The Queensland Government Chief Information Office introduced revised Information Security Policies (IS18) effective October 1, 2018. The changes move from a compliance focus to a risk-based approach based on ISO 27001. Key changes include requiring agencies to implement an Information Security Management System, apply systematic risk management, meet minimum security requirements, obtain assurance for systems, and have accountable officers attest to security posture annually. The goal is to establish effective governance, improve risk management, and design systems with assurance in mind.

1. Partners in Technology
Friday 2 November 2018
Queensland Government Chief Information Office

2. IS18 – Policy Changes
www.qgcio.qld.gov.au

3. Queensland Government Chief Information Office
IS18 - Security Policy Changes
From October 1st 2018 a revised Information Security Policies (IS18) came into
effect for Queensland Government.
What are these changes, what do they mean, and what does the information
security need to look like for Queensland Government in the future.

4. Queensland Government Chief Information Office
Cyber security is now a strategic risk to all organisations
- No one wants to be front page news for a cyber incident
- Everyone is a potential target
- Increasingly seeing attackers exploiting weakest points in security
Never underestimate a criminal’s ability to turn
your stuff
into their money
or the damage to your reputation when that happens.

5. Queensland Government Chief Information Office
We have be “doing” Information Security for decades.
So what’s changed?
•Digitization
•Complexity
Expectations of the
community and
stakeholders
Sophistication & motivation
of attackers

6. Queensland Government Chief Information Office
IS18 History
Part of the QGEA
First established in 1993
Last major refresh of IS18 in 2009 - (5th version)
Based around
ISO/IEC 17799:2000 and ISO/IEC 27001:2006

7. Queensland Government Chief Information Office
Drivers for change
Not aligned to the current of the ISO 27001 standard.
Needed refreshing to match agency requirements in managing increasingly
complex ICT and business environments.
Hadn’t been particularly well adopted
Focused on controls, not the processes and outcomes
Lacked guidance on governance and assurance

8. Queensland Government Chief Information Office
Information Security Policy (IS18:2018)
This new policy came into effect from 1 October 2018.
Represents a move from a compliance focus
to a risk based approach

9. Queensland Government Chief Information Office
Policy wording
Purpose
The Queensland Government is responsible for a significant amount of
information. To ensure trust and deliver business value it is critical that
this information is protected appropriately.
This policy seeks to ensure all agencies apply a consistent, risk-based
approach, to the implementation of information security to maintain
confidentiality, integrity and availability.
Policy statement
The Queensland Government will identify and manage risks to
information, applications and technologies, through their life cycle,
using Information Security Management Systems (ISMS).
Purpose
The Queensland Government is responsible for a significant amount of
information. To ensure trust and deliver business value it is critical that
this information is protected appropriately.
This policy seeks to ensure all agencies apply a consistent, risk-based
approach, to the implementation of information security to maintain
confidentiality, integrity and availability.
Policy statement
The Queensland Government will identify and manage risks to
information, applications and technologies, through their life cycle,
using Information Security Management Systems (ISMS).

10. Queensland Government Chief Information Office
Policy requirement 1:
Agencies must implement an ISMS based on ISO 27001
Agencies must implement and operate an ISMS based
on the current version of ISO 27001 Information
technology - Security techniques - Information
security management systems – Requirements. The
scope of the ISMS will include the protection of all
information, application and technology assets.

11. Queensland Government Chief Information Office
Policy requirement 2:
Agencies must apply a systematic and repeatable
approach to risk management
Risk management is an integral part of operating an ISMS where risks must
be considered at a business level. Agencies must adopt a risk management
framework by integrating their ISMS into their corporate risk management
processes.

12. Queensland Government Chief Information Office
Policy requirement 3:
Agencies must meet minimum security requirements
To ensure a consistent security posture, the ISMS must meet the following requirements:
• all ICT assets that create, store, process or transmit information are assigned appropriate
controls in accordance with the Queensland Government Information Security
Classification Framework (QGISCF).
• all information transmitted over data communications networks must be secured in line
with the Network transmission security assurance framework (NTSAF)*.
• all services requiring user authentication must meet the requirements of the Queensland
Government Authentication Framework (QGAF)*.
• agencies must implement the Australian Signals Directorate (ASD) “Essential
Eight” Strategies to Mitigate Cyber Security Incidents.
* Being reviewed

13. Queensland Government Chief Information Office
Policy requirement 4:
Agency accountable officers must obtain assurance for systems
Every system is unique and assurance should be applied sensibly
and appropriately. Accountable officers must obtain assurance to
establish an understanding of information security protections
and adherence to information security policy.
The level of assurance applied to systems must be based on the
criticality/significance of the system, using the business impact
levels determination methodology outlined in the QGISCF.

14. Queensland Government Chief Information Office
Policy requirement 5:
Accountable officers must attest to the appropriateness
of agency information security
Agency accountable officers must:
• endorse the Information Security Checklist.
• certify that it is an accurate report of the agency’s information
security posture.
• endorsement must be obtained from the agency's
accountable officer through corporate audit and risk
committee.

15. Queensland Government Chief Information Office
Reporting requirements:
• Agencies must submit an endorsed Information Security
Compliance Checklist annually by 30 October every year to
the Queensland Government Chief Information Office.
• Endorsement must be obtained from the agency's
accountable officer through corporate audit and risk
committee.
• Communicate incident response activities and threat
intelligence to the Queensland Government Chief Information
Office.

16. Queensland Government Chief Information Office
Information Security Classification Framework (QGISCF)
Consistent classification of
information helps Queensland
government agencies make more
informed and timely decisions about
how they should capture, store,
maintain, transmit, process, use and
share information to best deliver
services to Queenslanders.

17. Queensland Government Chief Information Office
Benefits of stronger adoption of ISO 27001
• Stronger focus on the elements of governance & accountability
• Move from a compliance to a risk management based approach
• Establish sustainable process improvement
• Common language assists in aligning requirements when using cloud and
managed ICT services
• Leverage the capabilities in the market

18. Queensland Government Chief Information Office
Approach
Focus on establishing effective governance & accountability
Improve risk management capability
The control objectives haven’t changed significantly
Certification is not required, but may be used.

19. Queensland Government Chief Information Office
What does information security need to look like
Cyber Security is a Business Risk not just an IT Problem.
Integrated into enterprise risk management
Business engagement essential
Considering information security risk in all operations
Design with assurance in mind

20. Queensland Government Chief Information Office
Further Details
QGCIO Website
https://www.qgcio.qld.gov.au/information-on/information-security/
QGCIO email
qgcio@qgcio.qld.gov.au

21. Testing Within Government
Showcase
7 December 2018
QUT Gardens Point
Gardens Theatre
9am – 11am
4 Government agencies – 4 SME’s collaborating to make a difference