Policy

ICT Security - Policy

Printer-friendly version
Body

1. Purpose and Objectives

The Information Security Policy is to enable organisational units of the University to meet their responsibilities for the security of UQ information held in electronic formats.

This policy must be read in conjunction with the Procedures for the Information Communication Technology Security and other associated Procedures and Guidelines.

2.  Definitions, Terms, Acronyms

ICT Asset - All applications and technologies that are owned, procured and/or managed by UQ.  These include desktop and productivity tools, application environments, hardware devices and systems software, network and computer accommodation, and management and control tools.

Information - Any collection of data that is processed, analysed, interpreted, organised, classified or communicated in order to serve a useful purpose, present facts or represent knowledge in any medium or form. This includes presentation in electronic (digital), print, audio, video, image, graphical, cartographic, physical sample, textual or numerical form.

Information Asset - An identifiable collection of data stored on ICT Assets and recognised as having value for the purpose of enabling UQ to perform its business functions, thereby satisfying a recognised UQ requirement.

Information Security - Concerned with the protection of information from unauthorised use or accidental modification, loss or release.

Information Systems - The organised collections of hardware, software, equipment, policies, procedures and people that store, process, control and provide access to information.

NTSAF - Network Transmission Security Assurance Framework version 1.0.1

QGISCF - Queensland Government Information Security Classification Framework version 2.0.1

Secure Area -  Provides the highest integrity of access to, and audit of, Security Classified Information Assets to ensure restricted distribution and to assist in subsequent investigation if there is unauthorised disclosure or loss of information assets. The essential physical security features of a Secure Area include:

  • appropriately secured points of entry and other openings
  • tamper-evident barriers, highly resistant to covert entry
  • an effective means of providing access control during both operational and nonoperational hours
  • all persons to wear passes
  • all visitors escorted at all times
  • during non-operational hours a monitored security alarm system, providing coverage for all areas where Security Classified information assets are stored
  • an approved means of limiting entry to authorised persons.

Security Classified Information - Information which has been assessed against the Queensland Government Information Security Classification Framework (SGISCF) and assigned a classification.

SIMC - UQ’s Strategic Information Management Committee

Stakeholders - all staff, students, contractors, third parties, clinical and adjunct title holders, affiliates, alumni and all other individuals who access UQ’s systems and/or network.

System - A combination of Information Assets and ICT Assets supporting a business process.

The Guideline - The PPL ICT Security Guideline

The Procedure - The PPL ICT Security Procedure

3. Policy Scope/Coverage

This policy applies to system owners and staff responsible for implementation and maintenance of information assets and ICT assets.

4. Policy Statement

UQ sets policy on UQ information security in respect of policy, planning and governanance, asset management, human resources management, physical and environmental management, communications and operations management, access management, system acquisition, development and maintenance, incident management, business continuity management, and compliance management. Policy details on each of these aspects are outlined in sections 5-14 below.

The policy recognises that effective IT security involves the cooperation of organisational units across the University and depends on responsible use of the University's IT systems by its users.

This policy takes into account the State Government Information Standard on Information Security (IS18) (v5.0.0 November 2010).

In the environment of the University, security should be pragmatic and not unduly compromise the principle of providing students, staff and other authorised users with access to accurate, relevant and timely information.

In line with The Queensland Government Information Security Policy Framework, the University of Queensland's Information Security Policy is directed at the preservation of the following principles:

  • Confidentiality: ensuring that information is accessible only to those authorised to have access.
  • Integrity: safeguarding the accuracy and completeness of information and processing method.
  • Availability: ensuring that authorised users have access to information and associated systems when required.
  • Responsible use: ensuring that controls are in place so that users of UQ IT systems are not able to affect adversely other users or other systems.
  • Compliant Use: meeting legal and contractual obligations.

5. Policy, Planning and Governance

5.1 Information security policy

This policy will be communicated on an ongoing basis and be accessible to all stakeholders.

Exemptions to ICT policy statements require approval from SIMC (or a position delegated by SIMC).

5.2 Information security plan

The UQ ICT Information Security Plan must align with UQ’s Mission Statement, Strategic Plan and risk assessment findings. The Guideline provides further information.

A threat and risk assessment must be conducted for all ICT assets that create, store, process or transmit Security Classified Information.

5.3 Internal ICT governance

Roles and responsibilities to implement, maintain and control operational information security are detailed in The Procedure.

