What is the Queensland Government’s IS18 (Information and cyber security policy)?

The Queensland Government’s information and cyber security policy (IS18) aims to improve the security of services to Queenslanders. It strives to make organisations more robust by continuously improving information security.

The policy helps to ensure that the Queensland Government uses a risk-based approach that’s consistent in its implementation. Ultimately, it strives to maintain confidentiality, integrity and availability.

IS18 is split up into:

  • Five policy requirements
  • Two reporting requirements
  • Advice
  • Scope
  • Applicability
  • Implementation
  • Policy benefits

The five policy requirements:

1: Agencies must implement an ISMS based on ISO 27001

This requires agencies to implement and operate an information security management system (ISMS) that’s based on the latest version of ISO 27001 — Information security, cybersecurity and privacy protection — Information security management systems — Requirements. This is one of the global standards that defines ISMS requirements. ISO 27001 guides organisations in how to establish, implement, maintain and continually improve their ISMS. Agencies must ensure that their ISMS is scoped to include security for all:

  • Services
  • Information
  • Applications
  • Technology assets

2: Agencies must apply a systematic and repeatable approach to security risk management

Risk management is central to effectively implementing and operating an ISMS. An agency needs to take its information security risks into account so that the ISMS stays responsive to a constantly changing threat landscape. It’s important for agencies to also consider the risks associated with operational technology (OT) and ensure that OT is governed holistically alongside information technology.

3: Agencies must meet minimum information security requirements

Queensland Government agencies are required to comply with the:

They also need to implement the Australian Signals Directorate’s (ASD) Essential Eight Strategies.

4: Accountable officers must obtain security assurance for systems

Accountable officers, such as CEOs, must obtain security assurance for each system to ensure that it adheres to policy and has the appropriate protections in place. The level of assurance required is determined by the system’s criticality and significance.

5: Accountable officers must attest to the appropriateness of agency information security

Accountable officers need to endorse the information security annual return through the corporate audit and risk committee. They also need to attest to the agency’s information security posture and that its ISMS is compliant. This attestation must be published in the agency’s annual report.

Reporting requirements

  1. Agencies must submit an information security annual return for each financial year. It is due each September 30.
  2. When an applicable incident occurs, an agency must engage with the Cyber Security Unit (CSU) as soon as possible. The specifics are outlined in the QGEA Information Security Incident reporting standard.

Advice

The IS18 policy should be read alongside the Cyber Security Policy documents for further information.

Scope

IS18’s scope includes:

  • Where information, apps, and other tech can impact the business of the QLD Government or service delivery to Queenslanders.
  • Activities affected by information security.

Applicability and implementation

IS18 applies to all QLD Government departments, accountable officers and statutory bodies. When implementing this policy, agencies should complete a gap analysis and develop a transition plan that’s based on a risk assessment. This needs to be signed off by the accountable officer.

IS18 policy benefits

Among other benefits, IS18:

  • Helps the QLD Government align with international best practices.
  • Uses a risk-based approach to improve decision making.
  • Provides a flexible approach.
  • Supports timely incident reporting.
