Information security
incident category guideline
Final
August 2013
v2.0.0
PUBLIC
QGEA PUBLIC Information security incident category guideline
Document details
Acknowledgements
This version of the Information security incident category guideline was developed and updated by
the Queensland Government Chief Information Office.
Feedback was also received from a number of agencies, which was greatly appreciated.
Copyright
Information security incident category guideline
Copyright The State of Queensland (Queensland Government Chief Information Office) 2013
Licence
Information security incident category guideline by the Queensland Government Chief Information
Office is licensed under a Creative Commons Attribution 3.0 Australia licence. To view the terms of
this licence, visit http://creativecommons.org/licenses/by/3.0/au. For permissions beyond the scope
of this licence, contact qgcio@qgcio.qld.gov.au.
To attribute this material, cite the Queensland Government Chief Information Office.
Information security
This document has been security classified using the Queensland Government Information
Security Classification Framework (QGISCF) as PUBLIC and will be managed according to the
requirements of the QGISCF.
Contents
1 Introduction (page 4)
1.1 Purpose (page 4)
1.2 Audience (page 4)
1.3 Scope (page 4)
2 Background (page 4)
2.1 Why was the Information security incident category guideline developed? (page 4)
2.2 Relationship to other documents (page 5)
2.3 How is the Information security incident category guideline structured? (page 6)
Figures
Figure 1: Queensland Government Incident Management Documents (page 5)
Figure 2: Information Security Incident Definition, Categories and Severity (page 7)
Figure 3: Information Security Incident Definition, Categories and Severity mapped to DSD categories
Figure 4: Information security incident severity matrix (page 15)
1 Introduction
1.1 Purpose
The Information security incident category guideline provides guidance to achieve a
consistent approach to categorising information security incidents. It assists agencies in the
internal management of information security events and incidents and in the external
reporting of those incidents, when required. The consistency in categorising information
security events and incidents that results from using this guideline will also facilitate
information sharing across Queensland Government agencies. This document also provides
a matrix for determining information security incident severity. That matrix is based on the
impact assessment matrix documented in the Queensland Government Information Security
Classification Framework (QGISCF).
1.2 Audience
This document is primarily intended for:
- departmental staff and operational areas involved in information security incident management
- information governance bodies
- Queensland Government Virtual Incident Response Team.
1.3 Scope
This guideline relates to incident management and compliance management domains
within the information security slice of the Queensland Government Enterprise Architecture
(QGEA).
2 Background
2.1 Why was the Information security incident category guideline
developed?
The Auditor-General of Queensland's Report to Parliament No. 4 for 2009 detailed a
number of key network security issues outlined in Section 4.2 Information Technology
Network Security. With regard to information security incident management, the report
found that:
- there is no centrally coordinated reporting and monitoring process for government IT security incidents
- no mandatory standards that require agencies to report such incidents exist
- formal processes for security incident and problem management are not in place
- agencies should monitor their networks for potential security breaches.
The Incident category guideline has been developed to provide a consistent and structured
approach to defining and categorising information security events and incidents within
agencies and at a whole-of-government level. This assists agencies in managing their
information security events and incidents internally and when external reporting is required.
Figure 1: Queensland Government Incident Management Documents. The figure shows the
Queensland Government Information Security Incident Category Guideline as the overarching
document, with the Queensland Government Information Security Incident Management
Guideline and the Queensland Government Information Security Event and Incident Reporting
Standard beneath it.
The Information security incident category guideline is the overarching document which
provides consistent definitions, categories and severity scales across all agencies within the
Queensland Government. However, the management of agency internal information
security events and incidents and agency external reporting requirements are outside the
scope of this guideline and are covered in the Information security incident management
guideline.
Figure 2: Information Security Incident Definition, Categories and Severity. The figure sets out
the following structure:
Definition: Event; Incident.
Category (what is compromised: Confidentiality, Integrity or Availability): Unauthorised access
to information/systems; Unauthorised changes to information, applications, systems or
hardware; Theft/loss of assets; Defacement of public information.
Cause: Suspicious system behaviour or failure (hardware/software or communications);
Malware infections; Error; Unknown; ... information policy.
Severity type:
A. Risk to individual safety
B. Distress caused to any party
C. Damage to any party's standing or reputation
D. Inconvenience to any party
E. Public order
F. Unauthorised disclosure of personally or commercially sensitive information
G. Impact on Government finances
H. Financial loss to any client of the service provider or third party
I. Financial loss to agency/service provider
J. Disruption to agency business operations
K. Service delivery disruption
L. Systems/network affected
M. Assistance to crime or impact on its detection
N. Agencies affected
O. Propagation
P. Ease of recovery
Q. Impact on development or operation of major government policy
Term: Description
Theft/loss of assets: The theft or loss of any information or technology asset/device (including
portable and fixed media) that might have been or has been used to either process or store
Queensland Government information.
Unauthorised access to information/systems: Unauthorised access from internal and external
sources to Queensland Government information and systems.
Other events: Natural events and other events which result in damage to information and
systems. This includes but is not limited to:
- fire
- flood
- excessive heat
- storms
- biological agents
- toxic dispersion
- riots
- power outage.
Error: A malfunction, error, flaw, mistake, failure, fault or bad code in an ICT facility, device or
software program that prevents it from behaving as intended.
Information security incident severity matrix
Each row lists the impact type, followed by its severity levels from lowest to highest, separated
by "|". Where five levels are given they correspond to None/negligible | Minor | Moderate | High |
Very High.

