Skip links and keyboard navigation

Information security classification framework (QGISCF)

Document type:
Framework
Version:
Final v5.0.1
Status:
CurrentMandated
Owner:
QGCDG
Effective:
February 2020–current
Security classification:
OFFICIAL-Public
Category:
Cyber security

Executive summary

The Queensland Government Information Security Classification Framework (QGISCF) supports the Information security policy (IS18:2018).

Agencies should classify their information and information assets according to business impact and implement appropriate controls according to the classification.

To apply information classification at the enterprise level an organisation needs to:

  • determine its business impact levels (BILs) from the loss, compromise, and misuse of information for the agency in terms of the impact to confidentiality (C), integrity (I) and availability (A)
  • analyse the organisation's information and information assets against the business impact levels it has created and assign C, I, A values
  • determine and apply appropriate controls to safeguard the information and information assets in a consistent manner
  • regularly assess whether the controls assigned for C, I and A values are adequate to maintain the organisation within its chosen risk tolerance level.

An assessment tool is available to assist agencies in determining their BILs.

Information that has been assessed as having a high business impact level to confidentiality (C), integrity (I) or availability (A) may only be stored or processed offshore where the agency:

  • has undertaken a risk assessment related to the C, I and A business impacts
  • accountable officer or delegate has documented his or her acceptance of the off shored information risk assessment.

The Confidentiality labels are OFFICIAL (low or negligible confidentiality impact), SENSITIVE (moderate confidentiality impact) and PROTECTED (high confidentiality impact). Where an agency has determined high confidentiality information to be at the PROTECTED level, an agency must consider the PROTECTED controls outlined in the current Australian Government Information security manual (Opens in new window) (Opens in new window) published by the Australian Cyber Security Centre (Opens in new window) .

Where an information asset is shared between government agencies, partner agencies should apply equivalent controls to those determined by the information-owning agency to be adequate.

Introduction

Purpose

This document, the Queensland Government Information Security Classification Framework (QGISCF), supports the Information Security Policy (IS18:2018). It sets the minimum requirements for information security classification.

Information security (IS18:2018) Policy Requirement 3: Agencies must meet minimum security requirements states that To ensure a consistent security posture and promote information sharing, Queensland Government departments must comply with the Queensland Government Information Security Classification Framework (QGISCF).

Consistent classification of information helps Queensland Government agencies make more informed and timely decisions about how they should capture, store, maintain, transmit, process, use and share information to best deliver services to Queenslanders.

The confidentiality labels are OFFICIAL (low or negligible confidentiality impact), SENSITIVE (moderate confidentiality impact) and PROTECTED (high confidentiality impact).

Agencies must:

  • determine impact from loss of confidentiality, integrity and availability to information on a risk basis and assign the relevant security classifications
  • apply appropriate controls to safeguard confidentiality, integrity and availability of information
  • label all new information with a higher confidentiality level than OFFICIAL.

Information that has been assessed as having a 'high' business impact level to confidentiality (C), integrity (I) or availability (A) may only be stored or processed offshore where the agency:

  • has undertaken a risk assessment related to the C, I and A business impacts
  • accountable officer or delegate has documented acceptance of the off shored information risk assessment.

Where an agency has determined information has a 'High' Confidentiality Business Impact and warrants the PROTECTED label, the agency must consider applying the PROTECTED controls outlined in the current Australian Government Information Security Manual (Opens in new window) (Opens in new window) published by the Australian Cyber Security Centre.

Agencies should:

  • record gaps between the agency treatment of PROTECTED information and the current ASD information security manual in the agency risk register and share this with partner agencies
  • apply labels to all information to signify confidentiality levels
  • document the maximum security classification levels and other usage restrictions for their information assets
  • educate users about responsibilities and handling requirements for handling and use of information over its lifecycle.

Custodians of information should maintain a control environment deemed adequate by the information owner.

Scope

This framework provides a process and direction for determining the security classification of information considering the three elements of information security.


ElementDefinition
Confidentiality Risk of unauthorised/inappropriate disclosure or release
Integrity Risk to information quality
Availability Risk to information not being available to authorised users

Information security consideration descriptions

National security

The QGISCF does not provide specific guidance for handling national security information, classified material or systems that are assessed to have confidentiality requirements above PROTECTED. Where an agency has cause to handle such material/systems, it should refer to the Australian Government (Opens in new window) Protective Security Policy Framework and the Security and Counter-Terrorism Command in Queensland Police Service. Telephone 07 3364 3665 or email counter.terrorism@police.qld.gov.au

Audience

Queensland Government information must be security assessed. This document is intended for the use of employees and contractors within Queensland Government agencies.

