Incident Category Guideline v2 0 0

Queensland Government Enterprise Architecture
Information security
incident category guideline
Final
August 2013
v2.0.0
PUBLIC
QGEA PUBLIC Information security incident category guideline
Document details
Security classification PUBLIC
Date of review of security

June 2013
classification
Authority Queensland Government Chief Information Officer
Author Queensland Government Chief Information Office
Documentation status Working draft Consultation release Final version
Contact for enquiries and proposed changes

All enquiries regarding this document should be directed in the first instance to:
Queensland Government Chief Information Office
qgcio@qgcio.qld.gov.au
Acknowledgements
This version of the Information security incident category guideline was developed and updated by
Queensland Government Chief Information Office.
Feedback was also received from a number of agencies, which was greatly appreciated.
Copyright
Information security incident category guideline
Copyright The State of Queensland (Queensland Government Chief Information Office) 2013
Licence
Information security incident category guideline by the Queensland Government Chief Information
Office is licensed under a Creative Commons Attribution 3.0 Australia licence. To view the terms of
this licence, visit http://creativecommons.org/licenses/by/3.0/au. For permissions beyond the scope
of this licence, contact qgcio@qgcio.qld.gov.au.
To attribute this material, cite the Queensland Government Chief Information Office.
Information security
This document has been security classified using the Queensland Government Information
Security Classification Framework (QGISCF) as PUBLIC and will be managed according to the
requirements of the QGISCF.
Final | v2.0.0 | August 2013 Page 2 of 27

PUBLIC
Contents
1 Introduction .......................................................................................................................... 4
1.1 Purpose ........................................................................................................................ 4
1.2 Audience....................................................................................................................... 4
1.3 Scope ........................................................................................................................... 4
2 Background .......................................................................................................................... 4
2.1 Why was the Information security incident category guideline developed? ................... 4
2.2 Relationship to other documents................................................................................... 5
2.3 How is the Information security incident category guideline structured? ........................ 6
3 Information security event and incident definitions .......................................................... 8
4 Information security event and incident categories .......................................................... 8

4.1 Incident classification .................................................................................................... 8
4.2 Incident impact ........................................................................................................... 10
4.3 Incident cause ............................................................................................................ 10
4.4 Incident origin ............................................................................................................. 10
4.5 Severity and severity type ........................................................................................... 10
5 Information security incident severity matrix .................................................................. 11

5.1 Severity type ............................................................................................................... 16
5.2 Example incident severity assessment ....................................................................... 18
Figures
Figure 1: Queensland Government Incident Management Documents ........................................... 5
Figure 2: Information Security Incident Definition, Categories and Severity..................................... 7
Figure 3: Information Security Incident Definition, Categories and Severity mapped to DSD
categories ........................................................................................ Error! Bookmark not defined.
Figure 4: Information security incident severity matrix ................................................................... 15

PUBLIC
1 Introduction
1.1 Purpose
The Information security incident category guideline provides guidance to achieve a
consistent approach to categorising information security incidents. It assists agencies in the
internal management of information security events and incidents and in the external
reporting of those incidents, when required. The consistency in categorising information
security events and incidents resulting from the use of this guideline will also facilitate
information sharing across Queensland Government agencies. This document provides
guidance in determining information security incident severity by providing a matrix for that
purpose. This matrix is based on the impact assessment matrix documented in the
Queensland Government Information Security Classification Framework (QGISCF).
1.2 Audience
This document is primarily intended for:
departmental staff and operational areas involved in information security incident
management
information governance bodies
Queensland Government Virtual Incident Response Team.
1.3 Scope
This guideline relates to incident management and compliance management domains
within the information security slice of the Queensland Government Enterprise Architecture
(QGEA).
2 Background
2.1 Why was the Information security incident category guideline
developed?
The Auditor General of Queenslands Report to Parliament No. 4 for 2009 detailed a
number of key network security issues outlined in Section 4.2 Information Technology
Network Security. With regards to information security incident management, the report
found that:
there is no centrally coordinated reporting and monitoring process for government IT
security incidents
no mandatory standards that require agencies to report such incidents exists
formal processes for security incident and problem management are not in place
agencies should monitor their networks for potential security breaches.
The Incident category guideline has been developed to provide a consistent and structured
approach to defining and categorising information security events and incidents within
agencies and at a whole-of-government level which will assist agencies in managing their
information security events and incidents internally and when external reporting is required.
Final | v2.0.0 | June 2013 Page 4 of 27

