Information Security (IS18)



Information Standard 18: Information Security - Implementation Guideline

Final

July 2011

v1.0.2

PUBLIC

Document details

| | |
|---|---|
|Security classification |PUBLIC |
|Date of review of security classification |July 2011 |
|Authority |Queensland Government Chief Information Officer |
|Author |ICT Policy and Coordination Office |
|Documentation status |Final |

Contact for enquiries and proposed changes

All enquiries regarding this document should be directed in the first instance to:

Director, Policy Development

ICT Policy and Coordination Office

ICTPolicy@.au

Acknowledgements

This version of the Information Standard 18: Information Security - Implementation Guideline was developed and updated by the ICT Policy and Coordination Office.

This guideline is based on Annex A Control objectives and controls of the AS/NZS ISO IEC 27001:2006 Information technology – Security techniques – Information security management systems – Requirements. Reproduced with permission from SAI Global under Licence 0911-C028.

Feedback was also received from a number of agencies, including members of the Information Security Reference Group, which was greatly appreciated.

Copyright

Information Standard 18: Information Security - Implementation Guideline

Copyright © The State of Queensland (Department of Public Works) 2010

Information security

This document has been security classified using the Queensland Government Information Security Classification Framework (QGISCF) as PUBLIC and will be managed according to the requirements of the QGISCF.

Contents

1 Introduction 5

1.1 Purpose 5

1.2 Audience 5

1.3 Scope 5

1.4 Document structure 5

2 Background 6

3 Policy, planning and governance 8

3.1 Information security policy 8

3.2 Information security plan 8

3.3 Internal governance 10

3.4 External party governance 10

4 Asset management 11

4.1 Asset protection responsibility 11

4.2 Information security classification 12

5 Human resources management 12

5.1 Pre-employment 12

5.2 During employment 12

5.3 Post-employment 13

6 Physical and environmental management 15

6.1 Building controls and secure areas 15

6.2 Equipment security 15

7 Communications and operations management 17

7.1 Operational procedures and responsibilities 17

7.2 Third party service delivery 17

7.3 Capacity planning and system acceptance 17

7.4 Application integrity 17

7.5 Backup procedures 19

7.6 Network security 20

7.7 Media handling 22

7.8 Information exchange 23

7.9 eCommerce 24

7.10 Information processing monitoring 24

8 Access management 26

8.1 Access control policy 26

8.2 Authentication 26

8.3 User access 26

8.4 User responsibilities 27

8.5 Network access 27

8.6 Operating system access 27

8.7 Application and information access 28

8.8 Mobile computing and telework access 28

9 System acquisition, development and maintenance 29

9.1 System security requirements 29

9.2 Correct processing 29

9.3 Cryptographic controls 29

9.4 System files 29

9.5 Secure development and support processes 30

9.6 Technical vulnerability management 30

10 Incident management 31

10.1 Event/weakness reporting 31

10.2 Incident procedures 31

11 Business continuity management 33

11.1 Business continuity 33

11.2 Disaster recovery 33

12 Compliance management 34

12.1 Legal requirements 34

12.2 Policy requirements 34

12.3 Audit requirements 34

13 Reporting requirements 35

13.1 Event and incident information 35

13.2 VRT communication alerts 35

Appendix A Information security related legislation and standards 36

1 Introduction

1.1 Purpose

This guideline provides information and advice for Queensland Government agencies to consider when implementing the mandatory principles of Information Standard 18: Information security (IS18). The requirements of IS18 and this supporting guideline are based on the three elements of information security:

confidentiality – ensuring that information is accessible only to those authorised to have access

integrity – safeguarding the accuracy and completeness of information and processing methods

availability – ensuring that authorised users have access to information and associated assets when required.

These guidelines do not form the mandatory component of IS18 and are for information only. They are, however, based on best practice, and agencies are strongly recommended to consider the advice provided in this document.

1.2 Audience

This document is primarily intended for:

information security governance bodies

information security strategic areas

information security operational areas.

1.3 Scope

This guideline supports IS18.

1.4 Document structure

The Queensland Government Information Security Policy Framework (QGISPF) represents information security at two levels of detail. This guideline has been similarly divided into two levels of domains, with the ten level one domains corresponding to the ten mandatory principles in IS18. Note that a ‘reporting requirements’ heading has also been included to align with IS18. The headings are as follows:

policy, planning and governance

asset management

human resources management

physical and environmental management

communications and operations management

access management

system acquisition, development and maintenance

incident management

business continuity management

compliance management

reporting requirements.

2 Background

IS18 has been developed to provide agencies with the minimum requirements for information security management. However, some agencies may find that they require more stringent information security controls to be implemented. In these cases it is suggested that agencies refer to the following for guidance:

ISO/IEC 27000 series of standards (incorporating ISO 17799) – International Standard ISO/IEC 27000 series is available through Standards Australia (SAI Global distributors).

Tools and templates (Queensland Government employees only) issued by Security Planning and Coordination, Queensland Police Service (function formerly residing in Department of Premier and Cabinet)

Australian Government Protective Security Policy Framework – the Australian Government Protective Security Policy Framework (PSPF) is issued by the Attorney-General’s Department. This standard is restricted to Government agencies and can be purchased by emailing pspf@.au. The PSPF has superseded the Australian Government Protective Security Manual (PSM) as of June 2010.

Australian Government Information Security Manual - the Australian Government Information Security Manual (ISM) is available through the Department of Defence – Defence Signals Directorate website.

Agencies may also consider the application of various methods and industry frameworks for managing their agency information security.

Note that the Queensland Government is not legislatively obliged to comply with the PSPF and ISM. However, the Queensland Government is a signatory to a Memorandum of Understanding that commits it to engage in practices consistent with these manuals.

There are a number of other documents that support implementation of IS18 that have been produced by the ICT Policy and Coordination Office. These documents are referred to throughout this document and also in Figure 1 (page 7).

[Figure 1 IS18: Information security supporting documents organised by mandatory principle]

3 Policy, planning and governance

3.1 Information security policy

The agency information security policy serves as the foundation for information security management within the agency. The development of this policy is the first step in establishing management commitment and the responsibilities for information security within the agency, and the policy should therefore be concise and clear. The Information Security Policy – Mandatory Clauses has been developed to assist agencies in developing their information security policy: it details the minimum set of mandatory requirements and quality criteria that must be included within the agency policy, and makes suggestions for agency-specific considerations.

3.2 Information security plan

The level of detail contained in the agency’s information security plan should be commensurate with the complexity of the agency’s information environment, its business functions and the information security risks that it faces. The suggested approach for the development of the plan is to:

develop an overarching information security plan, which outlines the security program for the agency as a whole

support this information security plan with a number of detailed plans for each separate entity/agency portfolio and/or significant or high risk agency information systems and processes.

Regardless of the development or format of the plan, information security planning should be integrated into the agency’s culture through its strategic and organisational plans and operational practices. Security considerations should be incorporated into the agency corporate planning process and ICT strategic resource planning, to ensure that the agency information security plan meets the business and operational needs of the agency and its clients.

Suggested steps for developing an information security plan

There are a number of steps which should be used to develop the agency information security plan.

Step 1: Identify agency goals and objectives for information security

Identify linkages between the agency information security policy and all agency corporate plans, strategies, goals and objectives to establish the key areas which may impact on the current or future information security environment of the agency.

Step 2: Identify major information assets and business critical ICT assets

This information may be sourced from the agency’s disaster recovery register. Agencies are required to establish this register under IS18.

Step 3: Conduct a risk assessment

Conduct a risk assessment on the major information assets with the assigned owners of these assets on an annual basis or after any significant change has occurred (eg. machinery-of-Government).

The process or methodology used by the agency to assess security risks should be based on the agency’s preferred risk management processes. In the absence of an agency risk methodology, agencies are encouraged to utilise AS/NZS ISO 31000:2009 Risk management – Principles and guidelines.

Step 4: Current situation

Gather information regarding existing agency security policies, procedures and controls and map these against the:

data obtained from the risk assessment process

mandatory principles of IS18 and/or any other security standards that the agency uses

agency’s security architecture targets.

Step 5: Analysis of any gaps and the effectiveness of existing controls

Conduct an analysis of any gaps and the effectiveness of the existing controls against the information obtained from step 4 above.

Step 6: Develop recommendations and strategies

Develop and document the recommended controls and a prioritised plan of actions/strategies which need to be implemented or maintained to achieve the desired level of agency security, how this is to be achieved and who is responsible. Information security plans should provide for treatments that are both cost-effective and appropriate to the level of risk. Where agencies identify a high level of risk in their information environment (based on the information security classification of the information assets in their care), it is suggested that they consult with specialist information security agencies or industry professional bodies for advice or technical assistance in developing their strategies and plans.

Step 7: Identify outstanding/residual risks that will not be treated

Document any ongoing risks that will remain untreated or assessed as acceptable risks.

Step 8: Obtain agreement on risks and strategies

To ensure that the information security plan meets the requirements of the business, it is important to gain agreement from the information asset owners. This will ensure that the strategies and plan adequately reflect the protection of the assets from a business perspective, and will also inform the prioritisation process for treatment.

Step 9: Develop actions and timetable

Document and develop a detailed plan of activities and actions along with timeframes for implementing the controls and strategies agreed on.

Step 10: Determine resourcing

Document and detail the resourcing requirements for the implementation of the controls and strategies including the personnel, materials and budget for its implementation.

Step 11: Endorsement and publishing of the information security plan

Gain endorsement of the information security plan from the appropriate governance body and senior executive on an annual basis.

Step 12: Implementation of the information security plan

To facilitate a systematic and co-ordinated approach to security and risk management, agencies should establish a structure or framework to help develop and implement the agency information security plan.

Step 13: Ongoing monitoring and review

To ensure that security controls in the agency continue to remain relevant to the agency goals, objectives and operational and business environments, the agency’s information security plan should be monitored, reviewed and reported on as an ongoing activity. The information gained from these activities is used to inform future agency security plans and strategies.

It is suggested that agencies review their security plan at least annually to identify changes to the risk profile and to assess the effectiveness of existing controls. Further to this, the agency should ensure that security planning becomes an integral component of all agency management, projects and activities rather than an isolated, once-a-year planning activity.

General agency security plan

Whilst the ICT Policy and Coordination Office works with agencies to improve information security practices across the Queensland Government, protective security and counter-terrorism issues throughout Queensland are coordinated by the Queensland Police Service.

The Government Asset Protection (GAP) Project has produced the Guide for general security planning which agencies should refer to when developing their general agency security plan. Enquiries about this document can be directed to the Queensland Police Service’s Security Planning and Coordination team on 07 3406 3677 or by emailing security.planning@police..au.

3.3 Internal governance

The Information Security Internal Governance Guideline provides implementation advice for this domain.

Information on internal governance arrangements for ICT and information management is available in the following documents respectively:

Information Standard 2: ICT Resources Strategic Planning

Information Security Internal Governance Guideline.

3.4 External party governance

See the Information Security External Party Governance Guideline.

4 Asset management

4.1 Asset protection responsibility

Information assets

It is a requirement of Information Standard 44, Information asset custodianship (IS44) that agencies:

identify their information assets

establish and maintain an information asset register.

Agencies may wish to use this register, or establish a separate one, to record the information security classification of their information assets. The following documents provide agencies with implementation guidance:

IS44

Identification and classification of information assets guideline

Queensland Government Information Security Classification Framework (QGISCF)

Queensland Government Information Security Controls Standard (QGISCS).

Disposal of information assets

For information assets that are public records, their retention and disposal must be managed in accordance with a retention and disposal schedule approved by the state archivist, under the Public Records Act 2002. For further information regarding the disposal of records agencies should refer to Information Standard 31: Retention and disposal of public records (IS31).

For all other information assets agencies should refer to the QGISCF and the QGISCS.

Refer to section 4.2 below for guidance on the disposal of equipment.

Control of technology devices

It is a requirement of IS18 and the Information Security Policy – Mandatory Clauses that agencies identify their ICT assets, document them and assign owners for the maintenance of information security controls. ICT assets must be assigned information security controls commensurate with the highest level of security classification applied to the information assets contained within or transmitted via the ICT asset. The following documents provide agencies with further implementation requirements and guidance:

Queensland Government Information Security Classification Framework

Queensland Government Network Transmission Security Assurance Framework (NTSAF).

In the absence of advice within these documents, agencies should consider guidance from the:

PSPF

ISM.

4.2 Information security classification

Agencies should refer to the QGISCF, which provides detailed implementation requirements and guidance with respect to the information security classification and control of information assets. Additional advice is available within the QGISCS.

Agencies should be mindful that the information security classification of an information asset does not limit the operation of legislation. For example, a policy document classified as PROTECTED may be assessed as suitable for release under the Right to Information Act 2009. In this situation, the information would need to be reclassified as PUBLIC.

5 Human resources management

5.1 Pre-employment

Depending on the nature of the agency’s business, consideration should be given as to whether:

specific information security clauses should be included in terms and conditions of employment (eg. responsibilities and disciplinary processes)

additional scrutiny is required during the recruitment and selection phase for positions involving exposure to classified or sensitive information, or where relevant legislation is in place (eg. security assessments and criminal history checks). When dealing with employment for these types of positions, the following are examples of the requirements the agency needs to consider:

the availability of satisfactory character referees

the completeness and accuracy of resume and qualifications

security and criminal history checks (where required under legislation or where clearly identified risks can be reduced by such checks)

the PSPF for further information on employing staff who will be dealing with national security classified information.

5.2 During employment

Induction, training and awareness programs

The information security induction, training and awareness program should:

address all levels of staff and all areas of the agency

cover the following:

general employee responsibilities (see Information Security Internal Governance Guideline)

information security responsibilities concerned with particular roles (see Information Security Internal Governance Guideline)

the correct operation of information systems and ICT facilities and devices (see also Information Standard 38: Use of ICT Facilities and Devices (IS38))

reporting of information security events, weaknesses and incidents

information security related responsibilities within the agency code of conduct and the disciplinary penalties for breaches.

be updated regularly to include changes in the information security plan and policy

include regular refresher training.

Examples of mechanisms that agencies may consider when developing information security induction, training and awareness programs include:

addressing information security responsibilities within the agency’s code of conduct

briefing sessions

online tutorials

regular distribution of educational material (eg. security updates, log-on notices, factsheets, newsletter articles and posters)

distributing copies of the agency’s information security policy and obtaining a signed acknowledgement of understanding from each employee (especially those that handle classified information).

It is the responsibility of:

managers to ensure that their employees undertake information security induction training and regular refresher training

agency employees to understand and follow information security policy and processes.

Roles and responsibilities

High level information security roles and responsibilities are defined within the Information Security Internal Governance Guideline. Agencies should use this guideline as a basis for developing, documenting and assigning information security roles and responsibilities within their environment.

Disciplinary processes

The disciplinary actions and processes for misconduct and official misconduct should be determined under the Public Service Act 2008 and/or other relevant legislation, regulation and policy that apply to the agency. These should be documented in the agency’s terms and conditions of employment.

For guidance on information security incident management, agencies should refer to Section 10 – Incident Management in this document.

5.3 Post-employment

The Public Service Commission’s Directive No. 2/09: Employment separations procedures requires agencies to establish separation procedures in all cases where an employee is separating from employment with the Queensland Public Service. Implementation of this directive is supported by an Employment separation checklist.

In addition the Information Security Policy – Mandatory Clauses requires agencies to set up procedures for ensuring the security of the agency during the separation of employees from, or movement within the agency. It is recommended that agencies also ensure that procedures are in place for termination of employment.

To meet this requirement, it is suggested that agencies implement:

exit interviews that ensure the employee understands their continuing responsibilities for maintaining information confidentiality and privacy (especially when the employee has had access to classified information) and for respecting the Queensland Government’s intellectual property rights – this should include the consequences of non-compliance with these responsibilities

separation checklists that confirm:

exit interview has been conducted

all Queensland Government property has been returned (eg. access cards/keys, credit cards, mobile phones, personal digital assistants)

the employee’s user ID has been disabled and access rights revoked.

As is the case with many personnel security issues, the responsibility for employee separation procedures does not remain with one area of the agency but requires a coordinated approach across the agency.

6 Physical and environmental management

Agency information security staff should work with those responsible for protective security within their agency to ensure that appropriate physical and environmental management controls are implemented.

6.1 Building controls and secure areas

The level of building and secure area controls to be implemented depends on the classification under the QGISCF of the information assets stored therein. The QGISCF and the QGISCS provide some guidance with regard to building controls and secure areas.

In the absence of advice within these documents, agencies should refer to:

Guides and tools (Queensland Government employees only) issued by the Security Planning and Coordination unit within the Queensland Police Service

AS 2834-1995 Computer accommodation

PSPF

ISM.

6.2 Equipment security

The level of controls to be applied to agency equipment depends on the classification under the QGISCF of the information assets the equipment stores or transmits. The QGISCF provides some guidance with regard to the following controls:

preparation and handling

removal from workplace and monitoring

discussing classified information (including telephone and video conference)

copying and storage

electronic transmission

archive and disposal.

Additional advice is available within the QGISCS.

Agency risk assessments may identify the need for additional information security controls for equipment.

In the absence of advice within the above documents, agencies should refer to the:

PSPF

ISM.

Note: the Queensland Government is not legislatively obliged to comply with the PSPF and ISM. However, the Queensland Government is a signatory to a Memorandum of Understanding that commits it to engage in practices consistent with these manuals.

Offsite equipment

When developing policies and processes for the use and/or maintenance of offsite equipment, agencies should ensure:

a risk assessment is conducted prior to locating equipment offsite

equipment and media taken off the premises are not left unattended in public places. This extends to ensuring that portable equipment is carried as hand luggage and disguised where possible during travel

manufacturers’ instructions for protecting equipment are followed

teleworking arrangements are determined by risk assessment and suitable controls are applied as appropriate (eg. backup, virus protection)

adequate insurance cover for offsite equipment.[1]

Maintenance of equipment

To ensure availability and integrity of information, equipment should always be maintained according to manufacturers’ maintenance guidelines. Maintenance processes cover a wide range of activities including preventative, repair and upgrade maintenance, which may be the result of scheduled or non-scheduled activities. Agencies need to ensure that adequate policies and processes are in place to protect agency information, during any maintenance process.

Agencies should be mindful of the risks of continuing to use equipment that is no longer supported by a vendor. Unsupported equipment is subject to increased information security risk, as patches for newly identified vulnerabilities will not be available.

Disposal of equipment

The QGISCF and the QGISCS provide some guidance on appropriate controls for disposal of electronic media and equipment commensurate with security classification levels.

In accordance with Information Standard 13: Procurement and disposal of ICT products and services (IS13) disposal of government-owned ICT resources must be:

conducted with approval from the accountable officer or delegated personnel

supervised and certified upon completion by a person delegated by the accountable officer.

Agencies should ensure that these policies and processes include employee training.

Further implementation guidance is available within the ISM which provides detailed instructions on product and media sanitisation and disposal.

7 Communications and operations management

7.1 Operational procedures and responsibilities

When documenting operational procedures, agencies should at a minimum ensure that detailed operating instructions are in place for all processes outlined in the mandatory principles of IS18.

In terms of assigning operational responsibilities, agencies should consider the separation of operational functions and duties where procedures involve activities which could be susceptible to unauthorised activity or misuse of information, or which pose a conflict of interest, such as security audits.

7.2 Third party service delivery

Agencies should ensure that third party services are managed and operated according to service level or operating level agreements. Further advice is available within the Information Security External Party Governance Guideline and the Information Security Internal Governance Guideline.

7.3 Capacity planning and system acceptance

To minimise threats to the operational environment agencies should at a minimum ensure:

adequate testing and change control mechanisms are in place for the migration of new or modified systems into the operational environment

that the information environment is managed in a way that will easily accommodate changes or future expansions so as to not adversely impact the operational environment.

7.4 Application integrity

Agencies are required to implement controls for the prevention, detection and removal of malicious and mobile code.

Malicious code

Malicious code includes, but is not limited to, viruses, spyware, worms, Trojan horses and logic bombs. The following controls are recommended:

anti-malware software

software authorisation policy and processes

education and awareness

infection handling procedures.

Anti-malicious code software

Agencies should ensure that current anti-malicious code software is installed. The following points summarise some of the considerations an agency should make when implementing anti-malicious code software:

when selecting a product agencies should consider:

the vendor’s track record and frequency of updates

using more than one product to ensure maximum protection.

the anti-malicious code software should be configured to:

run whole of server scans daily

sit inside the agency firewall in real time mode to ensure malicious and mobile code infections are identified and cleaned immediately upon detection

deal with both spam and instant messaging.

a separate server or computer should be configured to sit inside the agency firewall in real-time mode. This server should be configured with appropriate software to check for malicious code: if a virus is detected and all incoming and outgoing email attachments can be cleaned, the message can be distributed; if the attachments cannot be cleaned, the message should be blocked

the anti-malicious code software must be updated with new definition files and scanning engines as soon as possible after vendors make them available

the implemented anti-malicious code software should be regularly reviewed

agencies should ensure that virus protection and recovery strategies are included in risk management and business continuity plans.

Software authorisation policy

Agencies should establish a policy outlining the prohibited use and installation of software not authorised by the agency, including user responsibilities with regard to downloading software from the internet, email or media devices, in order to reduce the risk of malicious code being introduced into agency systems via these mechanisms. See also IS38.

Education and awareness

Users must be educated about malicious code in general, the risks posed, and virus symptoms and warning signs, including what processes should be followed in the case of a suspected virus. Agencies should consider network broadcasts or another system for alerting users to virus attacks. Ensuring that personnel are aware of their responsibilities when using the Internet and of the agency’s software authorisation policy will also reduce the risk of the introduction of malicious code.

Further implementation guidance is available within:

ISM

IS38.

Infection handling procedures

The ISM provides some instructions on the handling of malicious code infections.

Mobile code

AS/NZS ISO/IEC 27002:2006 Information technology – Security techniques – Code of practice for information security management defines mobile code as:

‘software code which transfers from one computer to another computer and then executes automatically and performs a specific function with little or no user interaction. Mobile code is associated with a number of middleware services. In addition to ensuring that mobile code does not contain malicious code, control of mobile code is essential to avoid unauthorised use or disruption of system, network, or application resources and other breaches of information security.’

The following controls are recommended:

blocking

education and awareness.

Blocking

Agencies may wish to consider blocking the use and receipt of mobile code. However, this should be balanced against the potential loss of business functionality. A middle ground may be to block mobile code for selected websites only. This approach must be consistent with the agency’s internet acceptable use policy. See also IS38.

Agencies should be mindful that active content filters are only effective if installed on a gateway/firewall that the traffic actually passes through; content carried inside encrypted sessions cannot be inspected unless the gateway terminates those sessions.

Education and awareness

Users should be educated about mobile code in general including the risks posed.

Further implementation advice on mobile code controls is available in AS/NZS ISO/IEC 27002:2006 Information technology – Security techniques – Code of practice for information security management.

Reporting malicious and mobile code incidents

In addition, agencies are required to establish reporting procedures for malicious and mobile code incidents. For further advice on reporting of malicious and mobile code incidents see:

Information Security Incident Category Guideline

Information Security Event and Incident Management Guideline (not yet approved)

AS/NZS ISO/IEC 18044:2006 Information technology – Security techniques – Information security incident management.

Backup procedures

When establishing backup procedures and processes, agencies should consider the following factors to minimise threats to the integrity and availability of information:

backup information should be afforded appropriate controls (including physical and environmental) commensurate with the information security classification of the information assets involved

backup cycles should be based on analysis of the business risk, frequency with which data and software is changed and the criticality of the system to business operations. The cycle should include, as a minimum:

backups of data on a cycle deemed appropriate by the IT Manager (for example incremental daily backups of data with a full weekly backup of all data, operating systems and applications), but as a minimum on a weekly basis

backups of the complete operating system, and applications on a cycle deemed appropriate by the IT Manager, but as a minimum, on a monthly basis.

a register of backups, including verification of their success, should be maintained

restoration procedures should be documented and available to those who require them, including at the location where the backups are stored

the means to recover the information (for example the backup software and any keys required to read the media) should be stored at the backup location or at least be available from an identified source when required

a cycle of backup media should be used for all backups (see also below regarding business continuity and ICT disaster recovery)

in addition to regular back up cycles, a system backup should be performed before and after major changes to the operating system, system software, or applications

when upgrading technologies, agencies should ensure that existing backup data can still be read in the new environment

a cycle of regular tests should be implemented to verify that the system can be recovered from the backups produced (see also below regarding business continuity and ICT disaster recovery)

backup media should be retained for all information required to meet customer service, legal or statutory obligations.

effective backup procedures are important to ensure business continuity and the ability to recover from disasters – for business continuity and ICT disaster recovery purposes:

at least one copy in each backup cycle and restoration procedures should be stored off-site and in accordance with the business continuity and relevant ICT disaster recovery plans

regular tests (at least annually) should ensure that backup procedures meet the requirements of business continuity and ICT disaster recovery plans

see further section 11.

Queensland State Archives provides advice on risks associated with relying on backups as evidence of business activity and the appropriate retention of backups. For further information refer to the Queensland State Archives Public Records Brief: Management of backups.
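The following is an added example, not part of IS18 or any agency's backup tooling, showing the backup cycle described above in working code: a full backup followed by an incremental backup of only the files changed since, each verified against the source and recorded in a register, followed by a restore test that checks the recovered tree matches the source. The directory layout, archive names, register format (one JSON line per run) and the two-day timeline are assumptions constructed for illustration.

```python
import hashlib
import json
import os
import tarfile
import tempfile
from datetime import datetime, timedelta
from pathlib import Path
from typing import List, Optional


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def tree_digest(root: Path) -> dict:
    """Relative path -> SHA-256 for every file under root."""
    return {p.relative_to(root).as_posix(): sha256_bytes(p.read_bytes())
            for p in root.rglob("*") if p.is_file()}


def run_backup(source: Path, dest: Path, register: Path, when: datetime,
               kind: str, since: Optional[datetime] = None) -> dict:
    """Write one archive ('full' = everything, 'incremental' = files modified
    after `since`), verify it against the source, append to the register."""
    files = [p for p in source.rglob("*") if p.is_file()]
    if kind == "incremental":
        if since is None:
            raise ValueError("incremental backup needs the previous run's time")
        files = [p for p in files
                 if datetime.fromtimestamp(p.stat().st_mtime) > since]
    archive = dest / f"{when:%Y%m%d}-{kind}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        for p in files:
            tar.add(p, arcname=p.relative_to(source).as_posix())
    # Verification: re-read the archive and compare every member with the source,
    # so the register records a checked result rather than "command exited 0".
    expected = {p.relative_to(source).as_posix() for p in files}
    with tarfile.open(archive, "r:gz") as tar:
        verified = {m.name for m in tar.getmembers() if m.isfile()} == expected
        for p in files:
            data = tar.extractfile(p.relative_to(source).as_posix()).read()
            verified = verified and sha256_bytes(data) == sha256_bytes(p.read_bytes())
    entry = {"date": when.date().isoformat(), "kind": kind,
             "archive": archive.name, "files": len(files), "verified": verified}
    with register.open("a") as f:
        f.write(json.dumps(entry) + "\n")      # the backup register
    return entry


def restore(archives: List[Path], target: Path) -> dict:
    """Restore test: apply the full backup, then incrementals in order, and
    return the digest of the recovered tree for comparison with the source."""
    target.mkdir(exist_ok=True)
    for archive in archives:
        with tarfile.open(archive, "r:gz") as tar:
            tar.extractall(target)
    return tree_digest(target)


def demo() -> tuple:
    """Constructed two-day cycle: full backup on day 0, one file edited,
    incremental on day 1, then a restore test. Returns (register, restore_ok)."""
    work = Path(tempfile.mkdtemp())
    src, dest, reg = work / "data", work / "backups", work / "register.jsonl"
    src.mkdir(); dest.mkdir(); (src / "db").mkdir()
    day0 = datetime(2011, 7, 4, 22, 0)                     # constructed timeline
    for name, content in [("policy.txt", b"v1"), ("db/app.sqlite", b"rows")]:
        (src / name).write_bytes(content)
        os.utime(src / name, (day0.timestamp(), day0.timestamp()))
    entries = [run_backup(src, dest, reg, day0, "full")]
    day1 = day0 + timedelta(days=1)
    (src / "policy.txt").write_bytes(b"v2")                # only this file changes
    os.utime(src / "policy.txt", (day1.timestamp(), day1.timestamp()))
    entries.append(run_backup(src, dest, reg, day1, "incremental", since=day0))
    recovered = restore([dest / e["archive"] for e in entries], work / "restore")
    return entries, recovered == tree_digest(src)


if __name__ == "__main__":
    for line in demo()[0]:
        print(line)
```

The register line carries a verified flag computed from the archive's contents, which is what an auditor checking the "register of backups, including verification of their success" needs to see; the restore test is deliberately the same code a scheduled recovery exercise would run, not a separate "test mode".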

Network security

Network security management is critical to the overall security of the agency information environment. Agencies should ensure that appropriate governance and controls are in place to protect networks from internal and external threats including intrusion, disruption or exposure through malicious or accidental action. These controls should be commensurate with the highest level of security classification applied to the information assets contained within the network, and transported between agency gateways. Where possible the application and monitoring of network security controls should be automated in order to address scalability requirements and to reduce costs. Processes in place for secure network management include but are not limited to:

designing networks, including their infrastructure, with controls appropriate to the agency

for all ICT assets that provide services accessible outside Queensland Government’s internal networks it is recommended that:

these are isolated in a separate security network domain, called a demilitarised zone (DMZ)

the DMZ is secured with controls commensurate with the highest level of information security classification for the information assets stored within or transiting the DMZ, including defence-in-depth deployments, firewalls, intrusion detection and prevention systems (IDP), monitoring and reporting

business requirements for access controls for all ICT assets within the DMZ are identified and implemented.

maintaining current documentation for network and gateway systems, including firewall and security device configurations and ensuring that only staff with a need to know have access to this documentation

security configuration management and software updates

monitoring and analysis of logs from firewalls for security breaches

alerts for detected breaches and intrusion attempts, and a documented response process

regular testing of network security.

Agencies are to note that the Queensland Government Consolidated Infrastructure (QGCI), as delivered by the Foundation Infrastructure Project (FIP), will be provisioning an IDP service and a multi-tenanted security information and event management solution, and offering these services to agencies that migrate to this new whole-of-Government solution. Agencies wishing to utilise these technologies within their own network management domain should seek guidance from the QGCTO on interoperability with the QGCI solution; however, the preference is for agencies to consume whole-of-Government services provided by CITEC.

Further implementation guidance is available within the NTSAF.

Firewalls

Agencies should implement firewalls:

at the network perimeter to prevent unauthorised access to agency networks

on the internal network and on servers (depending on the agency’s network security architecture).

Agencies should document tightly defined firewall rules that match network access requirements. These should be stored in a secure location and be known only to those employees with a need to know. Agency change control and configuration processes must include consideration of any required changes to agency firewall rules to ensure ongoing appropriate firewall protection. Reviews of firewall rules should be scheduled on a regular basis, and each allow rule should be traceable to a documented access requirement.

Agency firewall and gateway architecture should also be subject to regular tests, to identify any security weaknesses. Agencies should report the results of these tests and any corrective actions to the information security governance body.
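As an added example (not part of IS18, the NTSAF or any vendor's firewall tooling), the following Python script performs the kind of rule review described above: it takes the documented access requirements and the deployed ruleset, both constructed here, and reports allow rules with no documented requirement, allow rules broader than the requirement they serve, requirements not implemented by any rule, and the absence of a final default-deny rule. The rule and requirement formats are assumptions; real firewalls export richer objects, but the checks are the same.

```python
from ipaddress import ip_network
from typing import Dict, List

# Constructed inputs. Requirements are what the business documented; rules are
# what is deployed, in evaluation order with the last rule acting as default.
REQUIREMENTS = [
    {"id": "REQ-01", "src": "0.0.0.0/0", "dst": "203.0.113.10/32", "port": 443,
     "note": "internet to public web server in the DMZ"},
    {"id": "REQ-02", "src": "203.0.113.10/32", "dst": "10.0.5.20/32", "port": 5432,
     "note": "DMZ web server to internal database"},
]
RULES = [
    {"n": 10, "action": "allow", "src": "0.0.0.0/0", "dst": "203.0.113.10/32", "port": 443},
    {"n": 20, "action": "allow", "src": "203.0.113.0/24", "dst": "10.0.5.0/24", "port": "any"},
    {"n": 30, "action": "allow", "src": "10.0.0.0/8", "dst": "10.0.5.20/32", "port": 22},
    {"n": 99, "action": "deny", "src": "0.0.0.0/0", "dst": "0.0.0.0/0", "port": "any"},
]


def admits(rule: Dict, req: Dict) -> bool:
    """True if the rule would pass the traffic the requirement describes."""
    return (ip_network(req["src"]).subnet_of(ip_network(rule["src"]))
            and ip_network(req["dst"]).subnet_of(ip_network(rule["dst"]))
            and rule["port"] in ("any", req["port"]))


def broader_than(rule: Dict, req: Dict) -> bool:
    """True if the rule admits more than the requirement needs (wider
    source or destination prefix, or any port instead of a specific one)."""
    return rule["port"] == "any" or any(
        ip_network(rule[k]).prefixlen < ip_network(req[k]).prefixlen
        for k in ("src", "dst"))


def review(rules: List[Dict], requirements: List[Dict]) -> List[str]:
    """Return human-readable findings for the information security governance body."""
    findings = []
    allows = [r for r in rules if r["action"] == "allow"]
    for r in allows:
        matched = [q for q in requirements if admits(r, q)]
        if not matched:
            findings.append(f"rule {r['n']}: no documented requirement")
        elif any(broader_than(r, q) for q in matched):
            findings.append(f"rule {r['n']}: broader than "
                            + ", ".join(q["id"] for q in matched))
    last = rules[-1] if rules else None
    if (not last or last["action"] != "deny"
            or last["src"] != "0.0.0.0/0" or last["dst"] != "0.0.0.0/0"):
        findings.append("no final default-deny rule")
    for q in requirements:
        if not any(admits(r, q) for r in allows):
            findings.append(f"{q['id']}: not implemented by any rule")
    return findings


if __name__ == "__main__":
    for finding in review(RULES, REQUIREMENTS):
        print(finding)
```

On the constructed data, rule 20 is flagged because it opens every port from the whole DMZ subnet to the whole database subnet when REQ-02 only needs one host, one host and one port, and rule 30 is flagged because nobody documented a need for SSH from the internal /8 to the database server; both are the findings a scheduled review should surface and take through change control.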

Firewall Warning Notice

It is recommended that agencies implement ICT system firewall warning notices for Queensland Government external facing ICT devices (eg. firewalls, intrusion prevention systems, bastion hosts, screening routers etc) to provide potential users with notice as to the private nature of the system and that monitoring and reporting activities may be conducted.

Crown Law has been consulted as part of the development of a standard warning notice to ensure the notice complies with statutory obligations while remaining as succinct as possible. The Commonwealth and Queensland Criminal Codes both prohibit unauthorised access to ICT systems and typically provide for offenders to be imprisoned for periods varying from two to ten years. Crown Law advised that there is no statutory requirement for a firewall notice to refer to any specific legislation, and that including references to legislation governing this area would only increase the length of the notice without offering any substantial legal benefit.

As per Crown Law advice, the ways in which a firewall notice may have legal effect, if appropriately worded and implemented, include:

forming a contract, enforceable by legal action, obliging the user not to use the system for unauthorised purposes

providing notice to the user that their electronic communications may be accessed by third parties, to establish the ‘knowledge’ of the sender of a communication necessary to avoid contravening the Telecommunications (Interception and Access) Act 1979 through unlawful interception of the communication

making an individual aware of the use and disclosure of personal information for the purposes of compliance with the Information Privacy Act 2009.

The following notice is intended to meet the 265 character requirement and to secure the best chance of having the legal effects outlined above:

“This private ICT system is for authorised use only.

By using this system you agree to use it only as authorised. You consent to agency personnel monitoring or recording your use (including personal information and communications) and using or disclosing such records for disciplinary or law enforcement purposes.”

Crown Law has advised that at this time, users will not be required to actively ‘accept’ the terms of the firewall notice prior to entering their login details. However, agencies should consider this in light of other existing login notices they are using which require employees to acknowledge their responsibilities (such as employee use of ICT facilities and devices under Information Standard 38 (IS38)).

Media handling

The level of controls to be applied to agency media depends on the security classification assigned to that media under the QGISCF. The QGISCF and the QGISCS provide some guidance with regard to the following controls:

preparation and handling

removal from workplace and monitoring

copying and storage

archive and disposal.

Agency risk assessments may identify the need for additional information security controls for media.

In the absence of advice within the QGISCF, agencies should refer to the ISM.

Note that the Queensland Government is not legislatively obliged to comply with the ISM. However, the Queensland Government is a signatory to a Memorandum of Understanding that commits it to engage in practices consistent with this manual.

Information exchange

To ensure the security of information exchanged within the agency and with external parties, including online information systems, the agency should ensure information handling and exchange procedures are established in line with the:

QGISCF

QGISCS

Queensland Government Authentication Framework (QGAF)

NTSAF.

See also IS44.

Email

Email has become a critical business enabler, with information included in emails often traversing public untrusted/uncontrolled networks such as the internet.

Agencies should ensure that information within emails is appropriately protected, and that email use does not increase the risk profile of the agency, by:

ensuring staff have clear guidelines regarding the use of email for sensitive or security classified information

ensuring that passwords are used on email systems (this may be achieved by use of a password at network login)

prohibiting the use of scanned signatures (they can be cut and pasted to give the appearance that a document was signed officially)

acknowledging that email communication is not private - any opinions expressed via external e-mail, where they are not related to the conduct of business, should be noted as individual opinions and not those of the organisation by inclusion of a disclaimer. For example:

“This email, together with any attachments, is intended for the named recipient/s only.

If you have received this message in error, you are asked to inform the sender as quickly as possible and delete this message and any copies of this message from your computer system network. Any form of disclosure, modification, distribution and/or publication of this email message is prohibited. Unless stated otherwise, this e-mail represents only the views of the Sender and not the views of the Department of xxxxx.”

ensuring email systems are backed-up and maintained in accordance with operational system management standards

ensuring the evidentiary value of electronic message transactions, and the general reliability and availability of the electronic messaging system, is maintained. For Queensland Government policy and implementation advice on emails that are public records, agencies should refer to the Queensland State Archives' Managing emails that are public records policy and guideline.

Agencies should refer to IS38 for further advice regarding email policy.

Further advice on email transmission is available within the references listed in section 7.8 above.

eCommerce

eCommerce and online transactions

All agency eCommerce and online transactions and services must be assessed against and consistent with the requirements of QGAF and NTSAF.

Further implementation advice is available within:

AS/NZS ISO/IEC 27001:2006 Information technology – Security techniques – Information security management systems – Requirements

AS/NZS ISO/IEC 27002:2006 Information technology – Security techniques – Code of practice for information security management

PCI Data Security Standard (PCI DSS) for payment account data security.

Publicly available information

Internet security is a critical current and ongoing security issue for agencies. The internet creates a window into the agency network that opens up the potential for unauthorised access and security threats to the confidentiality, integrity and availability of its information and all information facilities.

Agencies should assess their internet security requirements and develop policies and controls to manage all aspects of online and internet activities. The issues to take into consideration are numerous, however, a few of the points to assess include:

anonymity and privacy including the requirements of the Information Privacy Act 2009

data confidentiality

use of cookies

applications and plug-ins

type of language to be used

practices for downloading executables

web server security configuration and auditing

access controls

use of data encryption.

Impact and risk assessments should be conducted on all web security controls on a regular, if not on-going basis, and external expert advice should be sought where possible.

Information processing monitoring

Agencies are required to ensure that audit logs of user activities, exceptions and information security events are produced, maintained and monitored.

Agencies need to ensure that their system and user monitoring activities are in line with all legislative obligations and the risk the system or activities pose to the security of the environment. Agencies should refer to IS38 for further information regarding the monitoring of communications including email and the Information Privacy Act 2009 for obligations regarding the protection of personal information.

Audit, fault, administrator and operator logs should be produced, maintained and monitored on a regular basis to assist in maintaining the security of the agency information environment.

Logging facilities and log information should:

be protected against tampering and unauthorised access

collect at a minimum the auditing requirements specified in the QGISCS and may in addition consider collecting the following:

user IDs

dates and times of key activities

the identity and location of the computer

network addresses and protocols

systems alerts or failures

activation of anti-virus and intrusion detection and prevention systems[2].

in the case of log information, be retained as a record and/or in compliance with requirements to collect and retain evidence.
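An added example, not part of IS18 or any product, of what "protected against tampering" can mean in practice: each log entry carries a keyed MAC that also covers the previous entry's MAC, so editing or deleting an entry in the middle breaks the chain. The sample events (with the fields listed above), the demo key and the idea that the key and the last MAC are held by a separate log collector are all assumptions constructed for illustration. The demo also shows the one case a hash chain alone does not catch: silently deleting the newest entries, which is why the last MAC has to be recorded somewhere the log writer cannot reach.

```python
import copy
import hashlib
import hmac
import json
from typing import List, Optional

# Assumed: KEY is held by the log collector, not by the host writing the log,
# so whoever can edit the file cannot recompute the MACs. Demo value only.
KEY = b"constructed-demo-key-replace-in-practice"
GENESIS = "0" * 64


def entry_mac(prev: str, event: dict) -> str:
    """MAC over the previous entry's MAC and a canonical serialisation of the event."""
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hmac.new(KEY, (prev + body).encode(), hashlib.sha256).hexdigest()


def append_event(chain: List[dict], event: dict) -> dict:
    """Append an event whose MAC commits to the whole history before it."""
    prev = chain[-1]["mac"] if chain else GENESIS
    entry = {"event": event, "prev": prev, "mac": entry_mac(prev, event)}
    chain.append(entry)
    return entry


def verify(chain: List[dict]) -> Optional[int]:
    """Return the index of the first bad entry, or None if the chain is intact."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if (entry["prev"] != prev
                or not hmac.compare_digest(entry["mac"], entry_mac(prev, entry["event"]))):
            return i
        prev = entry["mac"]
    return None


def demo() -> tuple:
    """Constructed sample events, then three checks: the intact chain, a
    modified entry, and a log with its newest entry deleted."""
    events = [
        {"time": "2011-07-04T09:12:03", "user": "jsmith", "host": "ws-0142",
         "addr": "10.0.7.33", "proto": "tcp/22", "event": "logon ok"},
        {"time": "2011-07-04T09:15:41", "user": "jsmith", "host": "db-01",
         "addr": "10.0.7.33", "proto": "tcp/22", "event": "privilege escalation"},
        {"time": "2011-07-04T09:16:02", "user": "-", "host": "db-01",
         "addr": "-", "proto": "-", "event": "IDP alert: outbound scan"},
    ]
    chain: List[dict] = []
    for e in events:
        append_event(chain, e)
    anchor = chain[-1]["mac"]          # last MAC shipped to the collector each run

    tampered = copy.deepcopy(chain)
    tampered[1]["event"]["user"] = "svc-batch"   # rewrite who escalated privilege

    truncated = chain[:-1]             # newest entry deleted: chain still verifies...
    truncation_detected = truncated[-1]["mac"] != anchor   # ...but the anchor disagrees
    return verify(chain), verify(tampered), verify(truncated), truncation_detected


if __name__ == "__main__":
    print(demo())
```

The chain gives integrity for the log's contents only; it does nothing for availability or confidentiality of the log, which still need the access controls and retention handling the list above calls for.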

For further guidance agencies should refer to:

AS/NZS ISO/IEC 27001:2006 Information technology – Security techniques – Information security management systems – Requirements

AS/NZS ISO/IEC 27002:2006 Information technology – Security techniques – Code of practice for information security management

IS40 Recordkeeping

IS31 Retention and disposal of public records

HB 171-2003 Guidelines for the management of IT evidence.

Access management

Access control policy

The agency’s access control policy should address and detail access control rules and rights for each group of users. Generally these should be based on ‘what must be generally forbidden unless expressly permitted’, ensuring that business requirements are followed. Access controls need to be consistent with policy and legal requirements. The overall framework for access rights should be reviewed on a regular basis to determine that they remain appropriate.

Authentication

Authentication codes should be changed when there is an indication of possible system security or authentication code compromise.

QGAF provides a process and a set of definitions which will allow agencies, as service providers, to evaluate the risk associated with their services and determine the appropriate level of authentication assurance required. Agencies should refer to the QGAF series of documents for detailed information regarding authentication management.

Agencies are also required to align with the Identity and Access Management Policy and meet the targets within its accompanying position.

User access

User registration

User access rights should be in accordance with information owner requirements and should be authorised by the user’s manager before the user is granted access to the information or system. The manager should ensure that the user has a sufficient understanding of the system before approving access rights.

Access control mechanisms should be used to restrict access to all computer systems, including hardware, software and data.

If user authentication is based upon passwords the following controls should be considered:

the user should be required to change temporary passwords at the first logon (temporary passwords only being valid for one day)

users should be required to change their authentication code after a predetermined period of time, through either automatic or manual means and should not be allowed to reuse an authentication code for at least 13 cycles

user access should be locked after three failed logon attempts

where passwords are used as authorisation, users should be educated in selecting and using passwords.

All access control privileges of users should default to denial of access when there is a malfunction in the computer or network access control system.

All changes to an employee’s user duties should be reflected in their access control rights. Changes should be carried out on a timely basis. Access privileges should be disabled or modified when users change jobs, or leave the agency permanently, or are on leave for a prolonged period.

User access rights should be subject to regular review using a formal process. Agencies should consider reviewing and possibly disabling access rights which have not been used within the last 30 calendar day period.

Privilege management

The use of special privileges should be restricted and controlled, as the unnecessary allocation or unauthorised use of special privileges can be a major factor in system security failure. Special privileges include:

high privilege users (for example administrator/supervisor access rights)

security administration (for example security administrator)

root access/operating system access

network management access

database administration.

User responsibilities

Users should be made aware of their responsibilities with regard to system access including:

following the password policy and processes

securing unattended equipment

keeping a clear desk and screen[3].

Network access

In relation to controlling unauthorised network access agencies should consider implementing:

network access control policies and software

gateway and firewall technologies for filtering and controlling traffic.

Remote network access

To minimise risks from external connections, agency remote access processes should, at a minimum, register all persons with remote access privileges, log all remote access attempts and activity, and ensure all users are authenticated before access to the network is granted.

Operating system access

Agencies should implement controls to prevent unauthorised access to operating systems. The following should be considered:

implementation of secure log-on procedures for operating systems, including:

ensuring that minimal information is disclosed about the system (for example, no indication during logon of whether it was the user ID or the password that was wrong)

the log-on is validated only upon correct input of all data, with the same failure response regardless of which item was incorrect.

assigning all users with a unique identifier (user ID) and a suitable authentication technique to substantiate identity claims

not reassigning user IDs, instead disabling the user ID when no longer required

managing password quality with a formal system

restricting and controlling the use of systems that may have the capability of overriding system and application controls

shutting down sessions after a defined period of inactivity

limiting user connection times where appropriate.
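The following is an added example, not part of IS18, QGAF or any identity product, that implements in one place the password controls from the user registration section (temporary passwords valid for one day and changed at first logon, lockout after three failed attempts, no reuse within 13 cycles, default to denial on malfunction) together with the secure log-on requirements above (no decision until all input is present, and one generic failure message whether the user ID is unknown, the password is wrong, the account is locked or the temporary password has expired). The 90-day maximum password age, the PBKDF2 parameters, the message strings and the sample accounts are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

MAX_FAILURES = 3                          # lock after three failed logons
HISTORY_DEPTH = 13                        # no reuse within the last 13 passwords
TEMP_PASSWORD_LIFETIME = timedelta(days=1)
PASSWORD_MAX_AGE = timedelta(days=90)     # assumed value for "a predetermined period"
GENERIC_FAILURE = "Logon failed"          # one message for every failure cause
PBKDF2_ROUNDS = 50_000                    # assumed; tune to the platform


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class Account:
    def __init__(self, password: str, now: datetime, temporary: bool):
        self.history: List[Tuple[bytes, bytes]] = []   # (salt, hash), newest last
        self.failures = 0
        self.locked = False
        self.set_password(password, now, temporary)

    def set_password(self, password: str, now: datetime, temporary: bool) -> None:
        salt = os.urandom(16)
        self.history.append((salt, hash_password(password, salt)))
        self.history = self.history[-HISTORY_DEPTH:]
        self.set_at, self.temporary, self.failures = now, temporary, 0

    def matches(self, password: str) -> bool:
        salt, digest = self.history[-1]
        return hmac.compare_digest(hash_password(password, salt), digest)

    def used_before(self, password: str) -> bool:
        return any(hmac.compare_digest(hash_password(password, s), d)
                   for s, d in self.history)


class Authenticator:
    def __init__(self):
        self.accounts: Dict[str, Account] = {}   # stands in for the directory
        self.dummy_salt = os.urandom(16)

    def create(self, user_id: str, password: str, now: datetime, temporary: bool) -> None:
        self.accounts[user_id] = Account(password, now, temporary)

    def login(self, user_id: str, password: str, now: datetime) -> Tuple[bool, str]:
        """Decide only once user ID and password are both present, and give the
        same reply for every failure cause. A malfunction of the account store
        is a denial, never an allow."""
        try:
            acct = self.accounts.get(user_id)
        except Exception:                          # backend error: fail closed
            return False, GENERIC_FAILURE
        if acct is None:
            hash_password(password, self.dummy_salt)   # keep timing uniform
            return False, GENERIC_FAILURE
        ok = acct.matches(password)                    # always computed
        if acct.locked or not ok:
            if not acct.locked:
                acct.failures += 1
                acct.locked = acct.failures >= MAX_FAILURES
            return False, GENERIC_FAILURE
        acct.failures = 0
        age = now - acct.set_at
        if acct.temporary and age > TEMP_PASSWORD_LIFETIME:
            return False, GENERIC_FAILURE              # temporary password expired
        if acct.temporary or age > PASSWORD_MAX_AGE:
            return True, "Password change required"
        return True, "OK"

    def change_password(self, user_id: str, old: str, new: str, now: datetime) -> Tuple[bool, str]:
        ok, _ = self.login(user_id, old, now)
        if not ok:
            return False, GENERIC_FAILURE
        acct = self.accounts[user_id]
        if acct.used_before(new):
            return False, "Password reuse not permitted"
        acct.set_password(new, now, temporary=False)
        return True, "Password changed"


def demo() -> list:
    """Constructed walk-through of the controls above."""
    auth = Authenticator()
    t0 = datetime(2011, 7, 4, 9, 0)
    auth.create("jsmith", "Temp#2011", t0, temporary=True)
    auth.create("tmpuser", "Temp#2011", t0, temporary=True)
    out = [
        auth.login("nobody", "anything", t0),                  # unknown user
        auth.login("jsmith", "wrong", t0),                     # wrong password: same reply
        auth.login("jsmith", "Temp#2011", t0),                 # temporary password: change forced
        auth.change_password("jsmith", "Temp#2011", "Winter-2011!", t0),
        auth.change_password("jsmith", "Winter-2011!", "Temp#2011", t0),  # reuse refused
        auth.login("tmpuser", "Temp#2011", t0 + timedelta(days=2)),       # temporary expired
    ]
    for _ in range(MAX_FAILURES):
        auth.login("jsmith", "bad", t0)
    out.append(auth.login("jsmith", "Winter-2011!", t0))       # locked after three failures
    return out


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Two details are easy to get wrong: the password check is computed even for a locked account, and a dummy hash is computed for an unknown user ID, so response time does not reveal which condition failed; and the lockout counter is reset only by a successful logon, not by the passage of time, so unlocking remains an administrative action that is recorded.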

Further implementation advice is available within AS/NZS ISO/IEC 27002:2006 Information technology – Security techniques – Code of practice for information security management.

Application and information access

Agencies should consider implementing controls that assist in restricting access to information within applications, by the use of menus and controlling access rights (eg. read, write, delete).

Access to system utilities that may be used to alter data or program code should be kept to a minimum with all system master passwords restricted to, and maintained by system owners or applicable appointee.

All remote access support applications and utilities should only be provided to authorised information systems support personnel. Policies should also be in place for the configuration of such systems.

All vendor and default passwords should be changed prior to an application going into operation.

Mobile computing and telework access

Risk assessments and policies and processes for mobile computing and telework access should consider:

physical security of the site

security of the telecommunications link

lack of control of information, for example, access by family or friends

increased risk of disclosure or unauthorised use of information

increased risk of unauthorised access to agency network and systems

support and maintenance of hardware and software updates

backup procedures

access security aspects (such as writing down of instructions for login including passwords).

Further details on movement of information assets outside the agency can be found in the QGISCF.

Using privately owned equipment

To ensure the integrity of government networks, privately owned devices (eg. home computers) should not be connected to agency networks unless either:

specific technology has been implemented to ensure security for the agency

detailed risk assessments are conducted to assess all security impacts.

Detailed risk assessments must include all aspects of information security including:

authentication measures

access controls

virus and malicious code

physical and personnel security.

System acquisition, development and maintenance

System security requirements

Security requirements and specifications should be addressed and agreed for any new or improved system in the initial stages of development, or acquisition. These requirements should identify and address any potential risks, vulnerabilities and/or conflicts with existing systems or business processes. Where possible, authentication should be managed through a separate enterprise directory product. Where appropriate agencies should also consider seeking independent evaluation or security certification of systems.

Agencies should ensure that applications which are to be implemented into the web environment undergo a stringent risk assessment process in the development phase and during the life of the application to ensure appropriate security controls are in place.

Agencies should also ensure that patch management issues are assessed and considered prior to the implementation of systems and, in the case of developed applications, that periodic code reviews are incorporated into security maintenance.

Correct processing

Agencies should ensure that implementation policies and processes outlining the practices for input validation, internal processing checks and controls, message authentication techniques and output data validation are in place to ensure appropriate security of all application and systems development. These processes should be in accordance with the risks associated with the system data and its security classification. Audit trails and activity logs should also be written into applications for the validation of data and internal processing.

Cryptographic controls

In order to provide a trusted communications channel over untrusted communication paths, cryptographic algorithms are a recommended control set. Further information on cryptographic controls can be located in the NTSAF.

System files

Operational software should be maintained at a level supported by the supplier and ideally at the latest available patch level. Appropriate testing, planning and migration control measures should be carried out when applying patches or installing new software versions to ensure the overall security of the agency operational environment is not adversely impacted. The testing of systems and data should be controlled and monitored, especially where operational data sets are used.

Access controls should be implemented to ensure restricted access to all systems and applications including system source code.

Agencies should be mindful that they must retire or replace software that is approaching end of mainstream support as per the Software currency policy and the targets within the Software currency position.

Secure development and support processes

Policies and processes should be in place for control of changes to operational applications, including version control for software upgrades. To minimise threats to the operational environment agencies should consider, but not limit themselves to, ensuring that:

adequate testing and change control mechanisms are in place for the migration of new or modified systems into the operational environment

that the information environment is managed so that future expansions or changes can be accommodated and do not adversely impact the operational environment.

For further information on change management see the ICT Infrastructure change management guideline.

Technical vulnerability management

As a first step, agencies should ensure that they have a current and complete register of application and technology assets including vendor, version numbers, current state of deployment and contacts for persons responsible for the asset (agency ICT Baseline data may be a useful starting point). Agencies should refer to AS/NZS ISO/IEC 27002:2006 Information technology – Security techniques – Code of practice for information security management which provides guidance on establishing effective management processes for technical vulnerabilities.

Agencies should be mindful that the Foundation Infrastructure Project (FIP) is investigating options for the supply of enterprise management software for the whole-of-Government ICT infrastructure, which includes patch vulnerability management software.

Incident management

When addressing information security incident management, agencies should be mindful that the Queensland Government Chief Technology Office (QGCTO) is establishing a virtual response team (VRT) that will include representatives from participating agencies. The VRT is being established to assist any agency requesting analysis and potential resolution of incidents of a significant nature only. Expertise may be drawn upon resources external to the Queensland Government if required.

It should be noted that the VRT is a consultative service only, and successful resolution, including payment for external resources, will be borne by the requesting agency.

CITEC, as the mandated whole-of-Government service provider, has also negotiated a Standing Offer Arrangement (SOA) for the procurement of Security Information and Event Management (SIEM) technology. A SIEM can be utilised for managing event and log information from all agency network devices, and offers the ability to assist with the analysis of events and incidents, as well as automating the process of generating reports. The SIEM technology can either be purchased by an agency or managed by CITEC on behalf of an agency.

Event/weakness reporting

When agencies are developing their policies and/or procedures for information security event and weakness reporting, the following guidelines should be taken into consideration:

Information Security Incident Category Guideline

Information Security Event and Incident Management Guideline (not yet approved)

AS/NZS ISO/IEC 18044:2006 Information technology – Security techniques – Information security incident management.

Incident procedures

When agencies are developing procedures to manage information security incidents, the following guidelines should be taken into consideration:

Information Security Event and Incident Management Guideline (not yet approved)

Information Security Incident Category Guideline

AS/NZS ISO/IEC 18044:2006 Information technology – Security techniques – Information security incident management

Information Security Internal Governance Guideline

Australian Standards' HB 171-2003 Guidelines for the management of IT evidence.

For information security incidents that involve breaches of privacy, agencies should refer to the:

Information Privacy Act 2009

OICs Privacy breach management and notification guideline

Privacy Act 1988 (Cth)

Australian Government Office of the Privacy Commissioner’s Guide to handling personal information security breaches.

Under IS18 agencies must establish and maintain an information security incident and response register and record all incidents. The register may be created manually or linked with existing business process tools, such as an Information Technology Infrastructure Library (ITIL) compliant ticketing system.

QGCTO is currently implementing a strategic whole-of-Government information security management service with CITEC, which will introduce new Security Information and Event Management (SIEM) technology to assist with the collation and summarisation of events and incidents, including the generation of reports. As part of the migration strategy for agencies to consume whole-of-Government services, QGCTO will work with agencies to explain the benefits of adopting a SIEM service, including the benefits of using a SIEM to maintain the register and to provide more accurate and timely reporting.

Business continuity management

Business continuity

Agency business continuity plans should be reviewed and tested on a regular basis to ensure that all current business and ICT systems and infrastructure are accounted for. When developing the agency testing strategy, the importance of each system to the business operations and the ability to recover it within the time frames required by users should determine the extent of the testing. Business continuity plans should ensure that information security controls are maintained and this should be within scope of the testing strategy.

Agencies should also undertake a review of their plans and strategies after any significant disruption to, or failure of, information services, to ascertain the cause, assess the remedy and ensure procedures are adjusted to reduce the likelihood of any repeat occurrence. For further information, please refer to:

Business continuity plan documentation guideline (Queensland Government employees only)

Queensland Government guide for business continuity planning (Queensland Government employees only)

Australian Standards HB 221:2004 Business continuity management.

Disaster recovery

To ensure the availability of information and of ICT systems and services following a disaster, agencies need to document information and ICT disaster recovery plans.

When documenting agency information and ICT disaster recovery arrangements, agencies should refer to the ICT asset disaster recovery planning guideline. The plans should ensure that information security controls are recovered as part of the recovery process, not only the systems they protect.

When developing information risk management strategies to assess the vulnerability of information and ICT assets and the impact on these assets as a result of a security failure or a disaster, agencies should consider adapting the AS/NZS ISO 31000:2009 Risk management – Principles and guidelines. Further information can also be found in the Information risk management best practice guide.

It is a requirement of IS18 that agencies ‘establish an information and ICT asset disaster recovery register to assess and classify systems to determine their criticality’. Note that this does not need to be a new register; agencies are free to use existing registers they may have, provided that those registers assess and classify information and ICT assets to determine their criticality.

Requirements and advice regarding disaster recovery for public records are available from Queensland State Archives.

Compliance management

Legal requirements

A summary of information security related legal requirements is included in Appendix A. However, this is no replacement for agencies seeking legal advice from their internal legal section on the specific legal requirements that apply to them.

Policy requirements

Information security policies, procedures and compliance should be reviewed and reported on to appropriate management at least annually to ensure the reliability and overall effectiveness of the security controls for all information systems, network infrastructures and applications.

Audit requirements

Agencies should ensure that appropriately qualified personnel are assigned to audit the compliance of the information environment against agency policies, processes and industry technical standards, to ensure appropriate security levels are maintained. To preserve their independence, these personnel should, where practical, not be involved in the operational information or systems environment of the agency.

Reporting requirements

Event and incident information

Under IS18 agencies must submit their Security Event and Incident Management information to the QGCTO. Actual reporting requirements may evolve over time as the process matures.

In the interim, the QGCTO is in the process of establishing a Virtual Response Team and gathering business requirements for a whole-of-Government AusCERT subscription service. QGCTO is currently working with CITEC and a large agency to implement the SIEM technology chosen as part of the FIP tender.

As soon as these technologies, processes and services are in place, consultation with agencies will commence on determining the level of detail for events and incidents that will be reported to QGCTO on an ongoing monthly basis.

VRT communication alerts

Under IS18 agencies must send Virtual Response Team communication alerts to all agencies as directed by the QGCTO. Actual reporting requirements will evolve over time as the process matures. After the whole-of-Government Virtual Response Team is established, further information will be provided on the level of detail for events and incidents that will be reported to QGCTO.

The intent of this communication forum is to have agencies participate in the notification of observed security events and incidents and to share information in order to both contain and resolve incidents in a timely manner. There is no requirement to divulge any sensitive information that may cause distress to the participating agencies.

Information security related legislation and standards

This appendix provides a summary of some of the information security related obligations that apply to Queensland Government agencies.

The contents of this appendix do not constitute legal advice and should not be relied on as a comprehensive statement of information security legislative obligations.

Legislation

Criminal Code Act 1995 (Cth)

Electronic Transactions Act 1999 (Cth)

Electronic Transactions (Queensland) Act 2001 (Qld)

Evidence Act 1977

Financial Accountability Act 2009 (Qld)

Financial and Performance Management Standard 2009 (Qld)

Information Privacy Act 2009 (Qld)

Privacy Act 1988 (Cth)

Public Records Act 2002 (Qld)

Public Sector Ethics Act 1994 (Qld)

Public Service Act 2008 (Qld)

Right to Information Act 2009 (Qld)

Telecommunications Act 1997 (Cth)

Telecommunications (Interception and Access) Act 1979 (Cth).

International/Australian standards and guidelines

AS 2834-1995 Computer accommodation

AS/NZS ISO/IEC 27001:2006 Information technology – Security techniques – Information security management systems – Requirements

AS/NZS ISO/IEC 27002:2006 Information technology – Security techniques – Code of practice for information security management

AS/NZS ISO/IEC 18044:2006 Information technology – Security techniques – Information security incident management

AS/NZS ISO 31000:2009 Risk management – Principles and guidelines

Australian Standards HB 171:2003 Guidelines for the management of IT evidence

Australian Standards HB 221:2004 Business continuity management

Queensland Government Counter Terrorism Strategy 2008-2012 – Department of Premier and Cabinet (function now residing in Queensland Police Service)

Queensland Government Counter Terrorism Plan 2007 – Department of Premier and Cabinet (function now residing in Queensland Police)

Government Asset Protection Framework – Queensland Treasury.

Australian Government standards

PSPF

ISM.

Queensland Government Enterprise Architecture

Business continuity plan documentation guideline

Directory services position

Information security external governance guideline

Identification and classification of information assets guideline

Identity management, authentication and authorisation services position

Implementing internal information security governance guideline

Information risk management best practice guide

Information security event and incident category guideline

Information security event and incident management guideline

Information Security external security governance guideline

Information Standard 2: ICT resources strategic planning

Information Standard 13: Procurement and disposal of ICT products and services

Information Standard 31: Retention and disposal of public records

Information Standard 38: Use of ICT facilities and devices

Information Standard 40: Recordkeeping

Information Standard 44: Information asset custodianship

Network management position

Network transmission security assurance framework

Patch management policy and position

Queensland Government authentication framework

Queensland Government ICT disaster recovery plan development guideline

Queensland Government information risk management guidelines

Queensland Government information security classification framework

Queensland Government information security policy - mandatory clauses.