It will be relevant to:

  • information owners, information asset custodians and users who are responsible for classification and control of Queensland Government information assets
  • users of the information for any relevant and responsible purposes, including sharing or processing the information
  • any people who are designing agency services such as business process specialists, service designers and system architects
  • business managers, external third parties and service stakeholders
  • information security managers and auditors who may assess the security of services
  • records managers and others who have responsibility for managing classified information assets over time
  • chief information officers and other ICT managers and employees responsible for the supply and operation of information systems.

Implementation

This framework must be used by all Queensland Government agencies to assess the information security of their information and information assets.

The classification assessment levels are as follows.

Confidentiality-integrity-availability

Information security confidentiality, integrity and availability

The organisation should identify and apply assessment levels for confidentiality, integrity and availability impact to their information. The assessment levels are used to identify which controls are appropriate to safeguard that information.

Where an agency shares information with partner agencies, there is an expectation that the partner agencies will apply equivalent controls. It is good practice to document the business impact levels for information and relevant control expectations between agencies when they share information. In some cases, a classification guide may be useful. Guides give users greater clarity in determining classification levels using specific examples relevant to the subject matter.

There is not always a direct relationship between confidentiality, integrity and availability.
For example, information might have a low or negligible confidentiality requirement and be assigned an OFFICIAL classification level. However, it might also have a high integrity and medium availability assessment.

In that case, the control selection would skew towards a control set that enhanced integrity as much as possible, did not unnecessarily restrict availability, and met the departments minimum control requirements for confidentiality.

Information offshore data storage and processing

Information that has been assessed as having a 'high' business impact level to confidentiality (C), integrity (I) or availability (A) may only be stored or processed offshore where the agency:

  • has undertaken a risk assessment related to the C, I and A business impacts; and
  • accountable officer or delegate has documented his/her acceptance of the off shored information risk assessment.

The risk assessment related to the C, I and A business impacts should consider the following threat areas:

Integrity assessment

Information integrity refers to how well the information reflects its underlying subject. ISO/IEC 27000:2016 defines integrity as the property of accuracy and completeness. (2.40)

Information integrity may be compromised by accident or by a (semantic) attack. Such attacks can be especially destructive against financial systems (e.g. Fraud) and SCADA[1](e.g. Stuxnet). With the rise of the Internet of Things, information integrity, including data quality, will be an increasing concern.

For example, an organisation maintains a list of widget quantities stored in its warehouse. The information integrity of the list relates to the accuracy and completeness of the list relative to the number of actual physical widgets held in the warehouse.

Following an assessment of business impact levels for the list. The list is assessed to have a high integrity BIL requirement. Because of the high BIL, the organisation identifies controls which ensure that when audited during the annual physical stocktake, the list of widget quantities is highly accurate and complete.

The business impact of inadequate information integrity may differ for different information assets. Inadequate information integrity in a financial system will almost certainly have significant financial and/or legal consequences; whereas inadequate information integrity in an email distribution list may only result in inconvenience and slight embarrassment.

The integrity level of 'low or none', 'medium' or 'high' should describe the business impact given a hazard event where inappropriate or unauthorised changes have reduced the integrity of the information. The higher the integrity requirement, the more control should be implemented to safeguard information against inappropriate or unauthorised change.

The outcome of information security integrity assessment should be an indication of the business impact should the integrity of information be compromised. Information integrity levels are determined by the agency business needs, but at a minimum, information should be stored, handled and disposed of in accordance with the Public Records Act 2002 (Qld). Other specific legislation, such as the Information Privacy Act 2009 (Qld) (Opens in new window) (Opens in new window) and financial accountability regulations may also create information integrity requirements for agencies.

Appendix A is an example of how a business impact assessment can be used to assess integrity levels.

Availability assessment

For information to be useful and serve the organisation's purpose, it must reliably be available when it is needed and, in a form that is able to be consumed by users. Information availability refers to how accessible information is for an intended user or audience at the time the information is required.

Agencies must determine the availability requirements of information that they own and manage and the business impact if the information is not available to the right people or systems at the right time.

For example, inadequate information availability of a patients electronic health record can have significant impacts to a clinicians ability to deliver quality health care. In an emergency department, the information needs to be available to clinicians within a short time of being required. The information needs to have a High availability assessment.

The same information, where it is accessed within a billing system, may have a Low availability requirement.

The outcome of Information security availability assessment of 'high', 'medium' or 'low' is based on the business impact should the information availability be compromised. Information availability assessment levels are determined by the agency business needs.

Information availability can be compromised because of both human directed (intentional) and non-directed (unintentional) events. Unintentional events include failure of equipment due to lack of maintenance or a natural occurrence such as a cyclone. Intentional attacks, such as denial of service attacks cause disruption of normal functioning of information systems, leading to availability compromise over varying timescales.