PUBLIC
The Information security incident category guideline will:

establish consistent terminology relating to information security incidents across the
Queensland Government
provide a method of accurately assessing the severity of information security incidents
facilitate information sharing and consistency across Queensland Government
agencies
allow easier business risks and impact analysis across Queensland Government
agencies
allow consistent response plans from the whole-of-government virtual response team
address issues raised in the Auditor General of Queenslands Report to Parliament No.
4 for 2009
enable consistency with Australian Standard ISO 27001.
2.2 Relationship to other documents

The Information security incident category guideline supports the implementation of
Information Standard 18: Information Security (IS18). In particular, it supports the principles
relating to incident management and compliance management. It is part of a suite of
documents that assist agencies to meet their internal incident management requirements
and external incident reporting requirements (see figure 1).
Queensland
Government
Information
Security Incident
Category Guideline
Queensland Queensland
Government Government
Information Information
Security Incident Security Event and
Management Incident Reporting
Guideline Standard
Figure 1: Queensland Government Incident Management Documents

PUBLIC
The Information security incident category guideline is the overarching document which
provides consistent definitions, categories and severity scales across all agencies within the
Queensland Government. However, the management of agency internal information
security events and incidents and agency external reporting requirements are outside the
scope of this guideline and are covered in the Information security incident management
guideline.
2.3 How is the Information security incident category guideline

structured?
As illustrated in Figure 2 , the QGISICG provides information security:
event/incident definitions
incident categories
incident severity matrix.

PUBLIC
DEFINITION
Event Incident
CATEGORY
COMPROMISES
Confidentiality Integrity
Unauthorised changes
to information,
Theft/loss of assets
applications, systems
or hardware
Availability
Unauthorised access
Defacement of public
to information/
information
systems
Unauthorised release Violation of Deliberate Accidental

or disclosure of information security
CAUSE
information policy
Suspicious system
behaviour or failure Error Unknown
Malware infections
(hardware/software
or communications)
Intrusions against Password Internal Internal

networks confidentiality ORIGIN
(agency) (Qld Gov)
Abuse of privileges Other events External Unknown

SEVERITY
None/Negligible Minor Moderate High Very High
F. Unauthorised
A. Risk to individual disclosure of personally K. Service delivery
P. Ease of recovery
safety or commercially disruption
sensitive information
G. Impact on Q. Impact on
B. Distress caused to Government finances L. Systems/network development or
SEVERITY TYPE
any party or economic and affected operation of major

commercial interests government policy
H. Financial loss to
C. Damage to any M. Assistance to
any client of the
partys standing or crime or impact on its
service provider or
reputation detection
third party
I. Financial loss to
D. Inconvenience to
agency/ service N. Agencies affected
any party
provider
J. Disruption to
E. Public order agency business O. Propagation
operations
Figure 2: Information security incident definition, categories and severity

PUBLIC
3 Information security event and incident definitions
Term Description
Event An identified occurrence or activity that threatens to adversely affect the

security of information, or indicates a potential vulnerability within the
agency, but is currently unsuccessful in its attempt.
Incident An identified occurrence or activity that has been successful in adversely

affecting the security of information.
4 Information security event and incident categories

4.1 Incident classification
Term Description
Theft/loss of assets The theft or loss of any information or technology asset/device (including
portable and fixed media) that might have been or has been used to
either process or store Queensland Government information.
Unauthorised access Unauthorised access from internal and external sources to Queensland
to information/systems Government information and systems.
Unauthorised release Unauthorised release or disclosure of Queensland Government

of or disclosure of information to an unknown environment.
information
Malware infections Software programs designed to cause damage to Queensland

Government systems.
Intrusions against Intrusions specifically targeting Queensland Government internal

networks infrastructure. This includes but is not limited to:
denial-of-service (DoS)/distributed denial-of-service (DDoS)
website defacements
brute force attempts.
Intrusion that cannot be attributed, after analysis, to what is considered
consistent with Internet noise. For example intrusion attempts that
consistently target internal network infrastructure, users or services
provided for external use such as web applications.
Abuse of privileges Changes to privilege use settings on stand-alone or networked

equipment including network profiles, local user or device configuration
files that have not been approved through the agencys change
management process.
Unauthorised changes Any unauthorised changes to an organisations file system, including

to information, media, through insertion, modification or deletion. For example, changes
applications, systems to standard operating environments (SOEs), addition of executables or
or hardware the modification of an executables configuration.

