information security guideline


Post on 07-Aug-2018


  • 8/19/2019 Information Security Guideline

    Information Security Guideline

    (Supports: Information and Communication Technology (ICT) Procedure)


    Document details

    | Item | Description |
    |---|---|
    | Document title | Information Security Guideline |
    | Trim no. | 14/33019 |
    | Publication coordinator | Manager Information Policy, 3034 4313 |
    | Date of completion | 9 April 2014 |
    | Status | Final |
    | Copy number | V4.0 |

    Revisions

    | Version | Date of change | Reason for change |
    |---|---|---|
    | V4.0 | 7 April 2014 | Complete rewrite to reduce content. Changed wordings to reflect new ICT Procedure that replaced the Maintaining the Security of Department Information and Systems Procedure and with a focus on how the department will implement the IS18's mandatory clauses. Name changed from Information Security Implementation Advice on Mandatory Clauses V3.0 to Information Security Guideline TRIM 14/33019. Endorsed by Information Steering Committee on 20 February 2014 and by the Executive Management Board on 7 April 2014. |
    | V3.0 | n/a | Details not available. |
    | V2.0 | August 2012 | Added IS18 Information Security Standard V5 Mandatory Clauses and minor updates. Trim ref. 12/242720. Attachment to IFM-P-006 with Trim ref. 11/236682 and later DET Information Security Management Policy TRIM 12/204490. |
    | V1.0 | 15/01/2010 | Approved IFM-P-006 Implementation Advice, Trim No. 10/169614. |

    Information security classification

    The audience for this guideline is the employees of the Department of Education and Training only. It has an information security classification of public. It is published to the internet within the Policy and Procedure Register as part of the department's proactive release of information under the Right to Information Act 2009. Readers external to the department are to understand that many links will not be available for their use. Any requests for further information can be made under a formal Right to Information and Information Privacy Application.

    Review and update

    This guideline will be reviewed and revised to reflect departmental changes or any major change in business directions and objectives, or at least every two years, whichever comes first.

    http://creativecommons.org/licenses/by/3.0/au/

    © State of Queensland (Department of Education and Training) 2012

    Uncontrolled copy. Refer to the Department of Education and Training Policy and Procedure Register at http://ppr.det.qld.gov.au to ensure you have the most current version of this document.


    Table of contents

    1. Policy, planning and governance
    2. Asset management
    3. Human resource management
    4. Physical and environmental management
    5. Communications and operations management
    6. Access management
    7. System acquisition, development and maintenance
    8. Incident management
    9. Business continuity management
    10. Compliance management

    Common information security terms


    Introduction

    The Department of Education and Training (DET) undertakes information security implementation through specified and targeted information security business operations and the day-to-day activities of all employees. These activities are guided by Queensland Government's Information Security - IS18 information standard and are articulated through the department's Information and Communication Technology (ICT) Procedure and this document. The information within this document is structured to support compliance with IS18's Information Security Policy - Mandatory Clauses v1.0.2.

    The aim of this document is to provide all departmental employees with guidance to understand and find the resources to easily fulfil their responsibilities for information security.

    Information security guideline

    All employees have a responsibility to ensure they understand and adhere to information security requirements within the department for the acquisition, handling and disposing of all departmental information, information assets and ICT business systems.

    The advice provided herein is a guide to assist in understanding and operationalising information security within business units and schools. This advice does not replace any specific responsibilities or operations required as part of defined information security role descriptions within the department. Business units and schools should use this guide in conjunction with their area's existing information security processes.


    1. Policy, planning and governance

    Policy, planning and governance is concerned with the appropriate practices and processes the department has in place to ensure information security remains an integral consideration in all operations aspects.

    The Department of Education and Training (DET) has adopted the following policy documentation to communicate and govern information security requirements to its employees [1]:

    • Information Security Framework [2] provides a high-level outline and direction on the main aspects the department is required to implement to ensure secure information and ICT business systems.

    • Information Communication and Technology (ICT) Procedure and Information Management (IM) Procedure articulate key aspects of the department's information security requirements.