Agencies should assess the risk that loss of information availability might cause damage to the organisation and consider whether specific controls are warranted. In many cases, planned and tested business continuity and disaster recovery processes will provide significant mitigation to information availability risk, however, where information is assessed to have a high availability impact, there may be a need for additional controls or approaches to ensure information is available to the right people and systems within the time tolerance required.

Appendix B may assist in identifying availability objectives to support business impact requirements.

Confidentiality assessment

An information security confidentiality assessment examines the impact should the information be inappropriately released. A confidentiality level can be applied to individual documents or information assets. The information security (confidentiality) level applied to a document or data element flags how access to the information should be restricted and the efforts that should be made in doing so.

Confidentiality classification labels

The confidentiality classification labels are considered in relation to the increasing confidentiality business impact, should information be compromised or shared inappropriately.

The confidentiality classification labels for Queensland Government information are:

  • OFFICIAL
  • SENSITIVE
  • PROTECTED

A Confidentiality classification label should not be applied to information in order to either:

  • restrain competition
  • hide violations of law, inefficiency, or administrative error to prevent embarrassment to an individual, organisation or entity
  • prevent or delays the release of information that does not need protection.

The QGISCF does not deal with National Security Information (NSI) that is assessed to be classified above PROTECTED, however the framework integrates into the broader Australian Government approach to allow interoperability.

Agencies must undertake an information security confidentiality (business impact) assessment to determine the appropriate confidentiality level (OFFICIAL, SENSITIVE, PROTECTED).

An agency must apply security controls which are commensurate with the assessed business impact.

This framework does not mandate specific controls - agencies should select the controls best suited to their business and technology needs.

The chosen controls must provide sufficient safeguards to adequately protect the information based on the confidentiality level of the information.

For PROTECTED information, an agency must consider the controls outlined for PROTECTED information in the current Australian Government information security manual. (Opens in new window) (Opens in new window)

Where the controls applied to PROTECTED information are not equivalent to those outlined in the information security manual, the agency accountable officer must accept any resulting risk. The risk should be recorded in the agency risk register and shared with partner agencies.

OFFICIAL

OFFICIAL represents most Queensland Government information by volume, but lowest business impact per document if compromised or lost. However, where information is aggregated on an information asset such as an ICT server, the impact of compromise may increase and with it, the controls.

OFFICIAL information is routine information without special sensitivity or handling requirements. All routine public-sector business, operations and services is treated as OFFICIAL. At the OFFICIAL classification there is a general presumption that data may be shared across government. Security measures should be proportionate and driven by the business requirement.

Most OFFICIAL information is subject to the Public Records Act 2002 (Qld).

SENSITIVE

The use of the SENSITIVE indicates that information requires additional handling care due to its sensitivity or moderate business impact if compromised or lost.

SENSITIVE information must be labelled.

Examples of SENSITIVE information may include:

  • government or agency business, whose compromise could affect the governments capacity to make decisions or operate, the publics confidence in government, the stability of the market place and so on
  • commercial interests, whose compromise could significantly affect the competitive process and provide the opportunity for unfair advantage
  • legal professional privilege
  • law enforcement operations whose compromise could adversely affect crime prevention strategies, particular investigations or adversely affect personal safety
  • personal information, which is required to be safeguarded under the Information Privacy Act 2009 (Qld), or other legislation.

Most SENSITIVE information is subject to the Public Records Act 2002 (Qld).

PROTECTED

PROTECTED information requires the most careful safeguards due to its sensitivity or major business impact if compromised or lost. PROTECTED information assets require a substantial degree of control as compromise could cause serious damage to the State, the Government, commercial entities or members of the public.

PROTECTED information must be labelled.

Cabinet information is PROTECTED. Cabinet documents (CABINET information) can be damaging to the public policy agenda and the government generally, and to the public interest. Unlawful disclosure of Cabinet information may constitute an offence under the Criminal Code Act 1899 (Qld) , Public Sector Ethics Act 1994 (Qld) and may constitute official misconduct under the Crime and Misconduct Act 2001 (Qld). The primary guidance document to support these processes, including the handling of Cabinet material, is the Queensland Cabinet Handbook.

Most PROTECTED information is subject the Public Records Act 2002 (Qld).

Sharing information and the need to know

The need to share information must be balanced with the need to know information to perform official tasks. Access to some information needs to be restricted because it could harm government interests or the people of Queensland. Applying a security classification to information signals that the agency has assessed the business impact arising from loss of the informations confidentiality and expects those that access it to secure it appropriately.