Distress caused to any party:
None/negligible | Short term distress | Limited long term distress | Substantial long term distress

Damage to any party's standing or reputation:
None/negligible | Minor local impact and/or limited short term damage | Moderate
embarrassment and/or short term damage | Significant embarrassment, loss of public
confidence and/or limited long term damage | Severe embarrassment, loss of public
confidence and/or substantial long term damage

Unauthorised disclosure of personally or commercially sensitive information:
No or negligible disclosure of sensitive information | Minor impact | Measurable impact, breach
of regulations or commitment to confidentiality | Significant impact to person, agency or
business | Substantial impact to person, agency or business

Impact on Government finances or economic and commercial interests:
No or negligible impact | Cause financial loss or loss of earning potential | Work significantly
against | Substantial damage

Financial loss to any client(1) of the service provider or third party:
No or negligible loss | Minor loss | Moderate loss | Significant loss | Substantial loss

Service delivery disruption:
None or negligible | Minor interruptions or delays | Loss of transactions in progress or delays |
Significant interruptions; loss of completed transactions | Unable to continue to deliver service
in current form

Systems/network affected:
None or negligible | Few non-critical systems in a stand-alone or networked environment |
Many non-critical systems in a stand-alone or networked environment | Any critical system in a
networked environment | Multiple critical systems in a networked environment

Agencies affected:
Small areas within a single agency | Most areas within a single agency | Multiple agencies |
Whole-of-government

Propagation:
None or negligible | Easily contained within a single system or network segment | Contained
within a single agency | Likely to propagate (or has propagated) to other agencies | Likely to
propagate (or has propagated) beyond Queensland Government networks; cannot be detected
by anti-virus products and intrusion vector can't be established

Ease of recovery:
No/negligible recovery required | Handled by routine tools and procedures | Requires
additional resources (e.g. staff overtime, engagement of third parties or purchase of tools) |
Requires substantial additional resources (e.g. engagement of additional staff or contractors
or significant investment) | Not directly recoverable (significant irreversible damage or loss)

Impact on development or operation of major government policy:
No or negligible impact | Minor impact | Impede effective development or operation | Seriously
impede | Substantially impede

Impact on risk of litigation:
No or negligible impact | Minor impact | Measurable impact | Significant impact | Substantial
impact

(1) In order to assist in the determination of the appropriate level of impact, the following is
suggested: Minor <$50, Moderate $50 - <$200, High $200 - <$2000 and Very High >=$2000.
These figures are guidelines only, and are based on an average individual. Where the client is
known to be a corporation or other similar entity, these figures would need to be adjusted to
something more akin to the figures used for financial loss to the service provider. If multiple
clients will suffer the loss, the impact level should be adjusted accordingly to reflect the total
losses to clients.
A. Risk to individual safety: Consider any risk of any injury or impact on safety at all, as well
as the possibility of loss of life. An example could include release of names or locations of
under-cover officers, or of people under protection orders.

B. Distress caused to any party: From the client's or public's point of view, distress could be
caused by many things, including the release of private information. From a service provider's
point of view, potential impacts could include stress impacts on employees and possible loss
of jobs or major reorganisation forced by the inappropriate release of information.

C. Damage to any party's standing or reputation: Issues to consider include the potential for
adverse publicity, either locally or wider, and the potential for damage to the service provider's
or client's ongoing reputation. If inappropriate access to information was granted, would it be
of interest to the media?

E. Public order: Consider whether disclosure of information could pose a threat to community
relations and public order. This may occur when information is released that can cause alarm
in a way that then results in damage to public order. An example would be disclosure of an
offender's identity or whereabouts where the community could then react and disturb public
order.

F. Unauthorised disclosure of personally or commercially sensitive information: Would
disclosure of information which should not be made public have an impact on any party, or
would it violate legislative or regulatory guidelines such as information privacy principles?
Examples include medical records and other personal information, and commercially
sensitive information that could impact on current or future business.

H. Financial loss to any client of the service provider or third party: Consider this from the
service provider's perspective: what losses could they incur? Considerations include the
possibility of fraud, a party illegally transferring money, or a party gaining control of assets
they don't legally own (e.g. by using the provided information to establish an identity which is
not theirs, and then changing ownership details).