Endorsement for the information security internal governance arrangements must be obtained from SIMC.

5.4 External party ICT governance

Third party service level agreements, operational level agreements, hosting agreements or similar contracts must clearly articulate the level of security required.

6. Asset Management

6.1 ICT asset protection responsibility

All ICT assets that create, store, process or transmit Security Classified Information must be assigned appropriate controls in accordance with the QGISCF. A brief overview of the controls applicable to the security classifications of the majority of UQ’s Information is contained in The Guideline.

All ICT assets that provide underpinning (core) and ancillary services must be protected from internal and external threats (e.g. mail gateways, domain name resolution, time, reverse proxies, remote access and web servers).

6.2 Information security classification

All ICT Information Assets must be assigned an appropriate security classification and control in accordance with the QGISCF. Timeframes for implementation are outlined in The Guideline.

Classification schemes do not limit the applicability of relevant legislation under which UQ operates.

7. Human Resources Management

7.1 During employment

All employees must be made aware of UQ’s ICT information security policy, their security responsibilities, and associated security processes. Employees with access to HIGHLY PROTECTED information (as defined in QGISCF section 2.4) must acknowledge this has occurred.

Responsibilities must be documented and communicated for employees with access to HIGHLY PROTECTED information or performing specific security related roles.

7.2 Post-employment (transfer or termination)

Procedures for ensuring security during the separation of employees from (termination), or movement within UQ (transfer) are detailed in HUPP 5.80.10 Internal and External Staff Secondments and Job Exchange.

8. Physical and Environmental Management

8.1 Building controls and secure areas

Building and entry controls for areas used in the processing and storage of Security Classified ICT Information must be established and maintained in line with the QGISCF as outlined in section 6 of The Guideline.

8.2 Equipment security

All ICT assets that store or process information must be located in Secure Areas with control mechanisms in place to restrict access to authorised personnel only.

Policies and processes must be implemented to monitor and protect the use and/or maintenance of Information Assets and mobile ICT Assets away from UQ premises. (Ref FMPM 6.1.7 Portable and Attractive Items).

Policies and processes must be implemented to securely dispose and/or reuse ICT assets as referenced in The Procedure.

9. Communications and Operations Management

9.1 Operational procedures and responsibilities

All information assets and ICT assets (including networks and methods for exchanging information within UQ) must be managed securely and consistently (in accordance with the level of security required).

Operational change control procedures must be implemented to ensure that changes to information processing facilities or systems are appropriately approved and managed.

9.2 Third party ICT service delivery

Third party service delivery agreements must comply with UQ’s Information Security Policy.

9.3 Capacity planning and system acceptance

System acceptance must include confirmation of the application of appropriate security controls and of the capacity requirements of the system.

System capacity must be regularly monitored to ensure risks of system overload or failure which could lead to a security breach are avoided.

9.4 Application integrity

Adequate controls must be defined and implemented for the prevention, detection, removal and reporting of attacks by malicious code on all ICT assets.

Vulnerability/integrity scans of core software must be conducted regularly to ensure detection of unauthorised changes.

Anti malicious-code software must be regularly updated with new definition files and scanning engines.

Employees must be educated about malicious code, the risks posed, virus symptoms and warning signs including what processes should be followed in the case of a suspected virus.

9.5 Backup procedures

Comprehensive information and system backup procedures must be implemented.

9.6 Network security

A procedure on scanning must be implemented to ensure that traffic entering and leaving the University network is appropriately scanned for malicious or unauthorised content.

9.7 Media handling

Media handling procedures must be in line with the requirements of the QGISCF as outlined in section 6 of The Guideline.

9.8 Information exchange

Methods for exchanging information within UQ, through online services, and/or with third parties must be compliant with legislative requirements and must be consistent with the QGISCF and the NTSAF which are outlined in section 6 of The Guideline.

The type and level of encryption must be compliant with the requirements of the QGISCF and the NTSAF.

9.9 eCommerce

All critical online services must have penetration testing performed periodically.

Authorisation for publicly available eCommerce systems is outlined in the responsibilities section of The Procedure.

9.10 Information processing monitoring

ICT assets must be synchronised to a trusted time source.

Operator and audit/fault logs must be implemented on Information Systems.

10. Access Management

10.1 Access control policy

Control mechanisms based on business requirements and assessed/accepted risks for controlling access to all corporate information assets and ICT assets must be established.

