
Information Security Policy

Printed copies are uncontrolled. It is the responsibility of each user to ensure that any copies of policy documents are the current issue

Page 1 of 4

DETAILS
Council Admin
Effective from: 19 August 2016
Contact officer: Policy Officer, Business Innovation and Technology Services
Next review date: 30 June 2017
File reference: IM634/171/03(P4)
iSpot #: This policy 23526603; Value Proposition 41643605

OBJECTIVES AND MEASURES
Objectives:
• Minimal information security incidents.
• Information security management complies with legislation and contractual obligations.

Performance measures:
• The number of reported information security incidents
• The number of legislation and contractual breaches

Risk assessment: High

POLICY STATEMENT
This policy and its attached standards (see Supporting Documents) are mandatory and support the Enterprise Risk Management Policy and the Corporate Security Policy. Council of the City of Gold Coast (Council) will ensure the confidentiality, integrity and availability of Council’s information, ICT Services and ICT assets.

At a minimum this policy and the attached Standards direct that:

1. The Manager Business Innovation and Technology Services will establish, endorse and maintain standards, specifications and controls for the secure design, implementation, management and disposal of ICT services, assets (including information assets) and equipment.

2. The Manager Business Innovation and Technology Services will maintain a register of all standards relating to ICT policies.

3. The Manager Business Innovation and Technology Services will maintain a register of exceptions to ICT policies.

4. All Councillors and employees have an obligation to report Information Security breaches to the Manager Business Innovation and Technology Services.

5. All Councillors and employees have an obligation to understand the value and sensitivity of information they handle and to manage it accordingly.

6. All Councillors and employees have an obligation to not release information that they know, or should reasonably know, is information that is confidential to the Council.

7. Council Officers specifically listed in Council delegation 1407 are the only employees who have the authority to:

a. Determine a document is confidential
b. Accept a document under conditions of confidentiality
c. Determine a document is no longer confidential
d. Make accessible or disclose information that is either confidential or not confidential

For matters concerning Access Management refer to Attachment A. For matters concerning Security Incident Management refer to Attachment B. For matters concerning Information Security Classification refer to Attachment C.


SCOPE
This policy encompasses all information, ICT Services and ICT assets (refer Appendix B – Definitions) that are owned, managed or operated by the Council, and applies to all Council employees and Councillors for the duration of their employment or term of office with Council. Note: while the policy is now Administrative, any amendments to the policy as it applies to the Councillors will need to be considered by Council. See Council Decision GA16.0125.007. This policy has an information security classification of PUBLIC.

http://creativecommons.org/licences/by/3.0/au This work is licensed under a Creative Commons Attribution 3.0 Australia Licence. To attribute this material, cite Council of the City of the Gold Coast (Council), Information Security Policy.

DEFINITIONS
See Appendix B for definition of terms used in this policy.

SUPPORTING DOCUMENTS
Appendix A – Roles and Responsibilities
Appendix B – Definitions
Attachment A – Information Security Access Management Standard
Attachment B – Information Security Incident Management Standard
Attachment C – Information Security Classification Standard

Related Procedures, Standards and Guidelines
Information and Communication Technology (ICT) Resource Usage Standards
Physical Security Classification Standards and Guidelines
Remote Access End User Guide
Remote Access Service – Reference Document
Queensland Government Information Standard 18 (IS18) and associated artefacts
Queensland Government Authentication Framework (QGAF)
AS/NZS ISO/IEC 27001-27005:2006 Information technology – Security techniques – (including Information security management systems – Requirements; Code of practice for information security management)
Information Standard 38, Use of ICT Facilities and Devices (IS38)
Queensland Government Counter-Terrorism Strategy 2008-2012 – Department of the Premier and Cabinet (function now residing in Queensland Police)
Queensland Counter Terrorism Plan 2007 – Department of the Premier and Cabinet (function now residing in Queensland Police)


RELATED POLICIES AND DELEGATIONS
Asset Custodianship Policy (Infrastructure and Land)
Audit Committee Policy
Business Continuity and Internal Incident Management Policy
Code of Conduct for Employees Policy
Complaints (Administrative Actions) Policy
Corporate Security Policy
Delegated Power and Authorisations Policy
Disciplinary Policy
Enterprise Risk Management Policy
Equitable Access Policy
External Communication Policy
Expenses Reimbursement and Provision of Facilities for Mayor and Councillors Policy
Fraud and Corruption Control Policy
ICT Resource Usage Policy
Information Management and Information Privacy Policy
Internal Audit Policy
Portable and Attractive Items Policy
Procurement Policy and Contract Manual
Recruitment Selection and Appointment Policy
Right to Information and Information Provision Policy
Working from Home Policy

Delegation: DE01407
Delegation Description: To decide information as confidential to the Council, to accept information under conditions of confidentiality and to make accessible or to disclose information that is confidential.

LEGISLATION
Queensland legislation:
Crime and Misconduct Act 2001
Electronic Transactions (Queensland) Act 2001
Evidence Act 1997
Information Privacy Act 2009
Local Government Act 2009
Public Interest Disclosure Act 2010
Public Records Act 2002
Public Sector Ethics Act 1994
Right to Information Act 2009
Statutory Bodies Financial Arrangements Act 1982
Workplace Health and Safety Act 2011
Work Health and Safety Regulation 2011

Commonwealth legislation:
Cybercrime Act 2001
Security Legislation Amendment (Terrorism) Act 2002
Spam Act 2003
Telecommunication Act 1997


RESPONSIBILITIES
Sponsor: Director Organisational Services
Owner: Manager Business Innovation and Technology Services

VERSION CONTROL

Document       Date      Approved                        Amendment
23526603 v5    19.08.16  GA16.0125.007 / G16.0129.008    Major amendments
23526603 v4    12.12.14  GA14.1209.012 / G14.1212.015    Council approval
23526603 v3    16.09.13  GA11.1012.001 / G11.1017.014    Council approval
23526603 v2    26.10.11  iSpot #30835825                 Minor change
23526603 v1    15.02.11  CGC07.0704.009                  iSpot 30505544


Information Security Policy Appendix A – Roles and Responsibilities


Chief Executive Officer (CEO)
The CEO is ultimately accountable for information security in the Gold Coast (Council) and will:
• Ensure that a policy is in place and a “security aware” culture is established.
• Approve changes to the policy that do not change the intent or impact the governance of the policy.

Policy Owner
Is responsible for high level leadership of the policy, ensuring policy governance is adequately implemented.

Manager Business Innovation and Technology Services
a. is accountable for ensuring the coordination, communication, and implementation of this policy
b. will provide advice on Information Security Policy
c. will approve information security architecture, standards, and processes and recommends changes to this policy and supporting documentation
d. is responsible for providing exemptions to this policy
e. is responsible for the establishment of a Security Incident Response Team and Security Incident Management
f. is responsible for the performance of information risk assessments
g. monitors and reports on compliance and performance as required
h. leads investigations into alleged Information Security breaches that are not likely to result in official misconduct proceedings
i. ensures coordination of corporate policy awareness
j. approves changes to standards, guidelines and procedures that do not change the intent or impact the governance of the policy

Executive Coordinator Business Engagement
a. will ensure policy implementation, maintenance and the application of information security as part of the Council’s Information Management Strategy
b. recommends information security architecture, standards, policies and processes
c. approves compliant designs
d. facilitates information security risk assessments
e. is responsible for the provision of advice regarding confidentiality maintenance on external information provided to Council
f. will lead Security Incident Response Teams when the Manager Business Innovation and Technology Services is unavailable

Executive Coordinator Information Solutions
Will lead Security Incident Response Teams when the Executive Coordinator Business Engagement (EC-BE) is unavailable.

Directors
a. will provide leadership, and within their Directorate, ensure directorate strategy is in place, and that a “security aware” culture is promoted through Corporate and on the job training
b. ensure that all ICT systems have an information asset custodian identified and recorded in the Configuration Management Database (CMDB)
c. co-operate with the CEO and other Directors to implement the Information Security Policy
d. notify the Executive Coordinator Business Engagement to update the Information Asset Register with any changes in Information Asset Custodians
e. must ensure that an appropriate level of resources is available, or Council is made aware of the need for additional resources to implement security controls that manage information security risks


Managers

a. will ensure that staff under their direction comply with the Information Security Policy and attend relevant training or information sessions

b. will ensure that all adopted guidelines, standards and procedures relevant to their staff, business functions and services, are implemented with their branches

c. responsible for disciplinary matters resulting from the findings of information security breach investigations. This excludes matters that may result in official misconduct proceedings

Manager Internal Audit

a. will act in accordance with the Internal Audit Policy and the Audit Advisory Committee Policy

b. will be engaged by the policy owner and areas of Council to ensure compliance to standards referred to in the Information Security Policy on a risk-based rotational basis

Executive Coordinator Integrity and Ethical Standards
Is responsible for all matters that result in official misconduct proceedings.

Information Asset Custodians

a. will specify information security classifications under delegation for information and information management requirements. Custodians with delegation 1407 will also grant access to confidential information and only they can authorise disclosure of confidential information (see Attachment C Information Security Classification Standard of this Information Security Policy). Additional roles and responsibilities for Information Asset Custodians are also defined in the Management and Information Privacy Policy

b. are accountable for the management and protection of information assets/systems. This includes ensuring appropriate system security controls are implemented and all procedures are documented, maintained and followed. Conducts ‘Threat and Risk’ assessments on the relevant information assets/systems. Responsibilities may be delegated but the accountability remains with the Custodian

System Administrators
Will develop, implement and monitor security procedures on systems in their charge. Monitor the security of their information and systems, and where necessary advise the Information Asset Custodian of security problems.

ICT Security Officers
Will research, develop, recommend, implement, maintain and monitor security systems and procedures on Council systems in consultation with the Business Innovation and Technology Services Branch.

Enterprise Architecture Team
Will develop information security architecture, approve information security design documentation, assist in planning and transitioning to required information security and ensure alignment to overall business needs and architecture.

Asset Data Manager
Will perform roles as set out in the Asset Custodianship Policy (Infrastructure and Land)

Information Users (including Councillors) – will ensure that:

a. Council’s information systems and associated processes are used in a security conscious manner according to relevant information security policies and instruments and the Code of Conduct – Standards of Conduct Part 3 (iv) Privacy.

b. an information security incident is reported in accordance with this Information Security Policy Attachment B – Information Security Incident Management Standard.


Information Security Policy Appendix B – Definitions


Terms, abbreviations and acronyms

Meaning

Accountability Public authorities and their employees must be able to account to regulatory authorities, ministers, clients and the public to meet statutory obligations and community expectations.

Access Authorisation The system controls and surrounding processes that provide or deny parties the capability and opportunity to access systems (i.e. gain knowledge of or to alter information or material on systems). In practice, the act of authorising access usually occurs after authentication has been successful. Authentication checks if the party is who they claim to be. Access authorisation checks what the party is allowed to do.

Availability Ensuring that authorised users have access to information or equipment and services when and where required.

Authentication Process that verifies the claimed identity of an individual as established by an identification process.

Authorised Use Use by individuals who have received authorisation before operating the relevant device or service and agreed to abide by the policies, guidelines and local practice arrangements for use of the relevant facility or device, and who have appropriately acknowledged this agreement where required.

Business Area A generic term that includes a group, division, branch, section, or unit of Council.

Business Continuity Plan

A plan that describes a sequence of actions, and the parties responsible for carrying them out, in response to a series of identified risks, with the objective of restoring normal business operation as soon as possible.

Cloud Computing A utility model for gaining access to processing and storage capacity without having to own any hardware. A capacity on demand model where you pay someone else for the use of their capacity and you do not necessarily care how or where it is delivered.

Confidentiality Ensuring that information is accessible only to those authorised and is protected from unauthorised disclosure or intelligible interception.

Confidential Information

Information that requires protection from unauthorised disclosure. It includes information determined to be IN-CONFIDENCE, PROTECTED, HIGHLY PROTECTED.

Council Council of the City of Gold Coast

Data Unprocessed, or raw information that is collected for a prescribed business function. Data can take many forms, such as computer and hard copy records or sets of figures, as well as data materials from which data may be derived, such as rock or core samples, laboratory specimens or seismic logs.

Document Document includes any:
1. paper or other material on which there is writing;
2. paper or other material on which there are marks, figures, symbols or perforations having a meaning for a person qualified to interpret them;
3. disc, tape or other article or any material from which sounds, images, writings or messages are capable of being produced or reproduced (with or without the aid of another article or device).

Employee All temporary and permanent staff, consultants, contractors, students or any other person who provides services on a paid or voluntary basis to Council.

Evidence The records of a business transaction which can be shown to have been created in the normal course of business activity and which are inviolate and complete.

ICT Information and Communication Technology.

ICT Assets ICT hardware, software, systems and services used in the Council’s operations including physical assets used to process, store or transmit information.

ICT Products and/or Services

ICT products and/or services generally cover all types of technology (data, voice, video, etc.) and associated resources, which relate to the capture, storage, retrieval, transfer, communication or dissemination of information through the use of electronic media. All resources required for the implementation of ICT are encompassed, namely equipment, software, facilities and services, including telecommunications products and services that carry voice and/or data.

Information Information is defined as:
1. A collection of data or documents that are processed, analysed, interpreted, organised, classified or communicated in order to serve a useful purpose, present facts or represent knowledge in any medium or form. This includes presentation in electronic (digital), print, audio, video, image, graphical, cartographic, physical sample, textual or numerical form.
2. A message, usually in the form of a document or an audible or visible communication, meant to change or inform the way a receiver perceives something and to influence judgment or behaviour; data that makes a difference.
3. Patterns in data.
4. That which reduces uncertainty.

Information Asset An identifiable collection of data stored in any manner and recognised as having value for the purpose of enabling the Council to perform its business functions, thereby satisfying a recognised Council requirement. Note: Data or information from an external source does not need to be managed as the council’s information asset. However, any modification of this information will create a new information asset that will require management.


Information Asset Custodian (Information Custodian)

A custodian of an information asset is preferably a manager and is responsible for ensuring corporate information is collected and maintained according to specifications and priorities determined by consultation with the user community, and made available to that community and in a format that conforms with Council’s standards and policies. Custodianship is assigned using the following criteria.

• Have sole statutory responsibility for the capture and maintenance of the information.

• Have the greatest operational need for the information.

• Are the first to record changes to the information.

• Are the most competent to capture and/or maintain the information.

• Are in the best position to justify collection of the information at source.

• Require the highest integrity of the information.

• Where consensus cannot be reached the Manager Business Innovation and Technology Services will allocate custodianship.

Information Security Preservation of confidentiality, integrity and availability of information; in addition, other properties such as authenticity, accountability, non-repudiation and reliability can also be involved.

Information Security Incident

A single or a series of unwanted or unexpected information security events that have a significant probability of compromising business operations and threatening information security.

Information Security Management

Part of the overall management system, based on a business risk approach, to establish, implement, operate, monitor, review, maintain and improve information security. The management system includes organizational structure, policies, planning activities, responsibilities, practices, procedures, processes and resources.

IS18 Queensland Government Information Standard 18.

Integrity The assurance that information has been created, amended or deleted only by the intended authorised person and/or means, and that the accuracy and completeness of the information and its processing methods are safeguarded.

Network A communications capability that enables one user to connect to another user or system.

Security Controls Hardware, procedures, policies and physical safeguards that are put into place to assure the integrity and protection of information and the means of processing and accessing it.

Third Party An individual or an organisation external to Council that provides labour or services to Council.


Information Security Policy Attachment A – Information Security Access Management Standard


Purpose and Scope
Access Management uses different measures to protect the Council of City of Gold Coast (Council) information from theft, unauthorised use or malicious/accidental destruction; whilst at the same time providing the appropriate levels of access to this same information in a timely and effective manner. This standard specifies the Access Management controls that must be applied to Council’s information assets and ICT assets.

General Controls
By protecting their information assets Council can maintain the required levels of confidentiality, integrity and availability required of, and over their information assets. Control mechanisms based on business requirements and assessed/accepted risks for controlling access to all information assets and ICT assets must be established. Access control rules must be consistent with business requirements, information classification, and legal/legislative obligations. Controls must be applied that will include monitoring and logging of activity on information networks and systems, and restrict access to the information based on the information’s security classification and requirements for access. Access to information assets and systems will be granted to users based on their role requirements and duties. Councillors and Council employees must ONLY access CONFIDENTIAL information that relates to their role requirements or duties while in the course of performing their role requirements or duties.

Segregation of duties
Duties, roles and areas of responsibility must be segregated in order to minimise the risk of misconduct, unauthorised access, modification or compromise of information assets and systems. Access rights will be aligned with the segregation of duties.

User Access Management
User responsibilities
The responsibilities of users accessing Council’s resources include but are not limited to:

a. User logins will be unique and used to monitor actions related to the use of Council resources, Information, Services, equipment and assets.

b. ICT users are personally responsible and accountable for their use of Council's information systems, networks, Internet and e-mail, including usage under their login account (user name and password) i.e. password protection.

c. Complying with Council policies, standards, processes and guidelines, especially in relation to information and information system access.

d. Securing Council equipment, especially while it is unattended; maintaining a clear desk and electronically locking a display screen where information is classified as CONFIDENTIAL.

Councillors and Council employees must comply with the local government principles identified in s4 of the Local Government Act 2009. Council employees are further required to comply with the Council Code of Conduct for Employees.


Authorisation of Access Information

Requirement for access to be validated
Regardless of the format of the information (e.g. paper, applications, electronic documents), user access rights should be assigned based on the requirements of their role. The user’s manager must confirm the requirement for the user to access the information as part of their job prior to actioning an access request. Requests for external parties acting as agents of Council to deliver or assist in delivering Council services to access Council’s non-PUBLIC information must be validated by the Council Contract Representative (CCR) or the manager responsible for engaging the external party. Refer to the Right to Information and Information Provision Policy for requests from external parties not acting as agents of Council to access non-public information.

Requirement for special network access to be validated
Special network access (sometimes also known as special privileges) is defined as elevated rights or privileges that allow some or all technical controls to be bypassed or over-ridden within all or a portion of Council’s IT environment. The provision of Special network access to an individual or role automatically means the person or role is operating in a “Position of Trust”. Where possible, special network access will be allocated to roles rather than individuals. Examples include:
• The ability to install software locally.
• Administrator rights to an application, system, operating system, device, appliance or similar.
• Microsoft Active Directory Domain administrator privileges.
• Network management utilities and network infrastructure.
• Security management utilities and security infrastructure.

Requirement for information asset custodians to approve access to CONFIDENTIAL information
The information asset custodian will approve the user’s request to access CONFIDENTIAL information or special network access. Where multiple information assets are involved or the information asset custodian is unavailable, the Manager Business Innovation and Technology Services may approve access requests and special network access requests. Access requests and special network access requests may be pre-approved for particular roles, positions or types of access requests. Pre-approval must be recorded. An information asset custodian may authorise suitably qualified individuals to grant access requests on their behalf. Authorisation and any conditions placed on the approval or how the approval is to be performed must be recorded.

Requirement for timely notification of changes to access or network special access to be reviewed periodically
All changes to an employee’s duties must be reflected in their access rights, which include the review of access controls to all information assets and ICT assets. User access must be disabled or modified when users change jobs, or leave Council permanently, or are on leave for three months or longer. Changes must be carried out on a timely basis. When a user changes roles within Council, the user’s old manager is responsible for revoking access and special network access prior to the user moving into a new role. When a user enters a new role, the user’s manager is responsible for ensuring the employee’s access and network special access is adequate and correct.


Requirement for access and special network access to be monitored and reviewed periodically

User access rights will be regularly reviewed by Information System Custodians to ensure that any unnecessary privileges will be removed and any unauthorised use of privileges will be detected and addressed. Refer to the Information Management and Information Privacy Policy for more detail on Information Asset Custodians.

Manager Business Innovation and Technology Services may revoke Information Access and Special Network Access

Information Access and Special Network Access may be revoked at any time by the Manager Business Innovation and Technology Services, if they form a reasonable suspicion that continued provision of access or special network access is not in the overall interests of the organisation or the public.

Password Management

User Responsibilities

• Computer users with logon authorisation to Council’s computer network or information systems are to maintain the security of their login accounts (user name and password).

• Users will maintain the confidentiality of their own password and ensure that passwords are not shared with, or disclosed to, any other party.

• Users must not record their passwords in a format that may be viewed or identified by an unauthorised party (including notebooks or ‘reminders’ on computers).

• User names (with the exception of payroll number based user names) are classified as ‘CONFIDENTIAL’. All passwords are classified as ‘CONFIDENTIAL’.

• Under no circumstance are users to disclose their password to another person or to use the password of another person.

Implementation

The following controls will be implemented to minimise the risk of unauthorised access to information assets and ICT assets:

• Users will be required to change temporary passwords at the first logon;

• Users will be required to change their password after 60 days and will not be able to reuse a password for at least 3 cycles;

• Users must keep a new password for 2 days before it can be changed;

• Passwords must not contain the user’s account name or parts of the user’s full name that exceed two consecutive characters;

• Passwords must be at least 8 characters in length;

• Passwords must contain characters from at least three of the following four categories:

o English uppercase characters (A through Z);
o English lowercase characters (a through z);
o Base 10 digits (0 through 9);
o Non-alphabetic characters (for example !, $, #, %);

• User access will be locked after 10 rejected attempts to logon;

• Users will be educated in selecting and using passwords;

• All vendor and default passwords must be changed prior to an application or system going into operation;

• Council workstations, servers, laptops and mobile devices must enforce a password protected screensaver after 20 minutes of inactivity to ensure that computers are not utilised by another party;

• Councillors’ smart phones are subject to a password protection lock after 60 minutes of inactivity.
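The complexity, name-fragment, reuse and lockout controls listed above can be expressed as a small validation routine. The following is an added example written for this page, not Council’s own implementation: the numeric limits are taken from the standard, but the interpretation of “parts of the user’s full name” as name tokens of three or more characters, the salted PBKDF2 digests used for the password history, and the `LogonCounter` class are assumptions. The date-based rules (60-day expiry, 2-day minimum age) are not covered.

```python
"""Password policy checks modelled on the controls in this standard (added example)."""
import hashlib
import hmac
import os
import re
import string
from typing import List, Optional, Sequence, Tuple

MIN_LENGTH = 8          # "at least 8 characters in length"
MIN_CATEGORIES = 3      # "at least three of the following four categories"
HISTORY_DEPTH = 3       # "not be able to reuse a password for at least 3 cycles"
MAX_FAILED_LOGONS = 10  # "locked after 10 rejected attempts to logon"

# Assumption: the full name is split into tokens on these delimiters and any
# token of three or more characters must not appear in the password.
_NAME_DELIMITERS = re.compile(r"[ ,.\-_#\t]+")


def _name_tokens(account_name: str, full_name: str) -> List[str]:
    """Lower-cased account name and full-name tokens that are long enough to matter."""
    tokens = [account_name] + _NAME_DELIMITERS.split(full_name)
    return [t.lower() for t in tokens if len(t) >= 3]


def _category_count(password: str) -> int:
    """Number of the four character categories present in the password."""
    has_upper = any(c in string.ascii_uppercase for c in password)
    has_lower = any(c in string.ascii_lowercase for c in password)
    has_digit = any(c in string.digits for c in password)
    has_other = any(c not in string.ascii_letters + string.digits for c in password)
    return sum([has_upper, has_lower, has_digit, has_other])


def history_entry(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2 digest stored for reuse checks (assumed scheme, not Council's)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return salt, digest


def check_password(password: str, account_name: str, full_name: str,
                   history: Sequence[Tuple[bytes, bytes]] = ()) -> List[str]:
    """Return the policy rules the candidate password violates (empty list = acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if _category_count(password) < MIN_CATEGORIES:
        problems.append(f"fewer than {MIN_CATEGORIES} of the 4 character categories")
    lowered = password.lower()
    for token in _name_tokens(account_name, full_name):
        if token in lowered:
            problems.append(f"contains name fragment '{token}'")
    # Only the most recent HISTORY_DEPTH entries are compared, constant-time.
    for salt, digest in list(history)[-HISTORY_DEPTH:]:
        if hmac.compare_digest(history_entry(password, salt)[1], digest):
            problems.append(f"reused within the last {HISTORY_DEPTH} passwords")
            break
    return problems


class LogonCounter:
    """Tracks consecutive rejected logons and locks after MAX_FAILED_LOGONS."""

    def __init__(self) -> None:
        self.failed = 0
        self.locked = False

    def record(self, success: bool) -> bool:
        """Record one logon outcome; returns True if the account is now locked."""
        if self.locked:
            return True
        if success:
            self.failed = 0
        else:
            self.failed += 1
            if self.failed >= MAX_FAILED_LOGONS:
                self.locked = True
        return self.locked


if __name__ == "__main__":
    # Constructed sample user; "Johnsmith1!" fails only on the name-fragment rule.
    print(check_password("Johnsmith1!", "jsmith", "John Smith"))
    print(check_password("Pa$sw0rd", "jsmith", "John Smith"))
```

Each rule reports separately so a help desk or self-service page can tell the user which control was breached; the name check is case-insensitive because the standard’s wording does not limit it to exact-case matches.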


Network Access Controls

Access to Council’s networks will be provisioned using standardised mechanisms. Network access will be controlled and monitored to prevent unauthorised access, modification or destruction of Council information assets, ICT services and ICT assets. Council’s network will be divided into Local Network Zones based on the type of services being provided and the associated risk. Firewalls and routing technology will be used to control the communication between different networks. Access to network management utilities and network and security infrastructure will be restricted to ensure that network controls cannot be modified by unauthorised users. Gateway and firewall technology will be used to filter and control network communications. Controls will be implemented to protect Council’s information and ICT assets from external threats originating through remote access technology. Council will provide secure authentication methods for remote users.

Operating System Access Controls

Council will minimise the risk of unauthorised access to operating systems by:

• Providing secure log-on procedures for operating systems.

• Ensuring that minimal information is disclosed about the system.

• Ensuring the log-on is validated only upon correct input of all data.

• Assigning all users a unique identifier (user ID) and suitable authentication techniques to substantiate their identity.

• Disabling user IDs when they are no longer required, rather than re-assigning or removing them.

• Restricting and controlling the use of systems/software that may have the capability of overriding system and application controls.

Authentication Management

Council will ensure that the identity of an individual who requests access to, or the amendment of, his or her confidential information held by Council is authenticated before access is provided or the information is amended. The Queensland Government Authentication Framework (QGAF) will be used by Council to evaluate the risk associated with the services Council offers and determine the level of authentication assurance required.

Customer Registration

Customer registration is a process that allows a customer to provide credentials to Council for confirming their identity. Registration provides added security for the customer in terms of protecting their personal and confidential information from access by unauthorised persons. A customer must register at a Council Administration Centre or Branch over the counter by completing the appropriate Council form. As Council increases access to on-line services, on-line registration may be required to securely enable increased levels of access by customers to their information. If an assessment under the QGAF indicates registration is required, the following should be considered:


Customer Registration – Method 1

• full name

• residential address

• postal address

• email address (if applicable)

• phone number (if applicable)

• date of birth

• sex

• the customer must also provide at least one of the following:

− rate account number
− property description
− animal registration number
− Council licence or permit number (e.g. food licence)

Customer Registration – Method 2

A customer may register over the counter by producing a driver’s licence, passport or other suitable evidence of identity (EOI).

EOI documents must be returned to the customer once their registration information has been recorded. A note is to be made that the document has been sighted. Documents are not to be copied or retained by Council. Once registered, the customer may be provided with identifiers such as a username, password, customer reference number. A secret question and answer is highly desirable but optional.

Customer Authentication

Customer authentication confirms that the customer using a service to request access to or amendment of information is in fact the customer who is registered with Council and is authorised to use the service.

If a customer is registered they should provide information that has been provided during the registration process (e.g. customer reference number, date of birth or password), before being permitted to access or amend any confidential information.

If a customer is not registered with Council, the customer must provide the following information for authentication purposes:

a. QGAF Low Level Authentication requirement: requirements as documented in Contact Centre Reference Document (CC-R6)

b. QGAF Other than Low Authentication requirement: the Information Asset Custodian/Information System Custodian should consider:

i. full name
ii. sex
iii. residential address
iv. postal address
v. email address (if applicable)
vi. phone number (if applicable)
vii. the customer must also provide at least one of the following:
    viii. rate account number
    ix. property description
    x. animal registration number
    xi. Council licence or permit number (e.g. food licence)
xii. date of birth if available to Council


A customer may be authenticated by providing the appropriate EOI (see above).

Information Disclosure

• Customer authentication is not required for the disclosure of information that is classified as PUBLIC (some personal information is classified as PUBLIC).

• Customer authentication is required when a customer requests access to, or the amendment of, information that is classified as CONFIDENTIAL.

• Information that is classified CONFIDENTIAL must not be disclosed without the recorded consent of the Information Asset Custodian.

• Unclassified information must be assessed by the relevant information asset custodian and classified before it can be disclosed.

Information Privacy

• The provisions of the Information Privacy Act 2009 (IP Act) are covered by the Information Management and Information Privacy Policy. Refer to the Information Management and Information Privacy Policy for detailed information.

• Council must give an individual access to their personal information if requested and ensure that personal information is only used and disclosed in accordance with the purpose for which it was collected.

• When registering or authenticating the identity of a customer, Council can only collect the information that is necessary for customer registration and authentication purposes and provision of the service.

• The customer must be provided with a collection notice stating that the information will be used for registration and authentication purposes.

• Unless exemptions apply, personal information collected for registration and/or authentication must only be used and disclosed in accordance with the collection notice.

Non Repudiation

The registration and some authentication processes may require undeniable proof that the transaction has occurred involving a specific identity. Non-repudiation controls must be applied to prevent the party or Council from being able to deny receipt or transmission of information or participation in a transaction. Where this is the case, the registration and authentication processes must be sufficiently rigorous to be able to provide evidence to prevent a party from repudiating any transactions, that is, from claiming that they were not the person that Council was dealing with at the time.

False Statements

Parties should be advised that to make false, misleading or deceptive representations can amount to a criminal offence.

Remote Access Service

Remote Access Service (RAS) is the ability to access the Council network from another location (i.e. home or a non-networked site). It is used by Council staff (across all directorates) to access their network files, applications and email. RAS supports the Working from Home Policy and the Expenses Reimbursement and Provision of Facilities for Mayor and Councillors Policy. Information on how to obtain remote access service is provided in the Remote Access Service – Reference Document.


Remote Access User Responsibility

• All users must comply with this standard, other relevant policies and supporting policy instruments.

• All remote access users must notify their manager and the Manager Business Innovation and Technology Services immediately once they no longer require access privileges.

• A remote access user must keep their remote access login and authentication details secure at all times. These details are issued to an authorised user for their authorised use only. Any loss must be immediately reported to Business Innovation and Technology Services Service Desk.

• Council computers must be switched off when not in use, to prevent unauthorised access to the Council network and to support sustainable business practices.

• Council computers must be secured to the vehicle or out of public view when a vehicle is unattended.

• Users may be held personally responsible for the cost of any loss or damage of computers and accessories when such loss or damage exceeds normal wear and tear and can be attributed to negligence. All loss or damage must be reported to the Service Desk and an Information Security Incident Report (ISIR) lodged in the Online Safety Management System (HandS) in line with the requirements of the Portable and Attractive Items Policy.

More detail for users is available in the Remote Access End User Guide.


Information Security Policy Attachment B – Information Security Incident Management Standard


Introduction

An information security incident has a significant probability of compromising business operations and threatening information security. It may be an act of unauthorised access, disclosure, modification, misuse, damage, loss or destruction. Information security incident management ensures information security events and incidents associated with information systems are communicated in a manner allowing timely corrective action to be taken. It is a breach of Council’s Information Security Policy to not report information security incidents as defined in this standard. In cases where there is reasonable suspicion that a security incident may occur or has occurred, the incident should be reported. The Corporate Security Policy (Principle 8 Security Breaches & Incidents) also requires that there be a central corporate system for security breach and incident reporting.

Responsibilities and Procedures

Incident management responsibilities and procedures shall be established to ensure a quick, effective and orderly response to information security incidents, and are to be documented in Information Security Incident Response Plans (ISIRPs). The Manager Business Innovation and Technology Services is responsible for approving all ISIRPs. The Manager Business Innovation and Technology Services will be the chair of the Information Security Incident Response Team (ISIRT). In the event that the Manager Business Innovation and Technology Services is unavailable, the Executive Coordinator Business Engagement shall become the chair of the ISIRT. The most serious security incidents will need to be escalated to Corporate Risk to determine if a coordinated effort is required by business units, business areas and possibly the business owners of affected systems or applications.

In the event of an information security incident the Manager Business Innovation and Technology Services will make a decision to form the ISIRT, and a decision to escalate to Corporate Risk for activation of the Internal Incident Management Plan. If the Internal Incident Management Plan is activated, the Manager Corporate Risk becomes the Incident Controller. The ISIRT will still be required to fulfil its function under the coordination of the Internal Incident Management Plan. Business Innovation and Technology Services Branch shall have approved Information Security Incident Response Plans (ISIRPs) to guide the team in the management of the incident response throughout its lifecycle.

Learning from Information Security Incidents

All lessons learned from information security incidents shall be documented in accordance with this Standard and provided to the Manager Business Innovation and Technology Services.

Collection of Evidence

It must initially be assumed that follow-up action against a person or organisation after an information security incident will involve legal action (either civil or criminal). Evidence must be collected, retained, documented and managed in accordance with documented Policy standards. Care must be taken to establish and maintain a “chain of custody” for all evidence gathered. Evidence collection should be conducted in consultation with the Corporate Security Advisor and the Integrity and Ethical Standards advisor in Corporate Assurance.


If an individual is not confident on how to do this, the individual must ask for assistance from the Manager Business Innovation and Technology Services rather than compromise the evidence or chain of custody of the evidence.

Information Security Incidents

Vulnerability and exposure are key factors in determining the severity of an incident and any disruption-related risks to Council’s business. The table below provides a guide to rating incident severity according to impact. Staff members will use this guide to assist them in determining the incident severity rating and response.

Incident levels two and three represent significant and major concern to Council. Where required, further advice on corporate level incidents may be sought from Council’s Corporate Safety and Risk Branch.


INFORMATION SECURITY INCIDENT MANAGEMENT BY LEVEL OF SEVERITY

Rating: Level 0 / Level 1 / Level 2 / Level 3

Severity Impact
Level 0: None / Negligible
Level 1: Minor
Level 2: Significant
Level 3: Major

Description
Level 0: Little or no effect or impact on the ICT operations, infrastructure or property. May consist of identified attempts to actively breach Information Security.
Level 1: May affect operations, information assets or cause minor infrastructure failure or interruption to work flow for a short period of time. These types of incidents are normally limited to the immediate area and can usually be resolved within existing organisational arrangements and available resources. A small number of information assets critical to Council services temporarily unavailable (less than one day).
Level 2: Level 2 incidents significantly affect the confidentiality, availability and integrity of information assets through theft, loss or destruction. Several business services or information assets are adversely affected. Multiple critical operations disrupted for an extended period of time. Requires an escalated level of response from Information Security decision makers.
Level 3: Large scale infrastructure failure, affects the whole-of-Council (people and property). Complex scenario/s due to cascading consequences which may involve issues of life safety. Resources may be either inadequate, unavailable or at risk of being overwhelmed. Critical operations substantially disrupted which may lead to legal liability.

Possible Triggers
Level 0: Abuse of privileges or password confidentiality by a Councillor or Council employee (not extending to super user or root or administration privileges). Attempt to gain unauthorised access to ICT resources, either from within or outside of the computing network. Inappropriate content on a device. Unauthorised modification to ICT system hardware or software without the custodian’s knowledge or permission. Virus/Trojan/worm found on more than one system, or an inability to contain and remove the code from a single system. Targeted unsuccessful attack against COGC systems.
Level 1: Minor asset/infrastructure failure that causes an interruption to work flow. A privacy breach that is the result of in-confidence information assets being wrongfully disclosed, lost or stolen. A small number of information assets critical to Council services are temporarily unavailable (less than one day). Potential for local media to be involved. Potential for critical operations to be disrupted for a relatively short period.
Level 2: Several business services impacted significantly by an ICT security incident. A privacy breach that is the result of protected or highly protected information assets being wrongfully disclosed, lost or stolen. Several information assets critical to Council services destroyed, lost or stolen. Council’s reputation could be seriously impacted with state-wide news coverage. Multiple critical operations disrupted for an extended period of time.
Level 3: Large scale infrastructure failures, acts of terrorism. Council’s reputation will be seriously impacted with nation-wide news coverage. Several information assets critical to Council services destroyed, lost or stolen. Whole of Council affected (people, property). Critical operations substantially disrupted leading to legal liability.

Incident Controller
Levels 0 to 2: Manager Business Innovation and Technology Services
Level 3: Manager Corporate Risk

ISIRT
Information Security Incident Response Team members include Manager Business Innovation and Technology Services; Exec Coordinator Business Engagement; Exec Coordinator Information Solutions; Corporate Security Advisor; Mgr Internal Audit. If required: Exec Coordinator (Lawyer) Integrity & Ethical Standards; Exec Coordinator Corporate Risk.

Response
Level 0: Service Desk - Business as Usual for Incident management. Monitor – Is the Incident still Ongoing?
Level 1: The ISIRT may need to be formed. Media management. Chain of evidence required for potential forensic investigation. Monitor – Is the Incident still Ongoing?
Level 2: The ISIRT usually needs to be formed. Media management. Potential mobilisation of business resources and deployment of staff. Potential activation of Internal Incident Management Plan. Chain of evidence required for potential forensic investigation. Monitor – Is the Incident still Ongoing?
Level 3: The ISIRT will be formed. Media management. Mobilisation of business resources and deployment of staff. Activation of Internal Incident Management Plan. Chain of evidence required for potential forensic investigation. Political intervention may be instigated. Monitor – Is the Incident still Ongoing?

Steps
Level 0:
a. Create a Security Incident Record using the Business Innovation and Technology Services Service Desk incident response procedures (Service Now)
b. Registration: Within two (2) days of being detected, complete a Security Incident Report (HandS) and forward to Manager Business Innovation and Technology Services
c. Initial Assessment by Notifier and their Supervisor
d. Ongoing Assessment, if required, by Manager Business Innovation and Technology Services and Executive Coordinators
Level 1:
a. Immediate registration in the Notable Incident Register (HandS) by Incident Owner
b. Initial Assessment by Notifier and their Executive Coordinator
c. Ongoing Assessment by Manager Business Innovation and Technology Services and Executive Coordinators.
Level 2: Immediate registration in the Notable Incident Register (HandS) by Incident Owner. Initial Assessment by Notifier and their Executive Coordinator. Ongoing Assessment by Manager Business Innovation and Technology Services, Manager Corporate Risk and Executive Coordinators / ISIRT.
Level 3: Immediate registration in the Notable Incident Register (HandS) by Incident Owner. Initial Assessment by Notifier and their Executive Coordinator. Ongoing assessment by Manager Business Innovation and Technology Services, Manager Corporate Risk and ISIRT.

Escalation / De-Escalation
Level 0: Prioritised and escalated using Business Innovation and Technology Services - Service Desk incident management process.
Level 1: The Manager Business Innovation and Technology Services determines severity level and escalation / de-escalation. Manager Corporate Risk is notified.
Level 2: The Manager Business Innovation and Technology Services determines severity level and escalation / de-escalation. Manager Corporate Risk is notified.
Level 3: Manager Corporate Risk confirms business impact and activates the Internal Incident Management Plan if appropriate. Manager Corporate Risk can determine to de-escalate to Manager Business Innovation and Technology Services.

Reporting
Detail periodic reviews within HandS. Cross reference with Service Now.

IS Contact List
IS Business Continuity Plan includes Key Contacts (Critical and Back-Up persons): TRACKS-#18740312-BUSINESS CONTINUITY PLAN (BCP) - OS - Business Innovation and Technology Services - APPLICATION, DATA AND VOICE SERVICES


CLARIFICATION OF INCIDENTS AND EVENTS

Events differ from incidents in both the severity of the problem and the potential risk. Events may become incidents; however, not all events will require incident management.

Council’s incident management process requires that events be reported and logged.

The following are some sample scenarios to demonstrate the logic behind the distinction made between “Incidents” and “Events”. Events that do not result in an incident do not need to be logged in the Online Safety Management System (HandS).

Malicious code attacks

Event – User reporting that their computer may have been infected with a virus. Potential incident – Their system exhibits behaviours typical of a virus, affecting service.

Denial of resources

Event – User reporting that they can’t access a service. Potential incident – Many users reporting that they can’t access a service.

Intrusions

Event – A system administrator thinks a system has been the target of an unauthorised access. Potential incident – A system administrator finds a log indicating suspicious activities took place and unauthorised access to confidential information has been gained.

Misuse

Event – Web proxy log indicates a user has attempted to access a web site which is not permitted by Council’s ICT Resource Usage Policy and Internet filtering software. Potential incident – Web proxy log indicates a user has attempted to access such sites on a number of occasions.

Misconduct

Event – Frequent communications to an unapproved external application or website. Potential incident – User is running their own business while they are supposed to be working for Council.

Unauthorised use

Event – Accessing a document that is allowed by system permissions, but is obviously not required for the execution of one’s duties. Just because a person can access something doesn’t mean they should. Possible incident – Systematic search and access for documents not specifically related to an individual’s tasks, irrespective of the documents being confidential or not.

Hoaxes

Event – User sends an email containing false information usually associated with chain emails. Possible incident – User sends an email containing false information usually associated with chain emails asking the recipient to do the same.


Information Security Policy Attachment C – Information Security Classification Standard


Reference / Related Documents

Local Government Act 2009, current as at 7 November 2013. Chapter 6 Administration, Part 2 Councillors, s171 Use of information by councillors, Item (3); Part 5 Local government employees, s200 Use of information by local government employees, Items (5)(a), (5)(b). https://www.legislation.qld.gov.au/LEGISLTN/CURRENT/L/LocalGovA09.pdf [accessed 12 December 2013]

Standards Australia – AS/NZS ISO/IEC 27002:2006 Information technology – Security techniques – Code of practice for information security management.

Objectives

The objective of this standard is to provide a set of directives to ensure a consistent, standardised and valid approach to fulfil the requirements of the Information Security Policy statement:

These information security controls and processes will include measures to assess and protect information from misuse and loss, and from unauthorised access, modification or disclosure.

It also provides guidance on how to fulfil the Information Security Policy directive that:

All Councillors and employees have an obligation to understand the value and sensitivity of information they handle and to manage it accordingly.

Scope and Exemptions

This standard covers all information within the “effective control” of Council. All ICT activities must identify and classify the information assets stored within or transmitted through ICT services or solutions.

Prior to disclosure, all information must be classified according to this standard. Disclosure of confidential information requires the recorded exercise of delegation 1407.

The effective protection of information assets is managed through the application of appropriate controls. The mapping and definition of these controls is outside the scope of the Information Security Classification Standard.

Introduction

The Information Security Classification Standard describes the assessment of information and the assignment of a value to it, in order to organise and protect it according to its sensitivity to loss, unavailability, disclosure or compromise. The application of a security classification label to information identifies the assessed level of sensitivity.

The Council creates and receives a significant amount of information that is essential to the fulfilment of its functions. This information is held in safe custody and used in trust on behalf of the Council. Labelling information with its security classification conveys the level and nature of protective security to be applied by the persons who handle or are entrusted with it. Whether or not information is marked with a security classification label, Councillors and employees must be vigilant and exercise sound judgement before accessing, using or releasing Council information. The Local Government Act 2009 places an obligation on Councillors and employees to take reasonable steps to determine whether information is confidential.


Applying the Information Security Classification Standard

The Council, through the CEO, has delegated authority to Council officers under Delegation 1407 to:

a. Determine a document is confidential

b. Accept a document under conditions of confidentiality

c. Determine a document is no longer confidential

d. Make accessible or disclose information that is either confidential or not confidential

Refer to Delegations and Authorisations Register, Delegation 1407 - (available on the intranet, administered by Legal Services).

A classification label is used to describe the level of sensitivity that should be accorded to information and is one of four terms:

• UNCLASSIFIED

• INTERNAL

• CONFIDENTIAL

• PUBLIC

Information security classification is the process by which the value of information is assessed by performing a risk assessment, in accordance with the Enterprise Risk Management Manual, that considers the consequences that may result from the unauthorised release or misuse of the information. For this assessment the likelihood of disclosure is assumed to be 100%, so the classification is driven by consequence alone.

a. If the unauthorised disclosure of an information asset would result in a Moderate, Major or Catastrophic consequence, the information must be classified as CONFIDENTIAL.

b. If the unauthorised disclosure of an information asset would result in a Minor or Insignificant consequence, the information should preferably be classified as PUBLIC.

c. INTERNAL should be used only as a last resort, for information that is neither CONFIDENTIAL nor PUBLIC, because it is preferable to classify information as PUBLIC.

TRIGGERS TO CLASSIFY INFORMATION

The following events trigger the need to classify information, or to review its existing classification:

• A proposal to disclose information not classified as PUBLIC.

• A request to access UNCLASSIFIED information.

• A change to a service, process or solution that stores or transmits information.

• The creation of a new information asset.

• The establishment of business rules or workflows that grant pre-approved rights to create, access, update or delete an information asset (or its attributes), or the ability to change the business rules that approve those create, access, update or delete rights.

OPEN DATA

All information assets can be considered for OPEN DATA suitability regardless of their Information Security Classification.

Where it is found that only part of an information asset is suitable for OPEN DATA release, the information asset must be remodelled and reclassified; CONFIDENTIAL or INTERNAL for those parts that will not be released, and PUBLIC for those parts that can be released.


INFORMATION CLASSIFICATIONS

“UNCLASSIFIED” Information

Information that has not been assessed is considered to be UNCLASSIFIED (literally nobody has classified the information yet). A large number of the Council’s information holdings have not been classified using this standard and are considered to be UNCLASSIFIED.

Information labelled UNCLASSIFIED must not be disclosed without first assessing it and changing its classification through the exercise of Delegation 1407.

Once assessed, an information asset cannot be left with a security classification of UNCLASSIFIED; it must be changed to one, and only one, of PUBLIC, INTERNAL or CONFIDENTIAL.

“CONFIDENTIAL” Information

Notwithstanding the Council's commitment to open and transparent government, and the obligation under the Right to Information Act 2009 to create an organisational culture that proactively releases information, some information must be treated as confidential to the organisation. This includes information that, if disclosed to the public or accessed in an unauthorised manner within the organisation, could seriously impede the organisation's operations or breach a legislative or contractual obligation.

Such information must not be copied or removed from the organisation's operational control without the Information Asset Custodian’s approval.

Unless described in a more granular sense, confidential information equates to a “PROTECTED” level of security from an Information Technology Solution Design perspective.

Confidential information assets and communications relating to confidential information must be clearly labelled CONFIDENTIAL.

Information classified CONFIDENTIAL must not be disclosed to the public.

Access to CONFIDENTIAL information is on a need to know basis.

Access must be justified by a specific work-related purpose. For example, accessing confidential information to fulfil a specific task is justified; accessing confidential information out of curiosity, even where task-related access has been approved, is not.

“PUBLIC” Information

Public information is information that has been authorised for disclosure to the public, including through Council publications, web sites or social media. Such information assets must be clearly labelled PUBLIC. This also includes documents on the Disclosure Log released under Right to Information access requests once the 24-hour embargo period has expired. Whilst public information has no confidentiality requirement, it is still important to ensure its accuracy and completeness (integrity) prior to release. A statement concerning the fitness for purpose of any information considered to be PUBLIC should be included with it. Information assets must be specifically classified as PUBLIC before their release. Where information has not yet been classified, it must be treated as UNCLASSIFIED, not as PUBLIC.


“INTERNAL” Information

This is information that is not approved for general circulation outside the organisation, where its loss would inconvenience the organisation but where disclosure would not attract a sanction (for example, under a contractual or legislative obligation).

Information classified INTERNAL is not secret; it will be disclosed under a Right to Information application. It is preferable to classify information as PUBLIC rather than INTERNAL.

LABELLING OF MEDIA CONTAINING CONFIDENTIAL OR PUBLIC INFORMATION ASSETS

Confidential emails must have the word "Confidential" as the first word of the subject line and, where possible, the email's confidential flag must be enabled.

Media used to disseminate or hold CONFIDENTIAL or PUBLIC information assets must be clearly and legibly labelled with the word CONFIDENTIAL when the content is confidential, or PUBLIC when the content is public.

For example:

A document (electronic or otherwise) containing confidential information must display the label CONFIDENTIAL in both the header and the footer of the document body, in the footer of any cover page, and on the end page of the document. This ensures the parts remain clearly labelled even if they become separated.

Electronic media such as a DVD or CD must be clearly labelled when digitised content is either CONFIDENTIAL or PUBLIC.

Some information classified as CONFIDENTIAL may be released under a relevant Right to Information request.

RECORDING RESULTS OF ASSESSMENT

Once an information asset has been assessed, the assessment must be documented and stored in the record management system. The information asset must be created in the Information Asset Register or an existing entry must be updated to reflect the most recent approved classification.

Confidential information must be recorded by the Manager Business Innovation and Technology Services or their delegate in the REGISTER OF CONFIDENTIAL INFORMATION.

Information Security Classification Directives

To minimise the chance of inadvertently creating a risk where none previously existed, or of increasing the likelihood of a known risk occurring, the following directives must be followed.

CLASSIFY INFORMATION ASSETS BY DOMAIN

It is not practical to individually assess the security classification of every document created as part of a documented procedure or workflow. Therefore an information security "domain" approach is applied to the information security classification process. This helps the Information Custodian to ensure similar information is managed consistently.


A domain is a logical grouping of information. Domains are approved by the Information Custodian(s) responsible for the assets to which the domain applies. Domains allow a security classification to be automatically assigned to a group of information assets. For example:

All personnel files and related documents have been included in a domain by the Information Custodian, and all documents in that domain are security classified as CONFIDENTIAL due to the nature of the information they may contain.

However, an individual information security classification assessment may override the domain classification; for example, a specific document may be assessed by the Information Custodian as having a different classification from its domain.

CLASSIFY AS PUBLIC IF POSSIBLE

Council is committed to governing in an open and transparent manner. Information should be created and managed in a manner that allows the maximum amount of information to be disclosed to the public. Where possible, information should be clearly separated into PUBLIC and non-PUBLIC components so that the public components can be disclosed.

See the Right to Information and Information Provision Policy for a complete publication checklist that should be completed in addition to classifying information as PUBLIC prior to disclosing the information.

AVOIDING OVER-CLASSIFICATION

Information should be classified as CONFIDENTIAL only when the consequences of loss, disclosure or compromise clearly warrant the expense of increased security protection. Over-classification of information has detrimental effects, namely:

• unnecessary and costly administrative arrangements;

• a volume of security classified information too large to adequately protect;

• the devaluation of information that carries a security classification;

• the unnecessary limiting of employee and/or public access to information.

AUTOMATIC CHANGES TO SECURITY CLASSIFICATION

An Information Custodian may determine that a security classification changes once a particular condition is met, such as Council adopting the budget, completion of an application form containing personal information, the awarding of a contract, the expiry of a period of time, the passing of a specific date, or the approval of a development application. In such cases the security classification label automatically changes from one classification to another once the condition is satisfied. The information must be clearly labelled with its initial classification and must clearly state both the condition to be satisfied and the final classification.
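The rules in this standard (consequence-of-disclosure mapping to a label, domain defaults overridden by an individual assessment, an assessed asset never remaining UNCLASSIFIED, a conditional change of classification, and the "Confidential" email subject rule) can be encoded so that a labelling system applies them consistently. The following is an added illustration, not part of the City of Gold Coast standard or any Council system; the Domain and Asset records, the sample assets, and the choice of a date as the triggering condition are assumptions made for the example.

```python
"""Added example (not from the standard): the classification rules of the
City of Gold Coast Information Security Classification Standard as code.
Assumptions for illustration: assets and domains are simple records, and the
'condition' of an automatic change is modelled as a calendar date."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

UNCLASSIFIED, PUBLIC, INTERNAL, CONFIDENTIAL = (
    "UNCLASSIFIED", "PUBLIC", "INTERNAL", "CONFIDENTIAL")
# Once assessed, an asset must carry exactly one of these three labels.
ASSESSED_LABELS = (PUBLIC, INTERNAL, CONFIDENTIAL)


def classify_by_consequence(consequence: str) -> str:
    """Likelihood of disclosure is fixed at 100%, so the label follows the
    assessed consequence level: Moderate/Major/Catastrophic -> CONFIDENTIAL,
    Minor/Insignificant -> PUBLIC (the standard's preferred outcome)."""
    level = consequence.strip().lower()
    if level in ("moderate", "major", "catastrophic"):
        return CONFIDENTIAL
    if level in ("minor", "insignificant"):
        return PUBLIC
    raise ValueError(f"unknown consequence level: {consequence!r}")


def assessment_is_valid(label: str) -> bool:
    """An assessment may not leave the asset UNCLASSIFIED."""
    return label in ASSESSED_LABELS


@dataclass
class Domain:
    name: str
    default_label: str          # label inherited by every asset in the domain


@dataclass
class Asset:
    name: str
    domain: Optional[Domain] = None
    override_label: Optional[str] = None   # individual assessment beats domain
    change_on: Optional[date] = None       # condition for an automatic change
    final_label: Optional[str] = None      # label once the condition is met


def effective_label(asset: Asset, as_of: date) -> str:
    """Precedence: individual assessment > domain default > UNCLASSIFIED,
    then apply a recorded automatic change if its condition is satisfied."""
    if asset.override_label is not None:
        if not assessment_is_valid(asset.override_label):
            raise ValueError(f"{asset.name}: assessed asset left UNCLASSIFIED")
        label = asset.override_label
    elif asset.domain is not None:
        label = asset.domain.default_label
    else:
        return UNCLASSIFIED          # never assessed: must not be disclosed
    if asset.change_on is not None and asset.final_label is not None \
            and as_of >= asset.change_on:
        label = asset.final_label
    return label


def may_disclose_to_public(asset: Asset, as_of: date) -> bool:
    """Only PUBLIC may be released; UNCLASSIFIED must be assessed first."""
    return effective_label(asset, as_of) == PUBLIC


def email_subject_compliant(subject: str, label: str) -> bool:
    """CONFIDENTIAL emails must have 'Confidential' as the first subject word."""
    if label != CONFIDENTIAL:
        return True
    words = subject.split()
    return bool(words) and words[0].strip(":-").lower() == "confidential"


# Constructed sample data (not real Council assets).
PERSONNEL = Domain("Personnel files", CONFIDENTIAL)
BUDGET = Domain("Budget papers", CONFIDENTIAL)
SAMPLE_ASSETS: List[Asset] = [
    Asset("Employee leave record", domain=PERSONNEL),
    Asset("Staff newsletter", domain=PERSONNEL, override_label=PUBLIC),
    Asset("Draft budget", domain=BUDGET,
          change_on=date(2014, 6, 30), final_label=PUBLIC),
    Asset("Scanned inbound letter"),   # received, never assessed
]


def label_report(as_of_iso: str) -> Dict[str, str]:
    """Effective label of every sample asset on the given ISO date."""
    as_of = date.fromisoformat(as_of_iso)
    return {a.name: effective_label(a, as_of) for a in SAMPLE_ASSETS}


if __name__ == "__main__":
    for day in ("2014-06-29", "2014-06-30"):
        print(day, label_report(day))
```

Running the block shows the draft budget changing from the domain's CONFIDENTIAL to PUBLIC on the condition date while the never-assessed letter stays UNCLASSIFIED and is therefore not disclosable, which is the behaviour the triggers and directives above require.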

INFORMATION CUSTODIANS TO ACCEPT INFORMATION ON CONDITIONS OF CONFIDENTIALITY

Making any commitment to an external party to maintain the confidentiality of information passed to Council requires the exercise of Delegation 1407. Commitments should be reasonable in the circumstances and must not bind Council to an unsustainable confidentiality arrangement.


An appropriate security classification should be considered where information has been security classified by another government agency, or where confidentiality conditions are imposed by law or by written or oral agreement.

INFORMATION TO BE PROTECTED APPROPRIATELY

Approved measures must be applied to protect information.

INFORMATION CUSTODIANS TO APPROVE ACCESS TO CONFIDENTIAL INFORMATION

Personnel must be authorised by the Information Custodian to access confidential information on the basis of a strict "need to know" requirement, i.e. there is a legitimate need to know the information in order to perform their official duties or responsibilities. Information Custodians may authorise individuals, positions or organisational groups to access confidential information. Such approvals should be recorded in position descriptions or in registers maintained by, or on behalf of, Information Custodians.

CONFIDENTIAL INFORMATION NOT TO BE ACCESSED INAPPROPRIATELY

Information that is confidential in nature must not be accessed or used contrary to a law or policy, e.g. browsing or viewing customer details, complaints, legal, contractual or personal information for personal or non-work reasons.

Even though a Councillor or employee may be authorised to access confidential information as part of their job, unless specifically noted otherwise, access is only authorised to perform their job. For example, when actioning a service request it is acceptable for an employee to look up the contact details of persons directly related to the service request. It is not acceptable for the same employee in the same position to access contact details of persons not directly related to matters they are performing as part of their job.

CONFIDENTIAL INFORMATION NOT TO BE DISCLOSED INAPPROPRIATELY

Public access to confidential information may be required by law, e.g. through the Right to Information Act 2009. For more information about information that must be released under legislation, contact the Legal Services branch. The classification of information must be considered prior to disclosure. Information must not be disclosed without appropriate authorisation from the Information Custodian. The Local Government Act 2009 (current as at 7 November 2013) prohibits the misuse or unauthorised release of confidential information by Councillors and employees. Where confidential information is authorised for release to another party, reasonable precautions must be taken to ensure its continued protection, e.g. applying a security classification label, verifying that the recipient is capable of appropriately protecting the information, and requiring a written undertaking.


Roles and Responsibilities

Information Custodian

The definition of an Information Custodian is found in the Information Security Policy. The security classification responsibilities of an Information Custodian include:

• conducting a periodic review of security classified information assets. The period to be based on the sensitivity of the information;

• ensuring information asset security domain classifications are reviewed at least annually or when changes have occurred to the internal controls used to protect the information assets;

• ensuring that Service Level Agreements or Operating Level Agreements between Council Directorates and/or private entities managing Council information assets, include appropriate service levels and targets relating to information being accurately security classified, and managed in accordance with the controls described in this standard and/or other relevant Council policy;

• budgeting for and providing resources to support Council’s security classification and control requirements;

• approving classifications or re-classifications of information assets as recommended by user/editor/author or business subject matter expert.

Information User / Editor / Author or business subject matter expert

Anyone who uses, edits, modifies or originates information can be considered an information user, editor or author. An information user, editor or author is required to adhere to relevant Council policies regarding the use of information, including applying the controls specified by this security classification standard. For a classification recommendation to be credible, the recommender must have reasonable knowledge of the business services, rules and processes to which the information relates. In many cases, where a user creates new information, or receives information into the Council from another source that has not been security classified, the user will be required to make the initial recommendation to the Information Custodian as to the security classification of the information asset.