
Reporting Year: 30 June 2013

Agency:
Agency Contact:
  email:
  Phone:
  Date:

Assessor:
  email:
  Phone:
  Date:

Completion effort: estimated FTE hours for assessing officer/s to complete checklist
Approval effort: estimated FTE hours to go from initial completed draft to the release version, including any internal approval process effort

This checklist (once completed) should be classified:

IN-CONFIDENCE

Please note the new Top4 worksheet to be completed.

An additional tab has been added to the workbook which provides a number of additional questions with a focus on the top four strategies to mitigate targeted cyber intrusions.

Please note: All uses of not applicable need to be justified within the comments column of the IS18 compliance self-assessment workbook.
For more information please see the Reference tab of this workbook.

Licence
Queensland Government Information Security Compliance Checklist is licensed under a Creative Commons Attribution 3.0 Australia licence.
To view a copy of this licence, visit http://creativecommons.org/licenses/by/3.0/au.
Permissions may be available beyond the scope of this licence. See www.qgcio.qld.gov.au.
Principle 1 - Policy, Planning and Governance

Source*: IS18 MC

Policy statement 0.0.1:
Agencies must develop, document, implement, maintain and review appropriate security controls to protect the information they hold by:
  - establishing appropriate information security policy, planning and governance within the agency in line with this information standard, including adopting all specified frameworks, standards and reporting requirements
  - ensuring appropriate security controls are implemented as detailed by this information standard and its supporting documents.

Example evidence of compliance:
  - formal noting of the Information Standard or QGEA policy by the agency's Information Steering Committee (or other appropriate governance body)
  - including the policy statement or equivalent in the agency's internal enterprise architecture documents
  - referencing the QGEA policy in the agency's internal enterprise architecture documents
  - including the policy statement in strategy documents or project gate keeping processes.

Status: Not adopted (non-compliant)

* IS18 - Information Standard 18, Information Security: MC - Information Security Policy - Mandatory Clause

Agency Signoff:

[Name], [Position], [Unit], [Department]


Comments (eg risk of non-compliance)
DSD Top Four Mitigations
For background on the Defence Signals Directorate strategies to mitigate targeted cyber intrusions refer to the page:
http://www.dsd.gov.au/infosec/top35mitigationstrategies.htm

For further context on these Top 4 related questions see the Reference worksheet. As this series of questions is being asked for the first time, it is understood that confidence in answers may be lower than for the rest of the self-assessment. As such, please also indicate a degree of confidence in the comments column. For percentage answers indicate the likely % error range (e.g. +-5%) in your response.

# | Question | Explanation of response requested | Answers

T4.1 Application whitelisting (supporting Principle 5 - Communications and operations management of IS18)
Use application whitelisting to help prevent malicious software and other unapproved programs from running.
Answer columns: Little control | Moderate control | Full whitelist. Answers to total 100%.

T4.1.1 | Application whitelisting as applied to privileged workstations, e.g. those used by administrators and/or those handling information PROTECTED or above. NOTE: PROTECTED includes CABINET-IN-CONFIDENCE | For workstations used to access agency information in this group estimate the approximate percentage of workstations for which there is: a) little execution control; b) moderately effective execution control (explain controls); and c) enforced application whitelisting

T4.1.2 | Application whitelisting as applied to non-privileged workstations | For workstations used to access agency information in this group estimate the approximate percentage of workstations for which there is: a) little execution control; b) moderately effective execution control (explain controls); and c) enforced application whitelisting

T4.1.3 | Application whitelisting as applied to internal (non-internet exposed) servers (file, print, SharePoint etc, transaction systems) | For servers used in this group estimate the approximate percentage of servers for which there is: a) little execution control; b) moderately effective execution control (explain controls, e.g. full integrity and alert such as tripwire or other execution controls); and c) enforced application whitelisting

T4.1.4 | Application whitelisting as applied to internet exposed servers (tracking systems, email, webmail, SharePoint, transaction systems) | For servers used in this group estimate the approximate percentage of servers for which there is: a) little execution control; b) moderately effective execution control (explain controls, e.g. full integrity and alert such as tripwire or other execution controls); and c) enforced application whitelisting
T4.2 Patch applications (supporting Principle 7 - System acquisition, development and maintenance of IS18)
Patch applications such as PDF readers, Microsoft Office, Java, Flash Player and web browsers.
Answer columns: Not patched in 3 months | Patched in 3 months | Active patching. Answers to total 100%. Totals for b) should exclude those in the criteria for c).