    • Information Security Plan [3] provides guidance over a two year period on aspects of whole of government compliance that require further action (including reviewing, strengthening etc.). Business areas with specific deliverables within this plan have approved this commitment and are implementing these actions.

    • Mandatory induction course within Keys to Managing Information on information security.

    What is your responsibility as a departmental employee?

    All departmental employees have a responsibility to ensure they adhere to information security policies/procedures within the department.

    Resources

    • OnePortal's Information security web page provides a quick overview of key information security advice.

    • The School Security Procedure identifies responsibilities and recommended strategies regarding security management of physical assets in schools.

    • Stay Smart Online website is an Australian Government website that provides information for safe internet use to protect your personal and financial information online.

    • Information Security Plan provides the requirements placed on the department to protect and secure the department's information and information assets.

    • Queensland Government's Information Security - IS18 information standard provides the requirements for a consistent approach to information security implementation and operation across Queensland Government.

    General advice

    • Never disclose your user ID and password, even if requested.

    • Never lend your system access to another person, even to your manager or a trusted colleague.

    • Do not respond to emails requesting your personal information, user ID or password, especially if claiming to be from your ICT or IT administration employees, and never respond to emails requesting your banking or financial details.

    • Report all suspicious emails and inappropriate online behaviour immediately to your supervisor, manager, principal or above.

    • Ensure that you complete the online induction training course Keys to Managing Information on information security.

    [1] Queensland Government Information Security Policy - Mandatory Clauses 1.1.1, Nov 2010, v1.0.2

    [2] Latest copy is available through TRIM.

    [3] Latest copy is available through TRIM.

    Need further advice on policy, planning and governance?

    If you have any questions in relation to information security policy, planning and governance please contact ICT Governance, Strategy and Policy, Information and Technologies Branch (ITB) on phone 07 3034 4313.


    2. Asset management

    Physical and environmental controls are in place to ensure the confidentiality, integrity and accessibility of information and information assets in accordance with their information security classification (unclassified, public, X-in confidence, protected and highly protected).

    Information assets are an identifiable collection of data stored in any manner and are recognised as having value for the purpose of enabling the department to perform its business functions, e.g. files, databases, paper-based and electronic documents, records, hardware items, software or other infrastructure items.

    What is your responsibility as a departmental employee?

    Every employee of the department is responsible for ensuring information assets remain secure. This includes reporting security incidents where information security has been, or is likely to be, breached.

    When handling departmental information, employees determine, or are to be aware of, its information security classification and employ the appropriate level of security controls as outlined in the departmental Information Management (IM) Procedure.

    Resources

    • Information Management (IM) Procedure's information security classification section provides employees with direction on the correct classifying, labelling and handling of information assets which are owned, managed or handled by the department and its service providers.

    • Information Management (IM) Procedure's information assets section provides processes to manage information assets through their lifecycle, including adherence to intellectual property, right to information and all other legislative and regulatory obligations.

    • Queensland Government's Information Security - IS18 information standard provides the requirements for a consistent approach to information security implementation and operation across Queensland Government.

    General advice

    • All information collected by you for the department is to be assigned an information security classification.

    • Once the information classification level has been assigned you can then determine the correct means of handling, transfer, disposal etc. The Information Security Classification and Handling Guideline provides a matrix for the handling of information and information assets.

    • Ensure all information assets created are appropriately classified, stored and disposed of when required.

    Need further advice on information asset management?

    For further advice on information asset management contact Information Management Services and Support, Information and Technologies Branch (ITB), phone 07 3248 4656.


    3. Human resource management

    The department implements pre, during and post-employment processes, including security checks, awareness raising and secure controls across the employment lifecycle [4].

    What is your responsibility as a departmental employee?

    While recruiting employees, a business area determines the information security requirements of the position and has the appropriate details outlined in the position advertisement and role description [5].

    On employment and during employment, employees are to be provided with induction, including the department's mandatory course Keys to Managing Information, ongoing information security training and awareness raising programs that highlight the information security requirements of their role [6].

    All employees are to:

    • adhere to information security requirements when undertaking operations for the department

    • fully understand and operationalise any additional information security operations specific to their role

    • adhere to information security requirements across their entire employment lifecycle.