Both over-classification and under-classification of information can be detrimental to government:

  • over classification of information results in agencies misallocating their resources to spend more money on security than might otherwise be required
  • under classification results in agencies exposing themselves to risk because they do not allocate security resources to the information requiring additional safeguards.

All government information must be:

  • handled with due care and in accordance with authorised procedures, regulation and legislation
  • assessed against the impact that loss of confidentiality would cause to the agency
  • released in accordance with the policies, legislative requirements and directives of the Queensland Government and the courts.

Discrete information (unstructured data)

Discrete information, such as documents or emails, may receive an information security confidentiality assessment to indicate the business impact should the information be compromised or made available to the wrong individuals. Agencies should create guidance and procedures to assist employees to classify discrete information correctly.

Information assets (structured data)

For information assets, a systems confidentiality assessment provides an indication of the maximum sensitivity and confidentiality of information that the system is accredited to handle by the agency's accountable officer. Any assessment must also consider the aggregate sensitivity of the data held in the system.

Australian Government Protective Security Policy Framework

QGISCF is intended to be compatible with the Australian Government Protective Security Policy Framework and Australian Government Information Security Manual. Queensland has adopted the security classification levels OFFICIAL, SENSITIVE and PROTECTED to align with the federal government approach.

Confidentiality business impact levels

Departments should identify on a risk basis which business impacts should be considered when identifying whether loss of information confidentiality has a high, medium or 'low or negligible' impact. The business impact level (confidentiality) will determine the classification label.

Appendix C may assist in identifying confidentiality objectives to support business impact requirements.

Confidentiality impact and classification levels

Information asset confidentiality control summary

This section contains summary details of the controls relevant for the various levels.

OFFICIAL

Information with a low or negligible confidentiality business impact level

Majority of government information.

Should be labelled OFFICIAL

OFFICIAL information is routine information without special sensitivity or handling requirements. Compromise may cause limited damage to national security, government agencies, commercial entities or members of the public.

The unauthorised disclosure or compromise of OFFICIAL information assets may undermine public confidence in government operations.

OFFICIAL information has confidentiality requirements, unless it is being published.

It may be helpful to mark assets with this classification level so that it is known that an assessment has been made. Information assets which may not be assessed in a timely manner and do not have a default domain classification established may be best marked.

Store, handle, archive and disposal

For minimum requirements:

Refer to Queensland Government Authentication Framework and Data encryption standard. The chosen controls must provide sufficient safeguards to adequately protect the information based on the confidentiality level of the information.

SENSITIVE

Information with a medium confidentiality business impact level requiring additional care in handling

Must be labelled SENSITIVE

SENSITIVE information requires additional handling care due to its sensitivity or moderate business impact if compromised or lost.

Examples may be:

  • government or agency business, whose compromise could affect the government's capacity to make decisions or operate, the public's confidence in government, the stability of the marketplace and so on
  • commercial interests, whose compromise could affect the competitive process and provide the - opportunity for unfair advantage
  • legal professional privilege
  • law enforcement operations, whose compromise could hamper or render less useful crime prevention strategies or investigations or adversely affect personal safety
  • personal information, which is required to be safeguarded under the Information Privacy Act 2009 (Qld), the Public Records Act 2002 (Qld) or other legislation.

Store, handle, archive and disposal

For minimum requirements:

Refer to Queensland Government Authentication Framework and Data encryption standard

The chosen controls must provide sufficient safeguards to adequately protect the information based on the confidentiality level of the information.

PROTECTED

Must be labelled PROTECTED

Green folder, yellow stripe

Information with a 'High' confidentiality business impact level, whose compromise could cause actual damage to the State, the Government, commercial entities or members of the public. For instance, compromise could:

  • endanger individuals' lives and private entities;
  • work substantially against government finances or economic and commercial interests;
  • substantially undermine the financial viability of major organisations; and/or
  • impede the investigation or facilitate the commission of serious crime.

Information passed by other governments that is marked PROTECTED

Cabinet information

The Queensland Cabinet Handbook dictates security classifications, markings and handling for Queensland Cabinet material.

Preparation and handling

Markings

Distinct markings on document or information asset. Centre of top and bottom of each page, in capitals, 5mm (20 point) bold and red if possible.

SCI Register

Desirable

Store, handle, archive and disposal

In accordance with authorised retention and disposal schedule issued under the Public Records Act 2002 (Qld).

Information security assessment process

It is necessary to ensure that the information security assessment is a living process, that is, information security needs to be periodically and regularly reassessed as part of the Information Security Management System (ISMS).

Each of the steps identified below is expanded in more detail in the following sub-sections.

Information security assessment process

Information security assessment process

Identify information

Agencies must identify any information assets that they hold.

