Académique Documents
Professionnel Documents
Culture Documents
Guideline
(Supports: Information and Communication Technology (ICT)
Procedure)
Document details
Item
Description
Document title
Trim no.
14/33019
Publication coordinator
Date of completion
9 April 2014
Status
Final
Copy number
V4.0
Revisions
Version
Date of change
V4.0
7 April 2014
V3.0
n/a
V2.0
August 2012
V1.0
15/01/2010
http://creativecommons.org/licenses/by/3.0/au/
State of Queensland (Department of Education and Training) 2012
Uncontrolled copy. Refer to the Department of Education and Training Policy and Procedure Register at http://ppr.det.qld.gov.au to
ensure you have the most current version of this document.
Page 2 of 21
Table of contents
1.
2.
Asset management........................................................................................................6
3.
4.
5.
6.
Access management...................................................................................................12
7.
8.
Incident management..................................................................................................15
9.
Uncontrolled copy. Refer to the Department of Education and Training Policy and Procedure Register at http://ppr.det.qld.gov.au to
ensure you have the most current version of this document.
Page 3 of 21
Introduction
The Department of Education and Training (DET) undertakes information security implementation through
specified and targeted information security business operations and the day-to-day activities of all
employees. These activities are guided by Queensland Government's Information Security - IS18 information
standard and are articulated through the department's Information and Communication Technology (ICT)
Procedure and this document. The information within this document is structured to support compliance with
IS18's Information Security Policy Mandatory Clauses v1.0.2.
The aim of this document is to provide all departmental employees with guidance to understand and find the
resources to easily fulfil their responsibilities for information security.
Uncontrolled copy. Refer to the Department of Education and Training Policy and Procedure Register at http://ppr.det.qld.gov.au to
ensure you have the most current version of this document.Page 4 of 21
Resources
General advice
1 Queensland Government Information Security Policy Mandatory Clauses 1.1.1, Nov 2010, v1.0.2
2 Latest copy is available through TRIM.
3 Latest copy is available through TRIM.
Uncontrolled copy. Refer to the Department of Education and Training Policy and Procedure Register at http://ppr.det.qld.gov.au to
ensure you have the most current version of this document.Page 5 of 21
Ensure that you complete the online induction training course Keys
to Managing Information on information security.
Uncontrolled copy. Refer to the Department of Education and Training Policy and Procedure Register at http://ppr.det.qld.gov.au to
ensure you have the most current version of this document.Page 6 of 21
1. Asset management
Physical and environmental controls are in place to ensure the confidentiality, integrity and accessibility of
information and information assets in accordance with their information security classification (unclassified,
public, X-in confidence, protected and highly protected).
Information assets are an identifiable collection of data stored in any manner and are recognised as having
value for the purpose of enabling the department to perform its business functions e.g. files, databases,
paper-based and electronic documents, records, hardware items, software or other infrastructure items.
Resources
Once the information classification level has been assigned, you can
then determine the correct means of handling, transfer,
disposal, etc.
General advice
Uncontrolled copy. Refer to the Department of Education and Training Policy and Procedure Register at http://ppr.det.qld.gov.au to
ensure you have the most current version of this document.Page 7 of 21
During the post-employment process, steps should be taken to ensure the security of the department's
information remains by following the departmental separation procedure 7.
Resources
General advice
4 Queensland Government Information Security Policy Mandatory Clauses 3.2.1, Nov 2010, v1.0.2
5 Queensland Government Information Security Policy Mandatory Clauses 3.1.1, Nov 2010, v1.0.2
6 Queensland Government Information Security Policy Mandatory Clauses 3.2.2, Nov 2010, v1.0.2
7 Queensland Government Information Security Policy Mandatory Clauses 3.3.1, Nov 2010, v1.0.2
Uncontrolled copy. Refer to the Department of Education and Training Policy and Procedure Register at http://ppr.det.qld.gov.au to
ensure you have the most current version of this document.Page 8 of 21
ensuring they only access secure areas and use equipment that they
have been approved to do so within their position
Information custodians are responsible for ensuring information assets are classified correctly and apply the
appropriate ICT physical and environmental controls.