    During the post-employment process, steps should be taken to ensure the department's information remains secure by following the departmental separation procedure [7].

    Resources

    • Criminal History Checks Procedure outlines the procedure to conduct criminal history checks on current and intending employees.

    • Employee Separation Procedure outlines the requirements on managers, principals and employees when ceasing employment with the department, including the return of departmental property, revocation of the network and ICT device access and finalisation of outstanding finance and administrative matters.

    • State Schools Division's (formerly Education Queensland's) role descriptions web page for the department provides all approved role descriptions including any security requirements.

    • OnePortal's human resources forms, tools and templates web page includes role descriptions, workforce planning and induction documents.

    • Queensland Government's Information Security - IS18 information standard provides the requirements for a consistent approach to information security implementation and operation across Queensland Government.

    General advice

    • All employees are to undertake the mandatory induction training on Keys to Managing Information, which includes information security requirements.

    Need further advice on human resource management?

    If you have any questions in relation to information security requirements for human resource management contact Human Resources Branch, phone 07 3237 0915.

    [4] Queensland Government Information Security Policy - Mandatory Clauses 3.2.1, Nov 2010, v1.0.2

    [5] Queensland Government Information Security Policy - Mandatory Clauses 3.1.1, Nov 2010, v1.0.2

    [6] Queensland Government Information Security Policy - Mandatory Clauses 3.2.2, Nov 2010, v1.0.2

    [7] Queensland Government Information Security Policy - Mandatory Clauses 3.3.1, Nov 2010, v1.0.2


    4. Physical and environmental management

    Physical controls should be put in place for buildings, identified secure areas and equipment. The level of control placed within an area (e.g. secure, locked, security pass access) is defined by the level of security classification assigned to the information and physical assets housed in the area or location [8]. Guidance on this is available within the Queensland Government Information Security Classification Framework (QGISCF).

    What is your responsibility as a departmental employee?

    All employees are responsible for:

    • ensuring they only access secure areas and use equipment that they have been approved to do so within their position

    • maintaining secure entries, including ensuring secure doors close behind themselves and unauthorised people do not enter these areas

    • handling correctly departmental equipment within the specific information security classification level requirements.

    Information custodians are responsible for ensuring information assets are classified correctly and apply the appropriate ICT physical and environmental controls.

    Resources

    • Asset Maintenance Procedure identifies responsibilities for the Asset Maintenance Program (AMP) and Special Maintenance Programs (SMP) for the department's facilities.

    • Equipment Management for Business Units Procedure provides the department's procedure for acquisition, recording, stocktake, loan and disposal (write-off) of departmental equipment within business units.

    • Equipment Management for Schools Procedure provides the department's procedure for acquisition, recording, stocktake, loan and disposal (write-off) of departmental equipment within schools.

    • School Security Procedure identifies responsibilities and recommended strategies regarding security management of physical assets in schools.

    • School Security Program's Security Design Requirements for use in the designing and upgrading of new school buildings.

    • School Security for ICT Hardware Guide provides an overview for purchasing and managing ICT hardware within schools.

    • Queensland Government's Information Security - IS18 information standard provides the requirements for a consistent approach to information security implementation and operation across Queensland Government.

    General advice

    • Follow building and secure area controls to ensure that only authorised personnel are allowed access.

    • All unattended computers should be locked (clear screen) with all X-in confidence, protected and highly protected documents properly secured (clear desk).

    • Employees are to secure mobile devices when leaving their desk for extended periods. Appropriate security measures include locking equipment in filing cabinets, drawers or cupboards and using security cable/s (lockdowns).

    • Don't leave mobile devices in cars. If this is not possible, lock the mobile devices in the boot. In station wagons and vans, employees can safeguard mobile devices by placing them out of sight of passers-by. Do not leave mobile devices in cars overnight or for long periods of time or during extreme cold or hot weather.

    • Travel:

    − employees are to avoid checking-in a laptop as baggage when travelling by air, rail or bus

    − employees at the airport secure checkpoint are to hold onto their laptop until they are ready to pass through the metal detector checkpoint

    − in hotels and motels, employees are to secure laptops in the safe rather than the hotel room, if possible. If this is not possible store the laptop in a lockable cupboard, drawer or suitcase, or at least out of sight.