The Information asset custodianship policy states the Queensland Government will identify its information assets and assign appropriate custodianship roles and responsibilities to ensure these assets are managed throughout their lifecycle.

Information assets can be documents, electronic messages, a row in a database (or the database table itself), collections of metadata, or a table or figure within a document. An information asset may hold information in multiple formats or media types.

Information assets can be identified by a range of agency processes, including during application of the Digital and ICT Strategic Planning Framework and ICT profiling standard (Queensland Government employees only).

In some cases, it may be prudent to logically segment an information asset to be able to assign different business impact levels to the information it contains. Segmentation is discussed further in the appendices.

Determine the owner of the information

All agencies must assign roles and responsibilities to information assets as per the Information asset custodianship policy. This should include the role of 'delegated owner' as defined in the Information management roles and responsibilities guideline .

Ownership of an information asset or discrete segment of information should reside with only one individual with authority to make decisions about how the information should be handled.

Information ownership must be documented and kept current.

Information ownership may be delegated by the accountable officer (agency head) on a risk basis.

The information owner is accountable for establishing the overall confidentiality, integrity and availability assessments of their information.

The information owner may delegate the responsibility (custodianship) for maintaining asset information controls which must be clearly documented in line with the Information asset custodianship policy.

Undertake Business impact level assessment and Assign C.I.A levels

Example business impact assessment tables for confidentiality, integrity and availability are in the appendices. These list in tabular form impacts which agencies might consider as low, medium or high.

Using your departments business impact levels, information must be assessed to determine confidentiality, integrity and availability levels.

It should be noted that the outcome of a Business Impact Level (BIL) assessment may result in a mixture of high, medium and low business impacts. For Confidentiality business impacts, this then guides the confidentiality label that is applied. However, the label applied is not automatic and is a decision that rests with the information owner.

Other agency, regulatory or legislative issues including those arising from the Public Records Act 2002 (Qld) may also impact on the impact assessment of the information, and need to be considered at this point.

Select and apply controls

Appropriate controls must be applied to ensure that safeguards are applied to information assets commensurate with the assessed business impact levels. In limited cases, the controls are mandated (e.g. high confidentiality information), but in most cases, agencies are encouraged to identify suitable better practice control sets from reputable sources such as Australian Signals Directorate, ISO/IEC 27002, National Institute of Standards and Technology or ENISA that meet their needs on a risk basis.

Ongoing activities

Continuous review

As environments and circumstances change, information owners should review confidentiality levels to ensure controls remain appropriate. The impact from loss, compromise, or damage to information may reduce or increase over time.

The decision to change the business impact level for information rests with the information owner.

De-identification, aggregation and redaction techniques can be used to support proactive information release under right to information and Information access and use policy. However, care and expertise is required to ensure these are effective and do not introduce risk.

Due care is required to ensure privacy is preserved with data derived from information about individuals.

Assurance

The information security assessment in each category are determined by the Business Impact Level (BIL) of the information or asset. In turn, the BIL guides the level of assurance that should be sought by the organisation relative to the assessed information.

At higher business impact levels, more robust assurance should be sought by the business.

More detail is provided in the Information security assurance and classification guideline.

Education and awareness

The ongoing education and awareness of all employees regarding the importance of classifying information is critical to the success of the overall agency security environment.

Agencies should ensure that all employees have a clear understanding of the agency information security classification policies and procedures, their responsibilities, and principles. Employees who create, process or handle security classified information assets should be trained in how to assess and handle classified information.

Education and awareness programs will likely vary across an agency and between agencies and depend on the type of work and types of information assets dealt with.

Information custodians should be given assistance to understand their roles and responsibilities.

Guides to help employees work through the assessment and classification process should be developed. These are of use where information security assessment is not routinely part of an employees duties with agency specific examples used to assist.

Business impact levels

Putting it all together

Information security assessment has traditionally been solely an assessment of the confidentiality of an information asset or the information it contains. Whilst emphasis is legitimately placed on the determination of confidentiality, it is important to also recognize and assess integrity and availability requirements for information on agency operations.

Many Queensland Government information assets have significant requirements for information integrity and availability. The use of the business impact levels can assist those agencies to classify assets against their integrity and availability, as well as confidentiality. Importantly, where information is found to have high availability or high integrity requirements, agencies should assign proportionate controls based on the BILs.

The information owner must classify the information they are responsible for against the three dimensions of information security.

When determining the correct information security level for an information asset or domain, a range of factors must be considered. Where information assets can be security classified according to legislation, regulation, policy, contractual or other pre-determined means, it should be so classified. For example, breach of proper undertakings to maintain the confidentiality of information provided by third parties and breach of statutory restrictions on the management and disclosure of information need to be considered, and these may influence the overall control selection.

