The Queensland Government Information Security Classification Framework (QGISCF) supports the Information security policy (IS18:2018).
Agencies should classify their information and information assets according to business impact and implement appropriate controls according to the classification. To apply information classification at the enterprise level an organisation needs to:
An assessment tool is available to assist agencies in determining their BILs. Information that has been assessed as having a ‘high’ business impact level to confidentiality (C), integrity (I) or availability (A) may only be stored or processed offshore where the agency:
The Confidentiality labels are OFFICIAL (low or negligible confidentiality impact), SENSITIVE (moderate confidentiality impact) and PROTECTED (high confidentiality impact). Where an agency has determined high confidentiality information to be at the PROTECTED level, an agency must consider the PROTECTED controls outlined in the current Australian Government Information security manual published by the Australian Cyber Security Centre. Where an information asset is shared between government agencies, partner agencies should apply equivalent controls to those determined by the information-owning agency to be adequate.
Introduction
This document, the Queensland Government Information Security Classification Framework (QGISCF), supports the Information Security Policy (IS18:2018). It sets the minimum requirements for information security classification. Information security (IS18:2018) Policy Requirement 3: Agencies must meet minimum security requirements states that ‘To ensure a consistent security posture and promote information sharing, Queensland Government departments must comply with the Queensland Government Information Security Classification Framework (QGISCF)’. Consistent classification of information helps Queensland Government agencies make more informed and timely decisions about how they should capture, store, maintain, transmit, process, use and share information to best deliver services to Queenslanders. The confidentiality labels are OFFICIAL (low or negligible confidentiality impact), SENSITIVE (moderate confidentiality impact) and PROTECTED (high confidentiality impact). Agencies must:
Information that has been assessed as having a ‘high’ business impact level to confidentiality (C), integrity (I) or availability (A) may only be stored or processed offshore where the agency:
Where an agency has determined information has a ‘High’ Confidentiality Business Impact and warrants the PROTECTED label, the agency must consider applying the PROTECTED controls outlined in the current Australian Government Information Security Manual published by the Australian Cyber Security Centre. Agencies should:
Custodians of information should maintain a control environment deemed adequate by the information owner.
Scope
This framework provides a process and direction for determining the security classification of information considering the three elements of information security.
Information security consideration descriptions
National security
The QGISCF does not provide specific guidance for handling national security information, classified material or systems that are assessed to have confidentiality requirements above PROTECTED. Where an agency has cause to handle such material/systems, it should refer to the Australian Government Protective Security Policy Framework and the Security and Counter-Terrorism Command in Queensland Police Service. Telephone 07 3364 3665 or email
Audience
Queensland Government information must be security assessed. This document is intended for the use of employees and contractors within Queensland Government agencies. It will be relevant to:
Implementation
This framework must be used by all Queensland Government agencies to assess the information security of their information and information assets. The classification assessment levels are as follows.
Information security – confidentiality, integrity and availability
The organisation should identify and apply assessment levels for confidentiality, integrity and availability impact to their information. The assessment levels are used to identify which controls are appropriate to safeguard that information. Where an agency shares information with partner agencies, there is an expectation that the partner agencies will apply equivalent controls. It is good practice to document the business impact levels for information and relevant control expectations between agencies when they share information. In some cases, a classification guide may be useful. Guides give users greater clarity in determining classification levels using specific examples relevant to the subject matter. There is not always a direct relationship between confidentiality, integrity and availability. In that case, the control selection would skew towards a control set that enhanced integrity as much as possible, did not unnecessarily restrict availability, and met the department’s minimum control requirements for confidentiality.
Information offshore data storage and processing
Information that has been assessed as having a ‘high’ business impact level to confidentiality (C), integrity (I) or availability (A) may only be stored or processed offshore where the agency:
The risk assessment related to the C, I and A business impacts should consider the following threat areas:
Integrity assessment
Information integrity refers to how well the information reflects its underlying subject. ISO/IEC 27000:2016 defines integrity as the ‘property of accuracy and completeness’. (2.40) Information integrity may be compromised by accident or by a (semantic) attack. Such attacks can be especially destructive against financial systems (e.g. fraud) and SCADA[1] (e.g. Stuxnet). With the rise of the Internet of Things, information integrity, including data quality, will be an increasing concern.
