Information security classification controls guideline
Purpose
The Information security classification controls guideline gives agencies practical guidance on the information security controls to apply to their information according to its business impact level (BIL). It supports the Queensland Government Information security classification framework (QGISCF) and the Information and cyber security policy (IS18).
Background
The Information security classification controls guideline (controls guideline) supports agencies meeting the requirements of the Queensland Government Information security classification framework (QGISCF).
The QGISCF requires agencies to assess the business impact level (BIL) of their information and to apply appropriate protection. It also requires application of the ACSC Information Security Manual (ISM) at the PROTECTED level for high confidentiality information.
Agencies are also required to meet the Australian Signals Directorate’s (ASD) Essential Eight, which form eight of the 37 strategies under the Information and cyber security policy (IS18). The controls guideline provides additional recommendations on the Essential Eight maturity level to target, dependent on the BIL of the information being protected.
This controls guideline is based on the 37 Strategies to Mitigate Cyber Security Incidents issued by the ASD. The strategies address targeted cyber intrusions (i.e. those executed by advanced persistent threats such as foreign intelligence services), ransomware and external adversaries with destructive intent, malicious insiders, ‘business email compromise’, and industrial control systems.
Guidance
Referring to the 37 strategies, for each confidentiality classification level (PROTECTED, SENSITIVE, OFFICIAL), this controls guideline:
- makes recommendations about the maturity level at which the Essential Eight should be implemented for that classification level.
- recommends implementing additional controls of the remaining 29 mitigation strategies on a risk basis.
In summary across the full 37 mitigation strategies:
Confidentiality classification level | Recommended Essential Eight implementation level | Remaining 29 mitigation strategies implementation | Total |
---|---|---|---|
OFFICIAL | Maturity Level 1 | 9 * | 17 |
SENSITIVE | Maturity Level 2 | 25 * | 33 |
PROTECTED | Maturity Level 3 | ALL 29 * | 37 |
*see tables below for details on the specific strategies to implement across each classification level.
OFFICIAL information
Agencies should implement the Essential Eight at Maturity Level 1 (ML1)
Achieving Maturity Level 1 for the Essential Eight controls for systems that store, transmit or manipulate OFFICIAL information reflects the criticality of information meeting a low BIL threshold.
Agencies should implement the following 9 of the remaining 29 mitigation strategies
Category | Title | Mitigation strategy |
---|---|---|
Mitigation strategies to prevent malware delivery and execution | Antivirus software using heuristics and reputation ratings | Antivirus software using heuristics and reputation ratings to check a file’s prevalence and digital signature prior to execution. Use antivirus software from different vendors for gateways versus computers. |
Mitigation strategies to prevent malware delivery and execution | Block spoofed emails | Block spoofed emails. Use Sender Policy Framework (SPF) or Sender ID to check incoming emails. Use ‘hard fail’ SPF TXT and DMARC DNS records to mitigate emails that spoof the organisation’s domain. |
Mitigation strategies to recover data and system availability | Business continuity and disaster recovery plans | Business continuity and disaster recovery plans which are tested, documented and printed in hardcopy with a softcopy stored offline. Focus on the highest priority systems and data to recover. |
Mitigation strategies to limit the extent of cyber security incidents | Disable local administrator accounts | Disable local administrator accounts or assign passphrases that are random and unique for each computer’s local administrator account to prevent propagation using shared local administrator credentials. |
Mitigation strategies to prevent malware delivery and execution | Email content filtering | Email content filtering. Allow only approved attachment types (including in archives and nested archives). Analyse/sanitise hyperlinks, PDF and Microsoft Office attachments. Quarantine Microsoft Office macros. |
Mitigation strategies to prevent malware delivery and execution | Operating system generic exploit mitigation | Operating system generic exploit mitigation e.g. Data Execution Prevention (DEP), Address Space Layout Randomisation (ASLR) and Enhanced Mitigation Experience Toolkit (EMET). |
Mitigation strategies to limit the extent of cyber security incidents | Protect authentication credentials | Protect authentication credentials. Remove CPassword values (MS14-025). Configure WDigest (KB2871997). Use Windows Defender Credential Guard. Change default passphrases. Require long complex passphrases. |
Mitigation strategies to prevent malware delivery and execution | User education | User education. Avoid phishing emails (e.g. with links to login to fake websites), weak passphrases, passphrase reuse, as well as unapproved: removable storage media, connected devices and cloud services. |
Mitigation strategies to prevent malware delivery and execution | Web content filtering | Web content filtering. Allow only approved types of web content and websites with good reputation ratings. Block access to malicious domains and IP addresses, ads, anonymity networks and free domains. |
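The ‘Block spoofed emails’ row above asks for ‘hard fail’ SPF and DMARC records. The script below is an added example, not part of this guideline or of the ASD strategies, that checks published records against that bar: the terminal qualifier on the SPF record must be `-all`, the DMARC policy must be `quarantine` or `reject`, and the record must not exceed the 10 DNS-lookup limit that would make it evaluate as a permanent error. The records it evaluates are constructed strings (domains under the reserved `.example` names), not live DNS answers; a real check would fetch the TXT records for the agency domain and its `_dmarc` subdomain first.

```python
"""Assess SPF and DMARC records for the 'hard fail' requirement.

Added example, not part of the guideline. The records below are constructed
strings, not live DNS answers, so the check runs offline.
"""
import re

# The qualifier on the terminal "all" mechanism tells receivers what to do with
# mail from hosts the record does not list.
SPF_ALL_MEANING = {
    "-": "hard fail",  # reject: what the guideline asks for
    "~": "soft fail",  # accept but mark: spoofed mail still reaches inboxes
    "?": "neutral",    # no assertion at all
    "+": "pass",       # anyone may send as the domain
}

# Terms that each cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def assess_spf(record):
    """Return a verdict dict for one SPF TXT record string."""
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        return {"valid": False, "all_qualifier": None, "lookups": 0,
                "findings": ["not an SPF record (missing v=spf1)"]}
    all_qualifier, lookups, findings = None, 0, []
    for term in terms[1:]:
        qualifier, body = "+", term          # an unqualified mechanism means "+"
        if term[0] in "+-~?":
            qualifier, body = term[0], term[1:]
        name = re.split(r"[:/=]", body, maxsplit=1)[0].lower()
        if name == "all":
            all_qualifier = qualifier
        elif name in LOOKUP_TERMS:
            lookups += 1
    if all_qualifier is None:
        findings.append("no terminal 'all' mechanism: unlisted senders are treated as neutral")
    elif all_qualifier != "-":
        findings.append(f"'{all_qualifier}all' gives {SPF_ALL_MEANING[all_qualifier]}, not hard fail")
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceed the limit of 10 (permerror)")
    return {"valid": True, "all_qualifier": all_qualifier, "lookups": lookups, "findings": findings}


def assess_dmarc(record):
    """Return a verdict dict for one DMARC TXT record string."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return {"valid": False, "policy": None, "findings": ["not a DMARC record (missing v=DMARC1)"]}
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        findings.append(f"p={policy or '<missing>'} does not enforce; need quarantine or reject")
    # sp defaults to p, so only an explicitly weaker sp is a separate finding
    if "sp" in tags and tags["sp"].lower() not in ("quarantine", "reject"):
        findings.append(f"sp={tags['sp']} leaves subdomains unprotected")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct} applies the policy to only part of the mail stream")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports will not be received")
    return {"valid": True, "policy": policy, "findings": findings}


def domain_verdict(spf_record, dmarc_record):
    """Combine both checks: compliant only when SPF hard-fails and DMARC enforces."""
    spf, dmarc = assess_spf(spf_record), assess_dmarc(dmarc_record)
    compliant = spf["valid"] and dmarc["valid"] and not spf["findings"] and not dmarc["findings"]
    return {"compliant": compliant, "findings": spf["findings"] + dmarc["findings"]}


# Constructed records for a well-configured and a weakly configured domain.
GOOD_SPF = "v=spf1 include:_spf.mailgateway.example ip4:203.0.113.0/24 -all"
GOOD_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@agency.example"
WEAK_SPF = "v=spf1 a mx include:legacy.example ~all"
WEAK_DMARC = "v=DMARC1; p=none; pct=50"

if __name__ == "__main__":
    for label, spf, dmarc in (("good", GOOD_SPF, GOOD_DMARC), ("weak", WEAK_SPF, WEAK_DMARC)):
        print(label, domain_verdict(spf, dmarc))
```

The soft-fail case (`~all`) is the one most often found in practice: receivers accept the spoofed message and at most mark it, so the ‘hard fail’ wording in the strategy is the substantive requirement, not a stylistic preference.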
SENSITIVE information
Agencies should implement the Essential Eight at Maturity Level 2 (ML2)
Achieving Maturity Level 2 for the Essential Eight controls for systems that store, transmit or manipulate SENSITIVE information reflects the criticality of information meeting a medium BIL threshold.
Agencies should implement the following 25 of the remaining 29 mitigation strategies
Category | Title | Mitigation Strategy |
---|---|---|
Mitigation strategies to prevent malware delivery and execution | Antivirus software using heuristics and reputation ratings | Antivirus software using heuristics and reputation ratings to check a file’s prevalence and digital signature prior to execution. Use antivirus software from different vendors for gateways versus computers. |
Mitigation strategies to prevent malware delivery and execution | Antivirus software with up-to-date signatures | Antivirus software with up-to-date signatures to identify malware, from a vendor that rapidly adds signatures for new malware. Use antivirus software from different vendors for gateways versus computers. |
Mitigation strategies to prevent malware delivery and execution | Automated dynamic analysis of email and web content run in a sandbox | Automated dynamic analysis of email and web content run in a sandbox, blocked if suspicious behaviour is identified (e.g. network traffic, new or modified files, or other system configuration changes). |
Mitigation strategies to prevent malware delivery and execution | Block spoofed emails | Block spoofed emails. Use Sender Policy Framework (SPF) or Sender ID to check incoming emails. Use ‘hard fail’ SPF TXT and DMARC DNS records to mitigate emails that spoof the organisation’s domain. |
Mitigation strategies to recover data and system availability | Business continuity and disaster recovery plans | Business continuity and disaster recovery plans which are tested, documented and printed in hardcopy with a softcopy stored offline. Focus on the highest priority systems and data to recover. |
Mitigation strategies to detect cyber security incidents and respond | Capture network traffic | Capture network traffic to and from corporate computers storing important data or considered as critical assets, and network traffic traversing the network perimeter, to perform incident detection and analysis. |
Mitigation strategies to prevent malware delivery and execution | Deny corporate computers direct internet connectivity | Deny corporate computers direct internet connectivity. Use a gateway firewall to require use of a split DNS server, an email server and an authenticated web proxy server for outbound web connections. |
Mitigation strategies to limit the extent of cyber security incidents | Disable local administrator accounts | Disable local administrator accounts or assign passphrases that are random and unique for each computer’s local administrator account to prevent propagation using shared local administrator credentials. |
Mitigation strategies to prevent malware delivery and execution | Email content filtering | Email content filtering. Allow only approved attachment types (including in archives and nested archives). Analyse/sanitise hyperlinks, PDF and Microsoft Office attachments. Quarantine Microsoft Office macros. |
Mitigation strategies to detect cyber security incidents and respond | Endpoint detection and response software | Endpoint detection and response software on all computers to centrally log system behaviour and facilitate cyber security incident response activities. Microsoft’s free SysMon tool is an entry level option. |
Mitigation strategies to detect cyber security incidents and respond | Host-based intrusion detection/prevention system | Host-based intrusion detection/prevention system to identify anomalous behaviour during program execution (e.g. process injection, keystroke logging, driver loading and persistence). |
Mitigation strategies to limit the extent of cyber security incidents | Network segmentation | Network segmentation. Deny traffic between computers unless required. Constrain devices with low assurance (e.g. BYOD and IoT). Restrict access to network drives and data repositories based on user duties. |
Mitigation strategies to detect cyber security incidents and respond | Network-based intrusion detection/prevention system | Network-based intrusion detection/prevention system using signatures and heuristics to identify anomalous traffic both internally and crossing network perimeter boundaries. |
Mitigation strategies to limit the extent of cyber security incidents | Non-persistent virtualised sandboxed environment | Non-persistent virtualised sandboxed environment, denying access to important (sensitive/high-availability) data, for risky activities (e.g. web browsing, and viewing untrusted Microsoft Office and PDF files). |
Mitigation strategies to prevent malware delivery and execution | Operating system generic exploit mitigation | Operating system generic exploit mitigation e.g. Data Execution Prevention (DEP), Address Space Layout Randomisation (ASLR) and Enhanced Mitigation Experience Toolkit (EMET). |
Mitigation strategies to prevent malware delivery and execution | Operating system hardening | Operating system hardening (including for network devices) based on a Standard Operating Environment, disabling unneeded functionality (e.g. RDP, AutoRun, LanMan, SMB/NetBIOS, LLMNR and WPAD). |
Mitigation strategies to limit the extent of cyber security incidents | Outbound web and email data loss prevention | Outbound web and email data loss prevention. Block unapproved cloud computing services. Log recipient, size and frequency of outbound emails. Block and log emails with sensitive words or data patterns. |
Mitigation strategies to limit the extent of cyber security incidents | Protect authentication credentials | Protect authentication credentials. Remove CPassword values (MS14-025). Configure WDigest (KB2871997). Use Windows Defender Credential Guard. Change default passphrases. Require long complex passphrases. |
Mitigation strategies to prevent malware delivery and execution | Server application hardening | Server application hardening especially internet-accessible web applications (sanitise input and use TLS not SSL) and databases, as well as applications that access important (sensitive/high-availability) data. |
Mitigation strategies to limit the extent of cyber security incidents | Software-based application firewall, blocking incoming network traffic | Software-based application firewall, blocking incoming network traffic that is malicious/unauthorised, and denying network traffic by default (e.g. unneeded/unauthorised RDP and SMB/NetBIOS traffic). |
Mitigation strategies to limit the extent of cyber security incidents | Software-based application firewall, blocking outgoing network traffic | Software-based application firewall, blocking outgoing network traffic that is not generated by approved/trusted programs, and denying network traffic by default. |
Mitigation strategies to recover data and system availability | System recovery capabilities | System recovery capabilities e.g. virtualisation with snapshot backups, remotely installing operating systems and applications on computers, approved enterprise mobility, and onsite vendor support contracts. |
Mitigation strategies to prevent malware delivery and execution | TLS encryption between email servers | TLS encryption between email servers to help prevent legitimate emails being intercepted and subsequently leveraged for social engineering. Perform content scanning after email traffic is decrypted. |
Mitigation strategies to prevent malware delivery and execution | User education | User education. Avoid phishing emails (e.g. with links to login to fake websites), weak passphrases, passphrase reuse, as well as unapproved: removable storage media, connected devices and cloud services. |
Mitigation strategies to prevent malware delivery and execution | Web content filtering | Web content filtering. Allow only approved types of web content and websites with good reputation ratings. Block access to malicious domains and IP addresses, ads, anonymity networks and free domains. |
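The ‘Outbound web and email data loss prevention’ row above asks agencies to log recipient, size and frequency of outbound email and to block and log messages carrying sensitive words or data patterns. The script below is an added example, not part of this guideline, showing how a mail-gateway policy could apply those three checks together: classification markings (PROTECTED, SENSITIVE) leaving for an unapproved domain and Luhn-valid payment card numbers are blocked, while oversized messages and bursts of external sends by one sender are logged. The agency domain, the approved partner domain, the thresholds and the messages are all constructed for illustration.

```python
"""Outbound email data loss prevention over constructed mail-gateway records.

Added example, not part of the guideline. The domains, thresholds and messages
are constructed; a real deployment would read these records from the gateway's
log and enforce the BLOCK decision there.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

INTERNAL_DOMAIN = "agency.example"            # assumed agency mail domain
APPROVED_EXTERNAL = {"partner.example"}       # assumed approved partner domain
SIZE_LOG_THRESHOLD = 10 * 1024 * 1024          # log external messages over 10 MiB
BURST_LIMIT = 5                                # external sends allowed per window
BURST_WINDOW = timedelta(minutes=10)

MARKING_RE = re.compile(r"\b(PROTECTED|SENSITIVE)\b")   # classification markings
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")        # candidate card numbers


def luhn_ok(digits):
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def card_numbers(text):
    """Digit runs of 13-16 that pass Luhn; filters out most phone and reference numbers."""
    found = []
    for match in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", match.group(0))
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            found.append(digits)
    return found


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower()


def evaluate(messages):
    """Return {message id: (decision, reasons)}; decision is BLOCK, LOG or ALLOW."""
    results = {}
    external_sends = defaultdict(list)   # sender -> timestamps of recent external sends
    for msg in sorted(messages, key=lambda m: m["ts"]):
        ts = datetime.fromisoformat(msg["ts"])       # constructed timestamps are UTC
        external = [r for r in msg["recipients"] if domain_of(r) != INTERNAL_DOMAIN]
        block, log = [], []
        if external:
            text = msg["subject"] + "\n" + msg["body"]
            unapproved = [r for r in external if domain_of(r) not in APPROVED_EXTERNAL]
            marking = MARKING_RE.search(text)
            if marking and unapproved:
                block.append(f"{marking.group(1)} marking sent to unapproved domain {domain_of(unapproved[0])}")
            cards = card_numbers(text)
            if cards:
                block.append(f"{len(cards)} payment card number(s) in outbound message")
            if msg["size"] > SIZE_LOG_THRESHOLD:
                log.append(f"external message of {msg['size']} bytes exceeds size threshold")
            recent = [t for t in external_sends[msg["sender"]] if ts - t <= BURST_WINDOW]
            recent.append(ts)
            external_sends[msg["sender"]] = recent
            if len(recent) > BURST_LIMIT:
                log.append(f"{len(recent)} external sends by {msg['sender']} within {BURST_WINDOW}")
        decision = "BLOCK" if block else "LOG" if log else "ALLOW"
        results[msg["id"]] = (decision, block + log)
    return results


def _msg(mid, ts, sender, recipients, size=2048, subject="Update", body="See attached."):
    return {"id": mid, "ts": ts, "sender": sender, "recipients": recipients,
            "size": size, "subject": subject, "body": body}


# Constructed sample: one message per rule, plus a burst of six external sends.
SAMPLE = [
    _msg("m1", "2024-05-02T09:00:00", "alice@agency.example", ["bob@partner.example"],
         body="Draft marked SENSITIVE for the approved partner."),
    _msg("m2", "2024-05-02T09:05:00", "alice@agency.example", ["eve@webmail.example"],
         body="Contains the PROTECTED assessment, do not forward."),
    _msg("m3", "2024-05-02T09:07:00", "carol@agency.example", ["dave@agency.example"],
         body="Internal PROTECTED note."),
    _msg("m4", "2024-05-02T09:10:00", "frank@agency.example", ["x@webmail.example"],
         body="Card 4111 1111 1111 1111 exp 12/27, reference 2024050200012"),
    _msg("m5", "2024-05-02T09:12:00", "grace@agency.example", ["y@vendor.example"],
         size=15 * 1024 * 1024),
] + [
    _msg(f"b{i}", f"2024-05-02T10:0{i}:00", "mallory@agency.example", [f"r{i}@webmail.example"])
    for i in range(6)
]

if __name__ == "__main__":
    for mid, (decision, reasons) in evaluate(SAMPLE).items():
        print(mid, decision, reasons)
```

The Luhn check is what keeps the card-number rule usable: a bare 13-to-16-digit pattern would also fire on reference numbers and long phone strings, and a rule that blocks legitimate mail is the first one an operator switches off.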
PROTECTED information
Agencies should implement the Essential Eight at Maturity Level 3 (ML3)
Achieving Maturity Level 3 for the Essential Eight controls for systems that store, transmit or manipulate PROTECTED information reflects the criticality of information meeting a high BIL threshold.
Agencies should implement all remaining 29 mitigation strategies
Category | Title | Mitigation Strategy |
---|---|---|
Mitigation strategies to prevent malware delivery and execution | Antivirus software using heuristics and reputation ratings | Antivirus software using heuristics and reputation ratings to check a file’s prevalence and digital signature prior to execution. Use antivirus software from different vendors for gateways versus computers. |
Mitigation strategies to prevent malware delivery and execution | Antivirus software with up-to-date signatures | Antivirus software with up-to-date signatures to identify malware, from a vendor that rapidly adds signatures for new malware. Use antivirus software from different vendors for gateways versus computers. |
Mitigation strategies to prevent malware delivery and execution | Automated dynamic analysis of email and web content run in a sandbox | Automated dynamic analysis of email and web content run in a sandbox, blocked if suspicious behaviour is identified (e.g. network traffic, new or modified files, or other system configuration changes). |
Mitigation strategies to prevent malware delivery and execution | Block spoofed emails | Block spoofed emails. Use Sender Policy Framework (SPF) or Sender ID to check incoming emails. Use ‘hard fail’ SPF TXT and DMARC DNS records to mitigate emails that spoof the organisation’s domain. |
Mitigation strategies to recover data and system availability | Business continuity and disaster recovery plans | Business continuity and disaster recovery plans which are tested, documented and printed in hardcopy with a softcopy stored offline. Focus on the highest priority systems and data to recover. |
Mitigation strategies to detect cyber security incidents and respond | Capture network traffic | Capture network traffic to and from corporate computers storing important data or considered as critical assets, and network traffic traversing the network perimeter, to perform incident detection and analysis. |
Mitigation strategies to detect cyber security incidents and respond | Continuous incident detection and response | Continuous incident detection and response with automated immediate analysis of centralised time-synchronised logs of allowed and denied computer events, authentication, file access and network activity. |
Mitigation strategies to prevent malware delivery and execution | Control removable storage media and connected devices | Control removable storage media and connected devices. Block unapproved CD/DVD/USB storage media. Block connectivity with unapproved smartphones, tablets and Bluetooth/Wi-Fi/3G/4G/5G devices. |
Mitigation strategies to prevent malware delivery and execution | Deny corporate computers direct internet connectivity | Deny corporate computers direct internet connectivity. Use a gateway firewall to require use of a split DNS server, an email server and an authenticated web proxy server for outbound web connections. |
Mitigation strategies to limit the extent of cyber security incidents | Disable local administrator accounts | Disable local administrator accounts or assign passphrases that are random and unique for each computer’s local administrator account to prevent propagation using shared local administrator credentials. |
Mitigation strategies to prevent malware delivery and execution | Email content filtering | Email content filtering. Allow only approved attachment types (including in archives and nested archives). Analyse/sanitise hyperlinks, PDF and Microsoft Office attachments. Quarantine Microsoft Office macros. |
Mitigation strategies to detect cyber security incidents and respond | Endpoint detection and response software | Endpoint detection and response software on all computers to centrally log system behaviour and facilitate cyber security incident response activities. Microsoft’s free SysMon tool is an entry level option. |
Mitigation strategies to detect cyber security incidents and respond | Host-based intrusion detection/prevention system | Host-based intrusion detection/prevention system to identify anomalous behaviour during program execution (e.g. process injection, keystroke logging, driver loading and persistence). |
Mitigation strategies to detect cyber security incidents and respond | Hunt to discover incidents | Hunt to discover incidents based on knowledge of adversary tradecraft. Leverage threat intelligence consisting of analysed threat data with context enabling mitigating action, not just indicators of compromise. |
Mitigation strategies to limit the extent of cyber security incidents | Network segmentation | Network segmentation. Deny traffic between computers unless required. Constrain devices with low assurance (e.g. BYOD and IoT). Restrict access to network drives and data repositories based on user duties. |
Mitigation strategies to detect cyber security incidents and respond | Network-based intrusion detection/prevention system | Network-based intrusion detection/prevention system using signatures and heuristics to identify anomalous traffic both internally and crossing network perimeter boundaries. |
Mitigation strategies to limit the extent of cyber security incidents | Non-persistent virtualised sandboxed environment | Non-persistent virtualised sandboxed environment, denying access to important (sensitive/high-availability) data, for risky activities (e.g. web browsing, and viewing untrusted Microsoft Office and PDF files). |
Mitigation strategies to prevent malware delivery and execution | Operating system generic exploit mitigation | Operating system generic exploit mitigation e.g. Data Execution Prevention (DEP), Address Space Layout Randomisation (ASLR) and Enhanced Mitigation Experience Toolkit (EMET). |
Mitigation strategies to prevent malware delivery and execution | Operating system hardening | Operating system hardening (including for network devices) based on a Standard Operating Environment, disabling unneeded functionality (e.g. RDP, AutoRun, LanMan, SMB/NetBIOS, LLMNR and WPAD). |
Mitigation strategies to limit the extent of cyber security incidents | Outbound web and email data loss prevention | Outbound web and email data loss prevention. Block unapproved cloud computing services. Log recipient, size and frequency of outbound emails. Block and log emails with sensitive words or data patterns. |
Mitigation strategy specific to preventing malicious insiders | Personnel management | Personnel management e.g. ongoing vetting especially for users with privileged access, immediately disable all accounts of departing users, and remind users of their security obligations and penalties. |
Mitigation strategies to limit the extent of cyber security incidents | Protect authentication credentials | Protect authentication credentials. Remove CPassword values (MS14-025). Configure WDigest (KB2871997). Use Windows Defender Credential Guard. Change default passphrases. Require long complex passphrases. |
Mitigation strategies to prevent malware delivery and execution | Server application hardening | Server application hardening especially internet-accessible web applications (sanitise input and use TLS not SSL) and databases, as well as applications that access important (sensitive/high-availability) data. |
Mitigation strategies to limit the extent of cyber security incidents | Software-based application firewall, blocking incoming network traffic | Software-based application firewall, blocking incoming network traffic that is malicious/unauthorised, and denying network traffic by default (e.g. unneeded/unauthorised RDP and SMB/NetBIOS traffic). |
Mitigation strategies to limit the extent of cyber security incidents | Software-based application firewall, blocking outgoing network traffic | Software-based application firewall, blocking outgoing network traffic that is not generated by approved/trusted programs, and denying network traffic by default. |
Mitigation strategies to recover data and system availability | System recovery capabilities | System recovery capabilities e.g. virtualisation with snapshot backups, remotely installing operating systems and applications on computers, approved enterprise mobility, and onsite vendor support contracts. |
Mitigation strategies to prevent malware delivery and execution | TLS encryption between email servers | TLS encryption between email servers to help prevent legitimate emails being intercepted and subsequently leveraged for social engineering. Perform content scanning after email traffic is decrypted. |
Mitigation strategies to prevent malware delivery and execution | User education | User education. Avoid phishing emails (e.g. with links to login to fake websites), weak passphrases, passphrase reuse, as well as unapproved: removable storage media, connected devices and cloud services. |
Mitigation strategies to prevent malware delivery and execution | Web content filtering | Web content filtering. Allow only approved types of web content and websites with good reputation ratings. Block access to malicious domains and IP addresses, ads, anonymity networks and free domains. |
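The ‘Continuous incident detection and response’ row above depends on centralised logs being time-synchronised: a correlation across hosts is only meaningful when their clocks agree. The script below is an added example, not part of this guideline, that shows why. It ingests constructed authentication records that carry both the collector’s receipt time and the source host’s own timestamp, flags any host whose clock drifts beyond a tolerance, and then runs one correlation rule over the remaining records (an allowed logon for a user that follows a run of denied logons within a short window, on any host). The log format, hosts, users and thresholds are all constructed for illustration.

```python
"""Continuous detection over centralised, time-synchronised logs.

Added example, not part of the guideline. Each constructed record carries the
timestamp the collector stamped on receipt and the timestamp the source host
wrote, so the clock-skew check can be shown beside a cross-host correlation.
"""
from collections import defaultdict
from datetime import datetime, timedelta

MAX_SKEW = timedelta(minutes=5)   # tolerance before a source is flagged out of sync
FAIL_THRESHOLD = 4                # denied logons that make a later success suspicious
FAIL_WINDOW = timedelta(minutes=5)

# Constructed records: collector_receipt source_timestamp host user result
RAW_LOG = """\
2024-05-02T08:00:01 2024-05-02T08:00:00 ws01 alice denied
2024-05-02T08:00:31 2024-05-02T08:00:30 ws01 alice denied
2024-05-02T08:01:01 2024-05-02T08:01:00 ws01 alice denied
2024-05-02T08:01:31 2024-05-02T08:01:30 ws01 alice denied
2024-05-02T08:02:01 2024-05-02T08:02:00 srv02 alice allowed
2024-05-02T08:03:01 2024-05-02T08:03:00 ws03 bob denied
2024-05-02T08:03:31 2024-05-02T08:03:30 ws03 bob allowed
2024-05-02T08:04:01 2024-05-02T07:20:00 ws07 carol denied
2024-05-02T08:04:31 2024-05-02T07:20:30 ws07 carol allowed
"""


def parse(raw):
    """Turn the constructed line format into records with parsed timestamps."""
    records = []
    for line in raw.strip().splitlines():
        received, stamped, host, user, result = line.split()
        records.append({"received": datetime.fromisoformat(received),
                        "stamped": datetime.fromisoformat(stamped),
                        "host": host, "user": user, "result": result})
    return records


def clock_skew(records, max_skew=MAX_SKEW):
    """Hosts whose own timestamps drift from the collector's receipt time beyond max_skew."""
    worst = {}
    for rec in records:
        skew = abs(rec["received"] - rec["stamped"])
        if skew > worst.get(rec["host"], timedelta(0)):
            worst[rec["host"]] = skew
    return sorted(host for host, skew in worst.items() if skew > max_skew)


def detect_failed_then_success(records, threshold=FAIL_THRESHOLD, window=FAIL_WINDOW):
    """Alert when a user's allowed logon follows >= threshold denials within window, on any host."""
    unsynced = set(clock_skew(records))
    failures = defaultdict(list)     # user -> timestamps of recent denied logons
    alerts = []
    for rec in sorted(records, key=lambda r: r["stamped"]):
        if rec["host"] in unsynced:
            continue   # its events cannot be ordered against the other hosts
        user, t = rec["user"], rec["stamped"]
        if rec["result"] == "denied":
            failures[user].append(t)
        elif rec["result"] == "allowed":
            recent = [f for f in failures[user] if t - f <= window]
            if len(recent) >= threshold:
                alerts.append((user, rec["host"], len(recent)))
            failures[user] = []
    return alerts


if __name__ == "__main__":
    records = parse(RAW_LOG)
    print("out-of-sync hosts:", clock_skew(records))
    print("alerts:", detect_failed_then_success(records))
```

Skipping an unsynchronised host is the conservative choice for an automated rule; operationally the skew finding is itself an alert, since a host whose clock is wrong by 44 minutes cannot be placed in any timeline during incident response.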
Advice
This guideline should be read in conjunction with: