Queensland Government Enterprise Architecture

Queensland Government information security classification framework

Final

September 2018

V4.0.0

OFFICIAL - Public

QGEA OFFICIAL - Public Information security classification framework

Final| v4.0.0| September 2018 Page 2 of 39

Document details

Security classification OFFICIAL - Public

Date of review of security classification

September 2018

Authority Queensland Government Chief Information Officer

Author Cyber Security Unit, Queensland Government Chief Information Office

Documentation status: Final version

Contact for enquiries and proposed changes All enquiries regarding this document should be directed in the first instance to:

Cyber Security Unit Queensland Government Chief Information Office [email protected]

Acknowledgements This version of the Queensland Government information security classification framework was developed and updated by the Queensland Government Chief Information Office.

Feedback was also received from a number of agencies, which was greatly appreciated.

Copyright Queensland Government Information Security Classification Framework

© The State of Queensland (Queensland Government Chief Information Office) 2018

Licence

This work is licensed under a Creative Commons Attribution 4.0 International licence. To view the terms of this licence, visit http://creativecommons.org/licenses/by/4.0/. For permissions beyond the scope of this licence, contact [email protected].

To attribute this material, cite the Queensland Government Chief Information Office.

The licence does not apply to any branding or images.

Information security This document has been security classified using the Queensland Government Information Security Classification Framework (QGISCF) as OFFICIAL - Public and will be managed according to the requirements of the QGISCF.

Contents

1 Executive Summary (page 4)
2 Introduction (page 5)
2.1 Purpose (page 5)
2.2 Scope (page 5)
2.3 Audience (page 6)
3 Implementation (page 6)
4 Integrity assessment (page 7)
5 Availability assessment (page 8)
6 Confidentiality assessment (page 9)
6.1 Confidentiality classification labels (page 9)
6.2 Sharing information and the ‘need to know’ (page 11)
6.3 Confidentiality business impact levels (page 12)
6.4 Information asset confidentiality control summary (page 13)
7 Information security assessment process (page 15)
7.1 Identify information (page 15)
7.2 Determine the owner of the information (page 16)
7.3 Undertake business impact level assessment and assign C.I.A levels (page 16)
7.4 Select and apply controls (page 16)
7.5 Ongoing activities (page 17)
8 Business impact levels (page 17)
Appendix A Integrity – Business impact assessment – example (page 21)
Appendix B Availability – Business impact assessment – example (page 24)
Appendix C Confidentiality – Business impact assessment – example (page 25)
Appendix D Security classification by domain (page 27)
Appendix E Mapping between old and new confidentiality classifications (page 31)
Appendix F Frequently asked questions about security classification, publishing and Creative Commons licensing (page 32)
Appendix G Use of additional descriptors for information (page 34)
Appendix H Additional resources (page 35)
Appendix I Glossary (page 36)
Appendix J Implementation timing (page 38)

1 Executive Summary

The Queensland Government Information Security Classification Framework (QGISCF) sits under the Information security policy (IS18:2018).

Agencies should classify their information and assets according to business impact and implement appropriate controls according to the classification.

To apply information classification at the enterprise level an organisation needs to:

- determine its business impact levels from the loss, compromise or misuse of information for the agency in terms of the impact to confidentiality (C), integrity (I) and availability (A);

- analyse the organisation’s information and information assets against the business impact levels it has created and assign C, I, A values;

- determine and apply appropriate controls to safeguard the information and information assets in a consistent manner; and

- regularly assess whether the controls assigned for C, I and A values are adequate to maintain the organisation within its chosen risk tolerance level.

The confidentiality labels are OFFICIAL (low or negligible confidentiality impact), SENSITIVE (moderate confidentiality impact) and PROTECTED (high confidentiality impact). Where an agency has determined high confidentiality information to be at the PROTECTED level, the agency must consider the PROTECTED controls outlined in the current cyber security manual published by the Australian Cyber Security Centre [1].

Where an information asset is shared between government agencies, partner agencies should apply equivalent controls to those determined by the information-owning agency to be adequate.

[1] https://cyber.gov.au/government/publications/australian-government-information-security-manual-ism/

2 Introduction

2.1 Purpose

This document, the Queensland Government Information Security Classification Framework (QGISCF), supports the Information Security Policy (IS18:2018). It sets the minimum requirements for information security classification.

Information security policy (IS18:2018) Policy Requirement 3, “Agencies must meet minimum security requirements”, states that Queensland Government ICT assets that create, store, process or transmit information are assigned appropriate controls in accordance with the QGISCF.

Consistent classification of information helps Queensland government agencies make more informed and timely decisions about how they should capture, store, maintain, transmit, process, use and share information to best deliver services to Queenslanders.

The confidentiality labels are OFFICIAL (low or negligible confidentiality impact), SENSITIVE (moderate confidentiality impact) and PROTECTED (high confidentiality impact).

Agencies must:

- determine impact from loss of confidentiality, integrity and availability to information on a risk basis and assign the relevant security classifications;

- apply appropriate controls to safeguard confidentiality, integrity and availability of information;

- label all new information with a higher confidentiality level than OFFICIAL.

Where an agency has determined information warrants the PROTECTED label, the agency must consider the PROTECTED controls outlined in the current cyber security manual published by the Australian Cyber Security Centre [2].

Agencies should:

- record gaps between the agency treatment of PROTECTED information and the current ASD cyber security manual in the agency risk register and share this with partner agencies;

- apply labels to all information to signify confidentiality levels;

- document the maximum security classification levels and other usage restrictions for their information assets; and

- educate users about responsibilities and handling requirements for handling and use of information over its lifecycle.

Custodians of information should:

- maintain a control environment deemed adequate by the information owner.

2.2 Scope

This framework provides a process and direction for determining the security classification of information considering the three elements of information security.

[2] https://cyber.gov.au/government/publications/australian-government-information-security-manual-ism/

Information security consideration descriptions

2.2.1 National security

The QGISCF does not provide specific guidance for handling national security information, classified material or systems that are assessed to have confidentiality requirements above PROTECTED. Where an agency has cause to handle such material/systems, it should refer to the Australian Government Protective Security Policy Framework (PSPF) and the Security and Counter-Terrorism Group in Queensland Police Service. Telephone 07 3364 4549 or email [email protected]

2.3 Audience

Queensland Government information must be security assessed. This document is intended for the use of employees and contractors within Queensland Government agencies.

It will be relevant to:

- information owners, information asset custodians and users who are responsible for classification and control of Queensland Government information assets

- users of the information for any relevant and responsible purposes, including sharing or processing the information

- any people who are designing agency services, such as business process specialists, service designers and system architects

- business managers, external third parties and service stakeholders

- information security managers and auditors who may assess the security of services

- records managers and others who have responsibility for managing classified information assets over time

- chief information officers and other ICT managers and employees responsible for the supply and operation of information systems.

3 Implementation

This framework must be used by all Queensland Government agencies to assess the information security of their information and information assets.

The classification assessment levels are as follows.

Information security – confidentiality, integrity and availability

The organisation should identify and apply assessment levels for confidentiality, integrity and availability impact to their information. The assessment levels are used to identify which controls are appropriate to safeguard that information.

Where an agency shares information with partner agencies, there is an expectation that the partner agencies will apply equivalent controls. It is good practice to document the business impact levels for information and relevant control expectations between agencies when they share information. In some cases, a classification guide may be useful. Guides give users greater clarity in determining classification levels using specific examples relevant to the subject matter.

There is not always a direct relationship between confidentiality, integrity and availability. For example, information might have a low or negligible confidentiality requirement and be assigned an OFFICIAL classification level. However, it might also have a high integrity and medium availability assessment.

In that case, the control selection would skew towards a control set that enhanced integrity as much as possible, did not unnecessarily restrict availability, and met the department’s minimum control requirements for confidentiality.

4 Integrity assessment

Information integrity refers to how well the information reflects its underlying subject. ISO/IEC 27000:2016 (clause 2.40) defines integrity as the ‘property of accuracy and completeness’.

Information integrity may be compromised by accident or by a (semantic) attack. Such attacks can be especially destructive against financial systems (e.g. fraud) and SCADA [3] (e.g. Stuxnet). With the rise of the Internet of Things, information integrity, including data quality, will be an increasing concern.

[3] Supervisory Control and Data Acquisition: systems that monitor and control industrial, infrastructure and facility-based processes that exist in the physical world.

The business impact of inadequate information integrity may differ for different information assets. Inadequate information integrity in a financial system will almost certainly have significant financial and/or legal consequences; whereas inadequate information integrity in an email distribution list may only result in inconvenience and slight embarrassment.

The integrity level of ‘low or none’, ‘medium’ or ‘high’ should describe the business impact given a hazard event where inappropriate or unauthorised changes have reduced the integrity of the information. The higher the integrity requirement, the more control should be implemented to safeguard information against inappropriate or unauthorised change.

The outcome of information security integrity assessment should be an indication of the business impact should the integrity of information be compromised. Information integrity levels are determined by the agency business needs, but at a minimum, information should be stored, handled and disposed of in accordance with the Public Records Act 2002. Other specific legislation, such as the Information Privacy Act 2009 and financial accountability regulations may also create information integrity requirements for agencies.

Appendix A is an example of how a business impact assessment can be used to assess integrity levels.

5 Availability assessment

For information to be useful and serve the organisation’s purpose, it must reliably be available when it is needed and in a form that can be consumed by users. Information availability refers to how accessible information is for an intended user or audience at the time the information is required.

Agencies must determine the availability requirements of information that they own and manage and the business impact if the information is not available to the right people or systems at the right time.

For example, an organisation maintains a list of widget quantities stored in its warehouse. The information integrity of the list relates to its accuracy and completeness relative to the number of physical widgets actually held in the warehouse. Following an assessment of business impact levels, the list is assessed to have a ‘high’ integrity BIL requirement. Because of the ‘high’ BIL, the organisation identifies controls which ensure that, when audited during the annual physical stocktake, the list of widget quantities is highly accurate and complete.

For example, inadequate availability of a patient’s electronic health record can have significant impacts on a clinician’s ability to deliver quality health care. In an emergency department, the information needs to be available to clinicians within a short time of being required, so the information needs a High availability assessment. The same information, where it is accessed within a billing system, may have a Low availability requirement.

The outcome of Information security availability assessment of ‘high’, ‘medium’ or ‘low’ is based on the business impact should the information availability be compromised. Information availability assessment levels are determined by the agency business needs.

Information availability can be compromised because of both human directed (intentional) and non-directed (unintentional) events.

Unintentional events include failure of equipment due to lack of maintenance or a natural occurrence such as a cyclone.

Intentional attacks, such as denial of service attacks, disrupt the normal functioning of information systems, leading to availability compromise over varying timescales.

Agencies should assess the risk that loss of information availability might cause damage to the organisation and consider whether specific controls are warranted. In many cases, planned and tested business continuity and disaster recovery processes will provide significant mitigation of information availability risk. However, where information is assessed to have a high availability impact, additional controls or approaches may be needed to ensure information is available to the right people and systems within the required time tolerance.

Appendix B may assist in identifying availability objectives to support business impact requirements.

6 Confidentiality assessment

An information security confidentiality assessment examines the impact should the information be inappropriately released. A confidentiality level can be applied to individual documents or information assets. The information security (confidentiality) level applied to a document or data element flags how access to the information should be restricted and the efforts that should be made in doing so.

6.1 Confidentiality classification labels

The confidentiality classification labels are considered in relation to the increasing confidentiality business impact, should information be compromised or shared inappropriately.

The confidentiality classification labels for Queensland Government information are:

- OFFICIAL

- SENSITIVE

- PROTECTED

QGISCF does not deal with National Security Information (NSI) that is assessed to be classified above PROTECTED; however, the framework integrates into the broader Australian Government approach to allow interoperability.

| Confidentiality requirement | Classification label | Minimum controls |
|---|---|---|
| Low | OFFICIAL | As per QGEA and agency risk assessment |
| Medium | SENSITIVE | As per QGEA and agency risk assessment |
| High | PROTECTED | As per QGEA and agency risk assessment. Agency must consider the controls outlined for PROTECTED information in CSM |
| National Security Information (NSI) | Not covered by QGISCF | Refer to federal PSPF. Seek advice from QPS |

Agencies must undertake an information security confidentiality (business impact) assessment to determine the appropriate confidentiality level (OFFICIAL, SENSITIVE, PROTECTED).

An agency must apply security controls which are commensurate with the assessed business impact.

This framework does not mandate specific controls - agencies should select the controls best suited to their business and technology needs.

The chosen controls must provide sufficient safeguards to adequately protect the information based on the confidentiality level of the information.

For PROTECTED information, an agency must consider the controls outlined for PROTECTED information in the current Australian Government information security manual [4].

Where the controls applied to PROTECTED information are not equivalent to those outlined in the information security manual, the agency accountable officer must accept any resulting risk. The risk should be recorded in the agency risk register and shared with partner agencies.

6.1.1 OFFICIAL

OFFICIAL represents most Queensland Government information by volume, but has the lowest business impact per document if compromised or lost. However, where information is aggregated on an information asset such as an ICT server, the impact of compromise may increase and, with it, the controls required.

OFFICIAL information is routine information without special sensitivity or handling requirements. All routine public-sector business, operations and services are treated as OFFICIAL. At the OFFICIAL classification there is a general presumption that data may be shared across government. Security measures should be proportionate and driven by the business requirement.

Most OFFICIAL information is subject to the Public Records Act 2002.

[4] https://cyber.gov.au/government/publications/australian-government-information-security-manual-ism/

6.1.2 SENSITIVE

The SENSITIVE label indicates that information requires additional handling care due to its sensitivity or moderate business impact if compromised or lost.

SENSITIVE information must be labelled.

Examples of SENSITIVE information may include:

- government or agency business, whose compromise could affect the government’s capacity to make decisions or operate, the public’s confidence in government, the stability of the market place and so on

- commercial interests, whose compromise could significantly affect the competitive process and provide the opportunity for unfair advantage

- legal professional privilege

- law enforcement operations, whose compromise could adversely affect crime prevention strategies, particular investigations or personal safety

- personal information, which is required to be safeguarded under the Information Privacy Act 2009 or other legislation.

Most SENSITIVE information is subject to the Public Records Act 2002.

6.1.3 PROTECTED

PROTECTED information requires the most careful safeguards due to its sensitivity or major business impact if compromised or lost. PROTECTED information assets require a substantial degree of control as compromise could cause serious damage to the State, the Government, commercial entities or members of the public.

PROTECTED information must be labelled.

Cabinet information is PROTECTED. Cabinet documents (CABINET information) can be damaging to the public policy agenda and the government generally, and to the public interest. Unlawful disclosure of Cabinet information may constitute an offence under the Criminal Code Act 1899, Public Sector Ethics Act 1994 and may constitute official misconduct under the Crime and Misconduct Act 2001. The primary guidance document to support these processes, including the handling of Cabinet material, is the Queensland Cabinet Handbook.

Most PROTECTED information is subject to the Public Records Act 2002.

6.2 Sharing information and the ‘need to know’

The ‘need to share’ information must be balanced with the ‘need to know’ information to perform official tasks. Access to some information needs to be restricted because it could harm government interests or the people of Queensland. Applying a security classification to information signals that the agency has assessed the business impact arising from loss of the information’s confidentiality and expects those that access it to secure it appropriately.

‘We share by default and we make every piece of data count. Sharing information and knowledge creates trust, which enables cooperation and good decision making... However, we don’t share without thought. We have standards around closed, shared and open data as well as privacy standards, which we use and embrace to facilitate trust building.’ (DIGITAL1ST, p. 11, https://digital1st.initiatives.qld.gov.au/documents/digital-strategy.pdf)

Both over-classification and under-classification of information can be detrimental to government:

- over-classification results in agencies misallocating their resources, spending more on security than is required;

- under-classification results in agencies exposing themselves to risk because they do not allocate security resources to the information requiring additional safeguards.

All government information must be:

- handled with due care and in accordance with authorised procedures, regulation and legislation

- assessed against the impact that loss of confidentiality would cause to the agency, and

- released in accordance with the policies, legislative requirements and directives of the Queensland Government and the courts.

Discrete information (unstructured data)

Discrete information, such as documents or emails, may receive an information security confidentiality assessment to indicate the business impact should the information be compromised or made available to the wrong individuals. Agencies should create guidance and procedures to assist employees to classify discrete information correctly.

Information assets (structured data)

For Information assets, a system’s confidentiality assessment provides an indication of the maximum sensitivity and confidentiality of information that the system is accredited to handle by the agency’s accountable officer. Any assessment must also consider the aggregate sensitivity of the data held in the system.

Australian Government Protective Security Policy Framework

QGISCF is intended to be compatible with the Australian Government Protective Security Policy Framework (PSPF) and Australian Government Cyber Security Manual (formerly ISM). Queensland has adopted the security classification levels OFFICIAL, SENSITIVE and PROTECTED to align with the federal government approach.

6.3 Confidentiality business impact levels

Departments should identify on a risk basis which business impacts should be considered when identifying whether loss of information confidentiality has a high, medium or ‘low or negligible’ impact. The business impact level (confidentiality) will determine the classification label.

Appendix C may assist in identifying confidentiality objectives to support business impact requirements.

Confidentiality impact and classification levels

6.4 Information asset confidentiality control summary

This section contains summary details of the controls relevant for the various levels.

6.4.1 OFFICIAL

Information with a ‘low’ or ‘negligible’ confidentiality business impact level. This is the majority of government information. It should be labelled OFFICIAL.

OFFICIAL information is routine information without special sensitivity or handling requirements. Compromise may cause limited damage to national security, government agencies, commercial entities or members of the public.

The unauthorised disclosure or compromise of OFFICIAL information assets may undermine public confidence in Government operations.

OFFICIAL information has confidentiality requirements, unless it is being published.

It may be helpful to mark assets with this classification level so that it is known that an assessment has been made. Information assets that cannot be assessed in a timely manner and have no default domain classification established are best marked explicitly.

Store, handle, archive and disposal:

- Subject to requirements of the Queensland Information Security Policy (IS18); AND

- Store and handle based on risk acceptable to the information owner as outlined in the agency Information Security Management System (ISMS); AND

- In accordance with the authorised retention and disposal schedule issued under the Public Records Act 2002.

For minimum requirements, refer to QGAF and NTSAF.

The chosen controls must provide sufficient safeguards to adequately protect the information based on the confidentiality level of the information.


6.4.2 SENSITIVE

Information with a ‘medium’ confidentiality business impact level requiring additional care in handling.

Must be labelled SENSITIVE

SENSITIVE information requires additional handling care due to its sensitivity or moderate business impact if compromised or lost. Examples may be:

- government or agency business, whose compromise could affect the government’s capacity to make decisions or operate, the public’s confidence in government, the stability of the market place and so on
- commercial interests, whose compromise could affect the competitive process and provide the opportunity for unfair advantage
- legal professional privilege
- law enforcement operations, whose compromise could hamper or render less useful crime prevention strategies or investigations, or adversely affect personal safety
- personal information, which is required to be safeguarded under the Information Privacy Act 2009, the Public Records Act 2002 or other legislation.

Store, handle, archive and disposal
- Subject to requirements of the Queensland Information Security Policy (IS18); AND
- Store and handle based on risk acceptable to the information owner as outlined in the agency Information Security Management System (ISMS); AND
- In accordance with the authorised retention and disposal schedule issued under the Public Records Act 2002.

For minimum requirements: refer to QGAF and NTSAF. The chosen controls must provide sufficient safeguards to adequately protect the information based on the confidentiality level of the information.

6.4.3 PROTECTED

Must be labelled PROTECTED. Green folder, yellow stripe.

Information with a ‘High’ confidentiality business impact level, whose compromise could cause actual damage to the State, the Government, commercial entities or members of the public. For instance, compromise could:

- endanger individuals’ lives and private entities;
- work substantially against government finances or economic and commercial interests;
- substantially undermine the financial viability of major organisations; and/or
- impede the investigation or facilitate the commission of serious crime.

Information passed by other governments that is marked PROTECTED.

Cabinet information: the Queensland Cabinet Handbook dictates security classifications, markings and handling for Queensland Cabinet material.


Preparation and handling

Markings: distinct markings on document or information asset. Centre of top and bottom of each page, in capitals, 5mm (20 point) bold and red if possible.

SCI Register: desirable.

Store, handle, archive and disposal
- In accordance with the authorised retention and disposal schedule issued under the Public Records Act 2002.
- Subject to minimum requirements of the Queensland Information Security Policy (IS18); AND
- Store and handle based on risk acceptable to the information owner as outlined in the agency Information Security Management System (ISMS);
- Refer to QGAF and NTSAF;
- The agency must consider the controls outlined for PROTECTED information in the current Cyber Security Manual published by the Australian Signals Directorate.

The chosen controls must provide sufficient safeguards to adequately protect the information based on the confidentiality level of the information. See section 6.1 for further information.

https://cyber.gov.au/government/publications/australian-government-information-security-manual-ism/

7 Information security assessment process

It is necessary to ensure that the information security assessment is a living process, that is, information security needs to be periodically and regularly reassessed as part of the Information Security Management System (ISMS).

Each of the steps identified below is expanded in more detail in the following sub-sections.

Information security assessment process

7.1 Identify information

Agencies must identify any information assets that they hold.


The Information asset custodianship policy (IS44) states the Queensland Government will identify its information assets and assign appropriate custodianship roles and responsibilities to ensure these assets are managed throughout their lifecycle.

Information assets can be documents, electronic messages, a row in a database (or the database table itself), collections of metadata, or a table or figure within a document. An information asset may hold information in multiple formats or media types.

Information assets can be identified by a range of agency processes, including during application of the ICT planning methodology and ICT profiling (Queensland Government employees only).

In some cases, it may be prudent to logically segment an information asset to be able to assign different business impact levels to the information it contains. Segmentation is discussed further in the appendices.

7.2 Determine the owner of the information

All agency information must have an owner as per IS44.

Ownership of an information asset or discrete segment of information must reside with only one individual with authority to make decisions about how the information should be handled.

Information ownership must be documented and kept current.

Information ownership may be delegated by the accountable officer (agency head) on a risk basis.

The information owner is responsible for establishing the overall confidentiality, integrity and availability assessments of their information.

The information owner may delegate the day to day authority (custodianship) for maintaining asset information controls which must be clearly documented in line with IS44.

7.3 Undertake business impact level assessment and assign C.I.A. levels

Using the department’s business impact levels, information must be assessed to determine confidentiality, integrity and availability levels.

Other agency, regulatory or legislative issues, including those arising from the Public Records Act (2002), may also affect the impact assessment of the information and need to be considered at this point.

7.4 Select and apply controls

Appropriate controls must be applied to ensure that safeguards are applied to information assets commensurate with the assessed security levels. In limited cases, the controls are mandated (e.g. high confidentiality information), but in most cases, agencies are encouraged to identify suitable better practice control sets from reputable sources such as ASD, ISO/IEC 27002, NIST or ENISA that meet their needs on a risk basis.


7.5 Ongoing activities

7.5.1 Continuous review

As environments and circumstances change, information owners should review confidentiality levels to ensure controls remain appropriate. The impact from loss, compromise, or damage to information may reduce or increase over time.

The decision to change the business impact level for information rests with the information owner.

De-identification, aggregation and redaction techniques can be used to support proactive information release under right to information and the Information access and use policy (IS33). However, care and expertise are required to ensure these are effective and do not introduce risk.

Due care is required to ensure privacy is preserved with data derived from information about individuals.

7.5.2 Assurance

The information security assessment in each category is determined by the Business Impact Level (BIL) of the information or asset. In turn, the BIL guides the level of assurance that should be sought by the organisation relative to the assessed information.

At higher business impact levels, more robust assurance should be sought by the business.

More detail is provided in the Information security assurance and classification guideline (link to be inserted).

7.5.3 Education and awareness

The ongoing education and awareness of all employees regarding the importance of classifying information is critical to the success of the overall agency security environment.

Agencies should ensure that all employees have a clear understanding of the agency information security classification policies and procedures, their responsibilities, and principles. Employees who create, process or handle security classified information assets should be trained in how to assess and handle classified information.

Education and awareness programs will likely vary across an agency and between agencies and depend on the type of work and types of information assets dealt with.

Information custodians should be given assistance to understand their roles and responsibilities.

Guides to help employees work through the assessment and classification process should be developed. These are of use where information security assessment is not routinely part of an employee’s duties, with agency-specific examples used to assist.

8 Business impact levels

Putting it all together

Information security assessment has traditionally been an assessment of the confidentiality of an information asset. Whilst emphasis is legitimately placed on the determination of confidentiality, it is important to also recognise and assess integrity and availability requirements for information on agency operations.


Many Queensland Government information assets have significant requirements for information integrity and availability. The use of the business impact levels can assist those agencies to classify assets against their integrity and availability, as well as confidentiality. Importantly, where information is found to have high availability or high integrity requirements, agencies should assign proportionate controls based on the BILs.

The information owner must classify the information they are responsible for against the three dimensions of information security.

When determining the correct information security level for an information asset or domain, a range of factors must be considered. Where information assets can be security classified according to legislation, regulation, policy, contractual or other pre-determined means, it should be so classified. For example, breach of proper undertakings to maintain the confidentiality of information provided by third parties and breach of statutory restrictions on the management and disclosure of information need to be considered, and these may influence the overall control selection.

Business Impact may be affected by information aggregation. Aggregation of information may change business impact against confidentiality, integrity and/or availability of information.

Controls commonly treat more than one risk. Control selection should aim to mitigate the highest impact risks and if possible, more than one area of the C.I.A. triad.

In this way, information security adds value and can be balanced more effectively against the needs of the organisation that it serves.

There are other methodologies for determining business impact levels such as those outlined in the Queensland Government ICT planning methodology.

Agencies should have a repeatable and consistent process to identify business impacts of threats to information in their organisation, and this process should consider confidentiality, integrity and availability.


Figure: three-column matrix of CONFIDENTIALITY (HIGH = PROTECTED, MEDIUM = SENSITIVE, LOW = OFFICIAL), INTEGRITY (HIGH, MEDIUM, LOW) and AVAILABILITY (HIGH, MEDIUM, LOW), with the example assessment marked as confidentiality LOW (OFFICIAL), integrity HIGH and availability MEDIUM.

Example assessment of business impacts to confidentiality, integrity, availability levels

This shows an example of an assessment, and in this case the asset has been assessed as high BIL based on integrity, medium availability and low for confidentiality.

The agency should consider existing controls required by the Information Security Policy (IS18) and whether these mandatory requirements treat assessed risk to a level that is tolerable to the information owner.

If not, consider additional integrity controls. Note that establishing cumulative control sets for CIA high-low may simplify architecture.

For example, an agency may choose to assess risk above baseline controls or create controls standards for classification, as follows:

Confidentiality
- Low: Assess Baseline Controls
- Medium: Baseline + Risk Assess need for any additional agency controls.
- High: ASD – Cyber Security Man. + Risk Assess need for any additional agency controls.

Integrity
- Low: Assess Baseline Controls
- Medium: Baseline + Risk Assess need for any additional agency controls.
- High: Baseline + Risk Assess need for any additional agency controls.

Availability
- Low: Assess Baseline Controls
- Medium: Baseline + Risk Assess need for any additional agency controls.
- High: Baseline + Risk Assess need for any additional agency controls.

Or, it may be efficient for agencies to create controls standards for some or all of the CIA configurations:

Confidentiality
- Low: C Controls Standard Low
- Medium: C Controls Standard Med
- High: C Controls Standard High (ASD - Cyber Security Man. Controls, plus agency controls)

Integrity
- Low: I Controls Standard Low
- Medium: I Controls Standard Med
- High: I Controls Standard High

Availability
- Low: A Controls Standard Low
- Medium: A Controls Standard Med
- High: A Controls Standard High


Appendix A Integrity – Business impact assessment - example

Each impact criterion is listed with guidance on what to consider, followed by the rating that corresponds to a Low, Medium or High integrity impact.

Risk to individual safety
Consider any risk of injury or impact on safety, as well as the possibility of loss of life. This could be due to a semantic attack which causes a SCADA system to malfunction.
- Low: Risk to individual safety
- Medium: Direct actual risk to individual safety
- High: Direct actual risk to individual life / lives

Data quality
Effect on agency data quality requirements.
- Low: Record keeping does not meet Public Records Act (2002 QLD) requirements
- Medium: Loss of historically important records
- High: Significant failure of evidentiary requirements (QLD Evidence Act 1977), chain of custody

Distress caused to any party
Information gathered about a party that is incorrect. Inability to correct inaccuracies effectively. Information is aged and therefore less accurate.
- Low: A party is concerned that information gathered is incorrect
- Medium: Multiple parties are concerned or issues
- High: Direct, tangible and significant distress caused

Personally sensitive data integrity failure
Does information held about clients have appropriate integrity/quality? Examples include medical records and other personal information. Inability to correct inaccurate information in a timely manner.
- Low: Quality of personal information held is not fit for purpose
- Medium: Low quality of holdings affects customers adversely over days
- High: Inaccuracies in personal information have significant & tangible effects on multiple customers

Impact on Government finances or economic and commercial interests
Impact on Government finances or economic and commercial interests. Fraud through the changing of government financial data is an integrity threat.
- Low: Low - Moderate impact
- Medium: Severe impact on a single agency
- High: Catastrophic impact on multiple agencies

Financial loss to any client[1] of the service provider or third party
Consider this from the service provider’s perspective - what losses could they incur? Considerations include possibility of fraud, a party illegally transferring money, a party gaining control of assets they don't legally own (e.g. by using the provided information to establish an identity which is not theirs, and then changing ownership details).
- Low: Low - Moderate impact
- Medium: Severe impact on small numbers of clients or third party
- High: Catastrophic impact on multiple third parties, service providers or significant numbers of clients

Financial loss to agency / service provider
Consider this from the service provider’s perspective - what losses could they incur? Considerations include possibility of fraud, a party illegally transferring money, or a party gaining control of assets they don't legally own.
- Low: Low - Moderate impact
- Medium: Severe impact to an agency or a service provider
- High: Catastrophic impact on multiple agencies and service providers

Assistance to crime or impact on its detection
If the integrity of the information were low, would this have the potential to assist criminals?
- Low: Low
- Medium: Moderate detriment
- High: Significant

Impact on development or operation of government policy
Would integrity loss impact government during the stages where policy is being formulated or implemented? The negative impact may be that a policy initiative will not proceed.
- Low: Low
- Medium: Medium
- High: Catastrophic

Impact on risk of litigation
Integrity loss impacts litigation against the state of QLD negatively.
- Low: Low
- Medium: Medium
- High: Catastrophic

INSERT YOUR OWN IMPACTS HERE
Opportunity to add or remove impacts that specifically affect your department.

Integrity Impact: Low / Medium / High

[1] In order to assist in the determination of the appropriate level of impact, the following is suggested: Low < 10% of contract, Severe 60% of contract and Catastrophic 90% of contract.


Appendix B Availability – Business impact assessment - example

Each impact criterion is listed with guidance on what to consider, followed by the rating that corresponds to a Low, Medium or High availability impact; a dash means no rating is given for that level.

Risk to individual safety
Consider any risk of injury or impact on safety, as well as the possibility of loss of life. E.g. information is not available, leading to safety risks, or timeliness - information being slow to become available.
- Low: Potential risk to individual safety
- Medium: Risk to individual safety
- High: Direct risk to individual life / lives from information unavailability

Distress caused to any party
From the client’s or public’s point of view, distress could be caused by many things, including not being able to access their information, particularly in times of duress.
- Low: Some distress from information release
- Medium: Significant and real distress
- High: -

Damage to any party’s standing or reputation
Does loss of availability of information or systems affect any party's standing or reputation? Issues to consider include potential for adverse publicity, either locally or wider, and the potential for damage occurring to either the service provider's or client's ongoing reputation due to information being unavailable.
- Low: Potential risk to reputation
- Medium: Significant and long-lasting damage to reputation.
- High: -

Inconvenience to any party
Consider factors such as releasing information which could lead to identity fraud being perpetrated. Not releasing information which means that customers should take additional steps to confirm processes.
- Low: Some inconvenience
- Medium: Significant inconvenience
- High: -

Public order
Need to consider whether lack of information availability could risk community relations and public order.
- Low: Public order affected
- Medium: Public order significantly affected because information is unavailable
- High: Complete loss of public order because information is unavailable

Impact on Government finances or economic and commercial interests
Impact on Government finances or economic and commercial interests. Would lack of availability affect economic standing?
- Low: Low - Moderate financial loss
- Medium: Significant financial loss due to information being unavailable
- High: -

Financial loss to agency / service provider
If information is unavailable or inaccessible, would this cause financial loss?
- Low: None or negligible
- Medium: Significant financial loss
- High: -

Assistance to crime or impact on its detection
Would availability of information have the potential to assist to prevent the conduct of a crime or terrorist activity?
- Low: Inability to release information may assist the conduct of a crime
- Medium: Inability to release/share information to target stakeholders in time provides moderate assistance in the conduct of a crime
- High: Inability to release/share information to target stakeholders in time means suspects of major crime escape justice

Impact on risk of litigation
Litigation against the state of Queensland is either helped or hindered by information availability.
- Low: Moderate
- Medium: Significant
- High: -

INSERT YOUR OWN IMPACTS HERE
Opportunity to add or remove impacts that specifically affect your department.

Availability BIL: Low / Medium / High


Appendix C Confidentiality – Business impact assessment - example

Each impact criterion is listed with guidance on what to consider, followed by the rating that corresponds to a Low, Medium or High confidentiality impact; a dash means no rating is given for that level. A fourth column, NSI, applies where the assessment exceeds High.

Risk to individual safety
Consider risk of injury or impact on safety, as well as the possibility of loss of life. An example could include release of names or locations of under-cover officers, people under protection orders.
- Low: Potential risk to individual safety
- Medium: Direct actual risk to individual safety
- High: Direct actual risk to individual life / lives
- NSI: Assessment results in a rating of greater than high for any hazard event. The information is potentially National Security Information (e.g. SECRET) and must be safeguarded and classified ‘Above PROTECTED’ according to the Federal Government PSPF. Refer to QLD Police Security and Counter-Terrorism group.

Distress caused to any party
From the client’s or public’s point of view, distress could be caused by many things, including the release of private information.
- Low: Some distress from information release
- Medium: Significant and real distress
- High: -

Damage to any party’s standing or reputation
Effect on any party's standing or reputation? Issues to consider include potential for adverse publicity, either locally or wider, and the potential for damage occurring to either the service provider's or client's ongoing reputation.
- Low: Potential risk to reputation
- Medium: Significant and long-lasting damage to reputation.
- High: -

Inconvenience to any party
Releasing information which could lead to identity fraud being perpetrated.
- Low: Some inconvenience
- Medium: Significant inconvenience, direct significant tangible loss
- High: -

Public order
Whether release of information could pose a risk to community relations and public order.
- Low: Public order affected
- Medium: Public order significantly affected
- High: Complete loss of public order

Release of commercially sensitive data to third parties
Would disclosure of information have a commercial impact on any party? Commercially sensitive information that could impact on current or future business.
- Low: Some commercial impact
- Medium: Significant commercial impact
- High: -

Release of personally sensitive data to third parties
Privacy - would release violate legislative or regulatory guidelines such as information privacy principles?
- Low: Moderate privacy impact
- Medium: Significant loss of sensitive personal information
- High: -

Impact on government finances or economic and commercial interests
Would disclosure of information result in financial or economic consequences to government? E.g. disclosure of planning results in changing property valuations.
- Low: Low - Moderate financial loss
- Medium: Significant financial loss, loss of PCI DSS
- High: -

Financial loss to agency / service provider
Consider this from the service provider’s perspective - what losses could they incur? Considerations include possibility of fraud, a party illegally transferring money, a party gaining control of assets they don't legally own (e.g. by using information to establish an identity which is not theirs).
- Low: Low - Moderate financial loss
- Medium: Significant financial loss, possible organisational collapse
- High: -

Threat or opportunity to government agency’s systems or capacity to conduct their business
Would release of this information have the potential to prevent or enhance an agency or external party conducting their business? For how long would this reduction/prevention last?
- Low: Low - Moderate threat to capacity
- Medium: Significant threat to agency systems or capacity to conduct business over years
- High: -

Assistance to crime or impact on its detection
Would release of this information have the potential to assist in the conduct of a crime or terrorist activity?
- Low: Release of information may assist the conduct of a crime
- Medium: Release of information provides moderate assistance to the conduct of a crime
- High: Suspects of major crime escape justice

Impact on development or operation of government policy
Would disclosure cause negative or positive impact to government during the stages where policy is being formulated or implemented?
- Low: Policy development is slowed
- Medium: Significant policy development is halted.
- High: -

Impact on the environment
Impact the environment through information release.
- Low: Environmental impact
- Medium: Catastrophic environmental impact
- High: -

Impact on agency or Queensland Government workforce
Affect agency ability to function.
- Low: Damage agency ability to function
- Medium: Significantly damage agency ability to function over years
- High: -

Impact on risk of litigation
Litigation against the state of QLD is increased.
- Low: Moderate
- Medium: Significant risk of litigation
- High: -

Impacts on national security
Causing damage to national security (as per Federal Government BILs).
- Low: Causing limited damage to national security
- Medium: -
- High: Causing minor damage to national security

Impacts on national infrastructure
Damage to QLD critical infrastructure.
- Low: Damaging or disrupting infrastructure
- Medium: Damaging or disrupting significant infrastructure
- High: -

Impacts on defence operations
Defence operations in QLD.
- Low: Causing limited damage to the non-operational effectiveness or security of Australian or allied forces without causing risk to life
- Medium: -
- High: Causing damage to non-operational effectiveness or security of Australian or allied forces causing re-supply problems that could result in risk to life

INSERT YOUR OWN IMPACTS HERE
Opportunity to add or remove impacts that specifically affect your department.

Confidentiality BIL: Low (OFFICIAL) / Medium (SENSITIVE) / High (PROTECTED) / NSI


Appendix D Security classification by domain

It is often not practical to individually apply a full security assessment process to every document, record or other information asset in use in an agency, particularly where there are large quantities of legacy documents.

Agencies should therefore consider an ‘information asset security domain’[5] approach to information security classification.

Agencies may choose to use this approach with legacy information classified under earlier classification schemes using the mappings diagram at APPENDIX E.

Information asset security domain classifications are not mandatory and should only be established where a logical grouping and standard impact assessment can be identified. It should also be noted that an individual information asset security classification will override any broad domain classification.

An information asset security domain is a grouping of related information assets that share a security classification. The assessment may be based on higher confidentiality, higher integrity, higher availability or a combination of more than one requirement.

Security domains allow a defined level of security assessment to be automatically assigned to assets of the domain. This helps to ensure consistency and reduce owner and user workloads. Domain security classifications must be approved by the information owner/s responsible for the assets that the domain will apply to.

An example of an existing domain classification is cabinet documents, which are pre-determined as being CABINET-IN-CONFIDENCE with High integrity requirements and are treated as PROTECTED information assets. Any new information needs only to be individually assessed by exception, and the appropriate controls applied.

The domain security classification scope will be determined by the ability to group information assets with similar impact assessment results. Often domains will be related to business functions such as human resource management, strategy or procurement functions. Business classification schemes such as those developed for document and records management systems may be useful tools for identifying potential domain security classification areas.

Domain security classifications should be reviewed by agency information owners regularly to ensure they remain appropriate.

Information classified under previous schemes

Agencies may choose to apply a domain approach to legacy information classified under earlier classification schemes using the mappings diagram at APPENDIX E.

Segmentation of information assets by impact levels

Where information is assessed as having different business impact levels, it requires different confidentiality, integrity or availability controls.

Identifying, segmenting and/or segregating high business impact information or data from other agency information, and applying appropriate controls to it, can be an efficient approach that is superior to raising the security of all information holdings.

[5] It should be noted that the information security domain concept being discussed here is not intended to be the same as other domains that may be specified through the QGEA.


Generally segmenting information so that higher impact information sets are safeguarded from the broader information holdings will work best for Queensland agencies. This approach might be applied where the agency holds relatively small amounts of information that has a higher confidentiality classification, or integrity and availability requirements. Examples include credit card data (PCI-DSS) or information subject to specific legislation, such as the Privacy Act.

Public information

PUBLIC is not a security classification level under the new classification framework. However, there is no restriction on an information owner choosing to label information PUBLIC, noting that where the information is held on an information system, it will be subject to Integrity and Availability requirements.

Public information is OFFICIAL information that has undergone an agency-authorised publication process to confirm that it is suitable to be published. Some of these processes, such as copyright identification, are not security related.

Agencies need to maintain their own processes to approve information for public release. Some information assets intended for public consumption may have time-limited confidentiality requirements before release (for example, budget papers). In this case, the information should be embargoed, marked and appropriately safeguarded until publication is authorised.

De-identification, de-aggregation and redaction techniques can be used to support proactive information release under right to information and open data goals. However, care and expertise are required to ensure these are effective. Special care is required to ensure privacy is preserved in data derived from information about individuals. The Office of the Information Commissioner Queensland has useful guidance on ‘Dataset publication and de-identification techniques’ and on the risks surrounding re-identification.

Further information - QGEA Information access and use policy (IS33).

National security information

National security information (NSI) is not a confidentiality classification, as different NSI may need different levels of safeguarding. NSI is any official resource (including equipment) that records information about, or is associated with, Australia’s:

- protection from espionage, sabotage, politically motivated violence, promotion of communal violence, attacks on Australia’s defence system, acts of foreign interference and the protection of Australia’s territorial and border integrity from serious threats
- defence capability.

In some cases, the risk may dictate that national interest information requires the same safeguards as national security information. National interest information comprises official resources (including equipment) that record information about, or are associated with:

- Australia’s international relations, significant political and economic relations with international organisations and foreign governments
- law and governance, including:
  – interstate/territory relations
  – law enforcement operations where compromise could hamper or make useless national crime prevention strategies or investigations, or endanger personal safety
  – economic, scientific or technological matters vital to Australia’s stability, integrity and wellbeing


  – heritage or culture.

The source of most national security information is the federal government.

National security information and systems above PROTECTED must be dealt with according to the arrangements outlined in the Memorandum of Understanding on the Protection of National Security Information between the Commonwealth and States and Territories.

These arrangements are specified in the Queensland Manual for Protecting National Security Information. You can obtain copies from the Queensland Police Service: Security and Counter-Terrorism Group 07 3364 4549 or email [email protected]

In addition to the above guideline, agency officers responsible for handling national security information will need to meet handling instructions or agreements between their own agency and source federal agencies. This may include: Physical Security; Personnel Security; Information Security and Security Governance. Familiarity with the Australian Government Protective Security Policy Framework (PSPF) and related documents is also helpful. These are available from the Australian Government Attorney-General’s Department.

Limiting the duration of information security classification levels

When information is classified, it may be possible to determine a specific date or event, after which the consequences of compromise might change.

It is important to note that an event may trigger an increase in the confidentiality level of information; for example, a human resource form may become ‘SENSITIVE (when complete)’. Alternatively, an archive may become available after a certain number of years, which may change the business impact of the information. Over time, information may initially require safeguards for confidentiality reasons, but later the primary business impact may be loss of integrity, or indeed of availability.

Some information may require time-limited controls because it is under embargo until a specific public policy statement, after which it is published and enters the public domain. If a future date cannot be determined, it is essential to record the date the information assets were created or classified. The date can be recorded either in the document metadata or in the classified asset register, if one exists, so that it can be used for future reassessment of classification levels and for Right to Information purposes.
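The domain-default, individual-override and time-limited rules described in the security domain section and in this section can be modelled directly in an asset register. The following is an added example, not code from the framework or the Queensland Government; the asset names, domain, review interval and dates are constructed assumptions.

```python
"""Resolve the effective QGISCF confidentiality level of an information asset.

Added example, not code from the QGISCF document. It models three rules the
framework states: a security domain gives every asset in it a default level,
an individual asset assessment overrides that default, and an embargoed asset
drops to its published level once its release date passes. All sample data
below (names, domain, dates) is constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, Optional

# The three confidentiality levels Queensland has adopted (Appendix I).
LEVELS = ("OFFICIAL", "SENSITIVE", "PROTECTED")


def check_level(level: str) -> str:
    """Reject anything that is not a QGISCF level, e.g. the retired PUBLIC label."""
    if level not in LEVELS:
        raise ValueError(f"{level!r} is not one of the QGISCF levels {LEVELS}")
    return level


@dataclass(frozen=True)
class SecurityDomain:
    """Related assets that share one classification, e.g. Cabinet documents."""
    name: str
    classification: str
    approved_by: str  # the framework requires the responsible information owner's approval


@dataclass
class InformationAsset:
    name: str
    classified_on: date                            # recorded for later reassessment and RTI
    domain: Optional[SecurityDomain] = None
    assessed_classification: Optional[str] = None  # individual assessment, wins over the domain
    embargo_until: Optional[date] = None           # known release date, if one exists
    published_classification: str = "OFFICIAL"     # level that applies once released


def is_released(asset: InformationAsset, today: date) -> bool:
    """True once a known embargo date has been reached."""
    return asset.embargo_until is not None and today >= asset.embargo_until


def effective_classification(asset: InformationAsset, today: date) -> Optional[str]:
    """Level that applies on `today`, or None if the asset still needs an assessment."""
    if is_released(asset, today):
        # The time-limited control has lapsed: the asset enters the public domain.
        return check_level(asset.published_classification)
    if asset.assessed_classification is not None:
        # An individual assessment overrides any broad domain classification.
        return check_level(asset.assessed_classification)
    if asset.domain is not None:
        return check_level(asset.domain.classification)
    return None  # neither a domain nor an individual assessment: assess by exception


def marking(asset: InformationAsset, today: date) -> str:
    """Marking to apply: the level, plus a Public label once publication has taken effect."""
    level = effective_classification(asset, today)
    if level is None:
        return "UNASSESSED"
    return f"{level} - Public" if is_released(asset, today) else level


def due_for_review(asset: InformationAsset, today: date, review_after_days: int) -> bool:
    """The framework only says 'regularly'; the interval is an assumption supplied by the caller."""
    return (today - asset.classified_on).days >= review_after_days


def sample_register() -> Dict[str, InformationAsset]:
    """Constructed sample data illustrating each rule (not real Queensland records)."""
    cabinet = SecurityDomain("Cabinet documents", "PROTECTED", approved_by="owner (constructed)")
    return {
        # inherits PROTECTED from the domain
        "submission": InformationAsset("Cabinet submission (constructed)", date(2018, 9, 1), domain=cabinet),
        # individually assessed, so the domain default does not apply
        "agenda": InformationAsset("Cabinet agenda (constructed)", date(2018, 9, 1),
                                   domain=cabinet, assessed_classification="SENSITIVE"),
        # embargoed until a constructed budget day, then published
        "budget": InformationAsset("Budget papers (constructed)", date(2019, 5, 1),
                                   assessed_classification="SENSITIVE", embargo_until=date(2019, 6, 11)),
        # no domain and no assessment yet
        "draft": InformationAsset("Untriaged draft (constructed)", date(2019, 5, 1)),
    }
```

Calling `marking(asset, today)` for each entry of `sample_register()` on the day before and the day of the constructed embargo date shows the budget papers moving from SENSITIVE to "OFFICIAL - Public" while the Cabinet assets keep their levels.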

Data quality

Data quality is an additional information integrity consideration which may be considered in determining business impact. The Australian Bureau of Statistics has released the ABS Data Quality Framework which includes seven dimensions related primarily to information integrity:

1. institutional environment

2. relevance

3. timeliness

4. accuracy

5. coherence

6. interpretability

7. accessibility.

The framework can be used for multiple purposes including declaring quality, assessing quality and identifying gaps in data sets. There are also online tools for assessing data quality, including one provided by the National Statistical Service.


Understanding basic business requirements

It is important to establish some basic business requirements for confidentiality, availability and integrity of the information asset. For example, it is difficult to assess the business impact of a compromise of confidentiality if you are not aware who the authorised and unauthorised groups of users are. A patient’s health record is subject to confidentiality requirements contained in the My Health Record Act (Cth 2012); this means that there is a different business impact if it is shared with a registered medical professional compared to sharing it with a member of the public. Departments should determine the level of detail this activity should cover. The following questions may assist:

- Who could by default have access to this information (regardless of how they use it) before it creates a negative business impact? We are open by default, so it might help to start with the widest audience and narrow from there. For example, could the public have access to the information without a negative business impact to Queensland?
  – If yes, everyone could have access.
  – If no, then ask whether Queensland Government employees could have access to the information without a negative business impact.
  – If yes, no one outside of the Queensland Government should have access.
  – If no, then could everyone in your agency have access without a business impact? If no, then should everyone in your team have access?
- What is the minimum accuracy required to prevent a business impact? For example, does all information need to be 100% accurate, or is 90% accuracy enough to perform an operation without business impact?
- What is the minimum availability required to prevent a business impact? For example, does all information need to be available in real time 24/7, or is the information only required during business hours and work days?
- Are there any legislative or regulatory requirements that must be met?

There will also always be exceptions, which may be considered on a case-by-case basis. It is also important that the answers to these questions are revisited regularly as you learn more about how (positively or negatively) the information is being used.


Appendix E Mapping between old and new confidentiality classifications

The following table provides a default mapping between old and new classification labels. Columns: QGISCF current (2017) label; Federal current (2017) label; QGISCF 2018 label; Federal 2018 label (indicative); notes on QGISCF 2018.

| QGISCF current (2017) | Federal current (2017) | QGISCF 2018 | Federal 2018 (indicative) | Notes on QGISCF 2018 |
| PUBLIC; UNCLASSIFIED | UNCLASSIFIED | OFFICIAL | OFFICIAL | Official information is the day-to-day information of government. It may have low confidentiality impacts. OFFICIAL information may not have confidentiality requirements, but may have integrity or availability requirements when controlled, e.g. on a public website. Protect as normal government information. Additional labels such as the Creative Commons Licence should be used to signify the information is publication ready. |
| COMMERCIAL-IN-CONFIDENCE | FOUO | SENSITIVE | OFFICIAL: Sensitive | Commercial information may be OFFICIAL depending on impact. FOUO information may be OFFICIAL depending on impact. |
| IN-CONFIDENCE | | SENSITIVE | | SENSITIVE may be used where there is a need to restrict the audience that can access the information (e.g. on a need-to-know basis). This could include the Privacy Act or secrecy provisions in other legislation. For internal use, agencies may wish to use additional labelling, e.g. Privacy/Clinical, but this is not required. |
| LEGAL-IN-CONFIDENCE | | SENSITIVE: Legal | | Example: legal professional privileged information. |
| X-IN-CONFIDENCE | | SENSITIVE: Personal | | Example: sensitive personal information as recognised by the Queensland Information Privacy Act 2009 (religion, sexual orientation, political affiliation). |
| CABINET-IN-CONFIDENCE | PROTECTED | SENSITIVE: Cabinet, PROTECTED | PROTECTED | “The Queensland Cabinet Handbook – Governing Queensland” dictates security classification, markings and handling for Queensland Cabinet material. |
| PROTECTED | PROTECTED | PROTECTED | PROTECTED | PROTECTED information has high confidentiality requirements, i.e. direct actual risk to individual life/lives. Example: identities of undercover officers. |
| HIGHLY PROTECTED (HP) | HP removed in 2010. Federal agencies either reclassified to PROTECTED or SECRET depending on risk assessment | PROTECTED or SECRET (depending on risk assessment) | PROTECTED or SECRET (depending on risk assessment) | HIGHLY PROTECTED material must be assessed by the owner to PROTECTED or SECRET depending on risk. This could be via domain classification. Refer to the PSPF and Queensland Police where appropriate. |

Classification mappings (diagram, not reproduced here): Australian Government classification system mapping to the 2013 Queensland Government classification schema and simplified Queensland Government classification schema.


Appendix F Frequently asked questions about security classification, publishing and Creative Commons licensing

If an information asset has no security classification or Creative Commons licence, what process should I follow?

All information assets should undergo a security classification assessment. They may inherit a classification from the previous QGISCF, in which case, mapping may be used.

As the Creative Commons licensing process can only be applied to published information, generally only OFFICIAL information that is, or will be, published is a candidate for a Creative Commons licence.

Therefore, in addition to a security assessment the information will need to go through your department’s publication or information release process.

The security classification helps to understand the confidentiality, integrity and availability needs of the information asset, so that the appropriate controls can be implemented during the preparation and publishing process.

Should the information asset be suitable for publication, a Creative Commons licensing review can be conducted and, if appropriate, a licence applied.

If an information asset has a security classification (e.g. OFFICIAL, SENSITIVE or PROTECTED) do I need to apply a Creative Commons licence?

A Creative Commons licence can only be applied to information that is published because it implies that the information can be shared publicly and potentially reused. Where an information asset has been published it can be assessed using the Creative Commons licensing review process.

OFFICIAL information is generally suitable for sharing with other government agencies, as there are low/negligible confidentiality requirements. OFFICIAL information that is intended to be published publicly requires further consideration by the department (e.g. under their publishing and information release processes) to ensure the implications are fully understood.

But what if the information asset has the old security classification PUBLIC but no Creative Commons licence?

Existing information assets that were previously classified as PUBLIC under the old scheme can undergo a CC licensing review and be licensed using one of the six CC licences.

If an information asset already has a Creative Commons licence, what should its security classification be?

If a licence already exists, then it is assumed that the information has been purposefully prepared for publication and can be shared with the public under the terms of the CC licence.

As Creative Commons licences generally only apply to information assets that are published, it would be expected that the information would have a classification of OFFICIAL (i.e. the lowest security classification). However, it is best not to guess: undertake a security assessment in case anything was overlooked during the decision to publish.


We used to use the old security classification of ‘PUBLIC’ to identify when an information asset can be published – what do I do now?

While a security classification of PUBLIC no longer exists, you can still use the term to identify that a decision to publish has been made. For example, you could add a Public label alongside the classification level (e.g. OFFICIAL – Public).

Alternatively, you may want to use just the CC licence as the indication; it is up to you.


Appendix G Use of additional descriptors for information

To support specific business requirements and compartmentalise information, organisations may apply an optional additional descriptor to information.

Agencies may decide to use further descriptors when handling, processing and storing their information; however, it should be noted that any additional descriptors may not be understood outside the organisation and therefore the information may not be handled and protected in the required manner, unless it has been agreed beforehand.


Appendix H Additional resources

This framework has been developed to align with the following Queensland Government legislation and regulation, Australian Government standards, Australian Standards, and Queensland Government ICT strategy and policy. Relevant resources are listed below.

Author: Queensland Government Legislation and Standards
- Public Records Act 2002
- Right to Information Act 2009
- Information Privacy Act 2009

Author: Queensland Government Information and ICT Policy and Guidelines
- Information Security Policy – IS18:2018
- Information security assurance and classification guideline
- Retention and Disposal of Public Records (IS31)
- Information access and use policy (IS33)
- Recordkeeping (IS40)
- Information Asset Custodianship (IS44)
- Queensland Government Enterprise Architecture (QGEA)
- Queensland Government Open Data Policy Statement

Author: Australian Government
- PSPF - Protective Security Policy Framework
- Cyber Security Manual (formerly ISM)
- Australian Privacy Act (1988, amended 2017)

Author: Australian Standards
- AS/NZS 27000 series Information Technology Security Techniques (QLD Government departments may be able to access the ISO 27000 documents via the QGCIO whole-of-government arrangement; please contact [email protected] for more information)
- AS/NZS ISO 31000 series Risk management

Author: Other Queensland Government policy and resources
- Right to Information (RTI) information
- QLD Guide to Risk Management

Table 8 - QGISCF related information


Appendix I Glossary

Assessment: The process of determining the confidentiality, integrity or availability level of information.

Availability: Property of being accessible and usable upon demand by an authorised entity (2.9, ISO/IEC 27000:2016). The risk of information not being able to be accessed by the right people within a defined time limit.

Business Impact Level (BIL): The assessment of the predicted effect on an organisation’s ability to operate, resulting from the compromise/reduction of confidentiality, loss/reduction of integrity or loss/reduction of availability of people, information or assets.

Classification: Information classification is the outcome of the assessments of confidentiality, integrity and availability.

Confidentiality: Property that information is not made available or disclosed to unauthorized individuals, entities, or processes (2.12, ISO/IEC 27000:2016). Risk of unauthorised or inappropriate disclosure or release.

Control: Measure that is modifying risk (2.16, ISO/IEC 27000:2016).

Control Objective: An aim, reason or purpose for which one or more internal controls should be implemented.

Criticality: The combined impact levels for the confidentiality, integrity and availability BILs provide an indication of the criticality of information (High, Medium, Low).

CSM: Cyber Security Manual, the new name for the Australian Government Information Security Manual. https://cyber.gov.au/government/publications/australian-government-information-security-manual-ism/

Hazard: Something that can cause harm, e.g. computer viruses. Hazards and threats are sources of risk in that they have the potential to harm. If you have a hazard you may or may not be vulnerable to it, and therefore may not be at risk.

Impact Assessment: The process of assessing the probabilities and consequences of risk events, if they are realised, from the perspective of confidentiality, integrity or availability. The assessment results in a level of high, medium or low for confidentiality, integrity and/or availability.

Integrity: The property of accuracy and completeness (2.40, ISO/IEC 27000:2016). Risk to information quality.

ISM: Australian Government Information Security Manual. https://cyber.gov.au/government/publications/australian-government-information-security-manual-ism/

Label: In the context of the QGISCF, labels can be used in conjunction with classification levels to signal additional considerations to readers. For example, this could include a label of ‘public’ or the application of a Creative Commons licence on information to indicate it has gone through a publication decision-making process. Labels can also be used to restrict the audience that should access a piece of information.

Level: In the context of the QGISCF, a confidentiality classification level indicates that the information has undergone an impact assessment; the level determined allows authorised individuals, entities or processes to understand its value and, in turn, protect the information at the level deemed adequate by the classifier. Queensland has adopted the three classification levels of OFFICIAL, SENSITIVE and PROTECTED.

NSI: National security information relates to:
- protection from espionage, sabotage, politically motivated violence, promotion of communal violence, attacks on Australia’s defence system, acts of foreign interference and the protection of Australia’s territorial and border integrity from serious threats; and
- defence capability.

NTSAF: Queensland Government Network Transmission Security Assurance Framework (part of IS18).

OFFICIAL: A confidentiality level indicating that information has received a confidentiality impact assessment of LOW / NEGLIGIBLE.

PSPF: Australian Government Protective Security Policy Framework. www.protectivesecurity.gov.au

PROTECTED: A confidentiality level indicating that information has received a confidentiality impact assessment of HIGH.

QGAF: Queensland Government Authentication Framework (part of IS18).

Risk: The effect of uncertainty on objectives (ISO 31000). The outcome of a risk event can be either positive or negative. The management of risk is the coordinated set of activities and methods that are used to reduce that uncertainty to acceptable levels. The purpose of risk management is to create and protect organisational value.

Semantic attack: An attack in which the attacker modifies information in such a way that the result is incorrect but, ideally for the attacker, looks correct to the viewer. Socially engineered semantic attacks manipulate human users’ perceptions and interpretations of computer-generated data to obtain valuable information.

SENSITIVE: A confidentiality level indicating that information has received a confidentiality impact assessment of MEDIUM.

Threat: Potential cause of an unwanted incident, which may result in harm to a system or organisation (2.83, ISO/IEC 27000:2016). A source of harm.

Vulnerability: Weakness of an asset or control that can be exploited by one or more threats (2.89, ISO/IEC 27000:2016). A flaw, bug or misconfiguration that can be exploited to gain unauthorised access to a network or information.


Appendix J Implementation timing

Suggested implementation dates (guidance only; for mandatory timings, see IS18:2018):

- August 2018: Policy approved, new system published. Agencies may use the new system.
- 30 December 2018: Stop using the old scheme. Revisit BILs.
- During 2019: Roll out classification processes for active records. Identify control sets for different CIA levels for new information assets. Revise SLAs. Educate users. Decide what to do with legacy information (if anything).
- 1 June 2020: Agencies have the new scheme fully in place; seek exceptions as necessary.


Document history

Version Date Author Key changes made

3.1.0 July 2013 QGCIO Approved published version

3.1.14 December 2017 QGCIO Informal consultation version

3.2.0 February 2018 QGCIO Formal consultation version

3.3.0 March 2018 QGCIO Incorporating Comments from HPW Open Data

3.3.2 April 2018 QGCIO Incorporating comments from meeting with agencies. Glossary updated

3.3.4 May 2018 QGCIO Comments from feedback incorporated

3.3.5 May 2018 QGCIO Internal QA

3.3.6 May 2018 QGCIO Version for DG Council

3.4.0 June 2018 QGCIO Governance review

3.4.1 June 2018 QGCIO Incorporating comments from QGEA Reference Group

3.4.2 June 2018 QGCIO Consultation with departments

3.4.3 July 2018 QGCIO Consultation with departments

3.4.4 August 2018 QGCIO Added CC licensing appendix

3.4.5-9 August 2018 QGCIO Consideration of split document reqs/guidance

3.5.0 August 2018 QGCIO Version for DG Council Single doc, updated ASD website ref cyber.gov.au

4.0.0 September 2018 QGCIO Approved and published