The business impact of inadequate information integrity may differ for different information assets. Inadequate information integrity in a financial system will almost certainly have significant financial and/or legal consequences; whereas inadequate information integrity in an email distribution list may only result in inconvenience and slight embarrassment. The integrity level of ‘low or none’, ‘medium’ or ‘high’ should describe the business impact given a hazard event where inappropriate or unauthorised changes have reduced the integrity of the information. The higher the integrity requirement, the more control should be implemented to safeguard information against inappropriate or unauthorised change. The outcome of information security integrity assessment should be an indication of the business impact should the integrity of information be compromised. Information integrity levels are determined by the agency business needs, but at a minimum, information should be stored, handled and disposed of in accordance with the Public Records Act 2002 (Qld). Other specific legislation, such as the Information Privacy Act 2009 (Qld) and financial accountability regulations may also create information integrity requirements for agencies. Appendix A is an example of how a business impact assessment can be used to assess integrity levels.
Availability assessment
For information to be useful and serve the organisation’s purpose, it must reliably be available when it is needed and in a form that is able to be consumed by users. Information availability refers to how accessible information is for an intended user or audience at the time the information is required. Agencies must determine the availability requirements of information that they own and manage and the business impact if the information is not available to the right people or systems at the right time.
The outcome of Information security availability assessment of ‘high’, ‘medium’ or ‘low’ is based on the business impact should the information availability be compromised. Information availability assessment levels are determined by the agency business needs. Information availability can be compromised because of both human directed (intentional) and non-directed (unintentional) events. Unintentional events include failure of equipment due to lack of maintenance or a natural occurrence such as a cyclone. Intentional attacks, such as denial of service attacks, cause disruption of normal functioning of information systems, leading to availability compromise over varying timescales. Agencies should assess the risk that loss of information availability might cause damage to the organisation and consider whether specific controls are warranted. In many cases, planned and tested business continuity and disaster recovery processes will provide significant mitigation to information availability risk; however, where information is assessed to have a high availability impact, there may be a need for additional controls or approaches to ensure information is available to the right people and systems within the time tolerance required. Appendix B may assist in identifying availability objectives to support business impact requirements.
Confidentiality assessment
An information security confidentiality assessment examines the impact should the information be inappropriately released. A confidentiality level can be applied to individual documents or information assets. The information security (confidentiality) level applied to a document or data element flags how access to the information should be restricted and the efforts that should be made in doing so.
Confidentiality classification labels
The confidentiality classification labels are considered in relation to the increasing confidentiality business impact, should information be compromised or shared inappropriately.
The confidentiality classification labels for Queensland Government information are:
A Confidentiality classification label should not be applied to information in order to either:
The QGISCF does not deal with National Security Information (NSI) that is assessed to be classified above PROTECTED, however the framework integrates into the broader Australian Government approach to allow interoperability. Agencies must undertake an information security confidentiality (business impact) assessment to determine the appropriate confidentiality level (OFFICIAL, SENSITIVE, PROTECTED). An agency must apply security controls which are commensurate with the assessed business impact. This framework does not mandate specific controls - agencies should select the controls best suited to their business and technology needs. The chosen controls must provide sufficient safeguards to adequately protect the information based on the confidentiality level of the information. For PROTECTED information, an agency must consider the controls outlined for PROTECTED information in the current Australian Government information security manual. Where the controls applied to PROTECTED information are not equivalent to those outlined in the information security manual, the agency accountable officer must accept any resulting risk. The risk should be recorded in the agency risk register and shared with partner agencies.
OFFICIAL
OFFICIAL represents most Queensland Government information by volume, but lowest business impact per document if compromised or lost. However, where information is aggregated on an information asset such as an ICT server, the impact of compromise may increase and with it, the controls. OFFICIAL information is routine information without special sensitivity or handling requirements. All routine public-sector business, operations and services are treated as OFFICIAL. At the OFFICIAL classification there is a general presumption that data may be shared across government. Security measures should be proportionate and driven by the business requirement. Most OFFICIAL information is subject to the Public Records Act 2002 (Qld).
SENSITIVE
The use of the SENSITIVE label indicates that information requires additional handling care due to its sensitivity or moderate business impact if compromised or lost. SENSITIVE information must be labelled. Examples of SENSITIVE information may include:
Most SENSITIVE information is subject to the Public Records Act 2002 (Qld).
PROTECTED
PROTECTED information requires the most careful safeguards due to its sensitivity or major business impact if compromised or lost. PROTECTED information assets require a substantial degree of control as compromise could cause serious damage to the State, the Government, commercial entities or members of the public. PROTECTED information must be labelled. Cabinet information is PROTECTED. Cabinet documents (CABINET information) can be damaging to the public policy agenda and the government generally, and to the public interest. Unlawful disclosure of Cabinet information may constitute an offence under the Criminal Code Act 1899 (Qld), Public Sector Ethics Act 1994 (Qld) and may constitute official misconduct under the Crime and Misconduct Act 2001 (Qld). The primary guidance document to support these processes, including the handling of Cabinet material, is the Queensland Cabinet Handbook. Most PROTECTED information is subject to the Public Records Act 2002 (Qld).