    [8] Queensland Government Information Security Policy - Mandatory Clauses 4.1.1 and 4.1.2, Nov 2010, v1.0.2

    Need further advice on physical and environmental management?

    If you have any questions in relation to information security requirements for ICT physical and environmental management contact ICT Governance, Strategy and Policy, Information and Technologies Branch (ITB) on phone 07 3034 4313.


    5. Communications and operations management

    The department documents and implements operational procedures and controls such as capacity planning, application integrity, backups, network security (including aligning with the Queensland Government's Network Transmission Security Assurance Framework (NTSAF) guidelines [9]), media handling, information exchange and ecommerce for all information and information assets processing facilities [10]. They are to be managed securely and consistently in accordance with the level of security required [11].

    These responsibilities are also to be captured through contracts or agreements with companies and organisations that provide third party service delivery for the department, including ICT procurement and equipment management [12].

    What is your responsibility as a departmental employee?

    All employees are responsible for:

    • handling and managing any information, information asset and/or ICT business system according to its information security classification and the Information Security Classification and Handling Guideline [10]

    • ensuring they are aware of and adhere to all information security operations (access controls, data backup etc.) and purchasing procedures

    • understanding the risks with malicious code when using the internet and/or connecting devices to the department's network

    • using the Government Information and Technology Contracting (GITC) Framework for contract specifications and engaging GITC approved suppliers [13].

    Resources

    • Information and Communication Technology (ICT) Procedure's ICT security section provides the requirements placed on employees to protect and secure the department's information and ICT business systems.

    • Asset Maintenance Procedure identifies responsibilities for the Asset Maintenance Program (AMP) and Special Maintenance Programs (SMP) for the department's facilities.

    • Information Management (IM) Procedure's information security classification section provides employees with direction on the correct classifying, labelling and handling of information which are owned, managed or handled by the department and its service providers.

    • Purchasing and Procurement Procedure for purchasing goods and services from suppliers external to the department and funded by departmental or school bank accounts, regardless of the source of those funds including, for example, funds from students, parents and fundraising. Excludes real property transactions but includes capital works and infrastructure.

    9 =G&IA Information $ecurity 6 IS1+ Policy ? Princi!al 5 -o #010 5.0.010 =ueen$land Goernment Information Security Policy ? Mandatory &lau$e$ 5.1.1 -o #010 1.0.#11 =ueen$land Goernment Information Security Policy ? Mandatory &lau$e$ 5.1.# -o #010 1.0.#1# =ueen$land Goernment Information Security Policy ? Mandatory &lau$e$ 5.#.1 5.#.# 5.#.3 -o #0101.0.#13 =ueen$land Goernment Information Security Policy ? Mandatory &lau$e$ 5.#.3 -o #010 1.0.#

    Uncontrolled copy. efer to t*e De!artment of 2ducation and Training Policy and Procedure egi$ter at *tt!;//!!r.det.ld.go.au to

    en$ure you *ae t*e mo$t current er$ion of t*i$ document.Page 11 of #1


    • OnePortal's PurchaseIT is an online shopping tool which allows easy comparison of suppliers, specifications, prices and warranty information - available to all employees. The product range includes desktops, laptops, printers, hardware accessories and Apple computers. Ordering is undertaken through the department's finance systems OneSchool and SAP.

    • State Procurement Policy provides guidance on maximising value for money and reducing the costs of procurement across Queensland Government.

    • OnePortal's software load performance and security testing services lists the department's approved suppliers under DETPSA-100788 for load performance testing and security/penetration testing.

    • Government Information and Technology Contracting (GITC) Framework provides standard contractual terms and conditions for use and acquisition of ICT products and/or services.

    • Queensland Government's Information Security - IS18 information standard provides the requirements for a consistent approach to information security implementation and operation across Queensland Government.

    • Queensland Government's Procurement and Disposal of ICT Products and Services - IS13 information standard provides the principles applicable to the acquisition, management, maintenance and disposal of ICT products and services across the Queensland Government. A supporting guide provides an overview of the ICT procurement process.