PUBLIC
Any unauthorised installation of additional processing, communications or

storage equipment into the IT network. This includes but is not limited to:
modems
portable games units
smart phones
PDAs
wireless access points.
Violation of Any violation of information security policy or the information security

information security related aspects of the code of conduct.
policy
Suspicious system Unknown network activities affecting/degrading network performance with

behaviour or failure increased network bandwidth usage and decreased response time, using
(hardware/software) excessive CPU, increased suspicious network requests or increased
or communications) Intrusion Detection System (IDS)/Intrusion Prevention System (IPS) alerts
leading to application crashes.
Includes a malfunction within the electronic circuits, electromechanical

components of a computer/communications system, or
malfunction/inability of a program to continue processing due to
erroneous logic.
Password Sharing/stealing/loss of passwords or other authentication token.

confidentiality
Sabotage/physical Any damage or destruction of physical information or electronic devices.

damage
Other events Natural events and other events which result in damage to information
and systems. This includes but is not limited to:
fire
flood
excessive heat
storms
biological agents
toxic dispersion
riots
power outage.

PUBLIC
4.2 Incident impact

Term Description
Confidentiality The confidentiality of Queensland Government information has been

compromised as a result of the incident. e.g. Unauthorised access to
information.
Integrity The integrity of Queensland Government Information has been

compromised as a result of the incident. e.g. Resulting in
inaccurate/incomplete information.
Availability The availability of Queensland Government information has been

compromised as a result of the incident. e.g. Information assets cannot
be accessed by authorised users
4.3 Incident cause

Term Description
Deliberate Where a person causes an information security incident intentionally with

a desired result or a particular purpose specified.
Accidental Where a person causes an information security incident or event

unexpectedly, unintentionally, without design or by chance.
Error A malfunction, error, flaw, mistake, failure, fault or bad code in an ICT
facility, device or software program that prevents it from behaving as
intended.
Unknown Incident cause is unable to be identified. Requires further investigation.
4.4 Incident origin

Term Description
Internal (agency) Existing, occurring or originating with the agency.
Internal (Queensland Existing, occurring or originating within the Queensland Government.

Government)
External Existing, occurring or originating outside the Queensland Government.
Unknown Origin is unable to be clearly identified. Requires further investigation
4.5 Severity and severity type

Refer to section 5 for event and incident severity matrix and severity type definitions

PUBLIC
5 Information security incident severity matrix

The Information security incident severity matrix (see figure 4, page 13) should be used to
determine the severity of an information security incident. This will result in a consistent
approach to both the process and the terminology across Queensland Government
agencies. It should be noted that this matrix is intended as a guide only, and the impact
types and their evaluation may need to be modified to suit individual agencies.
Agencies should avoid making a severity assessment solely on the basis of the security
classification of the information involved. For example, the unauthorised modification of
publicly available information such as a public health notice may still have a high impact on
individuals and agencies.
Note that it is the highest security incident severity rating as determined for a particular
incident that will be indicative of the overall severity of the incident. For example if an
incident as assessed has scores in a range from none/negligible to high, it is the highest
severity rating identified that should be applied to the incident.
See Section 5.1 below for an example of how to apply the severity matrix.

PUBLIC
Impact Type Severity

Lowest ---------------------------------------------------------------------------------------------------------------------------- Highest
None/negligible Minor Moderate High Very high
Risk to individual None/negligible Any risk to personal Threatens life directly

safety safety
Distress caused to any None/negligible Short term distress Limited long term Substantial long term
party distress distress
Damage to any partys None/negligible Minor local impact Moderate Significant Severe
standing or reputation and/or limited short embarrassment and/or embarrassment, loss of embarrassment, loss of
term damage short term damage public confidence public confidence
and/or limited long and/or substantial long
term damage term damage
Inconvenience to any None/negligible Minor inconvenience Moderate Significant Substantial

party inconvenience inconvenience inconvenience
Public order None or negligible Measurable impact Prejudice Seriously prejudice
Unauthorised No or negligible Minor impact Measurable impact, Significant impact to Substantial impact to
disclosure of disclosure of sensitive breach of regulations person, agency or person, agency or
personally or information or commitment to business business
commercially sensitive confidentiality
information
Impact on Government No or negligible impact Cause financial loss or Work significantly Substantial damage
finances or economic loss of earning against
and commercial potential
interests

