
Queensland Government Enterprise Architecture

Information security
incident category guideline

Final
August 2013
v2.0.0
PUBLIC
QGEA PUBLIC Information security incident category guideline

Document details

Security classification: PUBLIC
Date of review of security classification: June 2013
Authority: Queensland Government Chief Information Officer
Author: Queensland Government Chief Information Office
Documentation status: Final version

Contact for enquiries and proposed changes


All enquiries regarding this document should be directed in the first instance to:
Queensland Government Chief Information Office
qgcio@qgcio.qld.gov.au

Acknowledgements
This version of the Information security incident category guideline was developed and updated by
Queensland Government Chief Information Office.
Feedback was also received from a number of agencies, which was greatly appreciated.

Copyright
Information security incident category guideline
Copyright The State of Queensland (Queensland Government Chief Information Office) 2013

Licence

Information security incident category guideline by the Queensland Government Chief Information
Office is licensed under a Creative Commons Attribution 3.0 Australia licence. To view the terms of
this licence, visit http://creativecommons.org/licenses/by/3.0/au. For permissions beyond the scope
of this licence, contact qgcio@qgcio.qld.gov.au.
To attribute this material, cite the Queensland Government Chief Information Office.

Information security
This document has been security classified using the Queensland Government Information
Security Classification Framework (QGISCF) as PUBLIC and will be managed according to the
requirements of the QGISCF.

Final | v2.0.0 | August 2013 Page 2 of 27



Contents
1 Introduction .......................................................................................................................... 4
1.1 Purpose ........................................................................................................................ 4
1.2 Audience....................................................................................................................... 4
1.3 Scope ........................................................................................................................... 4

2 Background .......................................................................................................................... 4
2.1 Why was the Information security incident category guideline developed? ................... 4
2.2 Relationship to other documents................................................................................... 5
2.3 How is the Information security incident category guideline structured? ........................ 6

3 Information security event and incident definitions .......................................................... 8

4 Information security event and incident categories .......................................................... 8


4.1 Incident classification .................................................................................................... 8
4.2 Incident impact ........................................................................................................... 10
4.3 Incident cause ............................................................................................................ 10
4.4 Incident origin ............................................................................................................. 10
4.5 Severity and severity type ........................................................................................... 10

5 Information security incident severity matrix .................................................................. 11


5.1 Severity type ............................................................................................................... 16
5.2 Example incident severity assessment ....................................................................... 18

Figures
Figure 1: Queensland Government Incident Management Documents ........................................... 5
Figure 2: Information Security Incident Definition, Categories and Severity..................................... 7
Figure 3: Information security incident severity matrix ................................................................... 12




1 Introduction
1.1 Purpose
The Information security incident category guideline provides guidance to achieve a
consistent approach to categorising information security incidents. It assists agencies in the
internal management of information security events and incidents and in the external
reporting of those incidents, when required. The consistency in categorising information
security events and incidents resulting from the use of this guideline will also facilitate
information sharing across Queensland Government agencies. This document provides
guidance in determining information security incident severity by providing a matrix for that
purpose. This matrix is based on the impact assessment matrix documented in the
Queensland Government Information Security Classification Framework (QGISCF).

1.2 Audience
This document is primarily intended for:
- departmental staff and operational areas involved in information security incident management
- information governance bodies
- the Queensland Government Virtual Incident Response Team.

1.3 Scope
This guideline relates to incident management and compliance management domains
within the information security slice of the Queensland Government Enterprise Architecture
(QGEA).

2 Background
2.1 Why was the Information security incident category guideline
developed?
The Auditor-General of Queensland's Report to Parliament No. 4 for 2009 detailed a
number of key network security issues in Section 4.2, Information Technology
Network Security. With regard to information security incident management, the report
found that:
- there is no centrally coordinated reporting and monitoring process for government IT security incidents
- no mandatory standards exist that require agencies to report such incidents
- formal processes for security incident and problem management are not in place
- agencies should monitor their networks for potential security breaches.
The Incident category guideline has been developed to provide a consistent and structured
approach to defining and categorising information security events and incidents within
agencies and at a whole-of-government level which will assist agencies in managing their
information security events and incidents internally and when external reporting is required.




The Information security incident category guideline will:
- establish consistent terminology relating to information security incidents across the Queensland Government
- provide a method of accurately assessing the severity of information security incidents
- facilitate information sharing and consistency across Queensland Government agencies
- allow easier business risk and impact analysis across Queensland Government agencies
- allow consistent response plans from the whole-of-government virtual incident response team
- address issues raised in the Auditor-General of Queensland's Report to Parliament No. 4 for 2009
- enable consistency with AS/NZS ISO/IEC 27001 (the Australian Standard adoption of ISO/IEC 27001).

2.2 Relationship to other documents


The Information security incident category guideline supports the implementation of
Information Standard 18: Information Security (IS18). In particular, it supports the principles
relating to incident management and compliance management. It is part of a suite of
documents that assist agencies to meet their internal incident management requirements
and external incident reporting requirements (see figure 1).

[Figure 1 (diagram): the Queensland Government Information Security Incident Category Guideline shown as the overarching document, with two supporting documents beneath it: the Queensland Government Information Security Incident Management Guideline and the Queensland Government Information Security Event and Incident Reporting Standard.]

Figure 1: Queensland Government Incident Management Documents




The Information security incident category guideline is the overarching document which
provides consistent definitions, categories and severity scales across all agencies within the
Queensland Government. However, the management of agency internal information
security events and incidents and agency external reporting requirements are outside the
scope of this guideline and are covered in the Information security incident management
guideline.

2.3 How is the Information security incident category guideline structured?
As illustrated in Figure 2, the guideline (QGISICG) provides information security:
- event/incident definitions
- incident categories
- an incident severity matrix.




[Figure 2 (diagram): Information security incident definition, categories and severity. The figure lays out the elements defined in sections 3 to 5:
Definition: Event; Incident.
Category: Theft/loss of assets; Unauthorised access to information/systems; Unauthorised release or disclosure of information; Malware infections; Intrusions against networks; Abuse of privileges; Unauthorised changes to information, applications, systems or hardware; Defacement of public information; Violation of information security policy; Suspicious system behaviour or failure (hardware/software or communications); Password confidentiality; Other events.
Compromises: Confidentiality; Integrity; Availability.
Cause: Deliberate; Accidental; Error; Unknown.
Origin: Internal (agency); Internal (Qld Gov); External; Unknown.
Severity: None/Negligible; Minor; Moderate; High; Very High.
Severity type: A. Risk to individual safety; B. Distress caused to any party; C. Damage to any party's standing or reputation; D. Inconvenience to any party; E. Public order; F. Unauthorised disclosure of personally or commercially sensitive information; G. Impact on Government finances or economic and commercial interests; H. Financial loss to any client of the service provider or third party; I. Financial loss to agency/service provider; J. Disruption to agency business operations; K. Service delivery disruption; L. Systems/network affected; M. Assistance to crime or impact on its detection; N. Agencies affected; O. Propagation; P. Ease of recovery; Q. Impact on development or operation of major government policy.]

Figure 2: Information security incident definition, categories and severity




3 Information security event and incident definitions

Event: An identified occurrence or activity that threatens to adversely affect the security of information, or indicates a potential vulnerability within the agency, but is currently unsuccessful in its attempt.

Incident: An identified occurrence or activity that has been successful in adversely affecting the security of information.

4 Information security event and incident categories


4.1 Incident classification
Theft/loss of assets: The theft or loss of any information or technology asset/device (including portable and fixed media) that might have been or has been used to either process or store Queensland Government information.

Unauthorised access to information/systems: Unauthorised access from internal or external sources to Queensland Government information and systems.

Unauthorised release or disclosure of information: Unauthorised release or disclosure of Queensland Government information to an unknown environment.

Malware infections: Infection of Queensland Government systems by software designed to cause damage to them.

Intrusions against networks: Intrusions specifically targeting Queensland Government internal infrastructure. This includes but is not limited to:
- denial-of-service (DoS)/distributed denial-of-service (DDoS)
- website defacements
- brute force attempts.
It also covers intrusion activity that, after analysis, cannot be dismissed as ordinary Internet background noise: for example, attempts that consistently target internal network infrastructure, users, or services provided for external use such as web applications.

Abuse of privileges: Changes to privilege settings on stand-alone or networked equipment, including network profiles and local user or device configuration files, that have not been approved through the agency's change management process.

Unauthorised changes to information, applications, systems or hardware: Any unauthorised change to an organisation's file system or media, through insertion, modification or deletion. For example, changes to standard operating environments (SOEs), the addition of executables or the modification of an executable's configuration. Also any unauthorised installation of additional processing, communications or storage equipment into the IT network. This includes but is not limited to:
- modems
- portable games units
- smart phones
- PDAs
- wireless access points.

Violation of information security policy: Any violation of information security policy or of the information security related aspects of the code of conduct.

Suspicious system behaviour or failure (hardware/software or communications): Unknown network activity that affects or degrades network performance: increased bandwidth usage and decreased response time, excessive CPU use, an increase in suspicious network requests, or an increase in Intrusion Detection System (IDS)/Intrusion Prevention System (IPS) alerts, leading to application crashes. Also includes a malfunction within the electronic circuits or electromechanical components of a computer/communications system, or the malfunction or inability of a program to continue processing due to erroneous logic.

Password confidentiality: Sharing, theft or loss of passwords or other authentication tokens.

Sabotage/physical damage: Any damage to or destruction of physical information or electronic devices.

Other events: Natural events and other events which result in damage to information and systems. This includes but is not limited to:
- fire
- flood
- excessive heat
- storms
- biological agents
- toxic dispersion
- riots
- power outage.




4.2 Incident impact


Confidentiality: The confidentiality of Queensland Government information has been compromised as a result of the incident, e.g. unauthorised access to information.

Integrity: The integrity of Queensland Government information has been compromised as a result of the incident, e.g. resulting in inaccurate or incomplete information.

Availability: The availability of Queensland Government information has been compromised as a result of the incident, e.g. information assets cannot be accessed by authorised users.

4.3 Incident cause


Deliberate: A person causes an information security incident intentionally, with a desired result or a particular purpose in mind.

Accidental: A person causes an information security incident or event unexpectedly, unintentionally, without design or by chance.

Error: A malfunction, error, flaw, mistake, failure, fault or bad code in an ICT facility, device or software program that prevents it from behaving as intended.

Unknown: The incident cause cannot be identified. Requires further investigation.

4.4 Incident origin


Internal (agency): Existing, occurring or originating within the agency.

Internal (Queensland Government): Existing, occurring or originating within the Queensland Government.

External: Existing, occurring or originating outside the Queensland Government.

Unknown: The origin cannot be clearly identified. Requires further investigation.

4.5 Severity and severity type


Refer to section 5 for the event and incident severity matrix and the severity type definitions.




5 Information security incident severity matrix


The Information security incident severity matrix (Figure 3, pages 12 to 15) should be used to
determine the severity of an information security incident. This will result in a consistent
approach to both the process and the terminology across Queensland Government
agencies. It should be noted that this matrix is intended as a guide only, and the impact
types and their evaluation may need to be modified to suit individual agencies.
Agencies should avoid making a severity assessment solely on the basis of the security
classification of the information involved. For example, the unauthorised modification of
publicly available information such as a public health notice may still have a high impact on
individuals and agencies.
Note that it is the highest severity rating assigned to any impact type for a particular
incident that determines the overall severity of the incident. For example, if the impact
types assessed for an incident score from none/negligible up to high, the incident is
rated high.
See section 5.2 for worked examples of how to apply the severity matrix.




Each impact type is listed with the matrix cell for each severity level, from lowest (None/negligible) to highest (Very high). Letters match Figure 2 and section 5.1. Where the source matrix populates only some of the five severity columns for an impact type, the populated cells are given in order from lowest to highest severity.

A. Risk to individual safety
- None/negligible: none/negligible
- High: any risk to personal safety
- Very high: threatens life directly

B. Distress caused to any party
- None/negligible: none/negligible
- Moderate: short term distress
- High: limited long term distress
- Very high: substantial long term distress

C. Damage to any party's standing or reputation
- None/negligible: none/negligible
- Minor: minor local impact and/or limited short term damage
- Moderate: moderate embarrassment and/or short term damage
- High: significant embarrassment, loss of public confidence and/or limited long term damage
- Very high: severe embarrassment, loss of public confidence and/or substantial long term damage

D. Inconvenience to any party
- None/negligible: none/negligible
- Minor: minor inconvenience
- Moderate: moderate inconvenience
- High: significant inconvenience
- Very high: substantial inconvenience

E. Public order (lowest to highest): none or negligible; measurable impact; prejudice; seriously prejudice.

F. Unauthorised disclosure of personally or commercially sensitive information
- None/negligible: no or negligible disclosure of sensitive information
- Minor: minor impact
- Moderate: measurable impact, breach of regulations or commitment to confidentiality
- High: significant impact to person, agency or business
- Very high: substantial impact to person, agency or business

G. Impact on Government finances or economic and commercial interests (lowest to highest): no or negligible impact; cause financial loss or loss of earning potential; work significantly against; substantial damage.

H. Financial loss to any client of the service provider or third party (see note 1)
- None/negligible: no or negligible loss
- Minor: minor loss
- Moderate: moderate loss
- High: significant loss
- Very high: substantial loss

I. Financial loss to agency/service provider
- None/negligible: no or negligible loss
- Minor: less than 2% of monthly agency budget
- Moderate: 2% to less than 5% of monthly agency budget
- High: 5% to less than 10% of monthly agency budget
- Very high: 10% or more of monthly agency budget

J. Disruption to agency business operations
- None/negligible: no or negligible disruption
- High: agency business operations impaired in any way
- Very high: agency business halted or significantly impaired for a sustained period

K. Service delivery disruption
- None/negligible: none or negligible
- Minor: minor interruptions or delays
- Moderate: loss of transactions in progress
- High: significant interruptions or delays; loss of completed transactions
- Very high: unable to continue to deliver service in current form

L. Systems/network affected
- None/negligible: none or negligible
- Minor: few non-critical systems in a stand-alone or networked environment
- Moderate: many non-critical systems in a stand-alone or networked environment
- High: any critical system in a networked environment
- Very high: multiple critical systems in a networked environment

M. Assistance to crime or impact on its detection (lowest to highest): would be of no or negligible assistance or hindrance to detection of unlawful activity; prejudice investigation or facilitate commission of violations that will be subject to enforcement efforts; impede investigation or facilitate commission of serious crime; prevent investigation or directly allow commission of serious crime.

N. Agencies affected (lowest to highest): small areas within a single agency; most areas within a single agency; multiple agencies; whole-of-government.

O. Propagation
- None/negligible: none or negligible
- Minor: easily contained within a single system or network segment
- Moderate: contained within a single agency
- High: likely to propagate (or has propagated) to other agencies
- Very high: likely to propagate (or has propagated) beyond Queensland Government networks; cannot be detected by anti-virus products and the intrusion vector cannot be established

P. Ease of recovery
- None/negligible: no/negligible recovery required
- Minor: handled by routine tools and procedures
- Moderate: requires additional resources (e.g. staff overtime, engagement of third parties or purchase of tools)
- High: requires substantial additional resources (e.g. engagement of additional staff or contractors, or significant investment)
- Very high: not directly recoverable (significant irreversible damage or loss)

Q. Impact on development or operation of major government policy
- None/negligible: no or negligible impact
- Minor: minor impact
- Moderate: impede effective development or operation
- High: seriously impede development or operation
- Very high: substantially impede development or operation

Impact on risk of litigation
- None/negligible: no or negligible impact
- Minor: minor impact
- Moderate: measurable impact
- High: significant impact
- Very high: substantial impact

Note 1: To assist in determining the appropriate level of impact for financial loss to a client, the following is suggested: Minor < $50, Moderate $50 to < $200, High $200 to < $2000 and Very high $2000 or more. These figures are guidelines only, and are based on an average individual. Where the client is known to be a corporation or other similar entity, these figures would need to be adjusted to something more akin to the figures used for financial loss to the service provider. If multiple clients will suffer the loss, the impact level should be adjusted accordingly to reflect the total losses to clients.

Figure 3: Information security incident severity matrix




5.1 Severity type


To provide some assistance in completing the severity matrix, the following table (based on
the QGISCF approach) provides examples of considerations when assessing impacts.

A. Risk to individual safety: Consider any risk of injury or impact on safety at all, as well as the possibility of loss of life. Examples include release of the names or locations of under-cover officers or of people under protection orders.

B. Distress caused to any party: From the client's or the public's point of view, distress could be caused by many things, including the release of private information. From a service provider's point of view, potential impacts could include stress on employees and possible loss of jobs or a major reorganisation forced by the inappropriate release of information.

C. Damage to any party's standing or reputation: Issues to consider include the potential for adverse publicity, either locally or wider, and the potential for damage to either the service provider's or the client's ongoing reputation. If inappropriate access to information was granted, would it be of interest to the media?

D. Inconvenience to any party: Consider factors such as the release of information which could lead to identity fraud being perpetrated.

E. Public order: Consider whether disclosure of information could pose a threat to community relations and public order. This may occur when information is released that causes alarm in a way that then results in damage to public order. An example would be disclosure of an offender's identity or whereabouts where the community could then react and disturb public order.

F. Unauthorised disclosure of personally or commercially sensitive information: Would disclosure of information which should not be made public have an impact on any party, or would it violate legislative or regulatory guidelines such as the information privacy principles? Examples include medical records and other personal information, and commercially sensitive information that could affect current or future business.

G. Impact on government finances or economic and commercial interests: Would disclosure of information result in financial or economic consequences to government? Release of information may result in financial gain or loss. Disclosure of planning decisions which could result in changing valuations would be an example.

H. Financial loss to any client of the service provider or third party: Consider this from the service provider's perspective: what losses could they incur? Considerations include the possibility of fraud, a party illegally transferring money, or a party gaining control of assets they don't legally own (e.g. by using the provided information to establish an identity which is not theirs, and then changing ownership details).

I. Financial loss to agency/service provider: The same considerations as for H apply, from the service provider's perspective: the possibility of fraud, a party illegally transferring money, or a party gaining control of assets they don't legally own.

J. Disruption to agency business operations: Would unauthorised release of this information have the potential to reduce or prevent an agency or external party conducting its business? For how long would this reduction or prevention last?

K. Service delivery disruption: Would unauthorised release of this information have the potential to disrupt agency delivery of services to internal or external clients/stakeholders? How long would this disruption last?

L. Systems affected: How many systems have been affected by the incident? Are these critical systems?

M. Assistance to serious crime or hindrance of its detection: Would release of this information have the potential to assist in the conduct of a crime or terrorist activity? This could include release of information enabling the planning of a crime or terrorist activity, or the creation of a false identity.

N. Agencies affected: How many agencies have been affected? To what extent have they been affected?

O. Propagation: How quickly is this incident spreading? How wide is the spread? To what extent is it affecting agencies? Can the incident be contained quickly?

P. Ease of recovery: How long until systems are back to normal? How many systems are affected?

Q. Impact on development or operation of major government policy: Would inappropriate disclosure cause embarrassment to government at the stage where policy is being formulated or implemented? The impact may be that a major policy initiative will not proceed.




5.2 Example incident severity assessment


The following examples show how to apply the categories and the severity matrix to
events and incidents.

Example 1
The chair of an interview panel accidentally left a disk on a train which contains copies of
job applications for an advertised position. The applications contain personal applicant
details such as names, addresses, contact numbers and work history.

Definition: Incident. The occurrence was successful in adversely affecting the security of the information contained on the disk.

Category: Theft/loss of assets. The disk, which contained Queensland Government information, was lost.

Compromises: Confidentiality. The confidentiality of the information on the disk has been compromised, as it is viewable by anyone who obtains it.

Cause: Accidental. The loss was not intended or deliberate.

Origin: Internal (agency). The occurrence was caused by a staff member within the agency.

Severity type:
- A. Risk to individual safety: High (any risk to personal safety). The job applicant details (addresses, contact numbers) can be used to locate individuals, which poses a risk to their safety.
- B. Distress caused to any party: Moderate (short term distress). The job applicants may suffer distress as a result of the loss of their information.
- C. Damage to any party's standing or reputation: Minor (minor local impact and/or limited short term damage). The agency's reputation has not been greatly affected amongst the general public. However, the loss has had a negative impact on its reputation amongst the job applicants.
- D. Inconvenience to any party: None/negligible. The details can be easily retrieved from other electronic sources/devices (original emails, original file locations).
- F. Unauthorised disclosure of personally or commercially sensitive information: Moderate (measurable impact, breach of regulations or commitment to confidentiality). The loss of the disk means that the details of the job applicants have been released to other parties without the individuals' authorisation.

Severity: High. Determined by the highest severity rating recorded (severity type A, High).

Example 2
A denial of service attack has occurred on an agency website, causing downtime and
disruption to critical public services. The attack left the agency unable to continue to deliver
the service for the duration of a working day, which caused inconvenience to consumers of
the service and public embarrassment for the agency.

Definition: Incident. The denial of service attack caused downtime and disruption; it has affected the availability of information.

Category: Intrusions against networks. The attack was successful in causing service disruption, and section 4.1 lists denial-of-service attacks against services provided for external use under intrusions against networks.

Compromises: Availability. The availability of public services was disrupted during the downtime of the website.

Cause: Deliberate. The denial of service attack was persistent and focused, which indicates it was deliberate in intent.

Origin: External. The attack was launched from outside the agency network against the agency's externally facing website.

Severity type:
- C. Damage to any party's standing or reputation: Moderate (moderate embarrassment and/or short term damage). The agency's reputation has been damaged by the disruption of public services.
- D. Inconvenience to any party: High (significant inconvenience). The incident has caused a large amount of inconvenience to the agency as it responds to the attack, and the public has been inconvenienced by the disruption to services.
- J. Disruption to agency business operations: High (agency business operations impaired in any way). The agency's business operations have been disrupted whilst it responds to the network intrusion.
- K. Service delivery disruption: Very high (unable to continue to deliver service in current form). The agency's service delivery has been disrupted as a result of the website downtime.

Severity: Very high. The highest severity rating recorded (severity type K, Very high).

Example 3
An agency has detected an attempted network intrusion from an external source. This
particular attempt was unsuccessful in adversely affecting the security of agency
information, as the agencys security controls prevented an intrusion from occurring.

Category type | Selection | Rationale
Definition | Event | The attempted intrusion was unsuccessful, as the controls in place prevented the occurrence.
Category | Intrusion against network | The agency controls detected an attempted network intrusion.
Cause | Unknown | Further investigation is required to determine the exact cause.
Origin | External | The occurrence is from an external source, outside of the agency network.

Example 4
An agency has detected a network intrusion from an external source. This particular
attempt was successful in adversely affecting the security of agency information, as the
agency's security controls were not able to prevent the intrusion from occurring. As a result
of the attack, the agency's website was defaced, with the attackers removing the existing
content and replacing it with offensive material. The incident is under investigation to
identify where the attack has come from.
Classification: This occurrence has been classified as two separate incidents, as the two
incidents that have arisen from it require different responses, i.e. the network intrusion
requires action to strengthen the security controls, and the website defacement requires the
agency to restore its website and its content.
Incident 1 Network Intrusion
Category type | Selection | Rationale
Definition | Incident | The agency controls were not able to prevent the intrusion attempt.
Category | Intrusion against network | Agency controls were breached, leading to a network intrusion.
Compromises | Confidentiality; Integrity | Once the network intrusion has occurred, agency information is viewable, compromising its confidentiality. The subsequent website defacement has led to a compromise of information integrity.
Cause | Deliberate | The intrusion has been deliberate, because it has led to website defacement.
Origin | External | The intrusion has occurred from outside the agency network.
Severity type | C. Damage to any party's standing or reputation: High (significant embarrassment, loss of public confidence and/or limited long term damage) | The network intrusion has caused damage to the agency's reputation (as a result of the subsequent website defacement).
Severity type | D. Inconvenience to any party: Moderate (moderate inconvenience) | The agency has been inconvenienced as a result of the efforts required to respond to the attack.
Severity type | J. Disruption to agency business operations: High (agency business operations impaired in any way) | The agency's business operations have been impacted following the intrusion of their network.
Severity type | N. Agencies affected: Minor (small areas within a single agency) | The incident affected a small number of areas within the agency.
Severity type | P. Ease of recovery: Moderate (requires additional resources, e.g. staff overtime, engagement of third parties or purchase of tools) | In the affected area staff had to work extra hours to resolve the incident.
Severity | High | The highest severity rating is recorded.

Incident 2 Website Defacement

Category type | Selection | Rationale
Definition | Incident | The agency website was defaced.
Category | Defacement of public information | The website contained publicly accessible information, which was modified without authorisation.
Compromises | Integrity; Availability | The integrity and availability of the website content were compromised, as it was altered and/or removed from the website. Downtime to restore the website further compromised availability.
Cause | Deliberate | The attack was deliberate; the website was defaced, indicating malicious intent.
Origin | External | The intrusion occurred from outside the agency network.
Severity type | B. Distress caused to any party: Moderate (short term distress) | Distress was caused to the public, since the web service was unavailable. In addition, the public were exposed to offensive material.
Severity type | C. Damage to any party's standing or reputation: High (significant embarrassment, loss of public confidence and/or limited long term damage) | The incident has caused damage to the agency's reputation amongst the public.
Severity type | D. Inconvenience to any party: Moderate (moderate inconvenience) | Service downtime causes inconvenience to both the agency and the public.
Severity type | J. Disruption to agency business operations: High (agency business operations impaired in any way) | The agency business operations are disrupted while they restore the website.
Severity type | K. Service delivery disruption: High (significant interruptions or delays; loss of completed transactions) | The services provided on the agency website are adversely affected during the downtime.
Severity type | P. Ease of recovery: Moderate (requires additional resources, e.g. staff overtime, engagement of third parties or purchase of tools) | Efforts to restore the website to full functionality can be done with relative ease. Some staff from the affected area were required to work overtime to resolve the issue.
Severity | High | The highest severity rating is recorded.


Example 5
An agency staff member has been caught viewing and editing confidential files that belong
to a senior staff member, without the authorisation to do so. The documents, which were
classified X-In Confidence, were removed from a filing cabinet located in the senior staff
member's office and replaced with alternative copies. In the process of searching for the
desired files, the employee also went through other documents containing personal details
of the senior staff member. It was later revealed that the employee edited the documents'
content for personal gain.
Classification: This occurrence has been classified as two separate incidents, as the two
incidents that have arisen have compromised different aspects of agency information,
i.e. unauthorised access to agency documents, and unauthorised changes to agency documents.
Incident 1 Unauthorised access to agency documents

Category type | Selection | Rationale
Definition | Incident | The staff member has accessed confidential information without authorisation.
Category | Unauthorised access to information/systems | The staff member has accessed confidential documents from a senior staff member's filing cabinet.
Compromises | Confidentiality | The unauthorised access to senior staff documents has compromised the confidentiality of the information.
Cause | Deliberate | The employee deliberately accessed the document, in search of particular information.
Origin | Internal (agency) | The incident occurred from within the agency.
Severity type | B. Distress caused to any party: Moderate (short term distress) | Distress has been caused to the senior staff member, whose filing cabinet was opened and searched.
Severity type | D. Inconvenience to any party: Moderate (moderate inconvenience) | The incident has caused inconvenience to the senior staff member.
Severity type | F. Unauthorised disclosure of personally or commercially sensitive information: Very High (substantial impact to person, agency or business) | The confidential documents have had their contents disclosed to other parties, without the authorisation of the owner.
Severity | Very High | The highest severity rating is recorded.


Incident 2 Unauthorised changes to agency documents

Category type | Selection | Rationale
Definition | Incident | The staff member has compromised the integrity of the information by developing a fraudulent copy of a document.
Category | Unauthorised changes to information, applications, systems or hardware | Changes have been made to an agency document without authorisation.
Compromises | Confidentiality; Integrity | The incident compromises the confidentiality of the original document (and additional ones searched), as well as the integrity of the edited document.
Cause | Deliberate | The employee deliberately edited the document.
Origin | Internal (agency) | The incident occurred from within the agency.
Severity type | B. Distress caused to any party: High (limited long term distress) | Distress has been caused to the senior staff member, whose filing cabinet was opened and searched, and whose documents were edited.
Severity type | D. Inconvenience to any party: High (significant inconvenience) | The incident has caused inconvenience to the senior staff member.
Severity type | F. Unauthorised disclosure of personally or commercially sensitive information: Very High (substantial impact to person, agency or business) | The confidential documents have had their contents disclosed to other parties, without the authorisation of the owner.
Severity | Very High | The highest severity rating is recorded.


Example 6
An agency staff member has been caught viewing confidential documents that belong to a
senior staff member, without authorisation. The documents, which were not marked as
classified, were left unattended on a public desk. The staff member claims he was unaware
that he did not have the appropriate authority to view the documents.

Category type | Selection | Rationale
Definition | Incident | The confidentiality of the document has been compromised as a result of this occurrence.
Category | Unauthorised access to information/systems | The staff member did not have authorisation to view the contents of the document.
Compromises | Confidentiality | The document contained confidential material, which was viewed by a staff member without authorisation.
Cause | Accidental | The employee was unaware of the document's confidentiality. The employee assumed it was suitable to read, since the document was left in a public place without the correct classification marking.
Origin | Internal (agency) | The incident has occurred within the agency, from an employee.
Severity type | B. Distress caused to any party: Moderate (short term distress) | There was some short term distress to the employee who accessed the information.
Severity type | F. Unauthorised disclosure of personally or commercially sensitive information: Very High (substantial impact to person, agency or business) | The employee who viewed the document was not authorised to do so. The owner of the document has allowed the contents to be viewed by employees who do not have authorisation to do so. It has caused a substantial impact to the party that was the subject of the document.
Severity | Very High | The highest severity rating is recorded.


Example 7
A staff member has incorrectly sent an email containing confidential agency information to
another staff member. The email recipient was incorrectly selected by the sender and, as a
result, the confidential content was not sent to the intended person but was instead read by
the unauthorised staff member. The agency determined that the recipient had no prior
involvement in the leaking of this information, i.e. did not instigate the email, and was not in
breach of any agency information security policy. The sender confirmed that the incident
was the result of an error on their part.

Category type | Selection | Rationale
Definition | Incident | Through the distribution of a misdirected email, the confidentiality of agency information was compromised.
Category | Unauthorised disclosure of personally or commercially sensitive information | The staff member has disclosed agency information to another staff member without authorisation.
Compromises | Confidentiality | The confidentiality of agency information was compromised.
Cause | Accidental | The sender of the email made an error when distributing the information. It was not intentional.
Origin | Internal (agency) | The incident has occurred between two staff members within the agency.
Severity type | B. Distress caused to any party: Moderate (short term distress) | The incident has caused short term distress for the employee who sent the email, as they were responsible for the unauthorised distribution of confidential material.
Severity type | F. Unauthorised disclosure of personally or commercially sensitive information: Moderate (measurable impact, or breach of regulations or commitment to confidentiality) | The sender of the email has disclosed confidential information without authorisation.
Severity type | P. Ease of recovery: Minor (handled by routine tools and procedures) | The incident was handled by routine tools and procedures.
Severity | Moderate | The highest severity rating is recorded.
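Every worked example above ends the same way: the overall severity is the highest severity type rating recorded. The following Python is an added illustration, not part of the guideline, that models the table rows as a record and applies that roll-up rule to Examples 2, 3, 4 (incident 1) and 7 so the result can be checked against the tables. The structural checks in validate (an Event records no compromises and no severity ratings; an Incident names at least one compromised property) are an assumption read off the examples rather than a rule the guideline states, and the record and function names are this example's own.

```python
"""Severity roll-up for the incident category worked examples (added illustration)."""
from dataclasses import dataclass

# Ordinal scale used in the examples, lowest to highest.
SEVERITY_SCALE = ("None/Negligible", "Minor", "Moderate", "High", "Very High")

# Severity type codes that appear in the worked examples.
SEVERITY_TYPES = {
    "A": "Risk to individual personal safety",
    "B": "Distress caused to any party",
    "C": "Damage to any party's standing or reputation",
    "D": "Inconvenience to any party",
    "F": "Unauthorised disclosure of personally or commercially sensitive information",
    "J": "Disruption to agency business operations",
    "K": "Service delivery disruption",
    "N": "Agencies affected",
    "P": "Ease of recovery",
}

SECURITY_PROPERTIES = ("Confidentiality", "Integrity", "Availability")


@dataclass(frozen=True)
class IncidentRecord:
    label: str
    definition: str      # "Event" or "Incident"
    category: str
    compromises: tuple   # subset of SECURITY_PROPERTIES
    cause: str           # "Deliberate", "Accidental" or "Unknown"
    origin: str          # "Internal" or "External"
    ratings: dict        # severity type code -> rating on SEVERITY_SCALE


def rank(rating):
    """Position of a rating on the ordinal scale; unknown ratings are rejected."""
    if rating not in SEVERITY_SCALE:
        raise ValueError(f"unknown severity rating: {rating!r}")
    return SEVERITY_SCALE.index(rating)


def validate(record):
    """Consistency checks. The Event/Incident rules are an assumption read off the
    examples; the vocabulary checks catch typos that would distort the roll-up."""
    problems = []
    if record.definition not in ("Event", "Incident"):
        problems.append(f"definition must be Event or Incident, got {record.definition!r}")
    if record.cause not in ("Deliberate", "Accidental", "Unknown"):
        problems.append(f"unrecognised cause {record.cause!r}")
    if record.origin not in ("Internal", "External"):
        problems.append(f"unrecognised origin {record.origin!r}")
    for prop in record.compromises:
        if prop not in SECURITY_PROPERTIES:
            problems.append(f"unrecognised security property {prop!r}")
    for code, rating in record.ratings.items():
        if code not in SEVERITY_TYPES:
            problems.append(f"unknown severity type code {code!r}")
        if rating not in SEVERITY_SCALE:
            problems.append(f"unknown rating {rating!r} for severity type {code}")
    if record.definition == "Event" and (record.compromises or record.ratings):
        problems.append("an Event did not affect security, so it records no compromises or ratings")
    if record.definition == "Incident" and not record.compromises:
        problems.append("an Incident must name at least one compromised property")
    return problems


def overall_severity(record):
    """Overall severity is the highest rating recorded. Also returns the codes of
    the severity types that set it, so the severity row can cite them as Example 2 does."""
    if not record.ratings:
        return None, []
    top = max(rank(r) for r in record.ratings.values())
    drivers = sorted(code for code, r in record.ratings.items() if rank(r) == top)
    return SEVERITY_SCALE[top], drivers


# Records transcribed from the worked examples above.
EXAMPLE_2_DOS = IncidentRecord(
    "Example 2: denial of service", "Incident", "Intrusions against networks",
    ("Availability",), "Deliberate", "External",
    {"C": "Moderate", "D": "High", "J": "High", "K": "Very High"})

EXAMPLE_3_ATTEMPT = IncidentRecord(
    "Example 3: blocked intrusion attempt", "Event", "Intrusion against network",
    (), "Unknown", "External", {})

EXAMPLE_4_INTRUSION = IncidentRecord(
    "Example 4, incident 1: network intrusion", "Incident", "Intrusion against network",
    ("Confidentiality", "Integrity"), "Deliberate", "External",
    {"C": "High", "D": "Moderate", "J": "High", "N": "Minor", "P": "Moderate"})

EXAMPLE_7_MISDIRECTED_EMAIL = IncidentRecord(
    "Example 7: misdirected email", "Incident",
    "Unauthorised disclosure of personally or commercially sensitive information",
    ("Confidentiality",), "Accidental", "Internal",
    {"B": "Moderate", "F": "Moderate", "P": "Minor"})


if __name__ == "__main__":
    for rec in (EXAMPLE_2_DOS, EXAMPLE_3_ATTEMPT, EXAMPLE_4_INTRUSION, EXAMPLE_7_MISDIRECTED_EMAIL):
        issues = validate(rec)
        severity, drivers = overall_severity(rec)
        print(f"{rec.label}: {severity or 'n/a'} (set by {', '.join(drivers) or 'none'}); "
              f"{'OK' if not issues else '; '.join(issues)}")
```

Returning the driving severity type codes alongside the rating is what makes the roll-up auditable: for Example 4 the overall High is set jointly by types C and J, which is the information a reviewer needs when deciding whether a lower rating on one of them would change the outcome.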