Resources
All unattended computers should be locked (clear screen) with all Xin confidence, protected and highly protected documents
properly secured (clear desk).
General advice
8 Queensland Government Information Security Policy Mandatory Clauses 4.1.1 and 4.1.2, Nov 2010,
v1.0.2
Uncontrolled copy. Refer to the Department of Education and Training Policy and Procedure Register at http://ppr.det.qld.gov.au to
ensure you have the most current version of this document.Page 9 of 21
Don't leave mobile devices in cars. If this is not possible, lock the
mobile devices in the boot. In station wagons and vans, employees
can safeguard mobile devices by placing it out of sight of passers-by.
Do not leave mobile devices in cars overnight or for long periods of
time or during extreme cold or hot weather.
Travel:
employees are to avoid checking-in a laptop as baggage when travelling by air, rail or bus
employees at the airport secure checkpoint are to hold onto their laptop until they are ready to pass
through the metal detector checkpoint
in hotels and motels, employees are to secure laptops in the safe rather than the hotel room, if possible.
If this is not possible store the laptop in a lockable cupboard, drawer or suitcase, or at least out of sight.
Uncontrolled copy. Refer to the Department of Education and Training Policy and Procedure Register at http://ppr.det.qld.gov.au to
ensure you have the most current version of this document.Page 10 of 21
understanding the risks with malicious code when using the internet
and/or connecting devices to the department's network
Resources
General advice
incremental and full weekly backups of all data, operating system and applications
the complete operating system on a monthly basis.
Handle different media formats according to the Information
Security Classification and Handling Guideline.
14 Queensland Government Information Security Policy Mandatory Clauses 5.4.4, Nov 2010, v1.0.2
Uncontrolled copy. Refer to the Department of Education and Training Policy and Procedure Register at http://ppr.det.qld.gov.au to
ensure you have the most current version of this document.Page 12 of 21
5. Access management
Access to departmental information and ICT business systems are maintained through risk mitigation,
controlled user access and authentications15.
Resources
General advice
15 Queensland Government Information Security Policy Mandatory Clauses 6.8.1 Nov 2010, v1.0.2
Uncontrolled copy. Refer to the Department of Education and Training Policy and Procedure Register at http://ppr.det.qld.gov.au to
ensure you have the most current version of this document.Page 13 of 21
Remote access:
Management processes will include registering all persons with remote access privileges, logging all
remote access attempts and activities, and ensuring all users are authenticated before access to the
network is granted.
Using departmental devices and personal mobile devices will require appropriate authorisation (refer to
Information and Communication Technology (ICT) Procedure's use of ICT facilities and devices
section).
Devices used for remote access:
Laptops are configured according to the current department's managed operating environment (MOE) to
meet requirements for encryption, authentication and security locking including session time-outs.
For personal mobile devices, a condition of approval for access requires that the device be based on
business requirements and a risk assessment to meet Queensland Government Authentication
Framework (QGAF) requirements for encryption, authentication and security locking including session
time-outs. At a minimum, the device will need to meet the department's security requirements (see
iSecurity intranet site for details) at a minimum installing, running and updating anti-virus software 16.
All wireless communications are to include appropriate configured product security features that is
equivalent to or of higher level to the security of wired communications.
Network connections of all devices used for remote access will be cancelled upon termination of
employment and can be revoked at any time.
16 Queensland Government Information Security Policy Mandatory Clauses 5.4.1, 5.4.3, 6.5.3, 6.5.4 Nov
2010, v1.0.2
Uncontrolled copy. Refer to the Department of Education and Training Policy and Procedure Register at http://ppr.det.qld.gov.au to
ensure you have the most current version of this document.Page 14 of 21
Resources
Audit logs that are kept and security controls for segregation of the
ICT business system adhere to Queensland Government
Information Security Controls Standards (QGISCS)17.
General advice
For further advice on the acquisition, development and maintenance of an ICT business system, contact the
Service Centre or phone 1800 680 445.
For further project management advice visit OnePortal's ICT Portfolio, Program and Project Teamsite.
Uncontrolled copy. Refer to the Department of Education and Training Policy and Procedure Register at http://ppr.det.qld.gov.au to
ensure you have the most current version of this document.Page 16 of 21
7. Incident management
The department implements end-to-end information security incident management processes. Network and
system outages and issues are published when they occur on the homepage of Service Centre Online19.