PUBLIC

Lowest ---------------------------------------------------------------------------------------------------------------------------- Highest
Financial loss to any No or negligible loss Minor loss Moderate loss Significant loss Substantial loss
client1 of the service
provider or third party
Financial loss to No or negligible Loss Minor Moderate Significant Substantial

agency/service < 2% of monthly 2% < 5% of monthly 5% < 10% of monthly 10% of monthly
provider agency budget agency budget agency budget agency budget
Disruption to agency No or negligible Agency business Agency business

business operations disruption operations impaired in halted or significantly
any way impaired for a
sustained period
Service delivery None or negligible Minor interruptions or Loss of transactions in Significant interruptions Unable to continue to
disruption delays progress or delays deliver service in
Loss of completed current form.
transactions
Systems/network None or negligible Few non-critical Many non-critical Any critical system in a Multiple critical
affected systems in a stand- systems in a stand- networked environment systems in a
alone or networked alone or networked networked
environment environment environment.
1
In order to assist in the determination of the appropriate level of impact, the following is suggested: Minor <$50, Moderate $50- <$200, High $200 - <$2000 and Very High >=$2000. These figures are
guidelines only, and are based on an average individual. Where the client is known to be a corporation of other similar entity, these figures would need to be adjusted to something more akin to the
figures used for financial loss to the service provider. If multiple clients will suffer the loss, the impact level should be adjusted accordingly to reflect the total losses to clients.

PUBLIC

Lowest ---------------------------------------------------------------------------------------------------------------------------- Highest
Assistance to crime or Would be of no or Prejudice investigation Impede investigation or Prevent investigation

impact on its detection negligible assistance or or facilitate facilitate commission of or directly allow
hindrance to detection commission of serious crime commission of serious
of unlawful activity violations that will be crime
subject to enforcement
efforts
Agencies affected Small areas within a Most areas within a Multiple agencies Whole-of-government
single agency single agency
Propagation None or negligible Easily contained within Contained within a Likely to propagate (or Likely to propagate (or
a single system or single agency has propagated) to has propagated)
network segment other agencies beyond Queensland
Government networks.
Cannot be detected by
anti-virus products and
intrusion vector cant
be established.
Ease of recovery No/negligible recovery Handled by routine Requires additional Requires substantial Not directly
required tools and procedures resources (e.g. staff additional resources recoverable (significant
overtime, engagement (e.g. engagement of irreversible damage or
of third parties or additional staff or loss)
purchase of tools) contractors or
significant investment)

PUBLIC

Lowest ---------------------------------------------------------------------------------------------------------------------------- Highest
Impact on No or negligible impact Minor impact Impede effective Seriously Impede Substantially impede
development or development or
operation of major operation
government policy
Impact on risk of No or negligible impact Minor impact Measurable impact Significant impact Substantial impact
litigation
Figure 3: Information security incident severity matrix

PUBLIC
5.1 Severity type

To provide some assistance in completing the severity matrix, the following table (based on
the QGISCF approach) provides examples of considerations when assessing impacts.
Impact type Possible considerations
A. Risk to individual Consider any risk of any injury or impact on safety at all, as well as the
safety possibility of loss of life. An example could include release of names or
locations of under-cover officers, people under protection orders.
B. Distress caused to From the clients or publics point of view, distress could be caused by
any party many things, including the release of private information. From a service
providers point of view, potential impacts could include stress impacts on
employees and possible loss of jobs or major reorganisation forced by the
inappropriate release of information.
C. Damage to any Issues to consider include potential for adverse publicity, either locally or
partys standing or wider, and the potential to damage occurring to either the service
provider's or clients ongoing reputation. If inappropriate access to
reputation
information was granted, would it be of interest to the media?
D. Inconvenience to Consider factors such as releasing information which could lead to

any party identity fraud being perpetrated.
E. Public order Need to consider whether disclosure of information could pose a threat to
community relations and public order. This may occur when information is
released that can cause alarm in a way that then results in damage to
public order. An example would be disclosure of an offenders identity or
whereabouts where the community could then react and disturb public
order.
F. Unauthorised Would disclosure of information which should not be made public have an
disclosure of impact on any party, or would it violate legislative or regulatory guidelines
such as information privacy principles? Examples include medical records
personally or
and other personal information and commercially sensitive information
commercially sensitive
that could impact on current or future business.
information.
G. Impact on Would disclosure of information result in financial or economic

government finances consequences to government. Release of information may result in
financial gain or loss. Disclosure of planning decisions which could result
or economic and
in changing valuations would be an example
commercial interests
H. Financial loss to Consider this from the service providers perspective - what losses could
any client of the they incur? Considerations include possibility of fraud, a party illegally
transferring money, a party gaining control of assets they don't legally
service provider or
own (e.g. by using the provided information to establish an identity which
third party.
is not theirs, and then changing ownership details).
I. Financial loss to Consider this from the service providers perspective - what losses could
agency/service they incur? Considerations include possibility of fraud, a party illegally
transferring money, a party gaining control of assets they don't legally
provider
own (e.g. by using the provided information to establish an identity which
is not theirs, and then changing ownership details).