I. Financial loss to agency/service provider: Consider this from the service provider's
perspective: what losses could they incur? Considerations include the possibility of fraud, a
party illegally transferring money, or a party gaining control of assets they don't legally own
(e.g. by using the provided information to establish an identity which is not theirs, and then
changing ownership details).

K. Service delivery disruption: Would unauthorised release of this information have the
potential to disrupt agency delivery of services to internal or external clients/stakeholders?
How long would this disruption last?

L. Systems affected: How many systems have been affected by the incident? Are these critical
systems?

M. Assistance to serious crime or hindrance of its detection: Would release of this information
have the potential to assist in the conduct of a crime or terrorist activity? This could include
release of information enabling the planning of a crime or terrorist activity, or the creation of a
false identity.

N. Agencies affected: How many agencies have been affected? To what extent have they
been affected?

O. Propagation: How quickly is this incident spreading? How wide is the spread? To what
extent is it affecting agencies? Can the incident be contained quickly?

P. Ease of recovery: How long until systems are back to normal? How many systems are
affected?
Category type: Definition
Selection: Incident
Rationale: The occurrence was successful in adversely affecting the security of the
information contained on the disk.

Category type: Severity type
Selection: A. Risk to individual safety, rated High (Any risk to personal safety)
Rationale: The job applicant details (address/contact numbers) can be used to locate
individuals, which poses a risk to their safety.

Category type: Severity type
Selection: C. Damage to any party's standing or reputation, rated Minor (Minor local impact
and/or limited short term damage)
Rationale: The agency's reputation has not been greatly affected amongst the general public.
However, it has had a negative impact on the reputation amongst the job applicants.
Example 2
A denial of service attack has occurred on an agency website, causing downtime and
disruption to critical public services. This attack left the agency unable to continue to deliver
the service for the duration of a working day, which caused inconvenience to consumers of
the service, and public embarrassment for the agency.
Category type: Severity type
Selection: C. Damage to any party's standing or reputation, rated Moderate (Moderate
embarrassment and/or short term damage)
Rationale: The agency's reputation has been damaged by the subsequent disruption of public
services.
Example 3
An agency has detected an attempted network intrusion from an external source. This
particular attempt was unsuccessful in adversely affecting the security of agency
information, as the agency's security controls prevented an intrusion from occurring.
Example 4
An agency has detected a network intrusion from an external source. This particular
attempt was successful in adversely affecting the security of agency information, as the
agency's security controls were not able to prevent the intrusion from occurring. As a result
of the attack, the agency's website was defaced, with the attackers removing the existing
content and replacing it with offensive material. The incident is under investigation to
identify where the attack has come from.
Classification: This occurrence has been classified as two separate incidents, as the two
incidents that have arisen as a result require different responses, i.e. the network intrusion
requires action to increase the security controls, and the website defacement requires the
agency to restore its website and its content.
Incident 1: Network Intrusion
Category type | Selection | Rationale

Category type: Severity type
Selection: C. Damage to any party's standing or reputation, rated High (Significant
embarrassment, loss of public confidence and/or limited long term damage)
Rationale: The network intrusion has caused damage to the agency's reputation (as a result
of the subsequent website defacement).
Example 5
An agency staff member has been caught viewing and editing confidential files that belong
to a senior staff member, without the authorisation to do so. The documents, which were
classified X-In Confidence, were removed from a filing cabinet located in the senior staff
member's office, and replaced with alternative copies. In the process of searching for the
desired files, the employee also went through other documents containing personal details
of the senior staff member. It was later revealed the employee edited the documents'
content for personal gain.
Classification: This occurrence has been classified as two separate incidents, as the two
incidents that have arisen have compromised different aspects of agency information,
i.e. unauthorised access, and unauthorised changes to agency documents.
Incident 1: Unauthorised access to agency documents

Category type: Category
Selection: Unauthorised changes to information, applications, systems or hardware
Rationale: Changes have been made to an agency document, without authorisation.
Example 6
An agency staff member has been caught viewing confidential documents that belong to a
senior staff member, without authorisation. The documents, which were not marked as
classified, were left unattended on a public desk. The staff member claims he was unaware
that he did not have the appropriate authority to view the documents.
Category type: Category
Selection: Unauthorised access to information/systems
Rationale: The staff member did not have authorisation to view the contents of the document.

Category type: Severity type
Selection: B. Distress caused to any party, rated Moderate (Short term distress)
Rationale: There was some short term distress to the employee who accessed the
information.
Example 7
A staff member has incorrectly sent an email with confidential agency information to
another staff member. The email recipient was incorrectly selected by the sender, and as a
result, the confidential content was not sent to the intended person, but instead read by the
unauthorised staff member. It was determined by the agency that the recipient had no prior
involvement in the leaking of this information, i.e. the recipient did not instigate the email and
was not in breach of any agency information security policy. The sender confirmed that the
incident was a result of an error on their part.