Business impact may be affected by information aggregation. Aggregation of information may change business impact against confidentiality, integrity and/or availability of information.

Controls commonly treat more than one risk. Control selection should aim to mitigate the highest impact risks and if possible, more than one area of the C.I.A. triad.

In this way, information security adds value and can be balanced more effectively against the needs of the organisation that it serves.

There are other methodologies for determining business impact levels such as those outlined in the Digital and ICT strategic planning framework.

Agencies should have a repeatable and consistent process to identify business impacts of threats to information in their organisation and that this should consider confidentiality, integrity and availability.

.

Example assessment of business impacts to confidentiality, integrity and availability

This shows an example of an assessment, and in this case the asset has been assessed as high BIL based on integrity, medium availability and low for confidentiality. An assessment tool is available to assist agencies in determining their BILs.

The agency should consider existing controls required by the Information Security Policy (IS18:2018) and whether these mandatory requirements treat assessed risk to a level that is tolerable to the information owner.

If not, consider additional integrity controls. Note that establishing cumulative control sets for CIA high-low may simplify architecture.

For example, an agency may choose to assess risk above baseline controls or create controls standards for classification, as follows:

 LowMediumHigh
Confidentiality Assess Baseline Controls Baseline + Risk Assess need for any additional agency controls ASD Cyber Security Man. + Risk Assess need for any additional agency controls
Integrity Assess Baseline Controls Baseline + Risk Assess need for any additional agency controls Baseline + Risk Assess need for any additional agency controls
Availability Assess Baseline Controls Baseline + Risk Assess need for any additional agency controls Baseline + Risk Assess need for any additional agency controls

Or, it may be efficient for agencies create controls standards for some/all of the CIA configurations:

 LowMediumHigh
Confidentiality C Controls Standard Low C Controls Standard Med C Controls Standard High (ASD - Cyber Security Man. Controls, plus agency controls)
Integrity I Controls Standard Low I Controls Standard Med I Controls Standard High
Availability A Controls Standard Low A Controls Standard Med A Controls Standard High

Appendix A

Integrity - Business impact assessment - example

Click on the thumbnail below to download

Appendix B

Availability - Business impact assessment - example

Click on the thumbnail below to download

Appendix C

Confidentiality - Business impact assessment - example

Click on the thumbnail below to download

Appendix D

Security classification by domain

It is often not practical to individually apply a full security assessment process to every document, record or other information asset in use in an agency. Particularly where there are large quantities of legacy documents.

Agencies should therefore consider an information asset security domain[1] approach to information security classification.

Agencies may choose to use this approach with legacy information classified under earlier classification schemes using the mappings diagram at APPENDIX E.

Information asset security domain classifications are not mandatory and should only be established where a logical grouping and standard impact assessment can be identified. It should also be noted that an individual information asset security classification will override any broad domain classification.

An information asset security domain is a grouping of related information assets that share a security classification. The assessment may be based on higher confidentiality, higher integrity, higher availability or a combination of more than one requirement.

Security domains allow a defined level of security assessment to be automatically assigned to assets of the domain. This helps to ensure consistency and reduce owner and user workloads. Domain security classifications must be approved by the information owner/s responsible for the assets that the domain will apply to.

An example of an existing domain classification is Cabinet documents, which are pre-determined as being CABINET-IN-CONFIDENCE with High integrity requirements and are treated as PROTECTED information assets. Any new information needs only to be individually assessed by exception, and the appropriate controls applied.

The domain security classification scope will be determined by the ability to group information assets with similar impact assessment results. Often domains will be related to business functions such as human resource management, strategy or procurement functions. Business classification schemes such as those developed for document and records management systems may be useful tools for identifying potential domain security classification areas.

Domain security classifications should be reviewed by agency information owners regularly to ensure they remain appropriate.

Information classified under previous schemes

Agencies may choose to apply a domain approach to legacy information classified under earlier classification schemes using the mappings diagram at Appendix E.

Segmentation of information assets by impact levels

In cases where information is assessed as having different business impact levels, it requires differential confidentiality, information integrity or availability controls.

Identifying, segmenting and/or segregating high business impact or data from other agency information and applying appropriate controls can be an efficient approach that is superior to raising the security of all information holdings.

Generally segmenting information so that higher impact information sets are safeguarded from the broader information holdings will work best for Queensland agencies. This approach might be applied where the agency holds relatively small amounts of information that has a higher confidentiality classification, or integrity and availability requirements. Examples include credit card data (PCI-DSS) or information subject to specific legislation, such as the Privacy Act.

Public information

PUBLIC is not a security classification level under the new classification framework. However, there is no restriction on an information owner choosing to label information PUBLIC, noting that where the information is held on an information system, it will be subject to Integrity and Availability requirements.