T4.2.1 | Patching as applied to privileged workstations, e.g. those used by administrators and/or those handling information PROTECTED or above. NOTE: PROTECTED includes CABINET-IN-CONFIDENCE | For workstations used to access agency information in this group estimate the approximate percentage of workstations for which: a) patches have not been applied across at least all the above applications in the last 3 months; b) patches have been applied across at least all the above applications to become fully patched in the last 3 months; and c) an active patching program is in place with serious (privilege escalation or remote) vulnerabilities assessed and patched within 10 business days as per the patch management guideline

T4.2.2 | Patching as applied to non-privileged workstations | For workstations used to access agency information in this group estimate the approximate percentage of workstations for which: a) patches have not been applied across at least all the above applications in the last 3 months; b) patches have been applied across at least all the above applications to become fully patched in the last 3 months; and c) an active patching program is in place with serious (privilege escalation or remote) vulnerabilities assessed and patched within 10 business days as per the patch management guideline

T4.2.3 | Patching as applied to internal (non-internet exposed) servers (file, print, SharePoint etc, transaction systems) | For servers used in this group estimate the approximate percentage of servers for which: a) patches have not been applied across server applications (e.g. content management, record keeping, wikis, webmail etc) in the last 3 months; b) patches have been applied across server applications to become fully patched in the last 3 months; and c) an active patching program is in place with serious (privilege escalation or remote) vulnerabilities assessed within 2 business days and patched or escalated to management within 10 business days as per the patch management guideline

T4.2.4 | Patching as applied to internet exposed servers (tracking systems, email, webmail, SharePoint, transaction systems) | For servers used in this group estimate the approximate percentage of servers for which: a) patches have not been applied across server applications (e.g. content management, record keeping, wikis, webmail etc) in the last 3 months; b) patches have been applied across server applications to become fully patched in the last 3 months; and c) an active patching program is in place with serious (privilege escalation or remote) vulnerabilities assessed within 2 business days and patched within 10 business days as per the patch management guideline

T4.3 Patch operating systems (supporting Principle 7 - System acquisition, development and maintenance of IS18)
Patch operating system vulnerabilities.
Answer columns: Not patched in 3 months | Patched in 3 months | Active patching. Answers to total 100%. Totals for b) should exclude those in the criteria for c).

T4.3.1 | Patching as applied to privileged workstations, e.g. those used by administrators and/or those handling information PROTECTED or above. NOTE: PROTECTED includes CABINET-IN-CONFIDENCE | For workstations used to access agency information in this group estimate the approximate percentage of workstations for which operating system: a) patches have not been applied in the last 3 months; b) patches have been applied to become fully patched in the last 3 months; and c) patching is in place with serious (privilege escalation or remote) vulnerabilities assessed and patched within 10 business days as per the patch management guideline

T4.3.2 | Patching as applied to non-privileged workstations | For workstations used to access agency information in this group estimate the approximate percentage of workstations for which operating system: a) patches have not been applied in the last 3 months; b) patches have been applied to become fully patched in the last 3 months; and c) patching is in place with serious (privilege escalation or remote) vulnerabilities assessed and patched within 10 business days as per the patch management guideline

T4.3.3 | Patching as applied to internal (non-internet exposed) servers (file, print, SharePoint etc, transaction systems) | For servers used in this group estimate the approximate percentage of servers for which operating system (and basic platform component): a) patches have not been applied in the last 3 months; b) patches have been applied to become fully patched in the last 3 months; and c) patching is in place with serious (privilege escalation or remote) vulnerabilities assessed within 2 business days and patched or escalated to management within 10 business days as per the patch management guideline

T4.3.4 | Patching as applied to internet exposed servers (tracking systems, email, webmail, SharePoint, transaction systems) | For servers used in this group estimate the approximate percentage of servers for which operating system (and basic platform component): a) patches have not been applied in the last 3 months; b) patches have been applied to become fully patched in the last 3 months; and c) patching is in place with serious (privilege escalation or remote) vulnerabilities assessed within 2 business days and patched within 10 business days as per the patch management guideline

T4.4 Minimise users with administrative privileges (supporting Principle 6 - Access management of IS18)
The misuse of administrative privileges is a primary method for attackers to spread inside a target enterprise.
Answer columns: Part a) | Part b) | Part c)