Access control rules must be consistent with UQ business requirements, information classification, and legal/legislative obligations.

10.2 Authentication

Authentication requirements including on-line transactions and services must be appropriate for the security classification of the information.

10.3 User access

Access to information systems requires specific authorisation and each user must be assigned an individually unique personal identification code and secure means of authentication.

10.4 User responsibilities

Users are responsible for complying with The Procedure and the Use of ICT Resources Policy and related documents.

10.5 Network access

Authorisation from Information Technology Services Division must be obtained and documented for access (including new connections) to UQ networks.

Authorisation from Information Technology Services Division must be obtained to modify or extend UQ networks.

All wireless communications must have appropriate configured product security features and afford at least the equivalent level of security of wired communications.

Remote access to UQ core business systems requires authentication and use of encrypted tunnelling technology.

10.6 Operating system access

ICT assets utilising UQ Central sign-in have standard user registration, authentication management, access rights and privileges implemented.

10.7 Application and information access

Restricted access and authorised use only warnings must be displayed upon access to all systems which have this capability.

Access to all confidential/sensitive systems requires authorised approval.

10.8 Mobile computing and telework access

Processes must be established for mobile technologies and teleworking facilities.

11. System Acquisition, Development and Maintenance

11.1 System security requirements

Security controls must be commensurate with the Security Classifications of the information contained within, or passing across information systems, network infrastructures and applications.

Security requirements must be addressed in the specifications, analysis and/or design phases and internal and/or external audit must be consulted when implementing new or significant changes to financial or critical business information systems.

Security controls must be established during all stages of system development, as well as when new systems are implemented and maintained in the operational environment.

Appropriate change control, acceptance and system testing, planning and migration control measures must be carried out when upgrading or installing software in the operational environment.

11.2 Cryptographic controls

Cryptographic control must be consistent with those of the NTSAF.

11.3 System files

Access to system files must be controlled to ensure integrity of the business systems, applications and data.

11.4 Secure development and support processes

Processes (including data validity checks, audit trails and activity logging) must be established in business critical applications to ensure development and support processes do not compromise the security of applications, systems or infrastructure.

11.5 Technical vulnerability management

Processes to manage software vulnerability risks must be developed and implemented.

A patch management program for operating systems, firmware and applications of all ICT assets must be implemented to maintain vendor support, increase stability and reduce the likelihood of threats being exploited.

12. ICT Incident Management

12.1 Event/weakness reporting

An information security incident register must be maintained and all incidents recorded .

All information security incidents must be reported and escalated (where applicable) through appropriate management channels and/or authorities.

Where a deliberate violation or breach of UQ information security policy or subordinate processes has occurred, this must be investigated and appropriate action taken.

Responsibilities and procedures for the timely reporting of security events and incidents including breaches, threats and security weaknesses, must be communicated to all employees including contractors and third parties.

12.2 Incident procedures

Information security incident management procedures must be established to ensure appropriate responses in the event of information security incidents, breaches or system failures.

13. Business Continuity Management

13.1 ICT disaster recovery

Methods must be developed to reduce known risks to information and ICT assets.

14. Compliance Management

14.1 Legal requirements

All legislative obligations relating to ICT information security must be complied with and managed appropriately.

All information security policies, processes and requirements including contracts with ICT third parties, must be reviewed for legislative compliance on a regular basis.

14.2 Policy requirements

All reporting obligations relating to ICT information security must be complied with and managed appropriately.

The Information Security Compliance Checklist must be submitted annually to SIMC.

14.3 Audit requirements

All reasonable steps must be taken to monitor, review and audit UQ’s ICT information security compliance, including the engagement of internal and/or external auditors and specialist organisations where required.

Custodians
Chief Information Officer
Mr Rob Moffatt

Procedures

ICT Security - Procedures

Printer-friendly version
Body

1. Purpose and Objectives

This procedure details the specific actions and process that must be followed to implement the Information Security Policy.

2. Definitions, Terms, Acronyms

SIMC - Strategic Information Management Committee

Telecommunications Network - The University of Queensland telecommunications network is a centrally-managed, logical entity, providing services required for the business operations of the University of Queensland.

The network includes all wired and wireless telecommunications infrastructure up to and including the wall outlet. The wireless network includes access from non-University of Queensland sites such as the City Cat.

