Queensland Government Information Security Policy Framework
Final V1.0.1, November 2009
QGCIO

Document details
Security classification: PUBLIC
Date of review of security classification: November 2009
Authority: QGCIO
Author: Queensland Government Chief Information Office (Enterprise Architecture & Strategy)
Documentation status: Final version
Contact for enquiries and proposed changes: All enquiries regarding this document should be directed in the first instance to:
Director, Enterprise Architecture and Strategy, Queensland Government Chief Information Office, [email protected]
Copyright: Queensland Government Information Security Policy Framework
Copyright © The State of Queensland (Department of Public Works) 2009
Acknowledgment: This guideline is based on Annex A Control objectives and controls of AS/NZS ISO IEC 27001:2006 Information technology – Security techniques – Information security management systems – Requirements. Reproduced with permission from SAI Global under Licence 0911-C028.
Information security: This document has been security classified using the Queensland Government Information Security Classification Framework (QGISCF) as PUBLIC and will be managed according to the requirements of the QGISCF.
Contents
1 Introduction
1.1 Purpose
1.2 Audience
1.3 Scope
2 Background
2.1 What is the Information Security Policy Framework?
2.2 What is Information Security?
2.3 Why was the Information Security Policy Framework developed?
2.4 How was it derived?
2.5 How can the Information Security Policy Framework be used?
2.6 How is the Information Security Policy Framework structured?
3 Queensland Government Information Security Policy Framework
4 Information Security Policy Framework Domain Definitions
4.1 Policy, planning and governance
4.2 Asset management
4.3 Human resources management
4.4 Physical and environmental management
4.5 Communications and operations management
4.6 Access management
4.7 System acquisition, development and management
4.8 Incident management
4.9 Business continuity management
4.10 Compliance management

Figures
Figure 1 Queensland Government Information Management Policy Framework
Figure 2 Queensland Government Information Management Strategic Framework
Figure 3 Queensland Government Information Security Policy Framework
1 Introduction
1.1 Purpose
The Queensland Government Information Security Policy Framework (QGISPF) identifies and defines the various areas (domains) which contribute to effective information security management. It serves as an organising framework for ensuring appropriate policy coverage at an agency and whole-of-Government level and avoiding overlaps which may occur without such a framework.
1.2 Audience
This document is primarily intended for:
information governance bodies
departmental staff and operational areas involved in information security policy development, management and implementation.
1.3 Scope
This document will be of value to all departments.
2 Background
2.1 What is the Information Security Policy Framework?
The QGISPF defines the generic classification scheme for information security policies, and does so with a perspective that is independent of the physical implementation models chosen by departments, agencies and offices.
Not all domains are applicable to all departments within the Queensland Government, but agency information security policy should consider all domains, even if it is simply to acknowledge that some domains are not applicable.
2.2 What is Information Security?
Information security activities are concerned with the protection of information from unauthorised use or accidental modification, loss or release. Information security is based on three elements:
confidentiality – ensuring that information is only accessible to those with authorised access;
integrity – safeguarding the accuracy and completeness of information and processing methods; and
availability – ensuring that authorised users have access to information when required.
2.3 Why was the Information Security Policy Framework developed?
The QGISPF was developed to provide a consistent approach to organising information security activities across Queensland Government agencies. The framework also helps to ensure consideration is given to all aspects of information security by agencies.
The QGISPF forms part of the broader Queensland Government Information Management Policy Framework (see Figure 1). Together, the Queensland Government Information Management Policy Framework and QGISPF identify and define the various areas which contribute to effective information management and serve as an organising framework for ensuring appropriate policy coverage and avoiding overlaps which may occur without such a framework.
[Figure 1 (Version 1.0.1) is a diagram that defines Information Management as the management of data, information assets and knowledge, and groups its domains under the panels Information Governance, Information Security, Recordkeeping, Information Asset Management, Information Asset Access and Use Management, Data Management and Knowledge Management. The Information Security panel comprises the ten Level 1 domains of the QGISPF: Policy, Planning and Governance; Compliance Management; Physical and Environmental Management; Human Resources Management; Asset Management; System Acquisition, Development and Management; Incident Management; Communications and Operations Management; Business Continuity Management; Access Management.]
Figure 1 Queensland Government Information Management Policy Framework
The policy frameworks will assist to progress information management capability and practice, thereby supporting the Queensland Government’s information vision, principles, policies and goals as articulated in the Queensland Government Information Management Strategic Framework (Figure 2).
2.4 How was it derived?
The QGISPF has been directly derived from, and is substantially similar to, the Control Objectives and Controls table from AS/NZS ISO IEC 27001:2006 Information technology – Security techniques – Information security management systems – Requirements (ISO 27001). This alignment recognises the pre-eminent position that ISO 27001 holds in the information security arena, and will ensure that the Queensland Government is poised to take advantage of best practice in information security.