T4.4.1 | Formal process exists and is enforced for granting and revoking administrative privileged access to workstations | Part a) Using a Full, substantial, partial or not compliant rating, are formal processes in place and enforced for granting and revoking administrative privileged access to workstations. Part b) Percentage of workstations for which their regular/primary user has administrative privileges. Part c) Of those users with administrative level access to their workstations, what percentage only gain this access through a separate account/authentication to their day to day use accounts (used for web browsing, email, office tasks). | Choose

T4.4.2 | Regular reviews are conducted on all users with administrative privileged access | Part a) Using a Full, substantial, partial or not compliant rating, are processes followed to revoke access and change all shared access tokens/passwords for all departing staff and contractors. Part b) In months, how long since the last review of accounts in central agency directories (to identify dormant accounts, departed staff/contractors, and continued need for privileged roles/groups). | Choose

T4.4.3 | System administrators have separate accounts for day to day use such as web browsing and document creation. System administrators are those staff who have a primary role performing ICT system and/or application administration functions. | Part a) Of system administrative staff, what percentage only gain this access through a separate account/authentication to their day to day use accounts (used for web browsing, email, office tasks). |
Comments
Principle 1 - Policy, planning and governance

# | Requirement | Example evidence of compliance | Status
(Source*: IS18 MC)

1.1 Information security policy

1.1.1 | An information security policy has been developed | An information security policy exists | Choose
1.1.2 | The information security policy contains the mandatory clauses detailed in the Queensland Government Information Security Policy - Mandatory Clauses document | All mandatory clauses in the Queensland Government Information Security Policy Guideline can be located in the information security policy | Choose
1.1.3 | The information security policy has been prepared on an agency wide basis | There has been consultation across major business areas within the policy | Choose
1.1.4 | The information security policy is aligned with agency business planning | Business requirements have been documented within the policy | Choose
1.1.5 | The information security policy is aligned with the agency's general security plan | General security plan requirements have been documented within the policy | Choose
1.1.6 | The information security policy is aligned with risk assessment findings | A risk assessment has been documented and the results have informed the development of the policy | Choose
1.1.7 | The information security policy is consistent with the requirements of agency relevant legislation | Legislative requirements relevant to the agency have been documented within the policy | Choose
1.1.8 | The information security policy is consistent with the requirements of relevant policies | Agency and W-o-G policies relevant to the agency have been documented within the policy | Choose
1.1.9 | The information security policy is communicated to all employees on an ongoing basis | Staff are aware of and trained in the use of the policy with refresher courses available | Choose
1.1.10 | The information security policy is accessible to all employees | The policy can be easily accessed by all employees | Choose
1.1.11 | Approval for the information security policy has been obtained from the relevant senior executives | Senior Executive signoff/endorsement can be located within the policy or brief | Choose
1.1.12 | Endorsement for the information security policy has been obtained from the relevant governance body | Governance body signoff/endorsement can be located within the policy or brief | Choose
1.1.13 | The information security policy is reviewed at least on an annual basis | The date of the policy's last review is no more than 12 months old | Choose
1.1.14 | The next review for the information security policy has been scheduled | The date for the policy's next review is documented within the policy | Choose
1.1.15 | The information security policy is reviewed and evaluated in line with changes to business and information security risks to reflect the current agency risk profile | If changes to business or new risks have occurred within the 12 month review period, has the policy been updated to reflect these changes? | Choose

1.2 Information security plan

1.2.1 | An information security plan has been developed | An information security plan exists | Choose
1.2.2 | Information security planning is aligned with agency business planning | There has been consultation across major business areas within the agency and business requirements have been documented within the plan | Choose
1.2.3 | Information security planning is aligned with the agency's general security plan | General security plan requirements have been documented within the plan | Choose
1.2.4 | Information security planning is aligned with risk assessment findings | A risk assessment has been documented and the results have informed the development of the plan | Choose
1.2.5 | Endorsement for the information security plan has been obtained from the relevant senior executives | Senior Executive signoff/endorsement can be located within the plan or brief | Choose
1.2.6 | Endorsement for the information security plan has been obtained from the relevant governance body | Governance body signoff/endorsement can be located within the plan or brief | Choose
1.2.7 | The information security plan is reviewed at least on an annual basis | The date of the plan's last review is no more than 12 months old | Choose
1.2.8 | A threat and risk assessment has been conducted for all ICT assets that create, store, process or transmit security classified information at least annually or after any significant change has occurred, such as machinery of Government | A threat and risk assessment has been conducted and documented for all ICT assets that create, store, process or transmit security classified information. The date of the last assessment is no more than 12 months old | Choose