Public information is OFFICIAL information that has undergone an agency authorised publication process to identify that it was suitable to be published. Some of these processes are not security related including relevant copyright identification processes.

Agencies need to maintain their own processes to approve information for public release. Some information assets intended for public consumption may have time-limited confidentiality requirements before release (for example, budget papers). In this case, the information should be embargoed, marked and appropriately safeguarded until publication is authorised.

De-identification, de-aggregation and redaction techniques can be used to support proactive information release under right to information and open data goals. However, care and expertise are required to ensure these are effective. Special care is required to ensure privacy is preserved with data derived from information about individuals. The Office of the Information Commissioner Queensland has some useful guidance on Dataset publication and de-identification techniques and risks surrounding re-identification.

Further information - QGEA Information access and use policy (IS33).

National security information

National security information (NSI) is not a confidentiality classification as different NSI may need different levels of safeguarding. NSI is any official resource (including equipment) that records information about, or is associated with, Australia's:

  • protection from espionage, sabotage, politically motivated violence, promotion of communal violence, attacks on Australia's defence system, acts of foreign interference and the protection of Australia's territorial and border integrity from serious threats
  • defence capability

In some cases, the risk may dictate that national interest information requires the same safeguards as national security information. National interest information comprises official resources (including equipment) that records information about, or is associated with:

  • Australia's international relations, significant political and economic relations with international organisations and foreign governments
  • law and governance, including:
  • interstate/ territory relations
    • law enforcement operations where compromise could hamper or make useless national crime prevention strategies or investigations, or endanger personal safety
    • economic, scientific or technological matters vital to Australia's stability, integrity and wellbeing
    • heritage or culture.

The source of most national security information is the federal government.

National security information and systems above PROTECTED must be dealt with according to the arrangements outlined in the Memorandum of Understanding on the Protection of National Security Information between the Commonwealth and States and Territories.

These arrangements are specified in the Queensland Manual for Protecting National Security Information. You can obtain copies from the Queensland Police Service: Security and Counter-Terrorism Command. Telephone 07 3364 3665 or email counter.terrorism@police.qld.gov.au

In addition to the above guideline, agency officers responsible for handling national security information will need to meet handling instructions or agreements between their own agency and source federal agencies. This may include: physical security; personnel security; information security and security governance. Familiarity with the Australian Government Protective Security Policy Framework and related documents is also helpful. These are available from the Australian Government Attorney-Generals Department.

Limiting the duration of information security classification levels

When information is classified, it may be possible to determine a specific date or event, after which the consequences of compromise might change.

It is important to note that an event may trigger an increase in the confidentiality level of information, for example a human resource form may become 'SENSITIVE (when complete)'. Alternatively, an archive may become available after a certain number of years. This may change the business impact for the information. Over time, the information may require safeguards for confidentiality reasons, but later it may be that loss of integrity is the primary business impact, or indeed availability.

Some information may require time limited controls because it is under embargo until a specific public policy statement, after which it is published and enters the public domain. If a future date cannot be determined, it is essential to ensure that the date the information assets were created or classified is noted. The date can be recorded either in the document metadata, or the classified asset register if it exists, so that the date be used for future assessment of classification levels, and for right to information purposes.

Data quality

Data quality is an additional information integrity consideration which may be considered in determining business impact. The Australian Bureau of Statistics has released the ABS Data Quality Framework which includes seven dimensions related primarily to information integrity:

  1. institutional environment
  2. relevance
  3. timeliness
  4. accuracy
  5. coherence
  6. interpretability
  7. accessibility.

The framework can be used for multiple purposes including declaring quality, assessing quality and identifying gaps in data sets. There are also online tools for assessing data quality, including one provided by the National Statistical Service.

Understanding basic business requirements

It is important to establish some basic business requirements for confidentiality, availability and integrity of the information asset. For example, it is difficult to assess the business impact of a compromise of confidentiality if you are not aware who the authorised or unauthorised group of users are. A patients health record is subject to confidentiality requirements contained in the My Health Record Act 2012 (Cth), this means that there is a different business impact if it is shared with a registered medical professional; compared to sharing with a member of the public. Departments should determine the detail this activity should cover. The following questions may assist:

  • Who could by default have access to this information (regardless of how they use it) before it creates a negative business impact? We are open by default, so it might help to start with the widest audience and narrow from there. For example, could the public have access to the information without a negative business impact to Queensland?
    • If yes, everyone could have access.
    • If no, then ask could Queensland Government employees have access to the information without a negative business impact?
    • If yes, no one outside of the Queensland Government should have access.
    • If no, then could everyone in your Agency have access without a business impact? If no, then should everyone in your team have access?
  • What is the minimum accuracy required to prevent a business impact? For example, does all information need to be 100% accurate or is 90% accuracy enough to perform an operation without business impact?
  • What is the minimum availability required to prevent a business impact? For example, does all information need to be available in real-time 24/7. Or is the information only required during business hours and work days?
  • Are there any legislative or regulatory requirements that must be met?

