Information security incident reporting standard
Purpose
Queensland Government Enterprise Architecture (QGEA) standards provide information for Queensland Government agencies on the recommended practices for a given topic area. They are intended to help agencies understand the appropriate approach to addressing a particular issue or doing a particular task. Unlike a guideline, which is better practice advice, a standard is enforced by policy.
The Information security incident reporting standard was developed to outline agency actions required to meet information security incident reporting requirements under the Information security policy (IS18). This standard should be read in conjunction with the Information security incident management guideline.
Scope
This document is intended for agency staff and operational areas involved in information security incident management, response, and reporting.
Definitions
Information security event
An information security event is an identified occurrence of a system, service or network state indicating a possible breach of information security, policy or failure of controls, or a previously unknown situation that may be security relevant [ISO/IEC 27000:2018].
Information security incident
An information security incident is defined as a single or a series of unwanted or unexpected information security events that have a significant probability of compromising business operations and threatening information security [ISO/IEC 27000:2018].
Sub-definition - Information security false positive
False positives occur when a response was triggered, but further investigation determines there was no incident.
Background
This standard has been developed to centrally coordinate reporting and monitoring processes for information security incidents within Queensland Government. The Queensland Government Cyber Security Unit (QGCSU) houses the Cyber Defence Centre (CDC). The CDC is responsible for receiving information security incident reports from Queensland Government agencies and leads technical incident response coordination for information security incidents that affect more than one agency. The reporting and response function of the CDC was previously known as the Queensland Government information security virtual response team.
The reporting of information security incidents provides significant benefits for both Queensland Government agencies and the QGCSU.
Better practice cyber defence includes the rapid and proactive sharing of information revealed as part of incident response activities. This helps to limit an attacker's reuse of their techniques against others, thus undermining the attacker's business model.
The timely reporting of incidents within agencies as soon as they occur or are discovered provides agency leadership with the opportunity to assess the impact of any incident, seek timely advice, and oversee any incident response activities and communications.
The QGCSU uses received incident reports as the initial basis for aiding reporting agencies with incident response and recovery activities. The QGCSU also works collaboratively with agencies to identify trends, protect others, and maintain an accurate threat environment picture in Queensland. This includes ensuring that the learnings from incidents are identified, and securely shared, to provide better protection from future cyber security threats and risks.
Using this information, the QGCSU, CDC and Australian Government partners like the Australian Cyber Security Centre (ACSC) work together to develop new and updated advice, capabilities, and techniques to better prevent and respond to evolving cyber threats. Reporting benefits include:
- ensuring information is provided in a timely manner to the appropriate channel and audience
- being able to provide or seek expert advice on how to contain/limit the impact from an incident
- mandatory incident reporting fields that ensure information is accurate, consistent, complete, and actionable
- building a comprehensive security risk profile which can be used for trend analysis
- continuous improvement of incident response processes and appropriate control selection through the application of lessons learned.
Mandatory reporting
Reporting obligations
The business impact level (BIL) reporting table determines agency reporting obligations in relation to information security incidents.
BILs are determined by the business owners of both the information and the system. This is done on a risk basis by assessing the potential or actual impact from a loss of confidentiality, integrity or availability of the information and assigning the relevant security classifications and controls.
If a BIL is not already assigned to an impacted system and/or information asset, the business owners must be consulted to determine the appropriate BIL.
Agencies must report:
- immediately for information security incidents affecting information / a system with a Medium or High BIL (for any of confidentiality, integrity or availability)
- immediately for information security incidents affecting multiple systems / agencies
- within five days for information security incidents affecting information / a system with a Low BIL.
Agencies should record notable or trending information security events and report them where there is demonstrated value in sharing the captured information with others.
Incident business impact level reporting table
Breadth of incident (impact to confidentiality, integrity or availability) | Low BIL | Medium BIL | High BIL
---|---|---|---
Single agency/information asset | Report within 5 days | Report immediately | Report immediately
Multiple agencies/information assets | Report immediately | Report immediately | Report immediately
What to record and report
Agencies must:
- document and maintain all information security incidents (including false positives) within an auditable information security incident register
- report incidents as per the BIL reporting table to the CDC in an approved format, addressing all mandatory information security incident reporting fields
- ensure that information security incident reports submitted to the CDC are approved by the Accountable Officer or a suitably senior delegate (a Chief Information Security Officer or Chief Information Officer are examples of a suitably senior delegate)
- provide a copy of the post-incident report for agency-coordinated incidents with a BIL of Medium or High that required QGCSU and/or CDC assistance.
When and how to report
Immediate reporting
For immediate reporting, agencies must report an incident to the CDC as soon as it is determined to meet an immediate-reporting requirement in the BIL reporting table (see Reporting obligations).
For low business impact reporting, agencies must report incidents to the CDC within five days.
For both immediate and low business impact reporting, agencies must report using the following communications channels:
- incident reporting portal (primary reporting channel)
- email using manual reporting form (only to be used if agencies are unable to access the reporting portal) CyberDefenceCentre@cyber.qld.gov.au
- phone 07 3215 3951 (for phone notifications, the CDC will work with the reporting agency to complete and submit an incident report).
The use of other mechanisms outside of those noted above (e.g., other online chat channels and direct calls to QGCSU and CDC staff) to report or communicate on current or potential information security incidents and events is strongly discouraged. It promotes inconsistency, creates data integrity and process issues, and may result in incidents not being triaged and handled in a prompt manner.
The approved reporting channels ask agencies to identify if their report is for noting, or if support is being requested.
Reporting incidents allows the QGCSU and CDC to effectively triage any requests for support and allocate internal or external resources on a priority basis. Should an agency be impacted by a third-party supplier incident, business impact should still be assessed, and an incident reported in accordance with the BIL reporting table.
Agencies requesting urgent assistance for an incident outside of ordinary business hours should ensure that any report submission is followed up by a phone call to the above phone number to ensure timely awareness and action.
Oral notifications made by phone for incidents must be accompanied by a formal incident report as soon as reasonably practicable.
Additional reporting requirements
Critical infrastructure
Agencies that own or operate critical infrastructure or systems of national significance (as defined and captured by the Security of Critical Infrastructure Act 2018 (Cth)) should also be aware of legislative obligations to report applicable incidents to the ACSC.
This obligation complements and does not replace agency obligations to report incidents to the QGCSU. A correctly completed QGCSU incident report will meet ACSC reporting needs, and the same information can be supplied to the ACSC with minimal impost.
The QGCSU will work with agencies to submit and escalate reporting to the ACSC.
Data breaches
Agencies that experience a data breach during an incident may be subject to mandatory data breach notification to the Office of the Australian Information Commissioner (OAIC) and/or the Queensland Office of the Information Commissioner (OIC).
Agencies should be aware of legislative obligations and undertake a risk and harm assessment to understand and act on notification obligations in identified timeframes.
Applicable legislation may include, but not be limited to the:
- Privacy Act 1988 (Cth)
- Information Privacy Act 2009
- Human Rights Act 2019
- My Health Records Act 2012 (Cth) - where applicable.
Law enforcement referral
Where necessary, the ACSC refers reported cyber incidents to the Australian Federal Police (AFP) and/or the Queensland Police Service (QPS) for law enforcement investigation. The QGCSU will work with agencies experiencing a cyber incident requiring investigation to report the incident to the ACSC so that this referral can occur and be logged through the correct channels. The QGCSU can assist agencies with reporting to the ACSC and initiate early law enforcement awareness but cannot refer incidents directly to the AFP or QPS.
Information security incident assessment
Information security events are still important (for example, a delay in patching a vulnerability is an information security event that may lead to an information security incident), but the types of information security incidents that the QGCSU wants to hear about include:
- suspicious privileged account lockouts
- suspicious remote access authentication events
- service accounts suspiciously communicating with internet-based infrastructure
- compromise of data (unauthorised access, alteration, destruction and/or theft – including where this is due to a failure of protective security controls)
- unauthorised access or attempts to access a system
- emails with suspicious attachments or links
- denial-of-service attacks
- ransomware attacks
- suspected tampering of electronic devices.
The QGCSU has provided a sample overview of ticket priority (aligned with Australian Government guidance, IS18 and this reporting standard) that may help agencies assess impact and prioritise incidents based on their severity. QGCSU recommend that agencies use their risk frameworks to contextualise this further.
Priority 1 (P1)
A complete business-down situation, or a single critical system down with high financial impact, where the agency is unable to operate. For example, a high to critical business impact P1 incident might involve:
- most staff (or several critical staff/teams) unable to work
- critical systems offline
- high risk or definite breach of data assessed as having the potential to cause serious harm (to individuals or the agency/assets)
- financial impact greater than $100,000
- severe reputational damage (likely to impact long term).
Priority 2 (P2)
A major component of an agency's ability to operate is affected. Some aspects of the business can continue, but it is a major problem. For example, a high business impact P2 incident might involve:
- 50 per cent or more staff unable to work
- non-critical systems affected
- possible breach of data assessed as having the potential to cause serious harm (to individuals or the agency/assets)
- financial impact greater than $50,000
- potential for serious reputational damage.
Priority 3 (P3)
Agency core business is unaffected, but the issue is affecting the efficient operation of one or more people. For example, a medium business impact P3 incident might involve:
- 20 per cent of personnel unable to work
- small number of non-critical systems affected
- possible breach of data assessed as not having the potential to cause serious harm (to individuals or the agency/assets)
- financial impact greater than $25,000
- low risk to reputation.
Priority 4 (P4)
The issue is an inconvenience, but there are clear workarounds or alternatives. For example, a low business impact P4 incident might involve:
- 10 per cent or less of non-critical personnel experience short term disruption
- minimal, if any, business impact
- one or two non-critical/non-sensitive machines impacted
- no breach of data.
Information security incident mandatory reporting fields
Information security incident management can involve making critical business decisions. To support these decisions, information must be timely, accurate and complete. Incident reports also need to be consistent, as they are also used to identify trends, protect others, and maintain an accurate threat environment picture in Queensland.
The Vocabulary for Event Recording and Incident Sharing (VERIS) framework is a set of metrics designed to provide a common language for describing security incidents in a structured and repeatable manner. This standard incorporates elements of the VERIS framework to enable the QGCSU to better capture, structure, and safely share de-identified incident data more thoroughly and consistently.
This enables better analysis and tracking of trends in security incidents impacting Queensland Government and integrates with various threat understanding and intelligence frameworks that capture adversarial tactics, techniques, and procedures (TTPs).
The incident reporting portal, manual report form, and CDC triage processes all use the same mandatory information security incident reporting fields to standardise the minimum incident information that must be captured by agencies when reporting to the CDC. Further guidance on the use of the VERIS framework fields in incident reporting is linked below.
When submitting an incident report to the CDC, agencies must complete all identified fields in either:
- the incident reporting portal
- the manual reporting form.
The QGCSU recognise that depending on the stage of the incident lifecycle, not all information may be available to submit in an incident report. Reporting agencies must fill in as much as possible utilising the provided field guidance and identify if information is unknown or not yet confirmed.
Where information is identified as unknown or not yet available, agencies must:
- update the submitted report when it becomes available
- provide final closure when it is confirmed that the information is not available.
The QGCSU will also work with agencies to seek updates as new information becomes available over the incident management lifecycle or close out incident reports.
How the CDC uses incident information
The CDC will:
- collect and securely store information relating to information security incidents and events
- safely and securely share de-identified threat intelligence gathered during an incident, such as indicators of compromise, unless the information is likely to identify an agency (or other organisation), or the information owner specifically requests that it not be shared.
The CDC will not provide information to any entities which may identify a Queensland Government agency without their express permission.
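As an added illustration of the mandatory-field, unknown-value and de-identification requirements described above (under Information security incident mandatory reporting fields and How the CDC uses incident information), the following Python sketch validates a VERIS-style incident record, merges late-arriving information only into fields previously marked unknown, and strips agency-identifying fields before the record is shared. This is example code written for this page, not the CDC portal, the manual reporting form or VERIS tooling. The field set (`MANDATORY_FIELDS`, loosely following VERIS top-level sections), the `unknown` marker, the `IDENTIFYING_FIELDS` list and the sample record are all assumptions constructed for the example.

```python
"""Added example: VERIS-style incident record validation, update and de-identification.

Illustrative code for this page only. Field names, the "unknown" marker and the
identifying-field list are assumptions, not the CDC's actual schema.
"""
import copy
import json

UNKNOWN = "unknown"  # assumed marker for "not yet confirmed" (allowed, but must be updated or closed out)

# Assumed mandatory fields, loosely following VERIS top-level sections
# (victim, actor, action, asset, attribute, timeline, discovery_method).
MANDATORY_FIELDS = (
    "incident_id", "reported_at", "victim.agency", "victim.bil",
    "actor.external.variety", "action.variety", "asset.variety",
    "attribute.impacted", "timeline.discovery", "discovery_method",
)

# Assumed fields that identify the reporting agency; never shared without express permission.
IDENTIFYING_FIELDS = ("incident_id", "victim.agency", "victim.contact", "asset.hostnames")

# Constructed sample report (no real agency, host or indicator).
SAMPLE_REPORT = {
    "incident_id": "INC-0001",
    "reported_at": "2024-03-04T09:15:00+10:00",
    "victim": {"agency": "Example Agency", "bil": "Medium", "contact": "ciso@agency.example"},
    "actor": {"external": {"variety": UNKNOWN}},   # attribution not yet known at first report
    "action": {"variety": "malware", "malware": {"variety": "ransomware"}},
    "asset": {"variety": "server", "hostnames": ["fileserver01.agency.example"]},
    "attribute": {"impacted": ["availability", "confidentiality"]},
    "timeline": {"discovery": "2024-03-04T07:40:00+10:00"},
    "discovery_method": "internal.antivirus",
    "indicators": {"sha256": ["e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"],
                   "domains": ["updates-cdn.example.net"]},
    "narrative": "Example Agency file server encrypted overnight; ransom note found on share.",
}


def get_path(record, dotted):
    """Read a dotted path such as 'victim.bil'; None if any component is absent."""
    cur = record
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def set_path(record, dotted, value):
    parts = dotted.split(".")
    cur = record
    for part in parts[:-1]:
        cur = cur.setdefault(part, {})
    cur[parts[-1]] = value


def del_path(record, dotted):
    parts = dotted.split(".")
    parent = get_path(record, ".".join(parts[:-1])) if len(parts) > 1 else record
    if isinstance(parent, dict):
        parent.pop(parts[-1], None)


def validate(record):
    """Return (missing, unknown): absent fields are a reporting error; fields explicitly
    marked unknown are accepted but must be updated or closed out later."""
    missing, unknown = [], []
    for field in MANDATORY_FIELDS:
        value = get_path(record, field)
        if value is None or value == "" or value == []:
            missing.append(field)
        elif value == UNKNOWN:
            unknown.append(field)
    return missing, unknown


def apply_update(record, updates):
    """Merge late-arriving information. Only absent or unknown fields are filled; a
    conflicting value for a field already confirmed is rejected (design choice here:
    contradictions should be raised explicitly, not silently overwritten)."""
    out = copy.deepcopy(record)
    rejected = []
    for dotted, value in updates.items():
        current = get_path(out, dotted)
        if current is None or current == UNKNOWN:
            set_path(out, dotted, value)
        elif current != value:
            rejected.append(dotted)
    return out, rejected


def deidentify(record):
    """Copy the record for sharing: drop identifying fields and free text, keep indicators."""
    shared = copy.deepcopy(record)
    for field in IDENTIFYING_FIELDS:
        del_path(shared, field)
    shared.pop("narrative", None)  # free text is where agency names usually leak
    return shared


def find_identifier_leaks(record, identifiers):
    """Final guard: walk every string and return dotted paths still containing an identifier."""
    hits = []

    def walk(node, path):
        if isinstance(node, dict):
            for key, val in node.items():
                walk(val, f"{path}.{key}" if path else key)
        elif isinstance(node, list):
            for i, val in enumerate(node):
                walk(val, f"{path}[{i}]")
        elif isinstance(node, str) and any(ident.lower() in node.lower() for ident in identifiers):
            hits.append(path)

    walk(record, "")
    return hits


if __name__ == "__main__":
    print("validate:", validate(SAMPLE_REPORT))
    updated, rejected = apply_update(SAMPLE_REPORT, {"actor.external.variety": "organized crime"})
    shared = deidentify(updated)
    print("leaks:", find_identifier_leaks(shared, ["Example Agency"]))
    print(json.dumps(shared, indent=2))
```

The structured removal in `deidentify` handles the known fields; `find_identifier_leaks` is the check a practitioner still wants before anything leaves the CDC, because names, hostnames and contact details also turn up in free text and indicator lists.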