    General advice

    • Undertake the mandatory induction training on Keys to Managing Information which will cover information security requirements14.

    • Be aware of and adhere to all departmental information security and purchasing procedures.

    • When contracting for service delivery through a third party external to the department, use GITC approved suppliers where possible.

    • Backup cycles and procedures will be reviewed and updated relative to the business risk, frequency with which data and software is modified and the criticality of the system to the department's operations. This includes the following at a minimum:

    − incremental and full weekly backups of all data, operating system and applications

    − the complete operating system on a monthly basis.

    • Handle different media formats according to the Information Security Classification and Handling Guideline.

    Need further advice on communications and operations management?

    If you have any questions in relation to information security requirements for communications and operations management, contact ICT Governance, Strategy and Policy, Information and Technologies Branch (ITB) on phone 07 3034 4313.

    14 Queensland Government Information Security Policy - Mandatory Clauses 5.4.4, Nov 2010, 1.0.2


    6. Access management

    Access to departmental information and ICT business systems are maintained through risk mitigation, controlled user access and authentications15.

    What is your responsibility as a departmental employee?

    Employees are provided access to the department's ICT business systems with authorisation from their direct supervisor. Always be aware of the level of access you are allowed. This also applies to students, parents, members of P&Cs and community groups, with approval sought through the school principal.

    Where you have departmental information and/or information assets that you approve access, follow departmental procedures and only allow employees access where needed as part of their position.

    Resources

    • Information and Communication Technology (ICT) Procedure's identity (ID) and access management section outlines that the department provides access to its information resources based on the information security classification of the system/content. The department provides secure access to information in departmental ICT business systems to authorised users through the provision of electronic identities.

    • Information and Communication Technology (ICT) Procedure's use of ICT facilities and devices section advises all departmental network users of their responsibilities and the consequences of their behaviour when using the department's network and related systems, and provides guidelines for ensuring the accountability, transparency and safe operation of the network.

    • Information and Communication Technology (ICT) Procedure's ICT security section provides the requirements placed on employees to protect and secure the department's information and ICT business systems.

    • Queensland Government's Information Security - IS18 information standard provides the requirements for a consistent approach to information security implementation and operation across Queensland Government.

    General advice

    • User access rights will be in accordance with the requirements of the business process being undertaken and will be authorised by the user's responsible supervisor.

    • User access will be provided on a need to know basis.

    • Privileged users will strictly adhere to the level of security related to the information asset and ICT business system they have access. Breach of the granted access level will be reported and investigated.

    • The department's network password is reset every 45 days. To change your password, press and hold the CTRL+ALT+Delete keys, then select 'Change a password' or use the Self Service Password Reset (SSPR) system to reset your password. Alternatively, password reset requests are made by phoning the Service Centre on phone 1800 680 445. Validation of requests will be conducted when required.

    15 Queensland Government Information Security Policy - Mandatory Clauses 6.8.1, Nov 2010, 1.0.2


    • Select a secure or strong password because they are difficult to crack and provide the primary method for securing equipment and access control even if biometric access control (e.g. fingerprint scanner) is provided on the particular device. A strong/secure password:

    − is at least 8 characters long

    − does not exceed 32 characters, and

    − at a minimum contain at least one upper and lowercase character e.g. a-z, A-Z

    one digit e.g. 0-9

    one punctuation character e.g.&'()*+/01-45679:;?@,.

    One source for developing a secure password is the Microsoft website http://www.microsoft.com/security/online-privacy/passwords-create.aspx.

    • Ensure passwords used to gain access to a personal mobile device are unique, i.e. not the same as those used for gaining access to the departmental network or encrypting/decrypting sensitive folders or files on that device.

    • Multi-functional devices will have an approved, appropriate security locking mechanism based on a security risk assessment to prevent intrusion of the system via the telephone network.

    • Media, including any removable media such as memory sticks and external USB memory drives that contains departmental information, are to be protected against unauthorised access, misuse or corruption in accordance with the Queensland Government Information Security Classification (QGISCF) Framework during use and transportation beyond the department's physical boundaries.

    • For advice on mobile device configuration contact the Service Centre on phone 1800 680 445 or via Service Centre Online.