PUBLIC
Impact type Possible considerations
J. Disruption to Would unauthorised release of this information have the potential to

agency business reduce or prevent an agency or external party conducting their business?
For how long would this reduction/prevention last?
operations
K. Service delivery Would unauthorised release of this information have the potential to
disruption disrupt agency delivery of services to internal or external
clients/stakeholders? How long would this disruption last?
L. Systems affected How many systems have been affected by the incident? Are these critical
systems?
M. Assistance to Would release of this information have the potential to assist in the
serious crime or conduct of a crime or terrorist activity? This could include release of
information enabling the planning of a crime or terrorist activity, or the
hindrance of its
creation of a false identity.
detection
N. Agencies affected How many agencies have been affected? To what extent have they been
affected?
O. Propagation How quickly is this incident spreading? How wide is the spread? To what
extent is it affecting agencies? Can the incident be contained quickly?
P. Ease of recovery How long until systems are back to normal? How many systems are
affected?
Q. Impact on Would inappropriate disclosure cause embarrassment to government in

development or the stages where policy is being formulated or implemented? The impact
may be that a major policy initiative will not proceed.
operation of major
government policy

PUBLIC
5.2 Example incident severity assessment

The following tables provide examples of how to apply the categories and impact matrix for
the following events and incidents:
Example 1
The chair of an interview panel accidentally left a disk on a train which contains copies of
job applications for an advertised position. The applications contain personal applicant
details such as names, addresses, contact numbers, work history.
Category type Selection Rationale
Definition Incident
Incident
The occurrence was successful in
adversely affecting the security of the
information contained on the disk
Category Theft/loss of assets The disk was lost which contained

Theft/loss of assets
Queensland Government information
Compromises Confidentiality The confidentiality of the information

Confidentiality
on the disk has been compromised,
as it is viewable by anyone who
obtains it
Cause Accidental This loss was not intended or

Accidental
deliberate
Origin Internal Internal

The occurrence was caused by a staff
(agency) member within the agency
Severity type A. High: Any risk to The job applicant details (address/
A. Risk to individual
personal safety safety contact numbers) can be used to
locate individuals, which poses a risk
to their safety
B. Moderate: Short The job applicants may suffer distress

B. Distress caused to
term distress any party as a result of the loss of their
information.
C. Minor: Minor C. Damage to any The agencys reputation has not been
partys standing or
local impact and/or reputation
greatly affected amongst the general
limited short term public. However, it has had a negative
damage impact on the reputation amongst the
job applicants.
D. None/Negligible These details can be easily retrieved

D. Inconvenience to
any party from other electronic sources/devices
(original emails, original file locations)

PUBLIC
F. Moderate: F. Unauthorised The loss of the disk means that the

disclosure of personally
Measurable impact, or commercially details of the job applicants have
breach of been released to other parties without
regulations or the individuals authorisation
commitment to
confidentiality.
Severity High (Determined The occurrence was successful in

by highest severity High adversely affecting the security of the
rating) information contained on the disk
Example 2
A denial of service attack has occurred on an agency website, causing downtime and
disruption to critical public services. This attack left the agency unable to continue to deliver
the service for the duration of a working day, which caused inconvenience to consumers of
the service, and public embarrassment for the agency.
Definition Incident The denial of service attack caused

Incident
downtime and disruption it has
affected the availability of information.
Category Intrusions against Intrusions against

Since the attack was successful in
networks networks causing service disruption, it has
been classified as a network intrusion,
because agency firewalls were
penetrated.
Compromises Availability The availability of public services was

Availability
disrupted during the downtime of the
website.
Cause Deliberate The denial of service attack was a

Deliberate
persistent and focused attack which
illustrates it was deliberate in intent.
Origin External The attack came from outside the

External
agency network, with the aim of
infiltrating it.
Severity type C. Moderate: C. Damage to any The agencys reputation has been
partys standing or
Moderate reputation
damaged by the subsequent
embarrassment disruption of public services.
and/or short term
damage