3. Procedures Scope/Coverage

This procedure applies to all individuals accessing UQ information.

The procedure also applies to Heads of organisational units.

This procedure also applies to system owners and staff responsible for implementation and maintenance of Information Assets and ICT Assets.

4. Procedures Statement

This procedure provides additional detail on UQ information security in respect of policy, planning and governance, physical and environmental management, communications and operations management, access management, system acquisition, development and maintenance, incident management, business continuity management, and compliance management. Details on each of these aspects are outlined in sections 5-11 below.

5. Policy, Planning and Governance

5.1 Responsibilities of the Strategic Information Management Committee.

The Strategic Information Management Committee is responsible to the Vice-Chancellor for the following:

  • Arranging for an assessment of risk at major system levels across the University and reporting to the Vice-Chancellor on the adequacy of the University's Business Continuity Planning for meeting these risks.
  • Reviewing and recommending IT security policy and assignment of overall responsibilities for IT security.
  • Reviewing IT security incidents and reporting to the Vice-Chancellor on significant changes to the exposure of the University's information assets to major threats.
  • Approving standards and operating procedures necessary for the implementation of the ICT Security Policy.
  • Establishing, if SIMC deems it necessary, forums, sub-committees or working parties to encourage a whole of university approach to IT security.

5.2 Responsibilities of Heads of all Organisational Units

Heads are responsible for the security of all information technology assets under their control. Such assets include:

  • Information Assets e.g. databases and files, user training and support material, risk assessment documents and continuity plans.
  • Software Assets e.g. applications and systems software, development tools and utilities.
  • Physical Assets e.g. computer and communications equipment, associated equipment and magnetic media.

A Head may delegate a staff member to be responsible for day-to-day management of the security of IT assets. These duties should be included in the job description of the staff member. The name of the nominated staff member should be advised to the Director ITS and to the Manager Properties and Facilities Division and be published in such a way as to enable contact by users and intending users.

The Head may request the Director ITS to provide an IT security service for assets under the Head's control on a facilities management basis. No work relating to IT security is to be outsourced to an external provider.

A Head or delegate will report all incidents or suspected incidents relating to IT security immediately to the Director ITS and cooperate with personnel of ITS in taking remedial action. If a security incident involves a breach of physical security controls, the head or delegate will also advise the Manager Properties and Facilities Division.

The Head will maintain a Business Continuity Plan for information assets under the Head's control. A copy of the Plan will be provided to each staff position required to take action under the plan and to the University's Internal Auditor.

Heads may define "conditions of use" for information systems under their control. These conditions must be consistent with University policies particularly the "Internet Code of Practice" but may provide fuller explanations, guidelines and restrictions. Such local "conditions of use" should include advice of any penalties which may apply to non-conforming use and be published in a form available to users and potential users.

5.3 Responsibilities of end users

Staff, students and other users of the University's IT resources are responsible for the following:

  • Complying with University policies (in particular with Policy 6.20 Acceptable Use of ICT Resources) and with published "conditions of use" governing access and use of the University's IT assets authorised by a Head of the relevant Organisational Unit or higher authority.
  • Reporting loss or malfunction of any University IT asset or suspected security violation to the Head of the organisational unit responsible for the IT resource or to  an officer delegated by the Head or to the University Security Office.

5.4 Responsibilities of the Director Information Technology Services

In addition to the responsibilities of Heads of Organisational Units, the Director ITS is responsible for the following:

  • Providing specialist information security advice to the Vice-Chancellor, Senior Officers of the University, and to Heads of organisational units of the University.
  • Developing technical and operating standards relevant to the implementation and operation of the ICT Security Policy.  These will include, but not be limited to, processes for user authorisation, authentication procedures associated with access rights and privileges, allocation of network addresses and procedures for reporting and classifying security incidents.
  • Providing an IT security training program for users, including the correct use of information processing facilities to minimise possible security risks.
  • Receiving all reports of incidents, threats, weaknesses or malfunction that may have an impact on information security in the University.
  • Taking or oversighting remedial action on all reported or detected security incidents. The Director ITS may remove a system from the University network until such time as the problem is corrected.
  • Advising organisational units of the University of security advices and possible security threats.
  • Advising the Chief Operating Officer and Chairperson of SIMC of serious incidents likely to result in disciplinary action, loss of information, additional cost, or provide adverse publicity.
  • Acting as the University's representative to liaise with external organisations, including law enforcement agencies, on matters relating to IT security.
  • Providing a report to SIMC on IT security incidents as at 31 December each year. Such report will include an analysis of the impact of the incidents on the operation of the University and if necessary recommendations for a review of policy.
  • Designing, installing and managing all University network and telecommunications infrastructure and associated carriage services, subject to University policies, University standards approved by SIMC, and State and Federal laws
  • Making recommendations to SIMC on operating requirements and University technical standards for the University's telecommunications infrastructure
  • Communicating with external governing bodies, authorities or licensed carriers regarding UQ’s Telecommunications Network.

