existing login notices they are using which require employees
to acknowledge their responsibilities (such as employee use of ICT facilities and devices
under Information Standard 38 (IS38)).
7.7 Media handling
The level of controls to be applied to agency media would depend on the security
classification assigned to that media under the QGISCF. The QGISCF and the QGISCS
provide some guidance with regard to the following controls:
preparation and handling
removal from workplace and monitoring
copying and storage
archive and disposal.
Agency risk assessments may identify the need for additional information security controls
for media.
In the absence of advice within the QGISCF, agencies should refer to the ISM.
Note that the Queensland Government is not legislatively obliged to comply with the ISM.
However, the Queensland Government is a signatory to a Memorandum of Understanding
that commits it to engage in practices consistent with this manual.
7.8 Information exchange
To ensure the security of information exchanged within the agency and with external
parties, including online information systems, the agency should ensure information
handling and exchange procedures are established in line with the:
QGISCF
QGISCS
Queensland Government Authentication Framework (QGAF)
NTSAF.
See also IS44.
7.8.1 Email
Email has become a critical business enabler, with information included in emails often
traversing public untrusted/uncontrolled networks such as the internet.
Agencies should ensure that information within emails is appropriately protected, and that
email use does not increase the risk profile of the agency, by:
ensuring staff have clear guidelines regarding the use of email for sensitive or security
classified information
ensuring that passwords are used on email systems (this may be achieved by use of a
password at network login)
prohibiting the use of scanned signatures (they can be cut and pasted to give the
appearance that a document was signed officially)
acknowledging that email communication is not private - any opinions expressed via
external e-mail, where they are not related to the conduct of business, should be noted
as individual opinions and not those of the organisation by inclusion of a disclaimer.
For example:
“This email, together with any attachments, is intended for the named
recipient/s only.
If you have received this message in error, you are asked to inform the sender
as quickly as possible and delete this message and any copies of this
message from your computer system network. Any form of disclosure,
modification, distribution and/or publication of this email message is
prohibited. Unless stated otherwise, this e-mail represents only the views of
the Sender and not the views of the Department of xxxxx.”
ensuring email systems are backed-up and maintained in accordance with operational
system management standards
ensuring the evidentiary value of electronic message transactions, and the general
reliability and availability of the electronic messaging system is maintained. For
Queensland Government policy on implementation advice on emails that are public
records, agencies should refer to the Queensland State Archives' Managing emails that
are public records policy and guideline.
Agencies should refer to IS38 for further advice regarding email policy.
Further advice on email transmission is available within the references listed in section 7.8
above.
7.9 eCommerce
7.9.1 eCommerce and online transactions
All agency eCommerce and online transactions and services must be assessed against and
consistent with the requirements of QGAF and NTSAF.
Further implementation advice is available within:
AS/NZS ISO/IEC 27001:2006 Information technology – Security techniques –
Information security management systems – Requirements
AS/NZS ISO/IEC 27002:2006 Information technology – Security techniques – Code of
practice for information security management
PCI Data Security Standard (PCI DSS) for payment account data security.
7.9.2 Publicly available information
Internet security is a critical current and ongoing security issue for agencies. The internet
creates a window into the agency network that opens up the potential for unauthorised
access and security threats to the confidentiality, integrity and availability of its information
and all information facilities.
Agencies should assess their internet security requirements and develop policies and
controls to manage all aspects of online and internet activities. The issues to take into
consideration are numerous, however, a few of the points to assess include:
anonymity and privacy including the requirements of the Information Privacy Act 2009
data confidentiality
use of cookies
applications and plug-ins
type of language to be used
practices for downloading executables
web server security configuration and auditing
access controls
use of data encryption.
Impact and risk assessments should be conducted on all web security controls on a regular,
if not on-going basis, and external expert advice should be sought where possible.
7.10 Information processing monitoring
Agencies are required to ensure that audit logs of user activities, exceptions and
information security events are produced, maintained and monitored.
Agencies need to ensure that their system and user monitoring activities are in line with all
legislative obligations and the risk the system or activities pose to the security of the
environment. Agencies should refer to IS38 for further information regarding the monitoring
of communications including email and the Information Privacy Act 2009 for obligations
regarding the protection of personal information.
Audit, fault, administrator and operator logs should be produced, maintained and monitored
on a regular basis to assist in maintaining the security of the agency information
environment.
Logging facilities and log information should:
be protected against tampering and unauthorised access
collect at a minimum the auditing requirements specified in the QGISCS; agencies may in
addition consider collecting the following:
– user IDs
– dates and times of key activities
– the identity and location of the computer
– network addresses and protocols
– system alerts or failures
– activation of anti-virus and intrusion detection and prevention systems2.
be retained as a record and/or in compliance with requirements to collect and retain
evidence.
For further guidance agencies should refer to:
AS/NZS ISO/IEC 27001:2006 Information technology – Security techniques –
Information security management systems – Requirements
AS/NZS ISO/IEC 27002:2006 Information technology – Security techniques – Code of
practice for information security management
IS40 Recordkeeping
IS31 Retention and disposal of public records
HB 171-2003 Guidelines for the management of IT evidence.
2 AS/NZS ISO/IEC 27002:2006 Information technology – Security techniques – Code of practice for information security
management, p. 55-56.
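The requirements above that log information be protected against tampering and be monitored can be demonstrated with a small amount of code. The following is an added example, not from the guideline, of an audit log in Python in which every record carries an HMAC over its own content and the previous record's HMAC, so that alteration, reordering or insertion of records is detectable, together with a monitoring step that flags repeated failed logons. The key, the event field names and the sample events are constructed; in a real deployment the key would be held by the log collector rather than by the host producing the records, and the latest MAC would be stored off-host so that deletion of the newest records is also detected.

```python
"""Added example: tamper-evident audit log (HMAC chain) with a simple monitor."""
import copy
import hashlib
import hmac
import json
from typing import List, Optional, Tuple

GENESIS = "0" * 64  # chain anchor used as the "previous MAC" of the first record


def _canonical(event: dict) -> str:
    # Stable serialisation so the same event always produces the same MAC.
    return json.dumps(event, sort_keys=True, separators=(",", ":"))


def append_event(log: List[dict], key: bytes, event: dict) -> dict:
    """Append an event whose MAC covers the event and the previous record's MAC."""
    prev = log[-1]["mac"] if log else GENESIS
    mac = hmac.new(key, (prev + _canonical(event)).encode(), hashlib.sha256).hexdigest()
    record = {"seq": len(log), "prev": prev, "event": event, "mac": mac}
    log.append(record)
    return record


def verify_chain(log: List[dict], key: bytes,
                 expected_head: Optional[str] = None) -> Tuple[bool, Optional[int]]:
    """Return (True, None) if intact, else (False, index of the first bad record).

    A chain on its own cannot show that the newest records were deleted, so the
    caller should keep the latest MAC ("head") where the log writer cannot alter
    it and pass it in; a mismatch is reported at index len(log).
    """
    prev = GENESIS
    for i, rec in enumerate(log):
        if rec["seq"] != i or rec["prev"] != prev:
            return False, i
        expected = hmac.new(key, (prev + _canonical(rec["event"])).encode(),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, rec["mac"]):
            return False, i
        prev = rec["mac"]
    if expected_head is not None and not hmac.compare_digest(prev, expected_head):
        return False, len(log)
    return True, None


def users_with_repeated_failures(log: List[dict], threshold: int) -> List[str]:
    """Monitoring step: user IDs with `threshold` or more failed logons in the log."""
    counts: dict = {}
    for rec in log:
        ev = rec["event"]
        if ev.get("action") == "logon" and ev.get("outcome") == "failure":
            counts[ev["user_id"]] = counts.get(ev["user_id"], 0) + 1
    return sorted(user for user, n in counts.items() if n >= threshold)


def run_demo() -> dict:
    """Build a constructed log, then show tamper, truncation and monitoring results."""
    key = b"constructed-demo-key-do-not-reuse"   # constructed; held by the collector in practice

    def ev(ts, user, host, src, outcome):
        # Fields mirror the list above: user ID, time, computer, network address, outcome.
        return {"ts": ts, "user_id": user, "host": host, "src": src,
                "action": "logon", "outcome": outcome}

    events = [
        ev("2011-07-04T08:59:01Z", "asmith", "ws-0142", "10.20.4.17", "success"),
        ev("2011-07-04T09:01:10Z", "bjones", "ws-0151", "10.20.4.23", "failure"),
        ev("2011-07-04T09:01:32Z", "bjones", "ws-0151", "10.20.4.23", "failure"),
        ev("2011-07-04T09:02:05Z", "bjones", "ws-0151", "10.20.4.23", "failure"),
        ev("2011-07-04T09:05:44Z", "cwong", "srv-db01", "10.20.9.5", "success"),
    ]
    log: List[dict] = []
    for event in events:
        append_event(log, key, event)
    head = log[-1]["mac"]  # would be stored off-host

    intact, _ = verify_chain(log, key, head)

    tampered = copy.deepcopy(log)
    tampered[1]["event"]["user_id"] = "asmith"   # attacker reattributes a failed logon
    _, bad_index = verify_chain(tampered, key, head)

    truncated_ok, _ = verify_chain(log[:-1], key, head)  # newest record deleted

    return {
        "intact": intact,
        "tamper_detected_at": bad_index,
        "truncation_detected": not truncated_ok,
        "flagged_users": users_with_repeated_failures(log, 3),
    }


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The monitor here is deliberately simple; the point is that detection logic runs over records whose integrity has already been verified, so an attacker who has compromised the host cannot quietly rewrite the evidence of their own logon attempts. The remaining gap, removal of the most recent records, is closed only by anchoring the head MAC somewhere outside the producer's control.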
8 Access management
8.1 Access control policy
The agency's access control policy should address and detail access control rules and
rights for each group of users. Generally these should be based on the principle that
everything is forbidden unless expressly permitted, while ensuring that business
requirements are met.
Access controls need to be consistent with policy and legal requirements. The overall
framework for access rights should be reviewed on a regular basis to determine that they
remain appropriate.
8.2 Authentication
Authentication codes should be changed when there is an indication of possible system
security or authentication code compromise.
QGAF provides a process and a set of definitions which will allow agencies, as service
providers, to evaluate the risk associated with their services and determine the appropriate
level of authentication assurance required. Agencies should refer to the QGAF series of
documents for detailed information regarding authentication management.
Agencies are also required to align with the Identity and Access Management Policy and
meet the targets within its accompanying position.
8.3 User access
8.3.1 User registration
User access rights should be in accordance with information owner requirements and
should be authorised by the user‟s manager before the user is granted access to the
information or system. The manager should ensure that the user has a sufficient
understanding of the system before approving access rights.
Access control mechanisms should be used to restrict access to all computer systems,
including hardware, software and data.
If user authentication is based upon passwords the following controls should be considered:
the user should be required to change temporary passwords at the first logon
(temporary passwords only being valid for one day)
users should be required to change their authentication code after a predetermined
period of time, through either automatic or manual means, and should not be allowed to
reuse an authentication code for at least 13 cycles
user access should be locked after three failed logon attempts
where passwords are used for authentication, users should be educated in selecting and
using passwords.
All access control privileges of users should default to denial of access when there is a
malfunction in the computer or network access control system.
All changes to an employee‟s user duties should be reflected in their access control rights.
Changes should be carried out on a timely basis. Access privileges should be disabled or
modified when users change jobs, or leave the agency permanently, or are on leave for a
prolonged period.
User access rights should be subject to regular review using a formal process. Agencies
should consider reviewing, and possibly disabling, access rights which have not been used
in the last 30 calendar days.
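The password controls listed earlier in this section (temporary passwords valid for one day, expiry after a set period, no reuse within 13 cycles, lockout after three failed attempts, and default denial when the control malfunctions) are mechanical enough to express directly in code. The following is an added example in Python, not part of the guideline or of any Queensland Government system, that enforces them for a single account. The 90-day lifetime, the PBKDF2 parameters, the account names and the passwords are constructed assumptions; the guideline itself only says "a predetermined period".

```python
"""Added example: enforcing temporary-password, expiry, reuse and lockout controls."""
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

HISTORY_DEPTH = 13                          # no reuse within the last 13 passwords
MAX_FAILED_ATTEMPTS = 3                     # lock after three failed logons
TEMP_PASSWORD_LIFETIME = timedelta(days=1)  # temporary passwords valid for one day
PASSWORD_LIFETIME = timedelta(days=90)      # assumed value for the "predetermined period"
PBKDF2_ROUNDS = 100_000                     # kept modest so the demo runs quickly


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; a fresh salt per password defeats precomputation."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def matches(password: str, salt: bytes, digest: bytes) -> bool:
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


class Account:
    def __init__(self, user_id: str, temporary_password: str, now: datetime):
        self.user_id = user_id
        self.history: List[Tuple[bytes, bytes]] = [hash_password(temporary_password)]
        self.set_at = now          # when the current password was set
        self.temporary = True      # must be changed at first logon
        self.failed = 0
        self.locked = False


def authenticate(account: Account, password: str, now: datetime) -> str:
    """Returns ok, change-required, expired, rejected, locked or denied."""
    try:
        if account.locked:
            return "locked"
        salt, digest = account.history[-1]
        if not matches(password, salt, digest):
            account.failed += 1
            if account.failed >= MAX_FAILED_ATTEMPTS:
                account.locked = True
                return "locked"
            return "rejected"
        account.failed = 0
        lifetime = TEMP_PASSWORD_LIFETIME if account.temporary else PASSWORD_LIFETIME
        if now - account.set_at > lifetime:
            return "expired"
        return "change-required" if account.temporary else "ok"
    except Exception:
        return "denied"  # default to denial if the access control itself malfunctions


def change_password(account: Account, old: str, new: str, now: datetime) -> str:
    """Returns changed, reused or rejected."""
    if account.locked:
        return "rejected"
    salt, digest = account.history[-1]
    if not matches(old, salt, digest):
        return "rejected"
    # Salts differ per entry, so reuse is detected by verifying the candidate
    # against each retained hash rather than by comparing hashes directly.
    if any(matches(new, s, d) for s, d in account.history[-HISTORY_DEPTH:]):
        return "reused"
    account.history = (account.history + [hash_password(new)])[-HISTORY_DEPTH:]
    account.set_at = now
    account.temporary = False
    account.failed = 0
    return "changed"


def run_demo() -> List[str]:
    """Walk constructed accounts through the controls; dates and passwords are made up."""
    t0 = datetime(2011, 7, 1, 9, 0, tzinfo=timezone.utc)
    acct = Account("jsmith", "Temp-Pass-123", t0)
    later = t0 + timedelta(hours=2)
    results = [
        authenticate(acct, "Temp-Pass-123", later),                           # change-required
        change_password(acct, "Temp-Pass-123", "Temp-Pass-123", later),       # reused
        change_password(acct, "Temp-Pass-123", "Winter-2011-Koala!", later),  # changed
        authenticate(acct, "Winter-2011-Koala!", t0 + timedelta(days=1)),    # ok
    ]
    outcome = "rejected"
    for _ in range(MAX_FAILED_ATTEMPTS):
        outcome = authenticate(acct, "wrong-guess", t0 + timedelta(days=1))
    results.append(outcome)                                                   # locked
    results.append(authenticate(acct, "Winter-2011-Koala!", t0 + timedelta(days=1)))  # locked
    late = Account("adoe", "Temp-Pass-456", t0)
    results.append(authenticate(late, "Temp-Pass-456", t0 + timedelta(days=2)))        # expired
    return results


if __name__ == "__main__":
    print(run_demo())
```

The reuse check is the non-obvious part: because every stored hash has its own salt, the candidate password has to be verified against each retained entry rather than compared hash to hash. The history is trimmed to HISTORY_DEPTH entries including the current password, so a password set at one change can first be reused thirteen changes later. Note also that an expired temporary password cannot be self-served through change_password; the one-day validity means it has to be reissued.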
8.3.2 Privilege management
The use of special privileges should be restricted and controlled, as the unnecessary
allocation or unauthorised use of special privileges can be a major factor in system security
failure. Special privileges include:
high privilege users (for example administrator/supervisor access rights)
security administration (for example security administrator)
root access/operating system access
network management access
database administration.
8.4 User responsibilities
Users should be made aware of their responsibilities with regard to system access
including:
following the password policy and processes
securing unattended equipment
keeping a clear desk and screen3.
8.5 Network access
In relation to controlling unauthorised network access agencies should consider
implementing:
network access control policies and software
gateway and firewall technologies for filtering and controlling traffic.
8.5.1 Remote network access
To minimise risks from external connections, agency remote access processes should at a
minimum register all persons with remote access privileges and log all remote access
attempts and activity and ensure all users are authenticated before access to the network is
granted.
8.6 Operating system access
Agencies should implement controls to prevent unauthorised access to operating systems.
The following should be considered:
implementation of secure log-on procedures for operating systems, including:
– ensuring that minimal information is disclosed about the system
– the log-on is validated only upon correct input of all data.
assigning all users with a unique identifier (user ID) and a suitable authentication
technique to substantiate identity claims
not reassigning user IDs, instead disabling the user ID when no longer required
managing password quality with a formal system
[3] AS/NZS ISO/IEC 27002:2006 Information technology – Security techniques – Code of practice for information security management, p. 63.
restricting and controlling the use of systems that may have the capability of overriding
system and application controls
shutting down sessions after a defined period of inactivity
limiting user connection times where appropriate.
Further implementation advice is available within AS/NZS ISO/IEC 27002:2006 Information
technology – Security techniques – Code of practice for information security management.
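The secure log-on points in 8.6 (validate only on complete input, disclose minimal information on failure, use a constant-time credential check) as an added example; this is illustrative code, not from the guideline, and the user store, passwords and work factor are constructed for it.

```python
"""Secure log-on procedure: an added example, not code from the IS18 guideline.

It illustrates two points from section 8.6: the log-on is validated only
once all fields have been supplied, and as little as possible is disclosed
on failure: an unknown user ID, a wrong password and a disabled account all
produce the same generic response, and a decoy credential is checked for
unknown IDs so the amount of work done does not differ either.  The user
store and passwords below are constructed for the example.
"""
import hashlib
import hmac
import os

ITERATIONS = 100_000                # PBKDF2 work factor (illustrative)
GENERIC_FAILURE = "Log-on failed"   # single message for every failure cause


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Return (salt, digest); a fresh random salt is drawn when none is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


# Constructed user store: user_id -> (salt, digest, enabled)
USER_STORE = {
    "alice": (*hash_password("correct horse battery"), True),
    "bob": (*hash_password("staple"), False),   # disabled account
}
# Decoy credential used when the user ID is unknown (never matches anything).
_DECOY = hash_password(os.urandom(32).hex())


def attempt_logon(user_id: str, password: str) -> tuple:
    """Return (success, message); the message never says which part failed."""
    # Validate only on complete input; do not say which field is missing.
    if not user_id or not password:
        return False, GENERIC_FAILURE
    known = user_id in USER_STORE
    salt, digest, enabled = USER_STORE[user_id] if known else (*_DECOY, False)
    _, candidate = hash_password(password, salt)
    # Constant-time comparison; the decoy path does the same work as a real one.
    password_ok = hmac.compare_digest(candidate, digest)
    if not (known and enabled and password_ok):
        return False, GENERIC_FAILURE
    return True, "Welcome " + user_id


if __name__ == "__main__":
    for uid, pw in [("alice", "correct horse battery"), ("alice", "wrong"),
                    ("nobody", "anything"), ("bob", "staple"), ("", "x")]:
        print(repr(uid), "->", attempt_logon(uid, pw))
```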
8.7 Application and information access
Agencies should consider implementing controls that assist in restricting access to
information within applications, by the use of menus and controlling access rights (e.g. read,
write, delete).
Access to system utilities that may be used to alter data or program code should be kept to
a minimum, with all system master passwords restricted to, and maintained by, system
owners or their appointees.
All remote access support applications and utilities should only be provided to authorised
information systems support personnel. Policies should also be in place for the
configuration of such systems.
All vendor and default passwords should be changed prior to an application going into
operation.
8.8 Mobile computing and telework access
Risk assessments and policies and processes for mobile computing and telework access
should consider:
physical security of the site
security of the telecommunications link
lack of control of information, for example, access by family or friends
increased risk of disclosure or unauthorised use of information
increased risk of unauthorised access to agency network and systems
support and maintenance of hardware and software updates
backup procedures
access security aspects (such as writing down of instructions for login including
passwords).
Further details on movement of information assets outside the agency can be found in the
QGISCF.
8.8.1 Using privately owned equipment
To ensure the integrity of government networks, privately owned devices (e.g. home
computers) should not be connected to agency networks unless either:
specific technology has been implemented to ensure security for the agency
detailed risk assessments are conducted to assess all security impacts.
Detailed risk assessments must include all aspects of information security including:
authentication measures
access controls
virus and malicious code
physical and personnel security.
9 System acquisition, development and maintenance
9.1 System security requirements
Security requirements and specifications should be addressed and agreed for any new or
improved system in the initial stages of development, or acquisition. These requirements
should identify and address any potential risks, vulnerabilities and/or conflicts with existing
systems or business processes. Where possible, authentication should be managed
through a separate enterprise directory product. Where appropriate agencies should also
consider seeking independent evaluation or security certification of systems.
Agencies should ensure that applications which are to be implemented into the web
environment undergo a stringent risk assessment process in the development phase and
during the life of the application to ensure appropriate security controls are in place.
Agencies should also ensure that patch management issues are assessed and considered
prior to the implementation of systems and, in the case of developed applications, that
periodic code reviews are incorporated into security maintenance.
9.2 Correct processing
Agencies should ensure that implementation policies and processes outlining the practices
for input validation, internal processing checks and controls, message authentication
techniques and output data validation are in place to ensure appropriate security of all
application and systems development. These processes should be in accordance with the
risks associated with the system data and its security classification. Audit trails and activity
logs should also be written into applications for the validation of data and internal
processing.
9.3 Cryptographic controls
In order to provide a trusted communications channel over untrusted communication paths,
cryptographic algorithms are a recommended control set. Further information on
cryptographic controls can be located in the NTSAF.
9.4 System files
Operational software should be maintained at a level supported by the supplier and ideally
maintained to the latest available patch level. Appropriate testing, planning and migration
control measures should be carried out when upgrading patches or installing new software
versions to ensure the overall security of the agency operational environment is not
adversely impacted. The testing of systems and data should be controlled and monitored
especially where operational data sets are used.
Access controls should be implemented to ensure restricted access to all systems and
applications including system source code.
Agencies should be mindful that they must retire or replace software that is approaching
end of mainstream support as per the Software currency policy and the targets within the
Software currency position.
9.5 Secure development and support processes
Policies and processes should be in place for control of changes to operational applications
including version control for software upgrades. To minimise threats to the operational
environment agencies should consider but not limit activities to ensuring:
adequate testing and change control mechanisms are in place for the migration of new
or modified systems into the operational environment
that the information environment is managed so that future expansions or changes can
be accommodated and do not adversely impact the operational environment.
For further information on change management see the ICT Infrastructure change
management guideline.
9.6 Technical vulnerability management
As a first step, agencies should ensure that they have a current and complete register of
application and technology assets including vendor, version numbers, current state of
deployment and contacts for persons responsible for the asset (agency ICT Baseline data
may be a useful starting point). Agencies should refer to AS/NZS ISO/IEC 27002:2006
Information technology – Security techniques – Code of practice for information security
management which provides guidance on establishing effective management processes for
technical vulnerabilities.
Agencies should be mindful that the Foundation Infrastructure Project (FIP) is investigating
options for the supply of enterprise management software for the whole-of-Government ICT
infrastructure, which includes patch vulnerability management software.
10 Incident management
When addressing information security incident management, agencies should be mindful
that the Queensland Government Chief Technology Office (QGCTO) is establishing a
virtual response team (VRT) that will include representatives from participating agencies.
The VRT is being established to assist any agency requesting analysis and potential
resolution of incidents of a significant nature only. Expertise may be drawn from resources
external to the Queensland Government if required.
It should be noted that the VRT is a consultative service only; responsibility for successful
resolution, including payment for external resources, remains with the requesting agency.
CITEC, as the mandated whole-of-Government service provider, has also negotiated a
Standing Offer Arrangement (SOA) for the procurement of Security Information and Event
Management (SIEM) technology. A SIEM can be utilised for managing event and log
information from all agency network devices, and offers the ability to assist with the analysis
of events and incidents, as well as automating the process of generating reports. The SIEM
technology can either be purchased by an agency or managed by CITEC on behalf of an
agency.
10.1 Event/weakness reporting
When agencies are developing their policies and/or procedures for information security
event and weakness reporting, the following guidelines should be taken into consideration:
Information Security Incident Category Guideline
Information Security Event and Incident Management Guideline (not yet approved)
AS/NZS ISO/IEC 18044:2006 Information technology – Security techniques –
Information security incident management.
10.2 Incident procedures
When agencies are developing procedures to manage information security incidents, the
following guidelines should be taken into consideration:
Information Security Event and Incident Management Guideline (not yet approved)
Information Security Incident Category Guideline
AS/NZS ISO/IEC 18044:2006 Information technology – Security techniques –
Information security incident management
Information Security Internal Governance Guideline
Australian Standards' HB 171-2003 Guidelines for the management of IT evidence.
For information security incidents that involve breaches of privacy, agencies should refer to
the:
Information Privacy Act 2009
OIC's Privacy breach management and notification guideline
Privacy Act 1988 (Cth)
Australian Government Office of the Privacy Commissioner's Guide to handling
personal information security breaches.
Under IS18 agencies must establish and maintain an information security incident and
response register and record all incidents. The register may be created manually or linked
with existing business process tools, such as an Information Technology Infrastructure
Library (ITIL) compliant ticketing system.
QGCTO is currently implementing a strategic whole-of-Government information security
management service with CITEC, which will introduce new Security Information and Event
Management (SIEM) technology to assist with the collation and summarisation of events
and incidents, including the generation of reports. As part of the migration strategy for
agencies to consume whole-of-Government services, QGCTO will work with agencies in
understanding the benefits of adopting a SIEM service. This will include understanding the
benefits of utilising a SIEM in maintaining a register and the ability to provide more accurate
and timely reporting.
11 Business continuity management
11.1 Business continuity
Agency business continuity plans should be reviewed and tested on a regular basis to
ensure that all current business and ICT systems and infrastructure are accounted for.
When developing the agency testing strategy, the importance of each system to the
business operations and the ability to recover it within the time frames required by users
should determine the extent of the testing. Business continuity plans should ensure that
information security controls are maintained and this should be within scope of the testing
strategy.
Agencies should also review their plans and strategies after any significant disruption to,
or failure of, information services, to ascertain the cause, assess the remedy and
ensure procedures are adjusted to reduce the likelihood of any repeat occurrence. For
further information, please refer to:
Business continuity plan documentation guideline (Queensland Government
employees only)
Queensland Government guide for business continuity planning (Queensland
Government employees only)
Australian Standards HB:221:2004 Business continuity management.
11.2 Disaster recovery
To ensure the availability of information, and ICT systems and services following a disaster,
agencies need to document information and ICT disaster recovery plans.
When documenting agency information and ICT disaster recovery arrangements, agencies
should refer to the ICT asset disaster recovery planning guideline. The plans should ensure
that information security controls are recovered as part of the plan.
When developing information risk management strategies to assess the vulnerability of
information and ICT assets and the impact on these assets as a result of a security failure
or a disaster, agencies should consider adapting the AS/NZS ISO 31000:2009 Risk
management – Principles and guidelines. Further information can also be found in the
Information risk management best practice guide.
It is a requirement of IS18 that agencies 'establish an information and ICT asset disaster
recovery register to assess and classify systems to determine their criticality'. Note that this
register does not need to be a new register; agencies are free to use existing registers
they may have, provided that those registers assess and classify information and ICT assets to
determine their criticality.
Requirements and advice regarding disaster recovery for public records is available from
Queensland State Archives.
12 Compliance management
12.1 Legal requirements
A summary of information security related legal requirements is included in Appendix A.
However, this is no substitute for agencies seeking legal advice from their internal legal
section on the specific legal requirements that apply to them.
12.2 Policy requirements
Information security policies, procedures and compliance should be reviewed and reported
on to appropriate management at least annually to ensure the reliability and overall
effectiveness of the security controls for all information systems, network infrastructures
and applications.
12.3 Audit requirements
Agencies should ensure that appropriately qualified personnel are assigned to audit the
compliance of the information environment against agency policies, processes and industry
technical standards to ensure appropriate security levels are maintained. These personnel
should, where practical, not be involved in the operational information or systems
environment of the agency.
13 Reporting requirements
13.1 Event and incident information
Under IS18 agencies must submit their Security Event and Incident Management
information to the QGCTO. Actual reporting requirements may evolve over time as the
process matures.
In the interim, the QGCTO is in the process of establishing a Virtual Response Team and
gathering business requirements for a whole-of-Government AusCERT subscription
service. QGCTO is currently working with CITEC and a large agency to implement the
SIEM technology chosen as part of the FIP tender.
As soon as these technologies, processes and services are in place, consultation with
agencies will commence on determining the level of detail for events and incidents that will
be reported to QGCTO on an ongoing monthly basis.
13.2 VRT communication alerts
Under IS18 agencies must send Virtual Response Team communication alerts to all
agencies as directed by the QGCTO. Actual reporting requirements will evolve over time as
the process matures. After the whole-of-Government Virtual Response Team is
established, further information will be provided on the level of detail for events and
incidents that will be reported to QGCTO.
The intent of this communication forum is to have agencies participate in the notification of
observed security events and incidents and to share information in order to both contain
and resolve incidents in a timely manner. There is no requirement to divulge any sensitive
information that may cause distress to the participating agencies.
Appendix A Information security related legislation and standards
This appendix provides a summary of some of the information security related obligations that
apply to Queensland Government agencies.
The contents of this appendix do not constitute legal advice and should not be relied on as a
comprehensive statement of information security legislative obligations.
A.1 Legislation
Criminal Code Act 1995 (Cth)
Electronic Transactions Act 1999 (Cth)
Electronic Transactions (Queensland) Act 2001 (Qld)
Evidence Act 1977
Financial Accountability Act 2009 (Qld)
Financial and Performance Management Standard 2009 (Qld)
Information Privacy Act 2009 (Qld)
Privacy Act 1988 (Cth)
Public Records Act 2002 (Qld)
Public Sector Ethics Act 1994 (Qld)
Public Service Act 2008 (Qld)
Right to Information Act 2009 (Qld)
Telecommunications Act 1997 (Cth)
Telecommunications (Interception and Access) Act 1979 (Cth).
A.2 International/Australian standards and guidelines
AS 2834-1995 Computer accommodation
AS/NZS ISO/IEC 27001:2006 Information technology – Security techniques –
Information security management systems – Requirements
AS/NZS ISO/IEC 27002:2006 Information technology – Security techniques – Code of
practice for information security management
AS/NZS ISO/IEC 18044:2006 Information technology – Security techniques –
Information security incident management
AS/NZS ISO 31000:2009 Risk management – Principles and guidelines
Australian Standards HB 171:2003 Guidelines for the management of IT evidence
Australian Standards HB:221:2004 Business continuity management
Queensland Government Counter Terrorism Strategy 2008-2012 – Department of
Premier and Cabinet (function now residing in Queensland Police Service)
Queensland Government Counter Terrorism Plan 2007 – Department of Premier and
Cabinet (function now residing in Queensland Police)
Government Asset Protection Framework – Queensland Treasury.
A.3 Australian Government standards
PSPF
ISM.
A.4 Queensland Government Enterprise Architecture
Business continuity plan documentation guideline
Directory services position
Information security external governance guideline
Identification and classification of information assets guideline
Identity management, authentication and authorisation services position
Implementing internal information security governance guideline
Information risk management best practice guide
Information security event and incident category guideline
Information security event and incident management guideline
Information Security external security governance guideline
Information Standard 2: ICT resources strategic planning
Information Standard 13: Procurement and disposal of ICT products and services
Information Standard 31: Retention and disposal of public records
Information Standard 38: Use of ICT facilities and devices
Information Standard 40: Recordkeeping
Information Standard 44: Information asset custodianship
Network management position
Network transmission security assurance framework
Patch management policy and position
Queensland Government authentication framework
Queensland Government ICT disaster recovery plan development guideline
Queensland Government information risk management guidelines
Queensland Government information security classification framework
Queensland Government information security policy - mandatory clauses.