Information Standard 18: Information Security - Implementation Guideline

QGEA

Final

July 2011

v1.0.2

PUBLIC

Document details

Security classification: PUBLIC
Date of review of security classification: July 2011
Authority: Queensland Government Chief Information Officer
Author: ICT Policy and Coordination Office
Documentation status: Final version

Contact for enquiries and proposed changes

All enquiries regarding this document should be directed in the first instance to:

Director, Policy Development
ICT Policy and Coordination Office

Acknowledgements

This version of the Information Standard 18: Information Security - Implementation Guideline was developed and updated by the ICT Policy and Coordination Office.

This guideline is based on Annex A Control objectives and controls of the AS/NZS ISO IEC 27001:2006 Information technology – Security techniques – Information security management systems – Requirements. Reproduced with permission from SAI Global under Licence 0911-C028.

Feedback was also received from a number of agencies, including members of the Information Security Reference Group, which was greatly appreciated.

Copyright

Information Standard 18: Information Security - Implementation Guideline

Copyright © The State of Queensland (Department of Public Works) 2010

Information security

This document has been security classified using the Queensland Government Information Security Classification Framework (QGISCF) as PUBLIC and will be managed according to the requirements of the QGISCF.

Contents

1 Introduction
1.1 Purpose
1.2 Audience
1.3 Scope
1.4 Document structure
2 Background
3 Policy, planning and governance
3.1 Information security policy
3.2 Information security plan
3.3 Internal governance
3.4 External party governance
4 Asset management
4.1 Asset protection responsibility
4.2 Information security classification
5 Human resources management
5.1 Pre-employment
5.2 During employment
5.3 Post-employment
6 Physical and environmental management
6.1 Building controls and secure areas
6.2 Equipment security
7 Communications and operations management
7.1 Operational procedures and responsibilities
7.2 Third party service delivery
7.3 Capacity planning and system acceptance
7.4 Application integrity
7.5 Backup procedures
7.6 Network security
7.7 Media handling
7.8 Information exchange
7.9 eCommerce
7.10 Information processing monitoring
8 Access management
8.1 Access control policy
8.2 Authentication
8.3 User access
8.4 User responsibilities
8.5 Network access
8.6 Operating system access
8.7 Application and information access
8.8 Mobile computing and telework access
9 System acquisition, development and maintenance
9.1 System security requirements
9.2 Correct processing
9.3 Cryptographic controls
9.4 System files
9.5 Secure development and support processes
9.6 Technical vulnerability management
10 Incident management
10.1 Event/weakness reporting
10.2 Incident procedures
11 Business continuity management
11.1 Business continuity
11.2 Disaster recovery
12 Compliance management
12.1 Legal requirements
12.2 Policy requirements
12.3 Audit requirements
13 Reporting requirements
13.1 Event and incident information
13.2 VRT communication alerts
Appendix A Information security related legislation and standards


1 Introduction

1.1 Purpose

This guideline provides information and advice for Queensland Government agencies to consider when implementing the mandatory principles of Information Standard 18: Information security (IS18). The requirements of IS18 and this supporting guideline are based on the three elements of information security:

  • confidentiality – ensuring that information is accessible only to those authorised to have access
  • integrity – safeguarding the accuracy and completeness of information and processing methods
  • availability – ensuring that authorised users have access to information and associated assets when required.

These guidelines do not form the mandatory component of IS18 and are for information only. However, they are based on best practice, and agencies are strongly recommended to consider the advice provided in this document.

1.2 Audience

This document is primarily intended for:

  • information security governance bodies
  • information security strategic areas
  • information security operational areas.

1.3 Scope

This guideline supports IS18.

1.4 Document structure

The Queensland Government Information Security Policy Framework (QGISPF) represents information security at two levels of detail. This guideline has been similarly divided into two levels of domains, with the ten level one domains corresponding to the ten mandatory principles in IS18. Please note that a ‘reporting requirements’ heading has also been included to align with IS18. The headings are as follows:

  • policy, planning and governance
  • asset management
  • human resources management
  • physical and environmental management
  • communications and operations management
  • access management
  • system acquisition, development and maintenance
  • incident management
  • business continuity management
  • compliance management
  • reporting requirements.

2 Background

IS18 has been developed to provide agencies with the minimum requirements for information security management. Some agencies may, however, find that their particular environment requires more stringent information security controls to be implemented. In these cases it is suggested that agencies refer to the following for guidance:

  • ISO/IEC 27000 series of standards (incorporating ISO 17799) – the International Standard ISO/IEC 27000 series is available through Standards Australia (SAI Global distributors).
  • Tools and templates (Queensland Government employees only) issued by Security Planning and Coordination, Queensland Police Service (a function formerly residing in the Department of Premier and Cabinet).
  • Australian Government Protective Security Policy Framework – the Australian Government Protective Security Policy Framework (PSPF) is issued by the Attorney-General’s Department. It is restricted to Government agencies and can be purchased by email. The PSPF has superseded the Australian Government Protective Security Manual (PSM) as of June 2010.
  • Australian Government Information Security Manual – the Australian Government Information Security Manual (ISM) is available through the Department of Defence – Defence Signals Directorate website.