5.5 Responsibilities of the Internal Auditor

In addition to the responsibilities of the heads of organisational units, the University Internal Auditor will be responsible for the following:

  • Assessing and reporting on the adequacy of security procedures within organisational units and centrally provided infrastructure in relation to particular security incidents that may be referred to it by the Chief Operating Officer.
  • Reviewing and reporting to the Vice Chancellor and the SIMC Chair the adequacy of business continuity plans in relation to the IT assets of the University at least every two years.

6. Physical and Environmental Management

6.1 Equipment security

Secure disposal of ICT assets is covered in PPL 6.30.02c Corporate Printer Security - Guidelines.

7. Communications and Operations Management

7.1 Network security

The Director, ITS (or nominee) is authorised to advise University Senior Management Committee members (or their delegate) of non-compliance to UQ Network Standards, and to request that the matter be corrected. In cases where non-compliance may place the University in a situation of liability, the Director ITS (or nominee) is authorised to disconnect any system without notice, provided subsequent advice is provided to the relevant University Senior Management Committee member (or their delegate), and the Chief Operating Officer.

If no standard exists within the University for the use of particular network equipment or software, then any proposed installation of such equipment or software is subject to the approval of the Director ITS (or nominee).

Under no circumstances are new local area wired or wireless networks to be established, or the technology of existing University networks varied, without the approval of the Director, ITS (or nominee).

Data cabling is to be installed conforming to the "Information and Communication Technology (ICT) Cabling Specification", any variations to the standard is subject to the approval of the Director ITS.

8. Access Management

8.1 Access control policy

Access to critical business applications is authorised as follows:

  • Student System – requests for access are signed by the staff member and their manager, then approved by the SI-net coordinator for the organisational unit
  • Finance System – requests for access are authorised by the head of the relevant organisational unit
  • HR System – requests for view access are authorised by the Head of School or School Manager of the relevant organisational unit. Access for power users is authorised by the Associate Director HR Systems and Business Analysis.

8.2 Authentication

User identity is confirmed at the time of enrolment or commencement of employment.

8.3 User access

Access to information systems is granted by passwords.

Removal of information system access is driven by the employee exit procedures and graduation or exclusion of students.

8.4 User responsibilities

User responsibilities for access and passwords are outlined in the acceptable use of ICT resources documents.

Temporary passwords are valid for a limited time, and algorithms are embedded into the password change mechanism ensuring good security practices in the selection and use of passwords.

9. System Acquisition, Development and Maintenance

9.1 Technical vulnerability management

Patches are applied to test and development ICT systems for evaluation before being applied to production.

10. ICT Incident Management

10.1 Event/weakness reporting

The Director ITS maintains and collates the ICT security incident register for reporting to SIMC.

Escalation of ICT Information Security Incidents is through SIMC or the chair of SIMC (between meetings).

10.2 Incident procedures

All identified ICT security incidents must be reported to the Director ITS.

11. Business Continuity Management

11.1 Business continuity and ICT disaster recovery

Critical UQ Business systems (HR, Finance and Student and underpinning and ancillary services) are delivered on redundant ICT assets deployed in physically separate locations to reduce risk of localised events e.g. power loss to a facility.

Custodians
Chief Information Officer
Mr Rob Moffatt

Guidelines

ICT Security - Guidelines

Printer-friendly version
Body

1.  Purpose and Objectives

This Guideline details the specific actions and process that must be followed to implement the Information Security Policy.

2.  Definitions, Terms, Acronyms

ICT Asset - All applications and technologies that are owned, procured and/or managed by UQ.  These include desktop and productivity tools, application environments, hardware devices and systems software, network and computer accommodation, and management and control tools.