    • Remote access:

    − Management processes will include registering all persons with remote access privileges, logging all remote access attempts and activities, and ensuring all users are authenticated before access to the network is granted.

    − Using departmental devices and personal mobile devices will require appropriate authorisation (refer to Information and Communication Technology (ICT) Procedure's use of ICT facilities and devices section).

    • Devices used for remote access:

    − Laptops are configured according to the current department's managed operating environment (MOE) to meet requirements for encryption, authentication and security locking including session time-outs.

    − For personal mobile devices, a condition of approval for access requires that the device be based on business requirements and a risk assessment to meet Queensland Government Authentication Framework (QGAF) requirements for encryption, authentication and security locking including session time-outs. At a minimum, the device will need to meet the department's security requirements (see iSecurity intranet site for details), at a minimum installing, running and updating anti-virus software16.

    − All wireless communications are to include appropriate configured product security features that is equivalent to or of higher level to the security of wired communications.

    − Network connections of all devices used for remote access will be cancelled upon termination of employment and can be revoked at any time.

    Need further advice on access management?

    For further advice to request access to the department's ICT network contact the Service Centre Online or the Service Centre on 1800 680 445.

    For further policy advice contact ICT Governance, Strategy and Policy, Information and Technologies Branch (ITB) on phone 07 3034 4313.

    16 Queensland Government Information Security Policy - Mandatory Clauses 5.4.1, 5.4.3, 6.5.3, 6.5.4, Nov 2010, 1.0.2


    7. System acquisition, development and maintenance

    During ICT business system acquisition, development and maintenance, activities are undertaken to determine security controls, cryptographic controls, protection of system files, prevent errors, loss, unauthorised or misuse of information and activities that reduce risks arising from the exploitation of technical vulnerability.

    What is your responsibility as a departmental employee?

    ICT business system acquisition, development and maintenance is mainly coordinated and controlled within the Information and Technologies Branch (ITB). Employees, where possible, are to utilise the department's ICT network and systems to undertake the department's business processes.

    Where individual business units or schools acquire, develop and maintain an ICT business system to fulfil a specific business process of the department, they will follow the departmental information security procedures and will be required to operate these systems to the standard set out for all State Government departments in the Information Security - IS18 information standard.

    Resources

    • Purchasing and Procurement Procedure for purchasing goods and services from suppliers external to the department and funded by departmental or school bank accounts, regardless of the source of those funds, including for example funds from students, parents and fundraising. Excludes real property transactions but includes capital works and infrastructure.

    • Information and Communication Technology (ICT) Procedure's ICT security section provides the requirements placed on employees to protect and secure the department's information and ICT business systems.

    • Queensland Government's Information Security - IS18 information standard provides the requirements for a consistent approach to information security implementation and operation across Queensland Government.

    General advice

    • Where possible utilise the department's ICT network and systems.

    • Prior to undertaking a project to acquire or develop an ICT business system refer to the OnePortal's Portfolios, programs, project and advice site.

    • ICT business system project management documentation are to include security controls (OnePortal's Portfolios, programs, project and advice) and be implemented throughout system development.

    • Audit logs that are kept and security controls for segregation of the ICT business system adhere to Queensland Government Information Security Controls Standards (QGISCS)17.

    • A clear security intrusion detection and incident reporting process are to be outlined as part of project development and deployment.

    • Cryptographic controls are to comply with Queensland Government's Network Transmission Security Assurance Framework (NTSAF) guidelines18. The NTSAF outlines that the primary goal of cryptographic controls is to conceal data to protect it against unauthorised third-party access by applying encryption.

    Need further advice on system acquisition, development and maintenance?

    17 Queensland Government Information Security Policy - Mandatory Clauses 7.5.2, Nov 2010, 1.0.2
    18 Queensland Government Information Security Policy - Mandatory Clauses 7.3.1, Nov 2010, 1.0.2


    For further advice on the acquisition, development and maintenance of an ICT business system contact the Service Centre or phone 1800 680 445.

    For further project management advice visit OnePortal's ICT Portfolio, Program and Project Teamsite.