Sharing information and the ‘need to know’
The ‘need to share’ information must be balanced with the ‘need to know’ information to perform official tasks. Access to some information needs to be restricted because it could harm government interests or the people of Queensland. Applying a security classification to information signals that the agency has assessed the business impact arising from loss of the information’s confidentiality and expects those that access it to secure it appropriately.
Both over-classification and under-classification of information can be detrimental to government:
All government information must be:
Discrete information (unstructured data)
Discrete information, such as documents or emails, may receive an information security confidentiality assessment to indicate the business impact should the information be compromised or made available to the wrong individuals. Agencies should create guidance and procedures to assist employees to classify discrete information correctly.
Information assets (structured data)
For information assets, a system’s confidentiality assessment provides an indication of the maximum sensitivity and confidentiality of information that the system is accredited to handle by the agency’s accountable officer. Any assessment must also consider the aggregate sensitivity of the data held in the system.
Australian Government Protective Security Policy Framework
QGISCF is intended to be compatible with the Australian Government Protective Security Policy Framework and Australian Government Information Security Manual. Queensland has adopted the security classification levels OFFICIAL, SENSITIVE and PROTECTED to align with the federal government approach.
Confidentiality business impact levels
Departments should identify on a risk basis which business impacts should be considered when identifying whether loss of information confidentiality has a high, medium or ‘low or negligible’ impact. The business impact level (confidentiality) will determine the classification label. Appendix C may assist in identifying confidentiality objectives to support business impact requirements.
Confidentiality impact and classification levels
Information asset confidentiality control summary
This section contains summary details of the controls relevant for the various levels.
OFFICIAL
SENSITIVE
PROTECTED
Information security assessment process
It is necessary to ensure that the information security assessment is a living process, that is, information security needs to be periodically and regularly reassessed as part of the Information Security Management System (ISMS). Each of the steps identified below is expanded in more detail in the following sub-sections.
Information security assessment process
Identify information
Agencies must identify any information assets that they hold. The Information asset custodianship policy states the Queensland Government will identify its information assets and assign appropriate custodianship roles and responsibilities to ensure these assets are managed throughout their lifecycle. Information assets can be documents, electronic messages, a row in a database (or the database table itself), collections of metadata, or a table or figure within a document. An information asset may hold information in multiple formats or media types. Information assets can be identified by a range of agency processes, including during application of the Digital and ICT Strategic Planning Framework and ICT profiling standard (Queensland Government employees only). In some cases, it may be prudent to logically segment an information asset to be able to assign different business impact levels to the information it contains. Segmentation is discussed further in the appendices.
Determine the owner of the information
All agencies must assign roles and responsibilities to information assets as per the Information asset custodianship policy. This should include the role of 'delegated owner' as defined in the Information management roles and responsibilities guideline. Ownership of an information asset or discrete segment of information should reside with only one individual with authority to make decisions about how the information should be handled. Information ownership must be documented and kept current.
Information ownership may be delegated by the accountable officer (agency head) on a risk basis. The information owner is accountable for establishing the overall confidentiality, integrity and availability assessments of their information. The information owner may delegate the responsibility (custodianship) for maintaining asset information controls which must be clearly documented in line with the Information asset custodianship policy.
Undertake Business impact level assessment and Assign C.I.A levels
Example business impact assessment tables for confidentiality, integrity and availability are in the appendices. These list in tabular form impacts which agencies might consider as low, medium or high. Using your department’s business impact levels, information must be assessed to determine confidentiality, integrity and availability levels. It should be noted that the outcome of a Business Impact Level (BIL) assessment may result in a mixture of high, medium and low business impacts. For Confidentiality business impacts, this then guides the confidentiality label that is applied. However, the label applied is not automatic and is a decision that rests with the information owner. Other agency, regulatory or legislative issues including those arising from the Public Records Act 2002 (Qld) may also impact on the impact assessment of the information, and need to be considered at this point.
Select and apply controls
Appropriate controls must be applied to ensure that safeguards are applied to information assets commensurate with the assessed business impact levels. In limited cases, the controls are mandated (e.g. high confidentiality information), but in most cases, agencies are encouraged to identify suitable better practice control sets from reputable sources such as Australian Signals Directorate, ISO/IEC 27002, National Institute of Standards and Technology or ENISA that meet their needs on a risk basis.
Ongoing activities
Continuous review