Information - Any collection of data that is processed, analysed, interpreted, organised, classified or communicated in order to serve a useful purpose, present facts or represent knowledge in any medium or form. This includes presentation in electronic (digital), print, audio, video, image, graphical, cartographic, physical sample, textual or numerical form.

Information Asset - An identifiable collection of data stored on ICT Assets and recognised as having value for the purpose of enabling UQ to perform its business functions, thereby satisfying a recognised UQ requirement.

Information Security - Concerned with the protection of information from unauthorised use or accidental modification, loss or release.

Information Systems - The organised collections of hardware, software, equipment, policies, procedures and people that store, process, control and provide access to information.

NTSAF - Network Transmission Security Assurance Framework version 1.0.1

QGISCF - Queensland Government Information Security Classification Framework version 2.0.1

Secure Area -  Provides the highest integrity of access to, and audit of, Security Classified Information Assets to ensure restricted distribution and to assist in subsequent investigation if there is unauthorised disclosure or loss of information assets. The essential physical security features of a Secure Area include:

  • appropriately secured points of entry and other openings
  • tamper-evident barriers, highly resistant to covert entry
  • an effective means of providing access control during both operational and nonoperational hours
  • all persons to wear passes
  • all visitors escorted at all times
  • during non-operational hours a monitored security alarm system, providing coverage for all areas where Security Classified information assets are stored
  • an approved means of limiting entry to authorised persons.

Security Classified Information - Information which has been assessed against the Queensland Government Information Security Classification Framework (SGISCF) and assigned a classification.

SIMC - UQ’s Strategic Information Management Committee

Stakeholders - all staff, students, contractors, third parties, clinical and adjunct title holders, affiliates, alumni and all other individuals who access UQ’s systems and/or network.

System - A combination of Information Assets and ICT Assets supporting a business process.

The Guideline - The PPL ICT Security Guideline

The Procedure - The PPL ICT Security Procedure

3.  Guideline Scope/Coverage

This guideline applies to system owners and staff responsible for implementation and maintenance of Information Assets and ICT Assets.

4.  Guidelines Statement

This guideline provides additional detail on UQ information security in respect of policy, planning and governance and asset management. Details on each of these aspects are outlined in sections 5-6 below.

5  Policy, Planning and Governance

5.1 Information security plan

The level of detail contained in UQ’s information security plan should be commensurate with the complexity of its information environment, business functions and the information security risks that it faces. The suggested approach for the development of the plan is to:

  • develop an overarching information security plan, which outlines the security program for the University as a whole
  • support this information security plan with relevant subordinate plans for  significant or high risk University information systems and processes.

Regardless of the development or format of the plan, information security planning should be integrated into the University’s culture through its strategic and organisational plans and operational practices. Security considerations should be incorporated into University corporate planning process and ICT strategic resource planning, to ensure that the University’s Information Security Plan meets its business and operational needs.

5.2 Suggested steps for developing an information security plan

There are a number of steps which should be used to develop UQ’s Information Security Plan. These are described in detail in the Queensland Government’s Information Standard 18: Information Security – Implementation Guideline section 3.2.

Step 1: Identify agency goals and objectives for information security

Step 2: Identify major information assets and business critical ICT assets

Step 3: Conduct a risk assessment

Step 4: Assess current situation

Step 5: Analysis of any gaps and the effectiveness of existing controls

Step 6: Develop recommendations and strategies

Step 7: Identify outstanding/residual risks that will not be treated

Step 8: Obtain agreement on risks and strategies

Step 9: Develop actions and timetable

Step 10: Determine resourcing

Step 11: Endorsement and publishing of the information security plan

Step 12: Implementation of the information security plan

6 Asset Management

6.1 Information classifications

The Queensland Government defines the following information classifications:

All Information Used in Government

Public Information

Non-Public Information

Unclassified Information

Security Classified Information

Non-National Security Information

National Security Information

 

TOP SECRET

HIGHLY PROTECTED

SECRET

PROTECTED

CONFIDENTIAL

X-IN-CONFIDENCE

RESTRICTED

Explanations of these classifications and details on the classification process are contained within Queensland Government Information Security Classification Framework (QGISCF) sections 2 & 3.

It is expected that UQ Information Assets will largely fall into either the Unclassified or X-IN-CONFIDENCE classifications.

6.2 Controls for unclassified information

Unclassified information assets still need to be protected and controlled, and is not to be considered public information.