Agencies may also consider the application of various methods and industry frameworks for managing their agency information security.

Note that the Queensland Government is not legislatively obliged to comply with the PSPF and ISM. However, the Queensland Government is a signatory to a Memorandum of Understanding that commits it to engage in practices consistent with these manuals.

There are a number of other documents that support implementation of IS18 that have been produced by the ICT Policy and Coordination Office. These documents are referred to throughout this document and also in Figure 1 (page 7).

Figure 1: IS18: Information security supporting documents organised by mandatory principle

3 Policy, planning and governance

3.1 Information security policy

The agency information security policy serves as the foundation for information security management within the agency. The development of this policy is the first step in establishing management commitment and the responsibilities for information security within the agency, and it should therefore be concise and clear. The Information Security Policy – Mandatory Clauses has been developed to assist agencies in the development of their information security policy; it details the minimum set of mandatory requirements and quality criteria that must be included within the agency policy and makes suggestions for agency-specific considerations.

3.2 Information security plan

The level of detail contained in the agency’s information security plan should be commensurate with the complexity of the agency’s information environment, its business functions and the information security risks that it faces. The suggested approach for the development of the plan is to:

  • develop an overarching information security plan, which outlines the security program for the agency as a whole
  • support this information security plan with a number of detailed plans for each separate entity/agency portfolio and/or significant or high risk agency information systems and processes.

Regardless of the development or format of the plan, information security planning should be integrated into the agency’s culture through its strategic and organisational plans and operational practices. Security considerations should be incorporated into the agency corporate planning process and ICT strategic resource planning, to ensure that the agency information security plan meets the business and operational needs of the agency and its clients.

3.2.1 Suggested steps for developing an information security plan

There are a number of steps which should be used to develop the agency information security plan.

Step 1: Identify agency goals and objectives for information security

Identify linkages between the agency information security policy and all agency corporate plans, strategies, goals and objectives to establish the key areas which may impact on the current or future information security environment of the agency.

Step 2: Identify major information assets and business critical ICT assets

This information may be sourced from the agency’s disaster recovery register. Agencies are required to establish this register under IS18.

Step 3: Conduct a risk assessment

Conduct a risk assessment on the major information assets with the assigned owners of these assets on an annual basis or after any significant change has occurred (eg. machinery-of-Government).

The process or methodology used by the agency to assess security risks should be based on the agency’s preferred risk management processes. In the absence of an agency risk methodology agencies are encouraged to utilise AS/NZS ISO 31000:2009 Risk management – Principles and guidelines.

Step 4: Current situation

Gather information regarding existing agency security policies, procedures and controls and map these against the:

  • data obtained from the risk assessment process
  • mandatory principles of IS18 and/or any other security standards that the agency uses
  • agency’s security architecture targets.

Step 5: Analysis of any gaps and the effectiveness of existing controls

Conduct an analysis of any gaps and the effectiveness of the existing controls against the information obtained from step 4 above.

Step 6: Develop recommendations and strategies

Develop and document the recommended controls and a prioritised plan of actions/strategies which need to be implemented or maintained to achieve the desired level of agency security, how this is to be achieved and who is responsible. Information security plans should provide for treatments that are both cost-effective and appropriate to the level of risk. Where an agency identifies a high level of risk in its information environment (based on the information security classification of the information assets in its care), it is suggested that it consult with specialist information security agencies or industry professional bodies for advice or technical assistance in developing its strategies and plans.

Step 7: Identify outstanding/residual risks that will not be treated

Document any ongoing risks that will remain untreated or assessed as acceptable risks.

Step 8: Obtain agreement on risks and strategies

To ensure that the information security plan meets the requirements of the business, it is important to gain agreement from the information asset owners. This will ensure that the strategies and plan adequately reflect the protection of the assets from a business perspective, and will also inform the prioritisation process for treatment.

Step 9: Develop actions and timetable

Document and develop a detailed plan of activities and actions along with timeframes for implementing the controls and strategies agreed on.

Step 10: Determine resourcing

Document and detail the resourcing requirements for the implementation of the controls and strategies, including the personnel, materials and budget required.

Step 11: Endorsement and publishing of the information security plan

Gain endorsement of the information security plan from the appropriate governance body and senior executive on an annual basis.

Step 12: Implementation of the information security plan

To facilitate a systematic and co-ordinated approach to security and risk management, agencies should establish a structure or framework to help develop and implement the agency information security plan.

Step 13: Ongoing monitoring and review

To ensure that security controls in the agency continue to remain relevant to the agency goals, objectives and operational and business environments, the agency’s information security plan should be reviewed, monitored and reported on, on an ongoing basis. The information gained from these activities is used to inform future agency security plans and strategies.

It is suggested that agencies review their security plan at least annually to identify changes to the risk profile and to assess the effectiveness of existing controls. Further to this, the agency should ensure that security planning becomes an integral component of all agency management, projects and activities rather than an isolated, once-a-year planning activity.