PUBLIC
D. High: Significant The incident has caused a large

D. Inconvenience to
inconvenience any party amount of inconvenience to the
agency, as they attend to attack. The
public has been inconvenienced by
the disruption to services.
J. High: Agency J. Disruption to The agencys business operations

agency business
business operations operations
have been disrupted whilst they
impaired in any attend to the network intrusion.
way.
K. Very High: The agencys service delivery has

K. Service delivery
Unable to continue disruption been disrupted as a result of website
to deliver service in downtime.
current form.
Severity Very High The highest severity rating is

Very High
recorded (Severity Type K Very
High)
Example 3
An agency has detected an attempted network intrusion from an external source. This
particular attempt was unsuccessful in adversely affecting the security of agency
information, as the agencys security controls prevented an intrusion from occurring.
Definition Event The attempted intrusion was

Event
unsuccessful, as the controls in place
prevented the occurrence.
Category Intrusion against Intrusion against

The agency controls detected an
network network attempted network intrusion.
Cause Unknown Further investigation is required to

Unknown
determine the exact cause.
Origin External The occurrence is from an external

External
source, outside of the agency
network.

PUBLIC
Example 4
An agency has detected a network intrusion from an external source. This particular
attempt was successful in adversely affecting the security of agency information, as the
agencys security controls were not able to prevent the intrusion from occurring. As a result
of the attack, the agencys website was defaced, with the attackers removing the existing
content, and replacing it with offensive material. The incident is under investigation to
identify where the attack has come from.
Classification: This occurrence has been classified as two separate incidents, as both
incidents that have arisen as a result require different responses i.e. the network intrusion
requires action to increase the security controls, and the website defacement requires the
agency to restore their website and its content.
Incident 1 Network Intrusion
Definition Incident The agency controls were not able to

Incident
prevent the intrusion attempt.
Category Intrusion against Intrusion against Agency controls were breached,

network network leading to a network intrusion.
Compromises Confidentiality; Once the network intrusion has

Confidentiality
Integrity occurred, agency information is
viewable, compromising its
confidentiality. The subsequent
Integrity
website defacement has led to a
compromise of information integrity.
Cause Deliberate The intrusion has been deliberate,

Deliberate
because it has led to website
defacement.
Origin External The intrusion has occurred from

External
outside the agency network.
Severity type C. High: Significant C. Damage to any The network intrusion has caused
partys standing or
embarrassment, reputation
damage to the agencys reputation
loss of public (as a result of the subsequent website
confidence and/or defacement)
limited long term
damage.
D. Moderate: The agency has been inconvenienced

D. Inconvenience to
Moderate any party as a result of the efforts required to
inconvenience respond to the attack.
J. High: Agency J. Disruption to The agencys business operations

agency business
have been impacted on following the
impaired in any way intrusion of their network.

PUBLIC
N. Minor: Small The incident affected a small number

N. Agencies affected
areas within a of areas within the agency.
single agency
P. Moderate: In the affected area staff had to work

P. Ease of recovery
Requires additional extra hours to resolve the incident.
resources (e.g. staff
overtime,
engagement of third
parties or purchase
of tools)
Severity High The highest severity rating is

High
recorded
Incident 2 Website Defacement
Definition Incident The agency website was defaced.

Incident
Category Defacement of Defacement of public The website contained publicly

public information information accessible information, which was
modified without authorisation.
Compromises Integrity; Availability The integrity and availability of the

Integrity
website content was compromised, as
it was altered and/or removed from
Availability the website. Downtime to restore the
website further compromised
availability.
Cause Deliberate The attack was deliberate the

Deliberate
website was defaced indicating
malicious intent.
Origin External The intrusion occurred from outside

External
the agency network.
Severity type B. Moderate: Short Distress was caused to the public,

term distress any party since the web service was
unavailable. In addition, the public
were exposed to offensive material.

PUBLIC
C. High: Significant C. Damage to any The incident has caused damage to

partys standing or
embarrassment, reputation
the agencys reputation amongst the
loss of public public.
confidence and/or
limited long term
damage.
D. Moderate: Service downtime causes

D. Inconvenience to
Moderate any party inconvenience to both the agency and
inconvenience the public.
J. High: Agency J. Disruption to The agency business operations are

agency business
disrupted while they restore the
impaired in any website.
way.
K. High: Significant The services provided on the agency

K. Service delivery
interruptions or disruption website are adversely affected during
delays. Loss of the downtime.
completed
transactions.
P. Moderate: Efforts to restore the website to full

P. Ease of recovery
Requires additional functionality can be done with relative
resources (eg. staff ease. Some staff from the affected
overtime, area were required to work overtime
engagement of third to resolve the issue,
parties or purchase
of tools)
Severity High The highest severity rating is