Information Standard 18: Information Security (IS18) aligns with the new ISO 27000 series, and whilst this framework has been developed to also align with ISO 27001, some modifications have been made to better reflect the structure of IS18. Minor modifications of domain titles have also been made for improved usability within the QGEA context.
Terms used in this document are defined in ISO 27001 and retain their meanings as defined there unless specifically redefined here.
Figure 2 Queensland Government Information Management Strategic Framework
2.5 How can the Information Security Policy Framework be used?
The QGISPF will:
provide an overview of the breadth of controls that should be considered within agency information security policy
provide a consistent approach to organising information security policy and activities
organise whole-of-Government information security policy, positions, guidelines and tools by domain, making agency requirements in specific areas clearer and related assistance more accessible
inform the development of whole-of-Government information security maturity models
provide a consistent understanding of the breadth of information security activities undertaken across Queensland Government
build a consistent terminology relating to information security across the Queensland Government
enable consistency with ISO 27001.
2.6 How is the Information Security Policy Framework structured?
The QGISPF represents information security domains at two levels of detail. Level 1 domains are the highest level domains and are grouped into ten categories:
Policy, planning and governance
Asset management
Human resources management
Physical and environmental management
Communications and operations management
Access management
System acquisition, development and management
Incident management
Business continuity management
Compliance management
Each Level 1 domain is segmented into a number of Level 2 domains, which define a coarse segmentation of the functions within that Level 1 domain.
The Level 2 domains may be further segmented into a number of Level 3 domains which define a more granular set of activities. AS/NZS ISO IEC 27001:2006 Information technology – Security techniques – Information security management systems – Requirements (ISO 27001), from which the QGISPF is primarily derived, defines the control domains to three levels, but the QGISPF has only defined its domains to two levels, as this is sufficient for the needs of the QGEA.
Further information on the domains and decomposition to level 3 is available from ISO 27001.
3 Queensland Government Information Security Policy Framework
[Figure 3 is a diagram titled Information Security Policy Framework showing each Level 1 domain with its Level 2 domains:]
Policy, Planning and Governance: Information security plan; Information security policy; Internal governance; External party governance
Compliance Management: Policy requirements; Legal requirements; Audit requirements
Physical and Environmental Management: Building controls and secure areas; Equipment security
Human Resources Management: Pre-employment; During employment; Post-employment
Asset Management: Asset protection responsibility; Information security classification
System Acquisition, Development and Maintenance: System security requirements; Correct processing; Cryptographic controls; System files; Secure development and support processes; Technical vulnerability management
Access Management: Access control policy; Authentication; User access; User responsibilities; Network access; Operating system access; Application and information access; Mobile computing and telework access
Communications and Operations Management: Operational procedures and responsibilities; Third party service delivery; Capacity planning and system acceptance; Application integrity; Backup procedures; Network security; Media handling; Information exchange; e-commerce; Information processing monitoring
Incident Management: Event/weakness reporting; Incident procedures
Business Continuity Management: Business continuity; ICT disaster recovery
Figure 3 Queensland Government Information Security Policy Framework
4 Information Security Policy Framework Domain Definitions
4.1 Policy, planning and governance
This domain includes all activities related to the development of information security policy, planning of information security activities, and the governance of information security arrangements both within the organisation and externally.
Domain – Definition
Information security policy – This domain includes all aspects of management direction and support for information security in accordance with business, legislation and regulatory requirements. Activities within this domain will include policy around compliance, but actual compliance actions should be mapped to Compliance management.
Information security plan – This domain includes all activities relating to developing and maintaining information security plans, and ensuring that plans are communicated and accessible to employees as necessary.
Internal governance – This domain includes all activities related to the governance, authorisation and auditing of information security arrangements within the organisation. Roles and responsibilities relating to information security within the agency should also be defined.
External party governance – This domain includes all activities related to the governance, authorisation and auditing of information security arrangements for external parties that handle organisational information.
4.2 Asset management
This domain includes all activities that ensure information security aspects relating to asset management and information security classification of information.
Domain – Definition
Asset protection responsibility – This domain includes all activities that implement and maintain appropriate protection of organisational assets.
Information security classification – This domain includes all activities that ensure information is appropriately classified.
4.3 Human resources management
This domain includes all activities that ensure information security issues related to the employment of personnel are addressed.
Domain – Definition
Pre-employment – This domain includes all pre-employment activities that ensure employees, contractors and third party users will not compromise information security arrangements. Activities within this domain include information security role and responsibility definition, screening, and employment terms and conditions.
During employment – This domain includes all activities that ensure employees, contractors and third party users are aware of information security threats and concerns and of their information security responsibilities and liabilities, are equipped to support organisational information security policy, and reduce the risk of human error. Activities within this domain include information security awareness and training, disciplinary processes and the setting of management responsibilities.
Post-employment – This domain includes all activities that seek to ensure that information security is not compromised during changes or termination of employment.
4.4 Physical and environmental management
This domain includes all arrangements relating to prevention of unauthorised physical access, and the loss, damage, theft or interference to premises, information and activities.