As environments and circumstances change, information owners should review confidentiality levels to ensure controls remain appropriate. The impact from loss, compromise, or damage to information may reduce or increase over time. The decision to change the business impact level for information rests with the information owner. De-identification, aggregation and redaction techniques can be used to support proactive information release under right to information and Information access and use policy. However, care and expertise are required to ensure these are effective and do not introduce risk. Due care is required to ensure privacy is preserved with data derived from information about individuals.
Assurance
The information security assessments in each category are determined by the Business Impact Level (BIL) of the information or asset. In turn, the BIL guides the level of assurance that should be sought by the organisation relative to the assessed information. At higher business impact levels, more robust assurance should be sought by the business. More detail is provided in the Information security assurance and classification guideline.
Education and awareness
The ongoing education and awareness of all employees regarding the importance of classifying information is critical to the success of the overall agency security environment. Agencies should ensure that all employees have a clear understanding of the agency information security classification policies and procedures, their responsibilities, and principles. Employees who create, process or handle security classified information assets should be trained in how to assess and handle classified information. Education and awareness programs will likely vary across an agency and between agencies and depend on the type of work and types of information assets dealt with. Information custodians should be given assistance to understand their roles and responsibilities.
Guides to help employees work through the assessment and classification process should be developed. These are of use where information security assessment is not routinely part of an employee’s duties with agency specific examples used to assist.
Business impact levels
Information security assessment has traditionally been solely an assessment of the confidentiality of an information asset or the information it contains. Whilst emphasis is legitimately placed on the determination of confidentiality, it is important to also recognise and assess integrity and availability requirements for information on agency operations. Many Queensland Government information assets have significant requirements for information integrity and availability. The use of the business impact levels can assist those agencies to classify assets against their integrity and availability, as well as confidentiality. Importantly, where information is found to have high availability or high integrity requirements, agencies should assign proportionate controls based on the BILs. The information owner must classify the information they are responsible for against the three dimensions of information security. When determining the correct information security level for an information asset or domain, a range of factors must be considered. Where information assets can be security classified according to legislation, regulation, policy, contractual or other pre-determined means, it should be so classified. For example, breach of proper undertakings to maintain the confidentiality of information provided by third parties and breach of statutory restrictions on the management and disclosure of information need to be considered, and these may influence the overall control selection. Business impact may be affected by information aggregation. Aggregation of information may change business impact against confidentiality, integrity and/or availability of information.
Controls commonly treat more than one risk. Control selection should aim to mitigate the highest impact risks and if possible, more than one area of the C.I.A. triad. In this way, information security adds value and can be balanced more effectively against the needs of the organisation that it serves. There are other methodologies for determining business impact levels such as those outlined in the Digital and ICT strategic planning framework. Agencies should have a repeatable and consistent process to identify business impacts of threats to information in their organisation, and this process should consider confidentiality, integrity and availability.
Example assessment of business impacts to confidentiality, integrity and availability
This shows an example of an assessment, and in this case the asset has been assessed as high BIL based on integrity, medium availability and low for confidentiality. An assessment tool is available to assist agencies in determining their BILs. The agency should consider existing controls required by the Information Security Policy (IS18:2018) and whether these mandatory requirements treat assessed risk to a level that is tolerable to the information owner. If not, consider additional integrity controls. Note that establishing cumulative control sets for CIA high-low may simplify architecture. For example, an agency may choose to assess risk above baseline controls or create controls standards for classification, as follows:
Or, it may be efficient for agencies to create controls standards for some/all of the CIA configurations:
Appendix A (provided as a download)
Appendix B (provided as a download)
Appendix C (provided as a download)
Appendix D
It is often not practical to individually apply a full security assessment process to every document, record or other information asset in use in an agency, particularly where there are large quantities of legacy documents. Agencies should therefore consider an ‘information asset security domain’[1] approach to information security classification. Agencies may choose to use this approach with legacy information classified under earlier classification schemes using the mappings diagram at APPENDIX E. Information asset security domain classifications are not mandatory and should only be established where a logical grouping and standard impact assessment can be identified. It should also be noted that an individual information asset security classification will override any broad domain classification. An information asset security domain is a grouping of related information assets that share a security classification. The assessment may be based on higher confidentiality, higher integrity, higher availability or a combination of more than one requirement. Security domains allow a defined level of security assessment to be automatically assigned to assets of the domain. This helps to ensure consistency and reduce owner and user workloads. Domain security classifications must be approved by the information owner/s responsible for the assets that the domain will apply to. An example of an existing domain classification is Cabinet documents, which are pre-determined as being CABINET-IN-CONFIDENCE with High integrity requirements and are treated as PROTECTED information assets. Any new information needs only to be individually assessed by exception, and the appropriate controls applied.