High
recorded

PUBLIC
Example 5
An agency staff member has been caught viewing and editing confidential files that belong
to a senior staff member, without the authorisation to do so. The documents, which were
classified X-In Confidence, were removed from a filing cabinet located in the senior staff
members office, and replaced with alternative copies. In the process of searching for the
desired files, the employee also went through other documents containing personal details
of the senior staff member. It was later revealed the employee edited the documents
content for personal gain.
Classification: This occurrence has been classified as two separate incidents, as both
incidents that have arisen have compromised different aspects of agency information,
i.e. unauthorised access, and unauthorised changes to agency documents.
Incident 1 Unauthorised access to agency documents
Definition Incident The staff member has accessed

Incident
confidential information without
authorisation.
Category Unauthorised Unauthorised access The staff member has accessed

to information/
access to systems confidential documents from a senior
information/systems staff members filing cabinet.
Compromises Confidentiality The unauthorised access to senior

Confidentiality
staff documents has compromised the
confidentiality of the information.
Cause Deliberate The employee deliberately accessed

Deliberate
the document, in search of particular
information.

The incident occurred from within the
(agency) agency.
Severity type B. Moderate: Short Distress has been caused to the

term distress any party senior staff member, whose filing
cabinet was opened and searched.
D. Moderate: The incident has caused

D. Inconvenience to
Moderate any party inconvenience to the senior staff
inconvenience member.
F. Very High: F. Unauthorised The confidential documents have had

Substantial impact or commercially their contents disclosed to other
to person, agency parties, without the authorisation of
or business the owner.

Very High
recorded

PUBLIC
Incident 2 Unauthorised changes to agency documents
Definition Incident The staff member has compromised

Incident
the integrity of the information, by
developing a fraudulent copy of a
document.
Unauthorised changes
Category Unauthorised to information, Changes have been made to an
changes to applications, systems agency document, without
or hardware
information, authorisation.
applications,
systems or
hardware
Compromises Confidentiality; The incident compromises the

Confidentiality
Integrity confidentiality of the original
document (and additional ones
Integrity searched), as well as the integrity of
the edited document.
Cause Deliberate The employee deliberately edited the

Deliberate
document.

The incident occurred from within the
(agency) agency.
Severity type B. High: Limited Distress has been caused to the

long term distress any party senior staff member, whose filing
cabinet was opened and searched,
and documents were edited.
D. High: Significant The incident has caused

D. Inconvenience to
inconvenience any party inconvenience to the senior staff
member.
F. Very High: F. Unauthorised The confidential documents have had

Substantial impact or commercially their contents disclosed to other
to person, agency parties, without the authorisation of
or business the owner.

Very High
recorded

PUBLIC
Example 6
An agency staff member has been caught viewing confidential documents that belong to a
senior staff member, without authorisation. The documents, which were not marked as
classified, were left unattended on a public desk. The staff member claims he was unaware
that he did not have the appropriate authority to view the documents.
Definition Incident The confidentiality of the document

Incident
has been compromised as a result of
this occurrence.
Category Unauthorised Unauthorised access The staff member did not have
to information/
access to systems authorisation to view the contents of
information/ the document.
systems
Compromises Confidentiality The document had confidential

Confidentiality
material, which was viewed by a staff
member without authorisation.
Cause Accidental The employee was unaware of the

Accidental
documents confidentiality. The
employee assumed it was suitable to
read, since the document was left in a
public place, without specifying the
correct licensing.

The incident has occurred within the
(agency) agency from an employee.
Severity type B. Moderate: Short There was some short term distress
term distress any party to the employee who accessed the
information.
F. Very High: F. Unauthorised The employee who viewed the

Substantial impact or commercially document was not authorised to do
to person, agency so. The owner of the document has
or business allowed for the contents to be viewed
by employees who do not have
authorisation to do so. It has caused a
substantial impact to the party that
was the subject of the document.

Very High
recorded

PUBLIC
Example 7
A staff member has incorrectly sent an email with confidential agency information to
another staff member. The email recipient was incorrectly selected by the sender, and as a
result, the confidential content was not sent to the intended person, but instead read by the
unauthorised staff member. It was determined by the agency that the recipient had no prior
involvement in the leaking of this information i.e. did not instigate the email, and was not in
breach of any agency information security policy. The sender confirmed that the incident
was a result of an error on their behalf.
Definition Incident Through the distribution of a

Incident
misguided email, the confidentiality of
agency information was
compromised.
Category Unauthorised F. Unauthorised The staff member has disclosed

disclosure of or commercially agency information to another staff
personally or member, without authorisation.
commercially
Compromises Confidentiality The confidentiality of agency

Confidentiality
information was compromised.
Cause Accidental The sender of the email has made an

Accidental
error when distributing the
information. It was not intentional.