    8. Incident management

    The department implements end-to-end information security incident management processes. Network and system outages and issues are published when they occur on the homepage of Service Centre Online19.

    Internally the department will undertake event weakness reporting through the security incident register and a clear escalation and, where required, investigation process. The department will report suspected breach activity and information security incidents to the relevant authority. The escalation process will include Internal Audit, Ethical Standards Unit and/or Legal and Administrative Law Branch with any official misconduct cases being reported to relevant regulatory authorities.20

    Breaches of information security that result in unsatisfactory audit and employee reports can lead to disciplinary action including dismissal and/or action by relevant regulatory authorities. Disciplinary action and process is determined under the Public Service Act 2008 where relevant.

    What is your responsibility as a departmental employee?

    Every employee of the department is responsible for reporting ICT security incidents and suspected security incidents. Reporting of security incidents you become aware of can be escalated through your direct supervisor, using the Information security incident online reporting form, calling the Service Centre or emailing infosec@dete.qld.gov.au.

    Business areas that operate ICT business systems are responsible for ensuring security testing is undertaken for vulnerability management and security breaches including detectable intrusions.

    Resources

    • Information and Communication Technology (ICT) Procedure's ICT security section provides the requirements placed on employees to protect and secure the department's information and ICT business systems. This includes requirements for reporting information security breaches.

    • Queensland Government's Information Security - IS18 information standard provides the requirements for a consistent approach to information security implementation and operation across Queensland Government.

    Need further advice on incident management?

    If you have any questions in relation to incident management contact the Service Centre or phone 1800 680 445.

    19 Queensland Government Information Security Policy - Mandatory Clauses 8.1.4, Nov 2010, 1.0.2
    20 Queensland Government Information Security Policy - Mandatory Clauses 8.2.1, Nov 2010, 1.0.2


    9. Business continuity management

    The department has implemented an information and ICT assets business continuity plan in the event of a disaster or major security failure. This will enable the timely restoration or recovery of the affected ICT assets with minimal disruption to departmental business.

    The Information and Technologies Branch (ITB) within the department looks after business continuity planning for the department's information and ICT assets where these fall within ITB's operational control.[21]

    However, all business units and schools, and the senior employees within, are responsible for ensuring, in the event of a disaster, that the information and ICT assets within their operational reach are able to be recovered or restored, or an alternative option for operation is deployed, in a timely manner.

    What is your responsibility as a departmental employee?

    Employees should be aware of their business area's business continuity plan for its ICT assets. Where you are responsible for the custodianship of information assets or operation of a departmental ICT business system, you are to ensure business continuity plans are in place in the event of a disaster or major service outage, that they are regularly reviewed and updated to reflect current processes and contacts, and that required equipment is readily available.

    Business system owners that operate ICT business systems are responsible for ensuring security testing is undertaken for vulnerability management and security breaches, including detectable intrusions.

    Disaster recovery plans are developed, tested and updated regularly to ensure that they are up-to-date with the requirements for continuity of critical and business-as-usual operations.[22]

    Events arising from risks and vulnerabilities that can cause interruptions to business processes will be regularly identified, including the probability and impact of such interruptions and their consequences for information security.

    Risk assessment processes and plans will be maintained, and risk mitigation strategies will be reviewed and updated to ensure the security of all information assets.

    Resources

    • OnePortal's business continuity management web page provides details on the department's Business Continuity Management Strategy.

    • OnePortal's Emergency and Security Management Unit website provides advice on the department's emergency management policy.

    • OnePortal's software load performance and security testing services lists the department's approved suppliers under DETPSA-100788 for load performance testing and security/penetration testing.

    • Information and Communication Technology (ICT) Procedure's ICT security section provides the requirements placed on employees to protect and secure the department's information and ICT business systems. This includes requirements for reporting information security breaches.

    • Queensland Government's Information Security - IS18 information standard provides the requirements for a consistent approach to information security implementation and operation across Queensland Government.

    General advice

    • Review business continuity plans and emergency management plans on a regular basis.

    • Re-train employees on business continuity plans and emergency management plans each year.

