
QGCIO

Document details

Security classification: PUBLIC

Date of review of security classification: November 2009

Authority: QGCIO

Author: Queensland Government Chief Information Office (Enterprise Architecture & Strategy)

Documentation status: Working draft / Consultation release / Final version

Contact for enquiries and proposed changes
All enquiries regarding this document should be directed in the first instance to:
Director, Enterprise Architecture and Strategy
Queensland Government Chief Information [email protected]

Copyright
Queensland Government Information Security Policy Framework
Copyright © The State of Queensland (Department of Public Works) 2009

Acknowledgment
This guideline is based on Annex A Control objectives and controls of the AS/NZS ISO IEC 27001:2006 Information technology – Security techniques – Information security management systems – Requirements. Reproduced with permission from SAI Global under Licence 0911-C028.

Information security
This document has been security classified using the Queensland Government Information Security Classification Framework (QGISCF) as PUBLIC and will be managed according to the requirements of the QGISCF.

PUBLIC

Queensland Government Information Security Policy Framework
Final V1.0.1, November 2009


Contents

1 Introduction
1.1 Purpose
1.2 Audience
1.3 Scope

2 Background
2.1 What is the Information Security Policy Framework?
2.2 What is Information Security?
2.3 Why was the Information Security Policy Framework developed?
2.4 How was it derived?
2.5 How can the Information Security Policy Framework be used?
2.6 How is the Information Security Policy Framework structured?

3 Queensland Government Information Security Policy Framework

4 Information Security Policy Framework Domain Definitions
4.1 Policy, planning and governance
4.2 Asset management
4.3 Human resources management
4.4 Physical and environmental management
4.5 Communications and operations management
4.6 Access management
4.7 System acquisition, development and management
4.8 Incident management
4.9 Business continuity management
4.10 Compliance management

Figures
Figure 1 Queensland Government Information Management Policy Framework
Figure 2 Queensland Government Information Management Strategic Framework
Figure 3 Queensland Government Information Security Policy Framework


1 Introduction

1.1 Purpose

The Queensland Government Information Security Policy Framework (QGISPF) identifies and defines the various areas (domains) which contribute to effective information security management. It serves as an organising framework for ensuring appropriate policy coverage at an agency and whole-of-Government level and avoiding overlaps which may occur without such a framework.

1.2 Audience

This document is primarily intended for:

information governance bodies

departmental staff and operational areas involved in information security policy development, management and implementation.

1.3 Scope

This document will be of value to all departments.

2 Background

2.1 What is the Information Security Policy Framework?

The QGISPF defines the generic classification scheme for information security policies, and does so with a perspective that is independent of the physical implementation models chosen by departments, agencies and offices.

Not all domains are applicable to all departments within the Queensland Government, but agency information security policy should consider all domains, even if it is simply to acknowledge that some domains are not applicable.

2.2 What is Information Security?

Information security activities are concerned with the protection of information from unauthorised use or accidental modification, loss or release. Information security is based on three elements:

confidentiality – ensuring that information is only accessible to those with authorised access;

integrity – safeguarding the accuracy and completeness of information and processing methods; and

availability – ensuring that authorised users have access to information when required.

2.3 Why was the Information Security Policy Framework developed?

The QGISPF was developed to provide a consistent approach to organising information security activities across Queensland Government agencies. The framework also helps to ensure consideration is given to all aspects of information security by agencies.

The QGISPF forms part of the broader Queensland Government Information Management Policy Framework (see Figure 1). Together, the Queensland Government Information Management Policy Framework and QGISPF identify and define the various areas which contribute to effective information management and serve as an organising framework for ensuring appropriate policy coverage and avoiding overlaps which may occur without such a framework.

[Figure 1: diagram of the Queensland Government Information Management Policy Framework, Version 1.0.1 (Information Management = Management of Data, Information Assets and Knowledge). Labels visible in the diagram include Recordkeeping, Information Asset Access and Use Management, Information Asset Management, Data Management, Knowledge Management, Information Governance and Information Security, with the Information Security area showing the ten domains of the QGISPF.]

Figure 1 Queensland Government Information Management Policy Framework

The policy frameworks will assist in progressing information management capability and practice, thereby supporting the Queensland Government’s information vision, principles, policies and goals as articulated in the Queensland Government Information Management Strategic Framework (Figure 2).

2.4 How was it derived?

The QGISPF has been directly derived from, and is substantially similar to, the Control Objectives and Controls table from AS/NZS ISO IEC 27001:2006 Information technology – Security techniques – Information security management systems – Requirements (ISO 27001). This alignment recognises the pre-eminent position that ISO 27001 holds in the information security arena, and will ensure that the Queensland Government is poised to take advantage of best practice in information security.