The incident has occurred between
(agency) two staff members within the agency.
Severity type B. Moderate: Short B. Distress caused to

The incident has caused short term
any party
term distress distress for the employee who sent
the email, as they were responsible
for the unauthorised distribution of
confidential material.
F. Moderate: F. Unauthorised The sender of the email has disclosed

Measurable impact, or commercially confidential information without
breach of regulations authorisation.
or commitment to
confidentiality
P. Minor: Handled by The incident was handled by routine

P. Ease of recovery
routine tools and procedures
procedures
Severity Moderate The highest severity rating is

Moderate
recorded

PUBLIC

Incident Category Guideline v2 0 0

Загружено:

Сведения о документе

Оригинальное название

Авторское право

Доступные форматы

Поделиться этим документом

Поделиться или встроить документ

Параметры публикации

Этот документ был вам полезен?

Это неприемлемый материал?

Авторское право:

Доступные форматы

Incident Category Guideline v2 0 0

Загружено:

Авторское право:

Доступные форматы

Queensland Government Enterprise Architecture

Security classification PUBLIC

Date of review of security

Authority Queensland Government Chief Information Officer

Author Queensland Government Chief Information Office

Documentation status Working draft Consultation release Final version

Contact for enquiries and proposed changes

Final | v2.0.0 | August 2013 Page 2 of 27

3 Information security event and incident definitions .......................................................... 8

4 Information security event and incident categories .......................................................... 8

5 Information security incident severity matrix .................................................................. 11

Final | v2.0.0 | August 2013 Page 3 of 27

Final | v2.0.0 | June 2013 Page 4 of 27

The Information security incident category guideline will:

2.2 Relationship to other documents

Figure 1: Queensland Government Incident Management Documents

Final | v2.0.0 | June 2013 Page 5 of 27

2.3 How is the Information security incident category guideline

Final | v2.0.0 | June 2013 Page 6 of 27

Unauthorised release Violation of Deliberate Accidental

Intrusions against Password Internal Internal

Abuse of privileges Other events External Unknown

None/Negligible Minor Moderate High Very High

any party or economic and affected operation of major

Figure 2: Information security incident definition, categories and severity

Final | v2.0.0 | June 2013 Page 7 of 27

3 Information security event and incident definitions

Event An identified occurrence or activity that threatens to adversely affect the

Incident An identified occurrence or activity that has been successful in adversely

4 Information security event and incident categories

Unauthorised release Unauthorised release or disclosure of Queensland Government

Malware infections Software programs designed to cause damage to Queensland

Intrusions against Intrusions specifically targeting Queensland Government internal

Abuse of privileges Changes to privilege use settings on stand-alone or networked

Unauthorised changes Any unauthorised changes to an organisations file system, including

Final | v2.0.0 | June 2013 Page 8 of 27

Any unauthorised installation of additional processing, communications or

Violation of Any violation of information security policy or the information security

Suspicious system Unknown network activities affecting/degrading network performance with

Includes a malfunction within the electronic circuits, electromechanical

Password Sharing/stealing/loss of passwords or other authentication token.

Sabotage/physical Any damage or destruction of physical information or electronic devices.

Final | v2.0.0 | June 2013 Page 9 of 27

4.2 Incident impact

Confidentiality The confidentiality of Queensland Government information has been

Integrity The integrity of Queensland Government Information has been

Availability The availability of Queensland Government information has been

4.3 Incident cause

Deliberate Where a person causes an information security incident intentionally with

Accidental Where a person causes an information security incident or event

Unknown Incident cause is unable to be identified. Requires further investigation.

4.4 Incident origin

Internal (agency) Existing, occurring or originating with the agency.

Internal (Queensland Existing, occurring or originating within the Queensland Government.

External Existing, occurring or originating outside the Queensland Government.

Unknown Origin is unable to be clearly identified. Requires further investigation

4.5 Severity and severity type

Final | v2.0.0 | June 2013 Page 10 of 27

5 Information security incident severity matrix

Final | v2.0.0 | June 2013 Page 11 of 27

Impact Type Severity

None/negligible Minor Moderate High Very high

Risk to individual None/negligible Any risk to personal Threatens life directly