There will also always be exceptions which may be considered on a case by case basis. It is also important that the answers to these questions are revisited regularly as you learn more about how (positive or negative) the information is being used.


Appendix E

Mapping between old and new confidentiality classifications

Click on the thumbnail below to download

Appendix F

Frequently asked questions about security classification, publishing and Creative Commons licensing

If an information asset has no security classification or Creative Commons licence, what process should I follow?

All information assets should undergo a security classification assessment. They may inherit a classification from the previous QGISCF, in which case, mapping may be used.

As the Creative Commons licensing process can only be applied to published information, generally only OFFICIAL information that is, or will be, published is a candidate for a Creative Commons licence.

Therefore, in addition to a security assessment the information will need to go through your departments publication or information release process.

The security classification helps to understand the confidentiality, integrity and availability needs of the information asset, so that the appropriate controls can be implemented during the preparation and publishing process.

Should the information asset be suitable for publication, a Creative Commons licensing review can be conducted and, if appropriate, a licence applied.

If an information asset has a security classification (e.g. OFFICIAL, SENSITIVE or PROTECTED) do I need to apply a Creative Commons licence?

A Creative Commons licence can only be applied to information that is published because it implies that the information can be shared publicly and potentially reused. Where an information asset has been published it can be assessed using the Creative Commons licensing review process.

OFFICIAL information is generally suitable for sharing with other government agencies, as there are low/negligible confidentiality requirements. OFFICIAL information that is intended to be published publicly requires further consideration by the department (e.g. under their publishing and information release processes) to ensure the implications are fully understood.

But what if the information asset has the old security classification PUBLIC but no Creative Commons licence?

Existing information assets that have previously been classified as PUBLIC under the old scheme, can undergo a Creative Commons (CC) licencing review and be licensed using one of the six CC Licences.

If an information asset already has a Creative Commons licence, what should its security classification be?

If a licence already exists, then it is assumed that the information has been purposefully prepared for publication and is able to be shared with the public under the terms of the CC licence.

As Creative Commons licences generally only apply to information assets that are published, it would be expected that the information would have a classification of OFFICIAL (i.e. the lowest security classification).However, it is best not to guess, and undertake a security assessment just in case anything was overlooked during the decision to publish.

We used to use the old security classification of PUBLIC to identify when an information asset can be published what do I do now?

While a security classification of PUBLIC doesn't exist, it doesn't mean you can't use the term to identify that a decision to publish has been made. For example, you could add a public label alongside the classification level (e.g. OFFICIAL Public).

Alternatively, you may want to just use the CC licence as an indication it's up to your organisation to decide.

Appendix G

Use of additional descriptors for information

To support specific business requirements and compartmentalise information, organisations may apply an optional additional descriptor to information.

Agencies may decide to use further descriptors when handling, processing and storing their information.

However, it should be noted that any additional descriptors may not be understood outside the organisation and therefore the information may not be handled and protected in the required manner, unless it has been agreed beforehand.

Appendix H

Additional resources

This framework has been developed to align with the following Queensland Government legislation and regulation, Australian Government standards, Australian Standards, and Queensland Government ICT strategy and policy. Relevant resources are listed below

Author

Resources

Queensland Government Legislation and Standards

Queensland Government Enterprise Architecture

Australian Government

Australian Standards

QLD Government Departments may be able to access the ISO27000 documents via the QDCGD whole of government arrangement. Please contact cybersecurity@qld.gov.au for more information

Other Queensland Government policy and resources

Appendix I

Implementation Timing

Suggested implementation dates. These dates are for guidance only, shading indicates implementation dates which have passed.

For mandatory timings, see Information security policy (IS18:2018)

August 2018

  • Policy approved, new system published
  • Agencies may use new system

30 December 2018

  • Stop using the old scheme
  • Revisit BILs

During 2019

  • Roll out classification processes for active records
  • Identify control sets for different CIA levels for new information assets
  • Revise SLAs
  • Educate users
  • Decide what to do with legacy information (if anything)

1 June 2020

  • Agencies have new scheme fully in place
    • seek exceptions as necessary
[1] Supervisory Control and Data Acquisition - systems that monitor and control industrial, infrastructure, and facility-based processes that exist in the physical world

[2] It should be noted that the information security domain concept being discussed here is not intended to be the same as other domains that may be specified through the QGEA.