Information Standard 18: Information Security (IS18) aligns with the new ISO 27000 series, and whilst this framework has been developed to also align with ISO 27001, some modifications have been made to better reflect the structure of IS18. Minor modifications of domain titles have also been made for improved usability within the QGEA context.

Terms used in this document are defined in ISO 27001 and retain their meanings as defined there unless specifically redefined here.


Figure 2 Queensland Government Information Management Strategic Framework

2.5 How can the Information Security Policy Framework be used?

The QGISPF will:

provide an overview of the breadth of controls that should be considered within agency information security policy

provide a consistent approach to organising information security policy and activities

organise whole-of-Government information security policy, positions, guidelines and tools by domain, making agency requirements in specific areas clearer and related assistance more accessible

inform the development of whole-of-Government information security maturity models

provide a consistent understanding of the breadth of information security activities undertaken across Queensland Government

build a consistent terminology relating to information security across the Queensland Government

enable consistency with ISO 27001.

2.6 How is the Information Security Policy Framework structured?

The QGISPF represents information security domains at two levels of detail. Level 1 domains are the highest level domains and are grouped into ten categories:

Policy, planning and governance

Asset management

Human resources management

Physical and environmental management

Communications and operations management

Access management

System acquisition, development and management

Incident management

Business continuity management

Compliance management

Each Level 1 domain is segmented into a number of Level 2 domains, which define a coarse segmentation of the functions within that Level 1 domain.

The Level 2 domains may be further segmented into a number of Level 3 domains, which define a more granular set of activities. AS/NZS ISO IEC 27001:2006 Information technology – Security techniques – Information security management systems – Requirements (ISO 27001), from which the QGISPF is primarily derived, defines the control domains to three levels, but the QGISPF has only defined its domains to two levels, as this is sufficient for the needs of the QGEA.

Further information on the domains and decomposition to level 3 is available from ISO 27001.


3 Queensland Government Information Security Policy Framework

[Figure 3: diagram of the Information Security Policy Framework showing the ten Level 1 domains (Policy, Planning and Governance; Compliance Management; Physical and Environmental Management; Human Resources Management; Asset Management; System Acquisition, Development and Maintenance; Access Management; Communications and Operations Management; Business Continuity Management; Incident Management) together with their Level 2 domains, which are defined in section 4.]

Figure 3 Queensland Government Information Security Policy Framework

4 Information Security Policy Framework Domain Definitions

4.1 Policy, planning and governance

This domain includes all activities related to the development of information security policy, planning of information security activities, and the governance of information security arrangements both within the organisation and externally.

Domain Definition

Information security policy: This domain includes all aspects of management direction and support for information security in accordance with business, legislation and regulatory requirements. Activities within this domain will include policy around compliance, but actual compliance actions should be mapped to Compliance management.

Information security plan: This domain includes all activities relating to developing and maintaining information security plans, and ensuring that plans are communicated and accessible to employees as necessary.

Internal governance: This domain includes all activities related to the governance, authorisation and auditing of information security arrangements within the organisation. Roles and responsibilities relating to information security within the agency should also be defined.

External party governance: This domain includes all activities related to the governance, authorisation and auditing of information security arrangements for external parties that handle organisational information.

4.2 Asset management

This domain includes all activities that address the information security aspects of asset management and the information security classification of information.

Domain Description

Asset protection responsibility: This domain includes all activities that implement and maintain appropriate protection of organisational assets.

Information security classification: This domain includes all activities that ensure information is appropriately classified.


4.3 Human resources management

This domain includes all activities that ensure information security issues related to the employment of personnel are addressed.

Domain Definition

Pre-employment: This domain includes all pre-employment activities that ensure employees, contractors and third party users will not compromise information security arrangements. Activities within this domain include information security role and responsibility definition, screening, and employment terms and conditions.

During employment: This domain includes all activities that ensure employees, contractors and third party users are aware of information security threats and concerns and of their information security responsibilities and liabilities, and are equipped to support organisational information security policy and reduce the risk of human error. Activities within this domain include information security awareness and training, disciplinary processes and setting of management responsibilities.

Post-employment: This domain includes all activities that seek to ensure that information security is not compromised during changes or termination of employment.

4.4 Physical and environmental management

This domain includes all arrangements relating to prevention of unauthorised physical access, and the loss, damage, theft or interference to premises, information and activities.

Domain Definition

Building controls and secure areas: This domain includes all activities that ensure information security is not compromised by unauthorised physical access, damage or interference to premises or information.

Equipment security: This domain includes all activities that ensure information security is not compromised by loss, damage, theft or other compromise of the organisation's physical equipment assets.