1.3 Internal Governance

1.3.1 | Agency management recognizes the importance of, and demonstrates a commitment to, maintaining a robust agency information security environment | Senior executive management group agenda/minutes include information security matters | Choose
1.3.2 | Information Security internal governance arrangements have been established | Information security governance body is in operation (e.g. information security governance body is meeting as documented in minutes) | Choose
1.3.3 | Information Security internal governance arrangements have been documented | Information security governance body's terms of reference approved by senior executive management group/CEO | Choose
1.3.4 | Information Security Roles and Responsibilities have been established | Employees with information security roles and responsibilities have signed a document stating that they understand their roles and responsibilities | Choose
1.3.5 | Information Security Roles and Responsibilities have been documented | Information security roles and responsibilities documented and approved by senior executive management | Choose
1.3.6 | Endorsement for the internal governance arrangements has been obtained from the relevant senior executives | Sign off obtained from senior executive management group/CEO for all information security internal governance arrangements | Choose
1.3.7 | Endorsement for the internal governance arrangements has been obtained from the relevant governance body | Sign off obtained from the relevant governance body (e.g. Information Steering Committee) for information security internal governance arrangements | Choose

1.4 External party governance

1.4.1 | Information Security external governance arrangements have been established | External governance arrangements are in operation | Choose
1.4.2 | Information Security external governance arrangements have been documented | External governance arrangements have been documented and approved by the senior executive management group/CEO | Choose
1.4.3 | All third party service level agreements, operational level agreements, hosting agreements or similar contracts clearly articulate the level of security required | Standard templates for service level agreements and operational level agreements include clauses dealing with information security requirements | Choose
1.4.4 | All third party service level agreements and operational level agreements are regularly monitored | Minutes of information security governance body meetings include outcomes of routine checks on inclusion of information security requirements in SLAs and OLAs and audits to ensure third party adherence to these agreements | Choose
1.4.5 | Endorsement for the external governance arrangements has been obtained from the relevant senior executives | Sign off obtained from senior executive management group/CEO for all information security external governance arrangements | Choose
1.4.6 | Endorsement for the external governance arrangements has been obtained from the information security governance body | Sign off obtained from the information security governance body for information security external governance arrangements | Choose

* IS18 - Information Standard 18, Information Security: MC - Information Security Policy - Mandatory Clause

Number of Requirements: 36
Total "Fully Compliant": 0
Total "Substantially Compliant": 0
Total "Partially Compliant": 0
Total "Not Compliant": 0
Total "Exception Granted": 0
Total "Not Applicable": 0
Worksheet completion status: Incomplete
Overall Full, Substantial and Partial principle alignment: 0.00%
Overall Full principle alignment: 0.00%

Agency signoff:

[Name], [Position], [Unit], [Department]


Comments (e.g. risk of non-compliance)
Principle 2 - Asset management

# | Requirement | Example evidence of compliance | Status
(Source*: IS18 MC)

2.1 Asset protection responsibility

2.1.1 | Procedures for the protective control of information assets (regardless of format) have been implemented | Procedures for the protective control of information assets have been documented and approved by the information security governance body | Choose
2.1.2 | All ICT assets that create, store, process or transmit security classified information are assigned appropriate controls in accordance with the Queensland Government Information Security Classification Framework (QGISCF) | An ICT asset register that documents the security classification of application and technology assets (in accordance with QGISCF or, in the case of national security information, relevant national arrangements) and the corresponding controls that are applied to that asset (controls may be documented elsewhere) | Choose
2.1.3 | All ICT assets (including hardware, software and services) have been identified and documented | ICT asset register has been completed and is updated at least annually | Choose
2.1.4 | All ICT assets (including hardware, software and services) have been assigned ICT asset custodians | ICT asset register identifies the ICT asset custodian for all assets | Choose
2.1.5 | All ICT assets that provide underpinning and ancillary services must be protected from internal and external threats (e.g. mail gateways, domain name resolution, time, reverse proxies, remote access and web servers) | All ICT assets that provide underpinning and ancillary services have been identified and documented. Adequate controls have been implemented for these services | Choose