3.2.2 General agency security plan

Whilst the ICT Policy and Coordination Office works with agencies to improve information security practices across the Queensland Government, protective security and counter-terrorism issues throughout Queensland are coordinated by the Queensland Police Service.

The Government Asset Protection (GAP) Project has produced the Guide for general security planning, which agencies should refer to when developing their general agency security plan. Enquiries about this document can be directed to the Queensland Police Service’s Security Planning and Coordination team on 07 3406 3677 or by email.

3.3 Internal governance

The Information Security Internal Governance Guideline provides implementation advice for this domain.

Information on internal governance arrangements for ICT and information management is available in the following documents respectively:

  • Information Standard 2: ICT Resources Strategic Planning
  • Information Security Internal Governance Guideline.

3.4 External party governance

See the Information Security External Party Governance Guideline.

4 Asset management

4.1 Asset protection responsibility

4.1.1 Information assets

It is a requirement of Information Standard 44: Information asset custodianship (IS44) that agencies:

  • identify their information assets
  • establish and maintain an information asset register.

Agencies may wish to use this register, or establish a separate one, to record the information security classification of their information assets. The following documents provide agencies with implementation guidance:

  • IS44
  • Identification and classification of information assets guideline
  • Queensland Government Information Security Classification Framework (QGISCF)
  • Queensland Government Information Security Controls Standard (QGISCS).

Disposal of information assets

For information assets that are public records, their retention and disposal must be managed in accordance with a retention and disposal schedule approved by the State Archivist under the Public Records Act 2002. For further information regarding the disposal of records, agencies should refer to Information Standard 31: Retention and disposal of public records (IS31).

For all other information assets, agencies should refer to the QGISCF and the QGISCS.

Refer to section 4.2 below for guidance on the disposal of equipment.

4.1.2 Control of technology devices

It is a requirement of IS18 and the Information Security Policy – Mandatory Clauses that agencies identify their ICT assets, document them and assign owners for the maintenance of information security controls. ICT assets must be assigned information security controls commensurate with the highest level of security classification applied to the information assets contained within or transmitted via the ICT asset. The following documents provide agencies with further implementation requirements and guidance:

  • Queensland Government Information Security Classification Framework
  • Queensland Government Network Transmission Security Assurance Framework (NTSAF).

In the absence of advice within these documents, agencies should consider guidance from the:

  • PSPF
  • ISM.

4.2 Information security classification

Agencies should refer to the QGISCF, which provides detailed implementation requirements and guidance with respect to the information security classification and control of information assets. Additional advice is available within the QGISCS.

Agencies should be mindful that the information security classification of an information asset does not limit the operation of legislation. For example, a policy document classified as PROTECTED may be assessed as suitable for release under the Right to Information Act 2009. In this situation, the information would need to be reclassified as PUBLIC.

5 Human resources management

5.1 Pre-employment

Depending on the nature of the agency’s business, consideration should be given as to whether:

  • specific information security clauses should be included in terms and conditions of employment (eg. responsibilities and disciplinary processes)
  • additional scrutiny is required during the recruitment and selection phase for positions involving exposure to classified or sensitive information, or where relevant legislation is in place (eg. security assessments and criminal history checks). When dealing with employment for these types of positions, examples of the requirements the agency needs to consider include:
    – the availability of satisfactory character referees
    – the completeness and accuracy of the resume and qualifications
    – security and criminal history checks (where required under legislation or where clearly identified risks can be reduced by such checks)
    – the PSPF, for further information on employing staff who will be dealing with national security classified information.

5.2 During employment

5.2.1 Induction, training and awareness programs

The information security induction, training and awareness program should:

  • address all levels of staff and all areas of the agency
  • cover the following:
    – general employee responsibilities (see Information Security Internal Governance Guideline)
    – information security responsibilities concerned with particular roles (see Information Security Internal Governance Guideline)
    – the correct operation of information systems and ICT facilities and devices (see also Information Standard 38: Use of ICT Facilities and Devices (IS38))
    – reporting of information security events, weaknesses and incidents
    – information security related responsibilities within the agency code of conduct and the disciplinary penalties for breaches
  • be updated regularly to include changes in the information security plan and policy
  • include regular refresher training.

Examples of mechanisms that agencies may consider when developing information security induction, training and awareness programs include:

  • addressing information security responsibilities within the agency’s code of conduct
  • briefing sessions
  • online tutorials
  • regular distribution of educational material (eg. security updates, log-on notices, factsheets, newsletter articles and posters)
  • distributing copies of the agency’s information security policy and obtaining a signed acknowledgement of understanding from each employee (especially those that handle classified information).

It is the responsibility of:

  • managers to ensure that their employees undertake information security induction training and regular refresher training
  • agency employees to understand and follow information security policy and processes.

5.2.2 Roles and responsibilities

High level information security roles and responsibilities are defined within the Information Security Internal Governance Guideline. Agencies should use this guideline as a basis for developing, documenting and assigning information security roles and responsibilities within their environment.