The domain security classification scope will be determined by the ability to group information assets with similar impact assessment results. Often domains will be related to business functions such as human resource management, strategy or procurement functions. Business classification schemes such as those developed for document and records management systems may be useful tools for identifying potential domain security classification areas. Domain security classifications should be reviewed by agency information owners regularly to ensure they remain appropriate.
Information classified under previous schemes
Agencies may choose to apply a domain approach to legacy information classified under earlier classification schemes using the mappings diagram at Appendix E.
Segmentation of information assets by impact levels
In cases where information is assessed as having different business impact levels, it requires differential confidentiality, information integrity or availability controls. Identifying, segmenting and/or segregating high business impact or data from other agency information and applying appropriate controls can be an efficient approach that is superior to raising the security of all information holdings. Generally segmenting information so that higher impact information sets are safeguarded from the broader information holdings will work best for Queensland agencies. This approach might be applied where the agency holds relatively small amounts of information that has a higher confidentiality classification, or integrity and availability requirements. Examples include credit card data (PCI-DSS) or information subject to specific legislation, such as the Privacy Act.
Public information
PUBLIC is not a security classification level under the new classification framework.
However, there is no restriction on an information owner choosing to label information PUBLIC, noting that where the information is held on an information system, it will be subject to Integrity and Availability requirements. Public information is OFFICIAL information that has undergone an agency authorised publication process to identify that it was suitable to be published. Some of these processes are not security related including relevant copyright identification processes. Agencies need to maintain their own processes to approve information for public release. Some information assets intended for public consumption may have time-limited confidentiality requirements before release (for example, budget papers). In this case, the information should be embargoed, marked and appropriately safeguarded until publication is authorised. De-identification, de-aggregation and redaction techniques can be used to support proactive information release under right to information and open data goals. However, care and expertise are required to ensure these are effective. Special care is required to ensure privacy is preserved with data derived from information about individuals. The Office of the Information Commissioner Queensland has some useful guidance on Dataset publication and de-identification techniques and risks surrounding re-identification. Further information - QGEA Information access and use policy (IS33).
National security information
National security information (NSI) is not a confidentiality classification as different NSI may need different levels of safeguarding. NSI is any official resource (including equipment) that records information about, or is associated with, Australia’s:
In some cases, the risk may dictate that national interest information requires the same safeguards as national security information. National interest information comprises official resources (including equipment) that records information about, or is associated with:
The source of most national security information is the federal government. National security information and systems above PROTECTED must be dealt with according to the arrangements outlined in the Memorandum of Understanding on the Protection of National Security Information between the Commonwealth and States and Territories. These arrangements are specified in the Queensland Manual for Protecting National Security Information. You can obtain copies from the Queensland Police Service: Security and Counter-Terrorism Command. Telephone 07 3364 3665 or email In addition to the above guideline, agency officers responsible for handling national security information will need to meet handling instructions or agreements between their own agency and source federal agencies. This may include: physical security; personnel security; information security and security governance. Familiarity with the Australian Government Protective Security Policy Framework and related documents is also helpful. These are available from the Australian Government Attorney-General’s Department. Limiting the duration of information security classification levelsWhen information is classified, it may be possible to determine a specific date or event, after which the consequences of compromise might change. It is important to note that an event may trigger an increase in the confidentiality level of information, for example a human resource form may become ‘SENSITIVE (when complete)’. Alternatively, an archive may become available after a certain number of years. This may change the business impact for the information. Over time, the information may require safeguards for confidentiality reasons, but later it may be that loss of integrity is the primary business impact, or indeed availability. Some information may require time limited controls because it is under embargo until a specific public policy statement, after which it is published and enters the public domain. 
If a future date cannot be determined, it is essential to ensure that the date the information assets were created or classified is noted. The date can be recorded either in the document metadata or in the classified asset register, if it exists, so that the date can be used for future assessment of classification levels and for right to information purposes.

