Queensland Government Enterprise Architecture
Information security incident category guideline
Final
August 2013
v2.0.0
PUBLIC
QGEA PUBLIC Information security incident category guideline
Document details
Security classification: PUBLIC
Date of review of security classification: June 2013
Authority: Queensland Government Chief Information Officer
Author: Queensland Government Chief Information Office
Documentation status: Final version
Contact for enquiries and proposed changes
All enquiries regarding this document should be directed in the first instance to:
Queensland Government Chief Information Office [email protected]
Acknowledgements
This version of the Information security incident category guideline was developed and updated by the Queensland Government Chief Information Office. Feedback was also received from a number of agencies, which was greatly appreciated.
Copyright
Information security incident category guideline Copyright © The State of Queensland (Queensland Government Chief Information Office) 2013
Licence
Information security incident category guideline by the Queensland Government Chief Information Office is licensed under a Creative Commons Attribution 3.0 Australia licence. To view the terms of this licence, visit http://creativecommons.org/licenses/by/3.0/au. For permissions beyond the scope of this licence, contact [email protected].
To attribute this material, cite the Queensland Government Chief Information Office.
Information security
This document has been security classified using the Queensland Government Information Security Classification Framework (QGISCF) as PUBLIC and will be managed according to the requirements of the QGISCF.
Final | v2.0.0 | August 2013 | Page 2 of 27 | PUBLIC
Contents
1 Introduction (p. 4)
1.1 Purpose (p. 4)
1.2 Audience (p. 4)
1.3 Scope (p. 4)
2 Background (p. 4)
2.1 Why was the Information security incident category guideline developed? (p. 4)
2.2 Relationship to other documents (p. 5)
2.3 How is the Information security incident category guideline structured? (p. 6)
3 Information security event and incident definitions (p. 8)
4 Information security event and incident categories (p. 8)
4.1 Incident classification (p. 8)
4.2 Incident impact (p. 10)
4.3 Incident cause (p. 10)
4.4 Incident origin (p. 10)
4.5 Severity and severity type (p. 10)
5 Information security incident severity matrix (p. 11)
5.1 Severity type (p. 16)
5.2 Example incident severity assessment (p. 18)
Figures
Figure 1: Queensland Government Incident Management Documents (p. 5)
Figure 2: Information Security Incident Definition, Categories and Severity (p. 7)
Figure 3: Information Security Incident Definition, Categories and Severity mapped to DSD categories (p. 8)
Figure 4: Information security incident severity matrix (p. 16)
1 Introduction
1.1 Purpose
The Information security incident category guideline provides guidance to achieve a consistent approach to categorising information security incidents. It assists agencies in the internal management of information security events and incidents and in the external reporting of those incidents, when required. The consistency in categorising information security events and incidents resulting from the use of this guideline will also facilitate information sharing across Queensland Government agencies. This document provides guidance in determining information security incident severity by providing a matrix for that purpose. This matrix is based on the impact assessment matrix documented in the Queensland Government Information Security Classification Framework (QGISCF).
1.2 Audience
This document is primarily intended for:
- departmental staff and operational areas involved in information security incident management
- information governance bodies
- Queensland Government Virtual Incident Response Team.
1.3 Scope
This guideline relates to the incident management and compliance management domains within the information security slice of the Queensland Government Enterprise Architecture (QGEA).
2 Background
2.1 Why was the Information security incident category guideline developed?
The Auditor General of Queensland’s Report to Parliament No. 4 for 2009 detailed a number of key network security issues outlined in Section 4.2 – Information Technology Network Security. With regard to information security incident management, the report found that:
- there is no centrally coordinated reporting and monitoring process for government IT security incidents
- no mandatory standards that require agencies to report such incidents exist
- formal processes for security incident and problem management are not in place
- agencies should monitor their networks for potential security breaches.
The Information security incident category guideline has been developed to provide a consistent and structured approach to defining and categorising information security events and incidents within agencies and at a whole-of-government level. This will assist agencies in managing their information security events and incidents internally and when external reporting is required.
The Information security incident category guideline will:
- establish consistent terminology relating to information security incidents across the Queensland Government
- provide a method of accurately assessing the severity of information security incidents
- facilitate information sharing and consistency across Queensland Government agencies
- allow easier business risk and impact analysis across Queensland Government agencies
- allow consistent response plans from the whole-of-government virtual response team
- address issues raised in the Auditor General of Queensland’s Report to Parliament No. 4 for 2009
- enable consistency with Australian Standard ISO 27001.
2.2 Relationship to other documents
The Information security incident category guideline supports the implementation of Information Standard 18: Information Security (IS18). In particular, it supports the principles relating to incident management and compliance management. It is part of a suite of documents that assist agencies to meet their internal incident management requirements and external incident reporting requirements (see figure 1).
Figure 1: Queensland Government Incident Management Documents
The Information security incident category guideline is the overarching document which provides consistent definitions, categories and severity scales across all agencies within the Queensland Government. However, the management of agency internal information security events and incidents and agency external reporting requirements are outside the scope of this guideline and are covered in the Information security incident management guideline.
2.3 How is the Information security incident category guideline structured?
As illustrated in Figure 2, the QGISICG provides information security:
- event/incident definitions
- incident categories
- incident severity matrix.
Figure 2: Information security incident definition, categories and severity
3 Information security event and incident definitions
Event: An identified occurrence or activity that threatens to adversely affect the security of information, or indicates a potential vulnerability within the agency, but is currently unsuccessful in its attempt.
Incident: An identified occurrence or activity that has been successful in adversely affecting the security of information.
4 Information security event and incident categories
4.1 Incident classification
Theft/loss of assets: The theft or loss of any information or technology asset/device (including portable and fixed media) that might have been or has been used to either process or store Queensland Government information.
Unauthorised access to information/systems: Unauthorised access from internal and external sources to Queensland Government information and systems.
Unauthorised release of or disclosure of information: Unauthorised release or disclosure of Queensland Government information to an unknown environment.
Malware infections: Software programs designed to cause damage to Queensland Government systems.
Intrusions against networks: Intrusions specifically targeting Queensland Government internal infrastructure. This includes but is not limited to:
- denial-of-service (DoS)/distributed denial-of-service (DDoS)
- website defacements
- brute force attempts.
Also covers intrusion that cannot be attributed, after analysis, to what is considered consistent with Internet noise, for example intrusion attempts that consistently target internal network infrastructure, users or services provided for external use such as web applications.
Abuse of privileges: Changes to privilege use settings on stand-alone or networked equipment, including network profiles and local user or device configuration files, that have not been approved through the agency’s change management process.
Unauthorised changes to information, applications, systems or hardware: Any unauthorised changes to an organisation’s file system, including media, through insertion, modification or deletion. For example, changes to standard operating environments (SOEs), addition of executables or the modification of an executable’s configuration. Also any unauthorised installation of additional processing, communications or storage equipment into the IT network. This includes but is not limited to:
- modems
- portable games units
- smart phones
- PDAs
- wireless access points.
Violation of information security policy: Any violation of information security policy or the information security related aspects of the code of conduct.
Suspicious system behaviour or failure (hardware/software or communications): Unknown network activities affecting/degrading network performance, with increased network bandwidth usage and decreased response time, excessive CPU use, increased suspicious network requests or increased Intrusion Detection System (IDS)/Intrusion Prevention System (IPS) alerts leading to application crashes. Includes a malfunction within the electronic circuits or electromechanical components of a computer/communications system, or malfunction/inability of a program to continue processing due to erroneous logic.
Password confidentiality: Sharing/stealing/loss of passwords or other authentication tokens.
Sabotage/physical damage: Any damage or destruction of physical information or electronic devices.
Other events: Natural events and other events which result in damage to information and systems. This includes but is not limited to:
- fire
- flood
- excessive heat
- storms
- biological agents
- toxic dispersion
- riots
- power outage.
4.2 Incident impact
Confidentiality: The confidentiality of Queensland Government information has been compromised as a result of the incident, e.g. unauthorised access to information.
Integrity: The integrity of Queensland Government information has been compromised as a result of the incident, e.g. resulting in inaccurate/incomplete information.
Availability: The availability of Queensland Government information has been compromised as a result of the incident, e.g. information assets cannot be accessed by authorised users.
4.3 Incident cause
Deliberate: Where a person causes an information security incident intentionally, with a desired result or a particular purpose specified.
Accidental: Where a person causes an information security incident or event unexpectedly, unintentionally, without design or by chance.
Error: A malfunction, error, flaw, mistake, failure, fault or bad code in an ICT facility, device or software program that prevents it from behaving as intended.
Unknown: Incident cause is unable to be identified. Requires further investigation.
4.4 Incident origin
Internal (agency): Existing, occurring or originating within the agency.
Internal (Queensland Government): Existing, occurring or originating within the Queensland Government.
External: Existing, occurring or originating outside the Queensland Government.
Unknown: Origin is unable to be clearly identified. Requires further investigation.
4.5 Severity and severity type
Refer to section 5 for the event and incident severity matrix and severity type definitions.
5 Information security incident severity matrix
The Information security incident severity matrix (see figure 4, page 13) should be used to determine the severity of an information security incident. This will result in a consistent approach to both the process and the terminology across Queensland Government agencies. It should be noted that this matrix is intended as a guide only, and the impact types and their evaluation may need to be modified to suit individual agencies. Agencies should avoid making a severity assessment solely on the basis of the security classification of the information involved. For example, the unauthorised modification of publicly available information such as a public health notice may still have a high impact on individuals and agencies.
Note that it is the highest security incident severity rating determined for a particular incident that indicates the overall severity of the incident. For example, if an incident’s assessment has ratings ranging from ‘none/negligible’ to ‘high’, the highest rating identified (‘high’) is the one applied to the incident.
See Section 5.1 below for an example of how to apply the severity matrix.
Severity runs from lowest to highest: None/negligible, Minor, Moderate, High, Very high. Each row below lists the matrix cells for one impact type in that order, separated by “|”. Where a row lists fewer than five entries, a descriptor covers more than one severity column in the original figure (for example, ‘Any risk to personal safety’ is rated High in Example 1 of section 5.2).

Risk to individual safety: None/negligible | Any risk to personal safety | Threatens life directly
Distress caused to any party: None/negligible | Short term distress | Limited long term distress | Substantial long term distress
Damage to any party’s standing or reputation: None/negligible | Minor local impact and/or limited short term damage | Moderate embarrassment and/or short term damage | Significant embarrassment, loss of public confidence and/or limited long term damage | Severe embarrassment, loss of public confidence and/or substantial long term damage
Inconvenience to any party: None/negligible | Minor inconvenience | Moderate inconvenience | Significant inconvenience | Substantial inconvenience
Public order: None or negligible | Measurable impact | Prejudice | Seriously prejudice
Unauthorised disclosure of personally or commercially sensitive information: No or negligible disclosure of sensitive information | Minor impact | Measurable impact, breach of regulations or commitment to confidentiality | Significant impact to person, agency or business | Substantial impact to person, agency or business
Impact on Government finances or economic and commercial interests: No or negligible impact | Cause financial loss or loss of earning potential | Work significantly against | Substantial damage
Financial loss to any client (see note 1) of the service provider or third party: No or negligible loss | Minor loss | Moderate loss | Significant loss | Substantial loss
Financial loss to agency/service provider: No or negligible loss | Minor: < 2% of monthly agency budget | Moderate: 2% – < 5% of monthly agency budget | Significant: 5% – < 10% of monthly agency budget | Substantial: ≥ 10% of monthly agency budget
Disruption to agency business operations: No or negligible disruption | Agency business operations impaired in any way | Agency business halted or significantly impaired for a sustained period
Service delivery disruption: None or negligible | Minor interruptions or delays | Loss of transactions in progress | Significant interruptions or delays | Loss of completed transactions | Unable to continue to deliver service in current form
Systems/network affected: None or negligible | Few non-critical systems in a stand-alone or networked environment | Many non-critical systems in a stand-alone or networked environment | Any critical system in a networked environment | Multiple critical systems in a networked environment
Assistance to crime or impact on its detection: Would be of no or negligible assistance or hindrance to detection of unlawful activity | Prejudice investigation or facilitate commission of violations that will be subject to enforcement efforts | Impede investigation or facilitate commission of serious crime | Prevent investigation or directly allow commission of serious crime
Agencies affected: Small areas within a single agency | Most areas within a single agency | Multiple agencies | Whole-of-government
Propagation: None or negligible | Easily contained within a single system or network segment | Contained within a single agency | Likely to propagate (or has propagated) to other agencies | Likely to propagate (or has propagated) beyond Queensland Government networks; cannot be detected by anti-virus products and intrusion vector can’t be established
Ease of recovery: No/negligible recovery required | Handled by routine tools and procedures | Requires additional resources (e.g. staff overtime, engagement of third parties or purchase of tools) | Requires substantial additional resources (e.g. engagement of additional staff or contractors or significant investment) | Not directly recoverable (significant irreversible damage or loss)
Impact on development or operation of major government policy: No or negligible impact | Minor impact | Impede effective development or operation | Seriously impede | Substantially impede
Impact on risk of litigation: No or negligible impact | Minor impact | Measurable impact | Significant impact | Substantial impact

Note 1: In order to assist in the determination of the appropriate level of impact, the following is suggested: Minor < $50, Moderate $50 – < $200, High $200 – < $2000 and Very High ≥ $2000. These figures are guidelines only, and are based on an ‘average’ individual. Where the client is known to be a corporation or other similar entity, these figures would need to be adjusted to something more akin to the figures used for financial loss to the service provider. If multiple clients will suffer the loss, the impact level should be adjusted accordingly to reflect the total losses to clients.

Figure 3: Information security incident severity matrix
5.1 Severity type
To provide some assistance in completing the severity matrix, the following table (based on the QGISCF approach) provides examples of considerations when assessing impacts.
A. Risk to individual safety: Consider any risk of any injury or impact on safety at all, as well as the possibility of loss of life. An example could include release of names or locations of under-cover officers or people under protection orders.
B. Distress caused to any party: From the client’s or public’s point of view, distress could be caused by many things, including the release of private information. From a service provider’s point of view, potential impacts could include stress impacts on employees and possible loss of jobs or major reorganisation forced by the inappropriate release of information.
C. Damage to any party’s standing or reputation: Issues to consider include potential for adverse publicity, either locally or wider, and the potential for damage to either the service provider’s or client’s ongoing reputation. If inappropriate access to information was granted, would it be of interest to the media?
D. Inconvenience to any party: Consider factors such as releasing information which could lead to identity fraud being perpetrated.
E. Public order: Need to consider whether disclosure of information could pose a threat to community relations and public order. This may occur when information is released that can cause ‘alarm’ in a way that then results in damage to public order. An example would be disclosure of an offender’s identity or whereabouts where the community could then react and disturb public order.
F. Unauthorised disclosure of personally or commercially sensitive information: Would disclosure of information which should not be made public have an impact on any party, or would it violate legislative or regulatory guidelines such as information privacy principles? Examples include medical records and other personal information and commercially sensitive information that could impact on current or future business.
G. Impact on government finances or economic and commercial interests: Would disclosure of information result in financial or economic consequences to government? Release of information may result in financial gain or loss. Disclosure of planning decisions which could result in changing valuations would be an example.
H. Financial loss to any client of the service provider or third party: Consider this from the service provider’s perspective: what losses could they incur? Considerations include possibility of fraud, a party illegally transferring money, a party gaining control of assets they don’t legally own (e.g. by using the provided information to establish an identity which is not theirs, and then changing ownership details).
I. Financial loss to agency/service provider: Consider this from the service provider’s perspective: what losses could they incur? Considerations include possibility of fraud, a party illegally transferring money, a party gaining control of assets they don’t legally own (e.g. by using the provided information to establish an identity which is not theirs, and then changing ownership details).
J. Disruption to agency business operations: Would unauthorised release of this information have the potential to reduce or prevent an agency or external party conducting their business? For how long would this reduction/prevention last?
K. Service delivery disruption: Would unauthorised release of this information have the potential to disrupt agency delivery of services to internal or external clients/stakeholders? How long would this disruption last?
L. Systems affected: How many systems have been affected by the incident? Are these critical systems?
M. Assistance to serious crime or hindrance of its detection: Would release of this information have the potential to assist in the conduct of a crime or terrorist activity? This could include release of information enabling the planning of a crime or terrorist activity, or the creation of a false identity.
N. Agencies affected: How many agencies have been affected? To what extent have they been affected?
O. Propagation: How quickly is this incident spreading? How wide is the spread? To what extent is it affecting agencies? Can the incident be contained quickly?
P. Ease of recovery: How long until systems are back to normal? How many systems are affected?
Q. Impact on development or operation of major government policy: Would inappropriate disclosure cause embarrassment to government in the stages where policy is being formulated or implemented? The impact may be that a major policy initiative will not proceed.
5.2 Example incident severity assessment
The following tables provide examples of how to apply the categories and impact matrix for the following events and incidents.
Example 1
The chair of an interview panel accidentally left a disk on a train which contains copies of job applications for an advertised position. The applications contain personal applicant details such as names, addresses, contact numbers and work history.
Definition: Incident. The occurrence was successful in adversely affecting the security of the information contained on the disk.
Category: Theft/loss of assets. The disk was lost which contained Queensland Government information.
Compromises: Confidentiality. The confidentiality of the information on the disk has been compromised, as it is viewable by anyone who obtains it.
Cause: Accidental. This loss was not intended or deliberate.
Origin: Internal. The occurrence was caused by a staff member within the agency.
Severity type:
- A. High (Any risk to personal safety): The job applicant details (address/contact numbers) can be used to locate individuals, which poses a risk to their safety.
- B. Moderate (Short term distress): The job applicants may suffer distress as a result of the loss of their information.
- C. Minor (Minor local impact and/or limited short term damage): The agency’s reputation has not been greatly affected amongst the general public. However, it has had a negative impact on the reputation amongst the job applicants.
- D. None/negligible: These details can be easily retrieved from other electronic sources/devices (original emails, original file locations).
- F. Moderate (Measurable impact, breach of regulations or commitment to confidentiality): The loss of the disk means that the details of the job applicants have been released to other parties without the individuals’ authorisation.
Severity: High (determined by highest severity rating). The occurrence was successful in adversely affecting the security of the information contained on the disk.
Example 2
A denial of service attack has occurred on an agency website, causing downtime and disruption to critical public services. This attack left the agency unable to continue to deliver the service for the duration of a working day, which caused inconvenience to consumers of the service, and public embarrassment for the agency.
Definition: Incident. The denial of service attack caused downtime and disruption – it has affected the availability of information.
Category: Intrusions against networks. Since the attack was successful in causing service disruption, it has been classified as a network intrusion, because agency firewalls were penetrated.
Compromises: Availability. The availability of public services was disrupted during the downtime of the website.
Cause: Deliberate. The denial of service attack was a persistent and focused attack, which illustrates it was deliberate in intent.
Origin: External. The attack came from outside the agency network, with the aim of infiltrating it.
Severity type:
- C. Moderate (Moderate embarrassment and/or short term damage): The agency’s reputation has been damaged by the subsequent disruption of public services.
- D. High (Significant inconvenience): The incident has caused a large amount of inconvenience to the agency as they attend to the attack. The public has been inconvenienced by the disruption to services.
- J. High (Agency business operations impaired in any way): The agency’s business operations have been disrupted whilst they attend to the network intrusion.
- K. Very High (Unable to continue to deliver service in current form): The agency’s service delivery has been disrupted as a result of website downtime.
Severity: Very High. The highest severity rating is recorded (Severity Type K – Very High).
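As an added example (not part of the guideline), the following Python encodes the section 5 roll-up rule, that the highest rating across impact types is the incident severity, together with the two quantitative bands the matrix gives (impact type I as a share of monthly agency budget, and note 1's per-client dollar bands), and re-runs the Example 1 and Example 2 ratings through it. The budget and client-loss figures in the script are constructed for illustration and do not come from the guideline.

```python
"""Severity roll-up for the QGEA information security incident severity matrix.

Added example, not part of the guideline. The impact-type letters (A..Q) and
the five severity levels follow sections 5 and 5.1; the dollar and budget
figures used at the bottom are constructed for illustration.
"""
from enum import IntEnum


class Severity(IntEnum):
    """The five columns of the matrix, lowest to highest."""
    NONE = 0        # None/negligible
    MINOR = 1
    MODERATE = 2
    HIGH = 3
    VERY_HIGH = 4


def agency_loss_severity(loss: float, monthly_budget: float) -> Severity:
    """Impact type I: financial loss to agency/service provider.

    Bands from the matrix: Minor < 2%, Moderate 2% to < 5%, High 5% to < 10%,
    Very High >= 10% of the monthly agency budget. Cross-multiplying instead of
    dividing avoids a floating-point miss exactly on a band boundary.
    """
    if monthly_budget <= 0:
        raise ValueError("monthly budget must be positive")
    if loss <= 0:
        return Severity.NONE            # "No or negligible loss"
    loss_x100 = loss * 100              # loss/budget >= p% <=> loss*100 >= p*budget
    if loss_x100 >= 10 * monthly_budget:
        return Severity.VERY_HIGH
    if loss_x100 >= 5 * monthly_budget:
        return Severity.HIGH
    if loss_x100 >= 2 * monthly_budget:
        return Severity.MODERATE
    return Severity.MINOR


def client_loss_severity(loss_per_client: float, clients: int = 1) -> Severity:
    """Impact type H: financial loss to a client or third party (note 1).

    Suggested bands for an 'average' individual: Minor < $50, Moderate $50 to
    < $200, High $200 to < $2000, Very High >= $2000. Note 1 says the level
    should reflect the total where several clients suffer the loss, so the
    band is applied to loss_per_client * clients.
    """
    total = loss_per_client * max(clients, 0)
    if total <= 0:
        return Severity.NONE
    if total >= 2000:
        return Severity.VERY_HIGH
    if total >= 200:
        return Severity.HIGH
    if total >= 50:
        return Severity.MODERATE
    return Severity.MINOR


def overall_severity(ratings: dict) -> tuple:
    """Section 5 rule: the highest rating of any impact type is the incident
    severity. Returns (severity, sorted impact-type labels at that level) so a
    report can say which impact types drove the result, not just the level.
    """
    if not ratings:
        return Severity.NONE, []
    top = max(ratings.values())
    drivers = sorted(label for label, level in ratings.items() if level == top)
    return top, drivers


# Per-impact-type ratings transcribed from the guideline's Example 1 (lost disk
# of job applications) and Example 2 (denial of service on an agency website).
EXAMPLE_1 = {"A": Severity.HIGH, "B": Severity.MODERATE, "C": Severity.MINOR,
             "D": Severity.NONE, "F": Severity.MODERATE}
EXAMPLE_2 = {"C": Severity.MODERATE, "D": Severity.HIGH, "J": Severity.HIGH,
             "K": Severity.VERY_HIGH}


if __name__ == "__main__":
    for name, ratings in (("Example 1", EXAMPLE_1), ("Example 2", EXAMPLE_2)):
        level, drivers = overall_severity(ratings)
        print(f"{name}: {level.name} (driven by impact type(s) {', '.join(drivers)})")
    # Constructed figures: a $30,000 loss against a $1,000,000 monthly budget is 3%.
    print("Agency loss at 3% of monthly budget:", agency_loss_severity(30_000, 1_000_000).name)
    # Constructed figures: 150 clients each losing $20 is $3,000 in total.
    print("150 clients losing $20 each:", client_loss_severity(20, 150).name)
```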
Example 3
An agency has detected an attempted network intrusion from an external source. This particular attempt was unsuccessful in adversely affecting the security of agency information, as the agency’s security controls prevented an intrusion from occurring.
Definition: Event. The attempted intrusion was unsuccessful, as the controls in place prevented the occurrence.
Category: Intrusion against network. The agency controls detected an attempted network intrusion.
Cause: Unknown. Further investigation is required to determine the exact cause.
Origin: External. The occurrence is from an external source, outside of the agency network.
Example 4
An agency has detected a network intrusion from an external source. This particular attempt was successful in adversely affecting the security of agency information, as the agency’s security controls were not able to prevent the intrusion from occurring. As a result of the attack, the agency’s website was defaced, with the attackers removing the existing content and replacing it with offensive material. The incident is under investigation to identify where the attack has come from.
Classification: This occurrence has been classified as two separate incidents, as both incidents that have arisen as a result require different responses i.e. the network intrusion requires action to increase the security controls, and the website defacement requires the agency to restore their website and its content.
Incident 1 – Network Intrusion
Category type | Selection | Rationale
Definition | Incident | The agency controls were not able to prevent the intrusion attempt.
Category | Intrusion against network | Agency controls were breached, leading to a network intrusion.
Compromises | Confidentiality; Integrity | Once the network intrusion has occurred, agency information is viewable, compromising its confidentiality. The subsequent website defacement has led to a compromise of information integrity.
Cause | Deliberate | The intrusion has been deliberate, because it has led to website defacement.
Origin | External | The intrusion has occurred from outside the agency network.
Severity type | C. High: Significant embarrassment, loss of public confidence and/or limited long term damage | The network intrusion has caused damage to the agency’s reputation (as a result of the subsequent website defacement).
Severity type | D. Moderate: Moderate inconvenience | The agency has been inconvenienced as a result of the efforts required to respond to the attack.
Severity type | J. High: Agency business operations impaired in any way | The agency’s business operations have been impacted following the intrusion of their network.
Severity type | N. Minor: Small areas within a single agency | The incident affected a small number of areas within the agency.
Severity type | P. Moderate: Requires additional resources (e.g. staff overtime, engagement of third parties or purchase of tools) | In the affected area staff had to work extra hours to resolve the incident.
Severity | High | The highest severity rating is recorded
Incident 2 – Website Defacement
Category type | Selection | Rationale
Definition | Incident | The agency website was defaced.
Category | Defacement of public information | The website contained publicly accessible information, which was modified without authorisation.
Compromises | Integrity; Availability | The integrity and availability of the website content was compromised, as it was altered and/or removed from the website. Downtime to restore the website further compromised availability.
Cause | Deliberate | The attack was deliberate – the website was defaced, indicating malicious intent.
Origin | External | The intrusion occurred from outside the agency network.
Severity type | B. Moderate: Short term distress | Distress was caused to the public, since the web service was unavailable. In addition, the public were exposed to offensive material.
Severity type | C. High: Significant embarrassment, loss of public confidence and/or limited long term damage | The incident has caused damage to the agency’s reputation amongst the public.
Severity type | D. Moderate: Moderate inconvenience | Service downtime causes inconvenience to both the agency and the public.
Severity type | J. High: Agency business operations impaired in any way | The agency business operations are disrupted while they restore the website.
Severity type | K. High: Significant interruptions or delays. Loss of completed transactions | The services provided on the agency website are adversely affected during the downtime.
Severity type | P. Moderate: Requires additional resources (e.g. staff overtime, engagement of third parties or purchase of tools) | Efforts to restore the website to full functionality can be done with relative ease. Some staff from the affected area were required to work overtime to resolve the issue.
Severity | High | The highest severity rating is recorded
Example 5
An agency staff member has been caught viewing and editing confidential files that belong to a senior staff member, without the authorisation to do so. The documents, which were classified ‘X-In Confidence’, were removed from a filing cabinet located in the senior staff member’s office, and replaced with alternative copies. In the process of searching for the desired files, the employee also went through other documents containing personal details of the senior staff member. It was later revealed the employee edited the document’s content for personal gain.
Classification: This occurrence has been classified as two separate incidents, as both incidents that have arisen have compromised different aspects of agency information, i.e. unauthorised access, and unauthorised changes to agency documents.
Incident 1 – Unauthorised access to agency documents
Category type | Selection | Rationale
Definition | Incident | The staff member has accessed confidential information without authorisation.
Category | Unauthorised access to information/systems | The staff member has accessed confidential documents from a senior staff member’s filing cabinet.
Compromises | Confidentiality | The unauthorised access to senior staff documents has compromised the confidentiality of the information.
Cause | Deliberate | The employee deliberately accessed the document, in search of particular information.
Origin | Internal | The incident occurred from within the agency.
Severity type | B. Moderate: Short term distress | Distress has been caused to the senior staff member, whose filing cabinet was opened and searched.
Severity type | D. Moderate: Moderate inconvenience | The incident has caused inconvenience to the senior staff member.
Severity type | F. Very High: Substantial impact to person, agency or business | The confidential documents have had their contents disclosed to other parties, without the authorisation of the owner.
Severity | Very High | The highest severity rating is recorded
Incident 2 – Unauthorised changes to agency documents
Category type | Selection | Rationale
Definition | Incident | The staff member has compromised the integrity of the information, by developing a fraudulent copy of a document.
Category | Unauthorised changes to information, applications, systems or hardware | Changes have been made to an agency document, without authorisation.
Compromises | Confidentiality; Integrity | The incident compromises the confidentiality of the original document (and additional ones searched), as well as the integrity of the edited document.
Cause | Deliberate | The employee deliberately edited the document.
Origin | Internal | The incident occurred from within the agency.
Severity type | B. High: Limited long term distress | Distress has been caused to the senior staff member, whose filing cabinet was opened and searched, and documents were edited.
Severity type | D. High: Significant inconvenience | The incident has caused inconvenience to the senior staff member.
Severity type | F. Very High: Substantial impact to person, agency or business | The confidential documents have had their contents disclosed to other parties, without the authorisation of the owner.
Severity | Very High | The highest severity rating is recorded
Example 6
An agency staff member has been caught viewing confidential documents that belong to a senior staff member, without authorisation. The documents, which were not marked as classified, were left unattended on a public desk. The staff member claims he was unaware that he did not have the appropriate authority to view the documents.
Category type | Selection | Rationale
Definition | Incident | The confidentiality of the document has been compromised as a result of this occurrence.
Category | Unauthorised access to information/systems | The staff member did not have authorisation to view the contents of the document.
Compromises | Confidentiality | The document had confidential material, which was viewed by a staff member without authorisation.
Cause | Accidental | The employee was unaware of the document’s confidentiality. The employee assumed it was suitable to read, since the document was left in a public place, without specifying the correct licensing.
Origin | Internal | The incident has occurred within the agency from an employee.
Severity type | B. Moderate: Short term distress | There was some short term distress to the employee who accessed the information.
Severity type | F. Very High: Substantial impact to person, agency or business | The employee who viewed the document was not authorised to do so. The owner of the document has allowed for the contents to be viewed by employees who do not have authorisation to do so. It has caused a substantial impact to the party that was the subject of the document.
Severity | Very High | The highest severity rating is recorded
Example 7
A staff member has incorrectly sent an email with confidential agency information to another staff member. The email recipient was incorrectly selected by the sender, and as a result, the confidential content was not sent to the intended person, but instead read by the unauthorised staff member. It was determined by the agency that the recipient had no prior involvement in the leaking of this information, i.e. did not instigate the email, and was not in breach of any agency information security policy. The sender confirmed that the incident was a result of an error on their part.
Category type | Selection | Rationale
Definition | Incident | Through the distribution of a misdirected email, the confidentiality of agency information was compromised.
Category | Unauthorised disclosure of personally or commercially sensitive information | The staff member has disclosed agency information to another staff member, without authorisation.
Compromises | Confidentiality | The confidentiality of agency information was compromised.
Cause | Accidental | The sender of the email has made an error when distributing the information. It was not intentional.
Origin | Internal | The incident has occurred between two staff members within the agency.
Severity type | B. Moderate: Short term distress | The incident has caused short term distress for the employee who sent the email, as they were responsible for the unauthorised distribution of confidential material.
Severity type | F. Moderate: Measurable impact, breach of regulations or commitment to confidentiality | The sender of the email has disclosed confidential information without authorisation.
Severity type | P. Minor: Handled by routine tools and procedures | The incident was handled by routine procedures.
Severity | Moderate | The highest severity rating is recorded
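The classification tables in Examples 3 to 7 all share one shape, and each incident closes with the same rule: the overall severity is the highest rating recorded. The Python below is an added example, not part of the guideline, that models a record of that shape, checks it for the consistency the examples show (an Event carries no Compromises or Severity rows, an Incident names at least one compromised aspect) and applies the highest-rating rule to Example 3, Example 4 (incident 1) and Example 7; the field names and the lowest-to-highest ordering of the four level labels are assumptions taken from the examples.

```python
from dataclasses import dataclass, field

# Ordered scale assumed from the ratings used in the worked examples, lowest first.
LEVELS = ("Minor", "Moderate", "High", "Very High")
ASPECTS = {"Confidentiality", "Integrity", "Availability"}

@dataclass
class Classification:
    """One 'Category type / Selection' table without its rationale text (field names are this example's own)."""
    definition: str                        # "Event" or "Incident"
    category: str
    cause: str                             # Deliberate, Accidental or Unknown in the examples
    origin: str                            # Internal or External
    compromises: set = field(default_factory=set)       # subset of ASPECTS
    severity_types: dict = field(default_factory=dict)  # letter -> level, e.g. {"C": "High"}

def validate(rec):
    """Return the inconsistencies found; an empty list means the record follows the examples' pattern."""
    problems = []
    if rec.definition not in ("Event", "Incident"):
        problems.append(f"unknown definition {rec.definition!r}")
    if rec.definition == "Event" and (rec.compromises or rec.severity_types):
        problems.append("an Event compromised nothing, so it carries no Compromises or Severity rows")
    if rec.definition == "Incident" and not rec.compromises:
        problems.append("an Incident must name at least one compromised aspect")
    problems += [f"unknown aspect {a!r}" for a in sorted(rec.compromises - ASPECTS)]
    problems += [f"unknown level {v!r} for severity type {k}"
                 for k, v in rec.severity_types.items() if v not in LEVELS]
    return problems

def overall_severity(rec):
    """Apply the guideline's rule: the highest rating recorded is the overall severity (None for an Event)."""
    problems = validate(rec)
    if problems:
        raise ValueError("; ".join(problems))
    if not rec.severity_types:
        return None
    return max(rec.severity_types.values(), key=LEVELS.index)

# Records transcribed from the worked examples above.
EXAMPLE_3 = Classification("Event", "Intrusion against network", "Unknown", "External")
EXAMPLE_4_INTRUSION = Classification(
    "Incident", "Intrusion against network", "Deliberate", "External",
    {"Confidentiality", "Integrity"},
    {"C": "High", "D": "Moderate", "J": "High", "N": "Minor", "P": "Moderate"})
EXAMPLE_7_EMAIL = Classification(
    "Incident", "Unauthorised disclosure of personally or commercially sensitive information",
    "Accidental", "Internal", {"Confidentiality"}, {"B": "Moderate", "F": "Moderate", "P": "Minor"})
```

Calling `overall_severity(EXAMPLE_4_INTRUSION)` returns "High" and `overall_severity(EXAMPLE_7_EMAIL)` returns "Moderate", matching the Severity rows of those tables.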