Although not specifically required, unclassified information assets may be marked as Internal use only, University internal use only, or unclassified.

Unclassified information assets should be filed in accordance with normal records management practices

Unclassified documents may be removed from the workplace only on a basis of need.

There is no restriction on unclassified information being discussed in meetings on the basis of ‘need-to-know’.

Unclassified information can be discussed over unencrypted communications technologies

Copying of unclassified information should be kept to a minimum in accord with business requirements

Physical unclassified information may be stored in an unsecured compactus or cabinet. No building or entry controls are required.

Electronic unclassified information may be stored on common access drives or directories.

6.3 Controls for X-IN-CONFIDENCE information

X-IN-CONFIDENCE Information Assets are those whose compromise could cause limited damage, and which could:

  • cause distress to individuals or private entities.
  • cause financial loss or loss of earning potential to, or facilitate improper gain or advantage for, individuals or private entities.
  • prejudice the investigation or facilitate the commission of crime.
  • breach undertakings to maintain the confidentiality of information provided by third parties.
  • impede the effective operation or reputation of the University.
  • breach statutory restrictions on the management and disclosure of information.
  • disadvantage the University in commercial or policy negotiations with others.
  • undermine the proper management of the public sector and its operations.

This protective marking is accompanied by a notification of the subject matter which alludes to its audience and the need-to-know principle.

Examples include:

  • STAFF-IN-CONFIDENCE, Includes all official staff records where access would be restricted to HR personnel and nominated authorised staff. For example, personal files, recruitment information, grievance or disciplinary records.
  • EXECUTIVE-IN-CONFIDENCE Information associated with executive management of the University that would normally be restricted to the executive and nominated authorised staff, for example, sensitive financial reports, strategic plans, Senate matters, staff matters, etc.
  • COMMERCIAL-IN-CONFIDENCE Procurement/contract or other commercial details such as sensitive intellectual property. For example, draft request for offer information, tender responses, tender evaluation records, designs and University owned research.
  • AUDIT-IN-CONFIDENCE Information related to audit activities where access would be restricted to officers of the Audit department or nominated authorised staff. For example, Audit and Risk reports which identify security and control weaknesses.

Physical X-IN-CONFIDENCE information assets should be labelled top and bottom and be filed in a distinctive file with an appropriate file cover sheet.

Electronic X-IN-CONFIDENCE information should be prepared in a drive or electronic document and records management system with restricted access.

X-IN-CONFIDENCE documents are to be secured while printing and the printing device not left unattended.

X-IN-CONFIDENCE documents may be removed from the workplace only on a basis of need, with the information owner’s authorisation. Removed documents are to be kept in personal custody with adequate storage arrangements in place.

Care should be taken with X-IN-CONFIDENCE information being discussed in meetings to ensure that people without a need-to-know are not able to overhear the discussion.

X-IN-CONFIDENCE information can be passed unencrypted over internal communication systems. Between sites, encryption is desirable but not mandatory.

Copying of X-IN-CONFIDENCE information is to be kept to a minimum in accord with operational requirements, or may be prohibited by the information owner.

Physical X-IN-CONFIDENCE information should be stored in a secured cabinet, and ‘Clear Desk’ policy used. No building or entry controls are required.

Electronic X-IN-CONFIDENCE information should have restricted logical access based on need-to-know.

X-IN-CONFIDENCE information may be manually transmitted in a single envelope. For internal transmission the envelope must indicate classification. For external transmission the envelope must not indicate classification and can be delivered by hand or authorised messenger including Australia Post.

X-IN-CONFIDENCE information may be electronically transmitted on the basis of ‘need‑to-know’ unencrypted over appropriately classified internal networks, but should be encrypted when sent externally. A receiving facsimile must be attended and receipt or non-receipt of the document must be advised.

X-IN-CONFIDENCE information documents may be shredded or recycled through lockable classified waste bins. Electronic media may be reused or disposed of using methods equivalent to paper waste advice.

6.4 ICT assets and information assets

All ICT assets (including hardware, software and services) and information assets must be identified, documented and assigned ICT asset custodians for the maintenance of security controls.

6.5 Information security classification timeframes

It is recognised that implementation of the QGISCF will be progressive in nature.

Custodians
Chief Information Officer
Mr Rob Moffatt
Custodians
Chief Information Officer
Mr Rob Moffatt