Internally, the department will undertake event weakness reporting (through the security incident register)
and a clear escalation (and where required investigation) process. The department will report suspected
breach activity and information security incidents to the relevant authority. The escalation process will include
Internal Audit, Ethical Standards Unit and/or Legal and Administrative Law Branch, with any official
misconduct cases being reported to relevant regulatory authorities. 20
Breaches of information security that result in unsatisfactory audit and employee reports can lead to
disciplinary action (including dismissal) and/or action by relevant regulatory authorities. Disciplinary action
and process is determined under the Public Service Act 2008 where relevant.
Resources
19 Queensland Government Information Security Policy Mandatory Clauses 8.1.4 Nov 2010, v1.0.2
20 Queensland Government Information Security Policy Mandatory Clauses 8.2.1 Nov 2010, v1.0.2
Uncontrolled copy. Refer to the Department of Education and Training Policy and Procedure Register at http://ppr.det.qld.gov.au to
ensure you have the most current version of this document.Page 17 of 21
Resources
General advice
21 Queensland Government Information Security Policy Mandatory Clauses 9.1.2 Nov 2010, v1.0.2
22 Queensland Government Information Security Policy Mandatory Clauses 9.2.2, 9.2.3, 9.2.4 Nov 2010,
v1.0.2
Uncontrolled copy. Refer to the Department of Education and Training Policy and Procedure Register at http://ppr.det.qld.gov.au to
ensure you have the most current version of this document.Page 18 of 21
Uncontrolled copy. Refer to the Department of Education and Training Policy and Procedure Register at http://ppr.det.qld.gov.au to
ensure you have the most current version of this document.Page 19 of 21
9. Compliance management
Employees are to comply with departmental policies and procedures, Queensland Government policy,
legislative and audit requirements23. The department's planning and implementation controls on ICT security
are governed within the Information Security Framework and Information Security Plan (see Section 1 of this
guide for details).
The department provides advice on meeting these requirements through the Information and
Communication Technology (ICT) Procedure's ICT security section and this guideline.
Resources
23 Queensland Government Information Security Policy Mandatory Clauses 10.1.1 Nov 2010, v1.0.2
Uncontrolled copy. Refer to the Department of Education and Training Policy and Procedure Register at http://ppr.det.qld.gov.au to
ensure you have the most current version of this document.Page 20 of 21
Encryption
The art or science concerning the principles, means, and methods for rendering
plain information unintelligible.
Firewall
A network device that filters incoming and outgoing network data, based on a
series of rules.
Hardware
ICT asset
Information asset
Information
custodian
Delegated by the information owner to set and define the rules of an information
asset to ensure the information asset is appropriately managed to maintain its
currency, integrity and availability. This includes identifying its information
security classification/s and, registering and maintaining its details within the
department's Information Asset Register.
Malicious code
Media
Privileged user
A user who can alter or circumvent system security protections. This may also
apply to users who may have only limited privileges, such as software
developers, who can still bypass security precautions. A privileged user may
have the capability to modify system configurations, account privileges, audit
logs, data files or applications for example, system administrators, ICT security
employees, helpdesk employees.
Remote access
Any access to a departmental practice system from a location not within the
physical control of the department.
Removable media
Storage media that can be easily removed from an ICT business system and is
designed for removal for example, hard disks, CDs, floppy disks, tapes,
smartcards and flashcards.
Risk
A risk is 'a future event' that impacts on organisational objectives. It may happen
or it may not. We can plan for risk based on its likelihood and potential impact
risks can be avoided completely, minimised, transferred to another party, or we
can meet them head on with strategies to deal with their effects.
Security incident
Server
A computer used to run programs that provide services to multiple users for
example, file servers, mail servers, and database servers.
System administrator
User
Any individual or entity accessing the department's ICT business systems and/or
applications including employees, students, adults (parents/caregivers),
business partners and/or the wider community.
Virus
Uncontrolled copy. Refer to the Department of Education and Training Policy and Procedure Register at http://ppr.det.qld.gov.au to
ensure you have the most current version of this document.Page 21 of 21