    [21] Queensland Government Information Security Policy – Mandatory Clauses 9.1.2, Nov 2010, v1.0.2

    [22] Queensland Government Information Security Policy – Mandatory Clauses 9.2.2, 9.2.3, 9.2.4, Nov 2010, v1.0.2

    Need further advice on business continuity management?

    Business Continuity Management is coordinated through Planning, Performance and Risk Unit, Governance, Strategy and Planning, phone 07 3235 9959.


    10. Compliance management

    Employees are to comply with departmental policies and procedures, Queensland Government policy, legislative and audit requirements.[23] The department's planning and implementation controls on ICT security are governed within the Information Security Framework and Information Security Plan (see Section 1 of this guide for details).

    The department provides advice on meeting these requirements through the Information and Communication Technology (ICT) Procedure's ICT security section and this guideline.

    What is your responsibility as a departmental employee?

    Employees are responsible for ensuring they are aware of information security requirements and adhere to these when undertaking operations as part of their position within the department.

    Security incidents are reported in accordance with Section 8 of this guide.

    Resources

    • Information and Communication Technology (ICT) Procedure's ICT security section provides the requirements placed on employees to protect and secure the department's information and ICT business systems. This includes requirements for reporting information security breaches.

    • Queensland Government's Information Security - IS18 information standard provides the requirements for a consistent approach to information security implementation and operation across Queensland Government.

    Need further advice on compliance management?

    If you have any questions in relation to information security compliance management, contact ICT Governance, Strategy and Policy, Information and Technologies Branch (ITB) on phone 07 3034 4313.

    [23] Queensland Government Information Security Policy – Mandatory Clauses 10.1.1, Nov 2010, v1.0.2


    Common information security terms

    Control: A measure that is taken to mitigate risks.

    Encryption: The art or science concerning the principles, means and methods for rendering plain information unintelligible.

    Firewall: A network device that filters incoming and outgoing network data based on a series of rules.

    Hardware: The physical components of computer equipment including peripheral equipment. For example, personal computers, servers, laptops, printers, routers, smart phones and mobile phones.

    ICT asset: ICT hardware, software, systems and services used in the department's operations, including physical assets used to process, store or transmit information.

    ICT business system: Information technology systems or applications designed to automate and support the undertaking of a specific business process or processes. They may create, receive, manage and maintain business information relating to business processes.

    Information asset: Is an identifiable collection of data stored in any manner and recognised as having value for the purpose of enabling the department to perform its business functions; this includes transactional information in business systems, documents and mail.

    Information custodian: Delegated by the information owner to set and define the rules of an information asset to ensure the information asset is appropriately managed to maintain its currency, integrity and availability. This includes identifying its information security classification/s and registering and maintaining its details within the department's Information Asset Register.

    Malicious code: Any software that attempts to subvert the confidentiality, integrity or availability of a system. Malicious code includes: logic bombs, trapdoors, Trojan programs, viruses and worms.

    Media: The component of hardware that is used to store information.

    Privileged user: A user who can alter or circumvent system security protections. This may also apply to users who may have only limited privileges, such as software developers, who can still bypass security precautions. A privileged user may have the capability to modify system configurations, account privileges, audit logs, data files or applications, for example system administrators, ICT security employees, helpdesk employees.

    Remote access: Any access to a departmental practice system from a location not within the physical control of the department.

    Removable media: Storage media that can be easily removed from an ICT business system and is designed for removal, for example hard disks, CDs, floppy disks, tapes, smartcards and flashcards.

    Risk: A risk is 'a future event' that impacts on organisational objectives. It may happen or it may not. We can plan for risk based on its likelihood and potential impact – risks can be avoided completely, minimised, transferred to another party or we can meet them head on with strategies to deal with their effects.

    Security incident: An event that impacts on the confidentiality, integrity or availability of a system through an act of unauthorised access, disclosure, modification, misuse, damage, loss or destruction.

    Server: A computer used to run programs that provide services to multiple users, for example file servers, mail servers and database servers.

    System administrator: The person responsible for the day-to-day operation of the system.

    User: Any individual or entity accessing the department's ICT business systems and/or applications, including employees, students, adults, parents/caregivers, business partners and/or the wider community.

    Virus: See malicious code.