4.5 Communications and operations management

This domain includes all activities that ensure the correct and secure operation of ICT to meet information security requirements. This includes efforts to ensure information security requirements are met in areas such as operational procedures and responsibilities, third party service delivery management, system planning and acceptance, protection against malicious and mobile code, backup, network management, media handling, information exchange, electronic services and monitoring.


Domain Definition

Operational procedures and responsibilities: This domain includes all activities that ensure the correct and secure operation of information processing facilities.

Third party service delivery: This domain includes all activities that implement and maintain information security in line with service delivery agreements.

Capacity planning and system acceptance: This domain includes all activities that monitor resources and set criteria for system changes to reduce the risk of system failure.

Application integrity: This domain includes all activities that protect the integrity of applications and information from malicious or mobile code.

Backup procedures: This domain includes all activities that maintain the integrity and availability of information and applications through the use of backup activities.

Network security: This domain includes all activities that ensure the security of information being passed over networks.

Media handling: This domain includes all activities that protect media (both electronic and printed information) from unauthorised disclosure, modification, removal or destruction.

Information exchange: This domain includes all activities that maintain the security of information exchanged (internally or externally).

e-Commerce: This domain includes all activities that ensure the security of e-commerce services and their use.

Information processing monitoring: This domain includes all activities that detect unauthorised information processing activities, including the use of auditing and logging.

4.6 Access management

This domain includes all management and control efforts to ensure that access to information, and to the supporting technology infrastructure, meets information security governance requirements.

Domain Definition

Access control policy: This domain includes all activities that set access and control policies.

Authentication: This domain includes all activities and measures that ensure users are the persons they claim to be.


User access: This domain includes all activities that ensure authorised access to information and applications.

User responsibilities: This domain includes all activities that ensure users understand their responsibilities to prevent unauthorised access, compromise or theft of information and ICT assets.

Network access: This domain includes all activities that ensure network access is restricted to authorised users.

Operating system access: This domain includes all activities that ensure access to operating systems is restricted to authorised users.

Application and information access: This domain includes all activities that ensure access to information and applications is restricted to authorised users.

Mobile computing and telework access: This domain includes all activities that ensure information security is maintained when using mobile computing and telework facilities.

4.7 System acquisition, development and management

This domain includes all efforts to ensure that information security is an integral part of system acquisition, development and maintenance.

Domain Definition

System security requirements: This domain includes all activities that ensure security requirements are articulated during the development of new systems, or when planning enhancements to existing systems.

Correct processing: This domain includes all activities that prevent errors, loss, unauthorised modification or misuse of information in systems.

Cryptographic controls: This domain includes all activities that protect the integrity, confidentiality and authenticity of information by using cryptographic controls.

System files: This domain includes all activities that ensure system files are adequately protected.

Secure development & support processes: This domain includes all activities that ensure the ongoing security of applications.

Technical vulnerability management: This domain includes all activities that reduce risks arising from the exploitation of technical vulnerabilities.


4.8 Incident management

This domain includes all aspects relating to information security incident management activities that ensure security events and weaknesses are communicated, and timely corrective action taken. It also includes arrangements that ensure a consistent and effective approach is applied to managing information security incidents.

Domain Definition

Event/weakness reporting: This domain includes all activities that ensure information security events and weaknesses are communicated to allow remedial action to be taken.

Incident procedures: This domain includes all activities that ensure a consistent and effective approach is applied to the management of information security incidents.

4.9 Business continuity management

This domain includes all aspects of business continuity management.

Domain Definition

Business continuity: This domain includes all activities that counteract interruptions to business activities, protect critical business processes from the effects of interruptions or failures of ICT systems or disasters, and ensure their timely resumption. This domain includes business continuity risk assessment, developing and implementing plans to address continuity management, and testing and maintenance of business continuity plans.

ICT disaster recovery: This domain includes all activities related to ensuring the availability of ICT systems and services, including the restoration of ICT systems and services following an event which disrupts their delivery, or the continued operation of ICT systems and services despite the loss of operational ICT equipment. ICT disaster recovery supports business continuity activities, but is distinct in focussing on the restoration of ICT services rather than on the restoration of business services themselves (which, even if heavily dependent on ICT, can often be maintained for short periods using manual systems).

4.10 Compliance management

This domain includes all activities that ensure compliance with internal and external legal, policy and standards requirements, and ongoing audit activities. Policy that sets out an organisation's compliance policy should be mapped to Information security policy.

Domain Definition

Legal requirements: This domain includes all information security activities relating to compliance with legal requirements.

Policy requirements: This domain includes all information security compliance activities relating to information security policies and standards.

Audit requirements: This domain includes all audit activities relating to information security activities.
