Information security policy (IS18:2018)
Purpose
The Queensland Government is responsible for a significant amount of information. To ensure trust and deliver business value it is critical that this information is protected appropriately.
This policy seeks to ensure all departments apply a consistent, risk-based approach to the implementation of information security to maintain confidentiality, integrity and availability.
Policy statement
The Queensland Government will identify and manage risks to information, applications and technologies, through their life cycle, using Information Security Management Systems (ISMS).
Policy benefits
The implementation of this policy will:
- enable the Queensland Government to predict and respond to the changing threat environment
- enable Queensland Government to align to international best practice approaches
- facilitate a systematic approach to risk and improve decision making
- provide a flexible and tailored approach to meet individual department business needs and different risk appetites in an increasingly complex ICT and business environment
- allow for independent security system reviews to provide an increased level of confidence and trust in government
- support better allocation of time and resources to security challenges relevant to specific departments
- leverage increasing industry adoption of ISO 27001 which will assist in aligning requirements and improve transparency when using cloud and managed services.
Applicability
This policy applies to all Queensland Government departments (as defined by the Public Sector Act 2022). Accountable officers (not already in scope of the Public Sector Act 2022) and statutory bodies under the Financial and Performance Management Standard 2019 must have regard to this policy in the context of internal controls, financial information management systems and risk management. Please see the Applicability of the QGEA for further information.
Policy requirements
Policy requirement 1: Departments must implement an ISMS based on ISO 27001
Departments must implement and operate an ISMS based on the current version of ISO 27001 Information technology - Security techniques - Information security management systems - Requirements. The scope of the ISMS will include the protection of all information, application and technology assets.
Policy requirement 2: Departments must apply a systematic and repeatable approach to risk management
Risk management is an integral part of operating an ISMS where risks must be considered at a business level. Departments must adopt a risk management framework by integrating their ISMS into their corporate risk management processes.
Policy requirement 3: Departments must meet minimum security requirements
To ensure a consistent security posture and promote information sharing, Queensland Government departments must comply with the:
- Queensland Government Information Security Classification Framework (QGISCF)
- Data encryption standard
- Queensland Government Authentication Framework (QGAF)
- Australian Signals Directorate (ASD) Essential Eight Strategies
Policy requirement 4: Departments' accountable officers must obtain security assurance for systems
Every system is unique and security assurance should be applied sensibly and appropriately. Accountable officers must obtain security assurance to establish an understanding of information security protections and adherence to information security policy.
The level of security assurance applied to systems must be based on the criticality/significance of the system, using the business impact levels determination methodology outlined in the QGISCF.
See the Queensland Government information security assurance and classification guideline for more information.
Policy requirement 5: Accountable officers must attest to the appropriateness of departmental information security
Departmental accountable officers (CEO/Director-General or equivalent) must:
- endorse the Information security annual return
- attest to the department's information security posture and the compliance of its ISMS.
Endorsement must be obtained from the department's accountable officer through the corporate audit and risk committee.
Departments must publish the attestation in the department's annual report and should consider publishing it in further publicly accessible locations such as the department website.
Issue and review
Issue date: 17 June 2019
Next review date: June 2020
This QGEA policy is published within the QGEA which is administered by the Queensland Government Customer and Digital Group. It was developed by the QGCIO Cyber-Security Unit and approved by the Queensland Government Chief Information Officer.
Implementation
This policy came into effect on 1 October 2018.
Reporting requirements
This policy has specific reporting requirements:
| # | Reporting requirement | Date |
|---|---|---|
| 1 | a) For the financial year ending 30 June 2019: | 30 October 2019 |
| | b) From 2020, for each financial year ending 30 June: | From 2020, annually at 30 September |
| 2 | Communicate incident response activities and threat intelligence to the Queensland Government Information Security Virtual Response Team as per the QGEA Information security incident reporting standard. | Ongoing |