Queensland Government Enterprise Architecture Information security incident category guideline Final August 2013 v2.0.0 PUBLIC

Queensland Government Enterprise Architecture

Information security incident category guideline

Final

August 2013

v2.0.0

PUBLIC


QGEA PUBLIC Information security incident category guideline

Document details

Security classification PUBLIC

Date of review of security classification

June 2013

Authority Queensland Government Chief Information Officer

Author Queensland Government Chief Information Office

Documentation status Working draft Consultation release Final version

Contact for enquiries and proposed changes

All enquiries regarding this document should be directed in the first instance to:

Queensland Government Chief Information Office [email protected]

Acknowledgements

This version of the Information security incident category guideline was developed and updated by Queensland Government Chief Information Office.

Feedback was also received from a number of agencies, which was greatly appreciated.

Copyright

Information security incident category guideline Copyright © The State of Queensland (Queensland Government Chief Information Office) 2013

Licence

Information security incident category guideline by the Queensland Government Chief Information Office is licensed under a Creative Commons Attribution 3.0 Australia licence. To view the terms of this licence, visit http://creativecommons.org/licenses/by/3.0/au. For permissions beyond the scope of this licence, contact [email protected].

To attribute this material, cite the Queensland Government Chief Information Office.

Information security

This document has been security classified using the Queensland Government Information Security Classification Framework (QGISCF) as PUBLIC and will be managed according to the requirements of the QGISCF.

Final | v2.0.0 | August 2013 Page 2 of 27PUBLIC


Contents

1 Introduction ... 4
1.1 Purpose ... 4
1.2 Audience ... 4
1.3 Scope ... 4
2 Background ... 4
2.1 Why was the Information security incident category guideline developed? ... 4
2.2 Relationship to other documents ... 5
2.3 How is the Information security incident category guideline structured? ... 6
3 Information security event and incident definitions ... 8
4 Information security event and incident categories ... 8
4.1 Incident classification ... 8
4.2 Incident impact ... 10
4.3 Incident cause ... 10
4.4 Incident origin ... 10
4.5 Severity and severity type ... 10
5 Information security incident severity matrix ... 11
5.1 Severity type ... 16
5.2 Example incident severity assessment ... 18

Figures

Figure 1: Queensland Government Incident Management Documents ... 5
Figure 2: Information Security Incident Definition, Categories and Severity ... 7
Figure 3: Information Security Incident Definition, Categories and Severity mapped to DSD categories ... 8
Figure 4: Information security incident severity matrix ... 16


1 Introduction

1.1 Purpose

The Information security incident category guideline provides guidance to achieve a consistent approach to categorising information security incidents. It assists agencies in the internal management of information security events and incidents and in the external reporting of those incidents, when required. The consistency in categorising information security events and incidents resulting from the use of this guideline will also facilitate information sharing across Queensland Government agencies. This document provides guidance in determining information security incident severity by providing a matrix for that purpose. This matrix is based on the impact assessment matrix documented in the Queensland Government Information Security Classification Framework (QGISCF).

1.2 Audience

This document is primarily intended for:

- departmental staff and operational areas involved in information security incident management
- information governance bodies
- Queensland Government Virtual Incident Response Team.

1.3 Scope

This guideline relates to incident management and compliance management domains within the information security slice of the Queensland Government Enterprise Architecture (QGEA).

2 Background

2.1 Why was the Information security incident category guideline developed?

The Auditor General of Queensland’s Report to Parliament No. 4 for 2009 detailed a number of key network security issues outlined in Section 4.2 – Information Technology Network Security. With regards to information security incident management, the report found that:

- there is no centrally coordinated reporting and monitoring process for government IT security incidents
- no mandatory standards that require agencies to report such incidents exist
- formal processes for security incident and problem management are not in place
- agencies should monitor their networks for potential security breaches.

The Incident category guideline has been developed to provide a consistent and structured approach to defining and categorising information security events and incidents within agencies and at a whole-of-government level. This will assist agencies in managing their information security events and incidents internally and when external reporting is required.


The Information security incident category guideline will:

- establish consistent terminology relating to information security incidents across the Queensland Government
- provide a method of accurately assessing the severity of information security incidents
- facilitate information sharing and consistency across Queensland Government agencies
- allow easier business risk and impact analysis across Queensland Government agencies
- allow consistent response plans from the whole-of-government virtual response team
- address issues raised in the Auditor General of Queensland’s Report to Parliament No. 4 for 2009
- enable consistency with Australian Standard ISO 27001.

2.2 Relationship to other documents

The Information security incident category guideline supports the implementation of Information Standard 18: Information Security (IS18). In particular, it supports the principles relating to incident management and compliance management. It is part of a suite of documents that assist agencies to meet their internal incident management requirements and external incident reporting requirements (see figure 1).

Figure 1: Queensland Government Incident Management Documents


The Information security incident category guideline is the overarching document which provides consistent definitions, categories and severity scales across all agencies within the Queensland Government. However, the management of agency internal information security events and incidents and agency external reporting requirements are outside the scope of this guideline and are covered in the Information security incident management guideline.

2.3 How is the Information security incident category guideline structured?

As illustrated in Figure 2, the QGISICG provides information security:

- event/incident definitions
- incident categories
- incident severity matrix.


Figure 2: Information security incident definition, categories and severity


3 Information security event and incident definitions

Term Description

Event An identified occurrence or activity that threatens to adversely affect the security of information, or indicates a potential vulnerability within the agency, but is currently unsuccessful in its attempt.

Incident An identified occurrence or activity that has been successful in adversely affecting the security of information.

4 Information security event and incident categories

4.1 Incident classification

Term Description

Theft/loss of assets The theft or loss of any information or technology asset/device (including portable and fixed media) that might have been or has been used to either process or store Queensland Government information.

Unauthorised access to information/systems

Unauthorised access from internal and external sources to Queensland Government information and systems.

Unauthorised release of or disclosure of information

Unauthorised release or disclosure of Queensland Government information to an unknown environment.

Malware infections Software programs designed to cause damage to Queensland Government systems.

Intrusions against networks

Intrusions specifically targeting Queensland Government internal infrastructure. This includes but is not limited to:

- denial-of-service (DoS)/distributed denial-of-service (DDoS)
- website defacements
- brute force attempts.

Intrusion that cannot be attributed, after analysis, to what is considered consistent with Internet noise. For example intrusion attempts that consistently target internal network infrastructure, users or services provided for external use such as web applications.

Abuse of privileges Changes to privilege use settings on stand-alone or networked equipment including network profiles, local user or device configuration files that have not been approved through the agency’s change management process.

Unauthorised changes to information, applications, systems or hardware

Any unauthorised changes to an organisation’s file system, including media, through insertion, modification or deletion. For example, changes to standard operating environments (SOEs), addition of executables or the modification of an executable’s configuration.

Any unauthorised installation of additional processing, communications or storage equipment into the IT network. This includes but is not limited to:

- modems
- portable games units
- smart phones
- PDAs
- wireless access points.

Violation of information security policy

Any violation of information security policy or the information security related aspects of the code of conduct.

Suspicious system behaviour or failure (hardware/software or communications)

Unknown network activities affecting/degrading network performance with increased network bandwidth usage and decreased response time, using excessive CPU, increased suspicious network requests or increased Intrusion Detection System (IDS)/Intrusion Prevention System (IPS) alerts leading to application crashes.

Includes a malfunction within the electronic circuits, electromechanical components of a computer/communications system, or malfunction/inability of a program to continue processing due to erroneous logic.

Password confidentiality

Sharing/stealing/loss of passwords or other authentication token.

Sabotage/physical damage

Any damage or destruction of physical information or electronic devices.

Other events Natural events and other events which result in damage to information and systems. This includes but is not limited to:

- fire
- flood
- excessive heat
- storms
- biological agents
- toxic dispersion
- riots
- power outage.


4.2 Incident impact

Term Description

Confidentiality The confidentiality of Queensland Government information has been compromised as a result of the incident. e.g. Unauthorised access to information.

Integrity The integrity of Queensland Government Information has been compromised as a result of the incident. e.g. Resulting in inaccurate/incomplete information.

Availability The availability of Queensland Government information has been compromised as a result of the incident. e.g. Information assets cannot be accessed by authorised users.

4.3 Incident cause

Term Description

Deliberate Where a person causes an information security incident intentionally with a desired result or a particular purpose specified.

Accidental Where a person causes an information security incident or event unexpectedly, unintentionally, without design or by chance.

Error A malfunction, error, flaw, mistake, failure, fault or bad code in an ICT facility, device or software program that prevents it from behaving as intended.

Unknown Incident cause is unable to be identified. Requires further investigation.

4.4 Incident origin

Term Description

Internal (agency) Existing, occurring or originating with the agency.

Internal (Queensland Government)

Existing, occurring or originating within the Queensland Government.

External Existing, occurring or originating outside the Queensland Government.

Unknown Origin is unable to be clearly identified. Requires further investigation.

4.5 Severity and severity type

Refer to section 5 for the event and incident severity matrix and severity type definitions.


5 Information security incident severity matrix

The Information security incident severity matrix (see figure 4, page 13) should be used to determine the severity of an information security incident. This will result in a consistent approach to both the process and the terminology across Queensland Government agencies. It should be noted that this matrix is intended as a guide only, and the impact types and their evaluation may need to be modified to suit individual agencies. Agencies should avoid making a severity assessment solely on the basis of the security classification of the information involved. For example, the unauthorised modification of publicly available information such as a public health notice may still have a high impact on individuals and agencies.

Note that it is the highest security incident severity rating as determined for a particular incident that will be indicative of the overall severity of the incident. For example if an incident as assessed has scores in a range from ‘none/negligible’ to ‘high’, it is the highest severity rating identified that should be applied to the incident.

See Section 5.1 below for an example of how to apply the severity matrix.


Severity scale (lowest to highest): None/negligible | Minor | Moderate | High | Very high

Each impact type below lists its severity descriptions in that same lowest-to-highest order. Where the source table gives fewer than five entries for a row, they are listed in the same order.

Risk to individual safety: None/negligible | Any risk to personal safety | Threatens life directly

Distress caused to any party: None/negligible | Short term distress | Limited long term distress | Substantial long term distress

Damage to any party’s standing or reputation: None/negligible | Minor local impact and/or limited short term damage | Moderate embarrassment and/or short term damage | Significant embarrassment, loss of public confidence and/or limited long term damage | Severe embarrassment, loss of public confidence and/or substantial long term damage

Inconvenience to any party: None/negligible | Minor inconvenience | Moderate inconvenience | Significant inconvenience | Substantial inconvenience

Public order: None or negligible | Measurable impact | Prejudice | Seriously prejudice

Unauthorised disclosure of personally or commercially sensitive information: No or negligible disclosure of sensitive information | Minor impact | Measurable impact, breach of regulations or commitment to confidentiality | Significant impact to person, agency or business | Substantial impact to person, agency or business

Impact on Government finances or economic and commercial interests: No or negligible impact | Cause financial loss or loss of earning potential | Work significantly against | Substantial damage

Financial loss to any client (1) of the service provider or third party: No or negligible loss | Minor loss | Moderate loss | Significant loss | Substantial loss

Financial loss to agency/service provider: No or negligible loss | Minor: < 2% of monthly agency budget | Moderate: 2% – < 5% of monthly agency budget | Significant: 5% – < 10% of monthly agency budget | Substantial: ≥ 10% of monthly agency budget

Disruption to agency business operations: No or negligible disruption | Agency business operations impaired in any way | Agency business halted or significantly impaired for a sustained period

Service delivery disruption: None or negligible | Minor interruptions or delays | Loss of transactions in progress | Significant interruptions or delays | Loss of completed transactions | Unable to continue to deliver service in current form.

Systems/network affected: None or negligible | Few non-critical systems in a stand-alone or networked environment | Many non-critical systems in a stand-alone or networked environment | Any critical system in a networked environment | Multiple critical systems in a networked environment.

Assistance to crime or impact on its detection: Would be of no or negligible assistance or hindrance to detection of unlawful activity | Prejudice investigation or facilitate commission of violations that will be subject to enforcement efforts | Impede investigation or facilitate commission of serious crime | Prevent investigation or directly allow commission of serious crime

Agencies affected: Small areas within a single agency | Most areas within a single agency | Multiple agencies | Whole-of-government

Propagation: None or negligible | Easily contained within a single system or network segment | Contained within a single agency | Likely to propagate (or has propagated) to other agencies | Likely to propagate (or has propagated) beyond Queensland Government networks. Cannot be detected by anti-virus products and intrusion vector can’t be established.

Ease of recovery: No/negligible recovery required | Handled by routine tools and procedures | Requires additional resources (e.g. staff overtime, engagement of third parties or purchase of tools) | Requires substantial additional resources (e.g. engagement of additional staff or contractors or significant investment) | Not directly recoverable (significant irreversible damage or loss)

Impact on development or operation of major government policy: No or negligible impact | Minor impact | Impede effective development or operation | Seriously impede | Substantially impede

Impact on risk of litigation: No or negligible impact | Minor impact | Measurable impact | Significant impact | Substantial impact

(1) In order to assist in the determination of the appropriate level of impact, the following is suggested: Minor <$50, Moderate $50 - <$200, High $200 - <$2000 and Very High >=$2000. These figures are guidelines only, and are based on an ‘average’ individual. Where the client is known to be a corporation or other similar entity, these figures would need to be adjusted to something more akin to the figures used for financial loss to the service provider. If multiple clients will suffer the loss, the impact level should be adjusted accordingly to reflect the total losses to clients.

Figure 3: Information security incident severity matrix


5.1 Severity type

To provide some assistance in completing the severity matrix, the following table (based on the QGISCF approach) provides examples of considerations when assessing impacts.

Impact type Possible considerations

A. Risk to individual safety

Consider any risk of any injury or impact on safety at all, as well as the possibility of loss of life. An example could include release of names or locations of under-cover officers or people under protection orders.

B. Distress caused to any party

From the client’s or public’s point of view, distress could be caused by many things, including the release of private information. From a service provider’s point of view, potential impacts could include stress impacts on employees and possible loss of jobs or major reorganisation forced by the inappropriate release of information.

C. Damage to any party’s standing or reputation

Issues to consider include the potential for adverse publicity, either locally or wider, and the potential for damage to either the service provider's or client’s ongoing reputation. If inappropriate access to information was granted, would it be of interest to the media?

D. Inconvenience to any party

Consider factors such as releasing information which could lead to identity fraud being perpetrated.

E. Public order Need to consider whether disclosure of information could pose a threat to community relations and public order. This may occur when information is released that can cause ‘alarm’ in a way that then results in damage to public order. An example would be disclosure of an offender’s identity or whereabouts where the community could then react and disturb public order.

F. Unauthorised disclosure of personally or commercially sensitive information.

Would disclosure of information which should not be made public have an impact on any party, or would it violate legislative or regulatory guidelines such as information privacy principles? Examples include medical records and other personal information and commercially sensitive information that could impact on current or future business.

G. Impact on government finances or economic and commercial interests

Would disclosure of information result in financial or economic consequences to government? Release of information may result in financial gain or loss. Disclosure of planning decisions which could result in changing valuations would be an example.

H. Financial loss to any client of the service provider or third party.

Consider this from the service provider's perspective - what losses could they incur? Considerations include possibility of fraud, a party illegally transferring money, a party gaining control of assets they don't legally own (e.g. by using the provided information to establish an identity which is not theirs, and then changing ownership details).

I. Financial loss to agency/service provider

Consider this from the service provider's perspective - what losses could they incur? Considerations include possibility of fraud, a party illegally transferring money, a party gaining control of assets they don't legally own (e.g. by using the provided information to establish an identity which is not theirs, and then changing ownership details).

J. Disruption to agency business operations

Would unauthorised release of this information have the potential to reduce or prevent an agency or external party conducting their business? For how long would this reduction/prevention last?

K. Service delivery disruption

Would unauthorised release of this information have the potential to disrupt agency delivery of services to internal or external clients/stakeholders? How long would this disruption last?

L. Systems affected How many systems have been affected by the incident? Are these critical systems?

M. Assistance to serious crime or hindrance of its detection

Would release of this information have the potential to assist in the conduct of a crime or terrorist activity? This could include release of information enabling the planning of a crime or terrorist activity, or the creation of a false identity.

N. Agencies affected How many agencies have been affected? To what extent have they been affected?

O. Propagation How quickly is this incident spreading? How wide is the spread? To what extent is it affecting agencies? Can the incident be contained quickly?

P. Ease of recovery How long until systems are back to normal? How many systems are affected?

Q. Impact on development or operation of major government policy

Would inappropriate disclosure cause embarrassment to government in the stages where policy is being formulated or implemented? The impact may be that a major policy initiative will not proceed.


5.2 Example incident severity assessment

The following tables provide examples of how to apply the categories and impact matrix for the following events and incidents:

Example 1

The chair of an interview panel accidentally left a disk on a train which contains copies of job applications for an advertised position. The applications contain personal applicant details such as names, addresses, contact numbers, work history.

| Category type | Selection | Rationale |
|---|---|---|
| Definition | Incident | The occurrence was successful in adversely affecting the security of the information contained on the disk. |
| Category | Theft/loss of assets | The disk that was lost contained Queensland Government information. |
| Compromises | Confidentiality | The confidentiality of the information on the disk has been compromised, as it is viewable by anyone who obtains it. |
| Cause | Accidental | This loss was not intended or deliberate. |
| Origin | Internal | The occurrence was caused by a staff member within the agency. |
| Severity type | A. High: Any risk to personal safety | The job applicant details (address/contact numbers) can be used to locate individuals, which poses a risk to their safety. |
| | B. Moderate: Short term distress | The job applicants may suffer distress as a result of the loss of their information. |
| | C. Minor: Minor local impact and/or limited short term damage | The agency’s reputation has not been greatly affected amongst the general public. However, it has had a negative impact on the reputation amongst the job applicants. |
| | D. None/Negligible | These details can be easily retrieved from other electronic sources/devices (original emails, original file locations). |
| | F. Moderate: Measurable impact, breach of regulations or commitment to confidentiality | The loss of the disk means that the details of the job applicants have been released to other parties without the individuals’ authorisation. |
| Severity | High | Determined by the highest severity rating recorded. |

Example 2

A denial of service attack has occurred on an agency website, causing downtime and disruption to critical public services. This attack left the agency unable to continue to deliver the service for the duration of a working day, which caused inconvenience to consumers of the service, and public embarrassment for the agency.

| Category type | Selection | Rationale |
|---|---|---|
| Definition | Incident | The denial of service attack caused downtime and disruption; it has affected the availability of information. |
| Category | Intrusions against networks | Since the attack was successful in causing service disruption, it has been classified as a network intrusion, because agency firewalls were penetrated. |
| Compromises | Availability | The availability of public services was disrupted during the downtime of the website. |
| Cause | Deliberate | The denial of service attack was persistent and focused, which shows that it was deliberate in intent. |
| Origin | External | The attack came from outside the agency network, with the aim of infiltrating it. |
| Severity type | C. Moderate: Moderate embarrassment and/or short term damage | The agency’s reputation has been damaged by the subsequent disruption of public services. |
| | D. High: Significant inconvenience | The incident has caused a large amount of inconvenience to the agency as it attends to the attack. The public has been inconvenienced by the disruption to services. |
| | J. High: Agency business operations impaired in any way | The agency’s business operations have been disrupted while it attends to the network intrusion. |
| | K. Very High: Unable to continue to deliver service in current form | The agency’s service delivery has been disrupted as a result of website downtime. |
| Severity | Very High | The highest severity rating is recorded (severity type K, Very High). |

Example 3

An agency has detected an attempted network intrusion from an external source. This particular attempt was unsuccessful in adversely affecting the security of agency information, as the agency’s security controls prevented an intrusion from occurring.

| Category type | Selection | Rationale |
|---|---|---|
| Definition | Event | The attempted intrusion was unsuccessful, as the controls in place prevented the occurrence. |
| Category | Intrusion against network | The agency controls detected an attempted network intrusion. |
| Cause | Unknown | Further investigation is required to determine the exact cause. |
| Origin | External | The occurrence is from an external source, outside of the agency network. |

Example 4

An agency has detected a network intrusion from an external source. This particular attempt was successful in adversely affecting the security of agency information, as the agency’s security controls were not able to prevent the intrusion from occurring. As a result of the attack, the agency’s website was defaced, with the attacker removing the existing content and replacing it with offensive material. The incident is under investigation to identify where the attack has come from.

Classification: This occurrence has been classified as two separate incidents, as the two incidents that have arisen from it require different responses, i.e. the network intrusion requires action to increase the security controls, and the website defacement requires the agency to restore its website and its content.

Incident 1 – Network Intrusion

| Category type | Selection | Rationale |
|---|---|---|
| Definition | Incident | The agency controls were not able to prevent the intrusion attempt. |
| Category | Intrusion against network | Agency controls were breached, leading to a network intrusion. |
| Compromises | Confidentiality; Integrity | Once the network intrusion has occurred, agency information is viewable, compromising its confidentiality. The subsequent website defacement has led to a compromise of information integrity. |
| Cause | Deliberate | The intrusion has been deliberate, because it has led to website defacement. |
| Origin | External | The intrusion has occurred from outside the agency network. |
| Severity type | C. High: Significant embarrassment, loss of public confidence and/or limited long term damage | The network intrusion has caused damage to the agency’s reputation (as a result of the subsequent website defacement). |
| | D. Moderate: Moderate inconvenience | The agency has been inconvenienced as a result of the efforts required to respond to the attack. |
| | J. High: Agency business operations impaired in any way | The agency’s business operations have been impacted following the intrusion of its network. |
| | N. Minor: Small areas within a single agency | The incident affected a small number of areas within the agency. |
| | P. Moderate: Requires additional resources (e.g. staff overtime, engagement of third parties or purchase of tools) | In the affected area, staff had to work extra hours to resolve the incident. |
| Severity | High | The highest severity rating is recorded. |

Incident 2 – Website Defacement

| Category type | Selection | Rationale |
|---|---|---|
| Definition | Incident | The agency website was defaced. |
| Category | Defacement of public information | The website contained publicly accessible information, which was modified without authorisation. |
| Compromises | Integrity; Availability | The integrity and availability of the website content were compromised, as it was altered and/or removed from the website. Downtime to restore the website further compromised availability. |
| Cause | Deliberate | The attack was deliberate; the website was defaced, indicating malicious intent. |
| Origin | External | The intrusion occurred from outside the agency network. |
| Severity type | B. Moderate: Short term distress | Distress was caused to the public, since the web service was unavailable. In addition, the public were exposed to offensive material. |
| | C. High: Significant embarrassment, loss of public confidence and/or limited long term damage | The incident has caused damage to the agency’s reputation amongst the public. |
| | D. Moderate: Moderate inconvenience | Service downtime causes inconvenience to both the agency and the public. |
| | J. High: Agency business operations impaired in any way | The agency’s business operations are disrupted while it restores the website. |
| | K. High: Significant interruptions or delays. Loss of completed transactions | The services provided on the agency website are adversely affected during the downtime. |
| | P. Moderate: Requires additional resources (e.g. staff overtime, engagement of third parties or purchase of tools) | Efforts to restore the website to full functionality can be made with relative ease. Some staff from the affected area were required to work overtime to resolve the issue. |
| Severity | High | The highest severity rating is recorded. |

Example 5

An agency staff member has been caught viewing and editing confidential files that belong to a senior staff member, without the authorisation to do so. The documents, which were classified ‘X-In Confidence’, were removed from a filing cabinet located in the senior staff member’s office, and replaced with alternative copies. In the process of searching for the desired files, the employee also went through other documents containing personal details of the senior staff member. It was later revealed that the employee edited the document’s content for personal gain.

Classification: This occurrence has been classified as two separate incidents, as the two incidents that have arisen have compromised different aspects of agency information, i.e. unauthorised access to, and unauthorised changes to, agency documents.

Incident 1 – Unauthorised access to agency documents

| Category type | Selection | Rationale |
|---|---|---|
| Definition | Incident | The staff member has accessed confidential information without authorisation. |
| Category | Unauthorised access to information/systems | The staff member has accessed confidential documents from a senior staff member’s filing cabinet. |
| Compromises | Confidentiality | The unauthorised access to senior staff documents has compromised the confidentiality of the information. |
| Cause | Deliberate | The employee deliberately accessed the document, in search of particular information. |
| Origin | Internal | The incident occurred from within the agency. |
| Severity type | B. Moderate: Short term distress | Distress has been caused to the senior staff member, whose filing cabinet was opened and searched. |
| | D. Moderate: Moderate inconvenience | The incident has caused inconvenience to the senior staff member. |
| | F. Very High: Substantial impact to person, agency or business | The confidential documents have had their contents disclosed to other parties, without the authorisation of the owner. |
| Severity | Very High | The highest severity rating is recorded. |

Incident 2 – Unauthorised changes to agency documents

| Category type | Selection | Rationale |
|---|---|---|
| Definition | Incident | The staff member has compromised the integrity of the information, by developing a fraudulent copy of a document. |
| Category | Unauthorised changes to information, applications, systems or hardware | Changes have been made to an agency document, without authorisation. |
| Compromises | Confidentiality; Integrity | The incident compromises the confidentiality of the original document (and additional ones searched), as well as the integrity of the edited document. |
| Cause | Deliberate | The employee deliberately edited the document. |
| Origin | Internal | The incident occurred from within the agency. |
| Severity type | B. High: Limited long term distress | Distress has been caused to the senior staff member, whose filing cabinet was opened and searched, and documents were edited. |
| | D. High: Significant inconvenience | The incident has caused inconvenience to the senior staff member. |
| | F. Very High: Substantial impact to person, agency or business | The confidential documents have had their contents disclosed to other parties, without the authorisation of the owner. |
| Severity | Very High | The highest severity rating is recorded. |

Example 6

An agency staff member has been caught viewing confidential documents that belong to a senior staff member, without authorisation. The documents, which were not marked as classified, were left unattended on a public desk. The staff member claims he was unaware that he did not have the appropriate authority to view the documents.

| Category type | Selection | Rationale |
|---|---|---|
| Definition | Incident | The confidentiality of the document has been compromised as a result of this occurrence. |
| Category | Unauthorised access to information/systems | The staff member did not have authorisation to view the contents of the document. |
| Compromises | Confidentiality | The document had confidential material, which was viewed by a staff member without authorisation. |
| Cause | Accidental | The employee was unaware of the document’s confidentiality. The employee assumed it was suitable to read, since the document was left in a public place without the correct licensing being specified. |
| Origin | Internal | The incident has occurred within the agency, from an employee. |
| Severity type | B. Moderate: Short term distress | There was some short term distress to the employee who accessed the information. |
| | F. Very High: Substantial impact to person, agency or business | The employee who viewed the document was not authorised to do so. The owner of the document has allowed the contents to be viewed by employees who do not have authorisation to do so. It has caused a substantial impact to the party that was the subject of the document. |
| Severity | Very High | The highest severity rating is recorded. |

Example 7

A staff member has incorrectly sent an email containing confidential agency information to another staff member. The recipient was incorrectly selected by the sender, and as a result the confidential content was not sent to the intended person but was instead read by an unauthorised staff member. The agency determined that the recipient had no prior involvement in the leaking of this information, i.e. did not instigate the email, and was not in breach of any agency information security policy. The sender confirmed that the incident was the result of an error on their part.

| Category type | Selection | Rationale |
|---|---|---|
| Definition | Incident | Through the distribution of a misdirected email, the confidentiality of agency information was compromised. |
| Category | Unauthorised disclosure of personally or commercially sensitive information | The staff member has disclosed agency information to another staff member, without authorisation. |
| Compromises | Confidentiality | The confidentiality of agency information was compromised. |
| Cause | Accidental | The sender of the email made an error when distributing the information. It was not intentional. |
| Origin | Internal | The incident has occurred between two staff members within the agency. |
| Severity type | B. Moderate: Short term distress | The incident has caused short term distress for the employee who sent the email, as they were responsible for the unauthorised distribution of confidential material. |
| | F. Moderate: Measurable impact, breach of regulations or commitment to confidentiality | The sender of the email has disclosed confidential information without authorisation. |
| | P. Minor: Handled by routine tools and procedures | The incident was handled by routine procedures. |
| Severity | Moderate | The highest severity rating is recorded. |
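As an added illustration of how the tables above are filled in, and not part of the guideline itself, the following Python encodes the classification fields (definition, category, compromises, cause, origin, severity types) and the rule that the overall severity is the highest rating recorded, then reproduces the outcomes of Examples 1, 2, 3 and 7. The class and field names are ours; the rating order is taken from the examples, and the rule that an event carries no compromise or severity rows is inferred from the layout of Example 3.

```python
from dataclasses import dataclass, field

# Severity ratings in ascending order, as used in the guideline's worked examples.
RATINGS = ["None/Negligible", "Minor", "Moderate", "High", "Very High"]
ASPECTS = {"Confidentiality", "Integrity", "Availability"}
SEVERITY_TYPES = set("ABCDEFGHIJKLMNOPQ")  # impact matrix rows A to Q


@dataclass
class Occurrence:
    """One classification table from the guideline (class and field names are ours)."""
    definition: str                  # "Event" or "Incident"
    category: str
    cause: str                       # Accidental / Deliberate / Unknown
    origin: str                      # Internal / External
    compromises: set[str] = field(default_factory=set)
    severity_types: dict[str, str] = field(default_factory=dict)  # e.g. {"A": "High"}

    def validate(self) -> None:
        if self.definition not in ("Event", "Incident"):
            raise ValueError(f"unknown definition {self.definition!r}")
        if self.cause not in ("Accidental", "Deliberate", "Unknown"):
            raise ValueError(f"unknown cause {self.cause!r}")
        if self.origin not in ("Internal", "External"):
            raise ValueError(f"unknown origin {self.origin!r}")
        if self.compromises - ASPECTS:
            raise ValueError(f"not a security aspect: {sorted(self.compromises - ASPECTS)}")
        for t, r in self.severity_types.items():
            if t not in SEVERITY_TYPES or r not in RATINGS:
                raise ValueError(f"bad severity entry {t}={r!r}")
        # Inferred from Example 3: an event compromised nothing, so it is recorded
        # without compromise or severity rows; an incident has both.
        if self.definition == "Event" and (self.compromises or self.severity_types):
            raise ValueError("an event carries no compromise or severity")
        if self.definition == "Incident" and not (self.compromises and self.severity_types):
            raise ValueError("an incident needs a compromised aspect and a severity assessment")

    def overall_severity(self) -> "str | None":
        """Guideline rule: the overall severity is the highest rating recorded."""
        self.validate()
        if self.definition == "Event":
            return None
        return max(self.severity_types.values(), key=RATINGS.index)


# Worked examples transcribed from the guideline's tables.
EXAMPLE_1 = Occurrence("Incident", "Theft/loss of assets", "Accidental", "Internal",
                       {"Confidentiality"},
                       {"A": "High", "B": "Moderate", "C": "Minor",
                        "D": "None/Negligible", "F": "Moderate"})
EXAMPLE_2 = Occurrence("Incident", "Intrusions against networks", "Deliberate", "External",
                       {"Availability"},
                       {"C": "Moderate", "D": "High", "J": "High", "K": "Very High"})
EXAMPLE_3 = Occurrence("Event", "Intrusion against network", "Unknown", "External")
EXAMPLE_7 = Occurrence("Incident", "Unauthorised disclosure of personally or commercially "
                       "sensitive information", "Accidental", "Internal", {"Confidentiality"},
                       {"B": "Moderate", "F": "Moderate", "P": "Minor"})

if __name__ == "__main__":
    for n, occ in (("1", EXAMPLE_1), ("2", EXAMPLE_2), ("3", EXAMPLE_3), ("7", EXAMPLE_7)):
        print(f"Example {n}: {occ.overall_severity()}")
```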