Data quality

Data quality is an additional information integrity consideration which may be considered in determining business impact. The Australian Bureau of Statistics has released the ABS Data Quality Framework, which includes seven dimensions related primarily to information integrity:
The framework can be used for multiple purposes including declaring quality, assessing quality and identifying gaps in data sets. There are also online tools for assessing data quality, including one provided by the National Statistical Service.

Understanding basic business requirements

It is important to establish some basic business requirements for confidentiality, availability and integrity of the information asset. For example, it is difficult to assess the business impact of a compromise of confidentiality if you are not aware who the authorised or unauthorised groups of users are. A patient’s health record is subject to confidentiality requirements contained in the My Health Record Act 2012 (Cth). This means that there is a different business impact if it is shared with a registered medical professional, compared to sharing with a member of the public. Departments should determine the detail this activity should cover. The following questions may assist:
There will also always be exceptions which may be considered on a case-by-case basis. It is also important that the answers to these questions are revisited regularly as you learn more about how the information is being used (positively or negatively).

Appendix E

Appendix F

If an information asset has no security classification or Creative Commons licence, what process should I follow?

All information assets should undergo a security classification assessment. They may inherit a classification from the previous QGISCF, in which case mapping may be used. As the Creative Commons licensing process can only be applied to published information, generally only OFFICIAL information that is, or will be, published is a candidate for a Creative Commons licence. Therefore, in addition to a security assessment, the information will need to go through your department’s publication or information release process. The security classification helps to understand the confidentiality, integrity and availability needs of the information asset, so that the appropriate controls can be implemented during the preparation and publishing process. Should the information asset be suitable for publication, a Creative Commons licensing review can be conducted and, if appropriate, a licence applied.

If an information asset has a security classification (e.g. OFFICIAL, SENSITIVE or PROTECTED) do I need to apply a Creative Commons licence?

A Creative Commons licence can only be applied to information that is published because it implies that the information can be shared publicly and potentially reused. Where an information asset has been published it can be assessed using the Creative Commons licensing review process. OFFICIAL information is generally suitable for sharing with other government agencies, as there are low/negligible confidentiality requirements.
OFFICIAL information that is intended to be published publicly requires further consideration by the department (e.g. under their publishing and information release processes) to ensure the implications are fully understood.

But what if the information asset has the old security classification PUBLIC but no Creative Commons licence?

Existing information assets that have previously been classified as PUBLIC under the old scheme can undergo a Creative Commons (CC) licensing review and be licensed using one of the six CC licences.

If an information asset already has a Creative Commons licence, what should its security classification be?

If a licence already exists, then it is assumed that the information has been purposefully prepared for publication and is able to be shared with the public under the terms of the CC licence. As Creative Commons licences generally only apply to information assets that are published, it would be expected that the information would have a classification of OFFICIAL (i.e. the lowest security classification). However, it is best not to guess, and to undertake a security assessment in case anything was overlooked during the decision to publish.

We used to use the old security classification of ‘PUBLIC’ to identify when an information asset can be published – what do I do now?

While a security classification of PUBLIC doesn’t exist, it doesn’t mean you can’t use the term to identify that a decision to publish has been made. For example, you could add a public label alongside the classification level (e.g. OFFICIAL – Public). Alternatively, you may want to just use the CC licence as an indication – it’s up to your organisation to decide.

Appendix G

To support specific business requirements and compartmentalise information, organisations may apply an optional additional descriptor to information. Agencies may decide to use further descriptors when handling, processing and storing their information.
However, it should be noted that any additional descriptors may not be understood outside the organisation and therefore the information may not be handled and protected in the required manner, unless it has been agreed beforehand.

Appendix H

This framework has been developed to align with the following Queensland Government legislation and regulation, Australian Government standards, Australian Standards, and Queensland Government ICT strategy and policy. Relevant resources are listed below.

Appendix I

Suggested implementation dates. These dates are for guidance only; shading indicates implementation dates which have passed. For mandatory timings, see Information security policy (IS18:2018).
Last Reviewed: 11 January 2021