Domain – Definition
Building controls and secure areas – This domain includes all activities that ensure information security is not compromised by unauthorised physical access, damage or interference to premises or information.
Equipment security – This domain includes all activities that ensure information security is not compromised by loss, damage, theft or other compromise of the organisation's physical equipment assets.
4.5 Communications and operations management
This domain includes all activities that ensure the correct and secure operation of ICT to meet information security requirements. This includes efforts to ensure information security requirements are met in areas such as operational procedures and responsibilities, third party service delivery management, system planning and acceptance, protection against malicious and mobile code, backup, network management, media handling, information exchange, electronic services and monitoring.
Domain – Definition
Operational procedures and responsibilities – This domain includes all activities that ensure the correct and secure operation of information processing facilities.
Third party service delivery – This domain includes all activities that implement and maintain information security in line with service delivery agreements.
Capacity planning and system acceptance – This domain includes all activities that monitor resources and set criteria for system changes to reduce the risk of system failure.
Application integrity – This domain includes all activities that protect the integrity of applications and information from malicious or mobile code.
Backup procedures – This domain includes all activities that maintain the integrity and availability of information and applications through the use of backup activities.
Network security – This domain includes all activities that ensure the security of information being passed over networks.
Media handling – This domain includes all activities that protect media, both electronic and printed, from unauthorised disclosure, modification, removal or destruction of the information they hold.
Information exchange – This domain includes all activities that maintain the security of information exchanged (internally or externally).
e-Commerce – This domain includes all activities that ensure the security of e-commerce services and their use.
Information processing monitoring – This domain includes all activities that detect unauthorised information processing activities, including the use of auditing and logging.
4.6 Access management
This domain includes all management and control efforts to ensure that access to information, and the supporting technology infrastructure, meet information security governance requirements.
Domain – Definition
Access control policy – This domain includes all activities that set access and control policies.
Authentication – This domain includes all activities and measures that ensure users are the persons they claim to be.
User access – This domain includes all activities that ensure authorised access to information and applications.
User responsibilities – This domain includes all activities that ensure users understand their responsibilities to prevent unauthorised access, compromise or theft of information and ICT assets.
Network access – This domain includes all activities that ensure network access is restricted to authorised users.
Operating system access – This domain includes all activities that ensure access to operating systems is restricted to authorised users.
Application and information access – This domain includes all activities that ensure access to information and applications is restricted to authorised users.
Mobile computing and telework access – This domain includes all activities that ensure information security is maintained when using mobile computing and telework facilities.
4.7 System acquisition, development and management
This domain includes all efforts to ensure that information security is an integral part of system acquisition, development and maintenance.
Domain – Definition
System security requirements – This domain includes all activities that ensure security requirements are articulated during the development of new systems, or when planning enhancements to existing systems.
Correct processing – This domain includes all activities that prevent errors, loss, unauthorised modification or misuse of information in systems.
Cryptographic controls – This domain includes all activities that protect the integrity, confidentiality and authenticity of information by using cryptographic controls.
System files – This domain includes all activities that ensure system files are adequately protected.
Secure development and support processes – This domain includes all activities that ensure the ongoing security of applications.
Technical vulnerability management – This domain includes all activities that reduce risks arising from the exploitation of technical vulnerabilities.
4.8 Incident management
This domain includes all aspects relating to information security incident management activities that ensure security events and weaknesses are communicated, and timely corrective action taken. It also includes arrangements that ensure a consistent and effective approach is applied to managing information security incidents.
Domain – Definition
Event/weakness reporting – This domain includes all activities that ensure information security events and weaknesses are communicated to allow remedial action to be taken.
Incident procedures – This domain includes all activities that ensure a consistent and effective approach is applied to the management of information security incidents.
4.9 Business continuity management
This domain includes all aspects of business continuity management.
Domain – Definition
Business continuity – This domain includes all activities that counteract interruptions to business activities, protect critical business processes from the effects of interruptions or failures of ICT systems or disasters, and ensure their timely resumption. This domain includes business continuity risk assessment, developing and implementing plans to address continuity management, and testing and maintenance of business continuity plans.
ICT disaster recovery – This domain includes all activities related to ensuring the availability of ICT systems and services, including the restoration of ICT systems and services following an event which disrupts their delivery, or the continued operation of ICT systems and services despite the loss of operational ICT equipment. ICT disaster recovery supports business continuity activities, but is distinct in focussing on the restoration of ICT services rather than on the restoration of business services themselves (which, even if heavily dependent on ICT, can often be maintained for short periods using manual systems).
4.10 Compliance management
This domain includes all activities that ensure compliance with internal and external legal, policy and standards requirements, and ongoing audit activities. Policy that sets out an organisation's compliance requirements should be mapped to Information security policy.
Domain – Definition
Legal requirements – This domain includes all information security activities relating to compliance with legal requirements.
Policy requirements – This domain includes all information security compliance activities relating to information security policies and standards.
Audit requirements – This domain includes all audit activities relating to information security activities.