2.2 Information security classification

2.2.1 | Procedures for the classification of information assets (regardless of format) have been implemented | Procedures for the classification of information assets have been documented and approved by the information security governance body | Choose
2.2.2 | All information assets are assigned appropriate classification in accordance with the Queensland Government Information Security Classification Framework (QGISCF) as a minimum | Agency has a complete information asset register, where all information assets are assigned a QGISCF classification, or in the case of national security information, as per national arrangements | Choose
2.2.3 | All information assets are assigned appropriate control in accordance with the Queensland Government Information Security Classification Framework (QGISCF) | The controls applied to information assets are documented | Choose
2.2.4 | Classification schemes do not limit the provision of relevant legislation under which the agency operates | The information security classification policy and procedure document that legislative obligations override the classification scheme. For example, the security classification of an information asset does not prevent it from being considered for release under the Right to Information Act 2009 | Choose

* IS18 - Information Standard 18, Information Security: MC - Information Security Policy - Mandatory Clause

Number of Requirements: 9
Total "Fully Compliant": 0
Total "Substantially Compliant": 0
Total "Partially Compliant": 0
Total "Not Compliant": 0
Total "Exception Granted": 0
Total "Not Applicable": 0
Worksheet completion status: Incomplete
Overall Full, Substantial and Partial principle alignment: 0.00%
Overall Full principle alignment: 0.00%

Agency signoff:
[Name], [Position], [Unit], [Department]
Comments (eg risk of non-compliance)
Principle 3 - Human Resources Management

# | Requirement | Example evidence of compliance | Status
(Source*: IS18 MC)

3.1 Pre-employment

3.1.1 | Security requirements have been addressed within recruitment and selection and in job descriptions | Job descriptions include information security requirements | Choose

3.2 During employment

3.2.1 | Policies have been developed to address information security issues within human resources | Agency policies addressing information security issues within human resources have been approved by the senior executive management group/CEO | Choose
3.2.2 | Processes have been developed to address information security issues within human resources | Procedures for addressing information security within human resource management have been documented and approved | Choose
3.2.3 | Induction programs have been implemented to ensure that employees are aware of and acknowledge their security responsibilities | Induction program documentation includes information security | Choose
3.2.4 | Ongoing security training has been implemented to ensure that employees are aware of and acknowledge their security responsibilities | An information security training plan has been approved by the CEO (note that this may be part of the agency's general information security plan). Attendance records for information security training | Choose
3.2.5 | Security awareness programs have been implemented to ensure that employees are aware of and acknowledge their security responsibilities | Example evidence of compliance might include emails, posters, fact sheets, intranet content etc that communicate information security responsibilities | Choose
3.2.6 | Induction programs have been implemented to ensure that employees are aware of and acknowledge the agency's information security policies and processes | Induction program documentation includes an overview of the agency's information security policies and processes and details of where employees can go to get further information | Choose
3.2.7 | Ongoing training has been implemented to ensure that employees are aware of and acknowledge the agency's information security policies and processes | The information security training plan includes targeted training in the agency's information security policies and processes | Choose
3.2.8 | Security awareness programs have been implemented to ensure that employees are aware of and acknowledge the agency's information security policies and processes | Training attendance records or documents signed by all employees that document that they have been shown and understand agency information security policies and processes including how to use agency ICT assets | Choose
3.2.9 | All information security roles and responsibilities have been fully documented where employees have access to security classified information (X-IN-CONFIDENCE or above) or perform security related roles | Information security roles and responsibilities documented and approved by senior executive management | Choose
3.2.10 | All information security roles and responsibilities have been assigned to employees who have access to security classified information or perform security related roles | Roles and responsibilities have been physically assigned to employees (with appropriate records retained) | Choose
3.2.11 | All information security roles and responsibilities that have been assigned to employees have been communicated to these employees and signed acknowledgements obtained | Employees with information security roles and responsibilities have signed a document stating that they understand their roles and responsibilities | Choose

3.3 Post-employment

3.3.1 | Procedures for the separation of employees within the agency have been developed | Procedures for the separation of employees within the agency have been approved | Choose
3.3.2 | Procedures for the separation of employees within the agency have been implemented | Agency records demonstrate that all employee separations follow the approved procedure | Choose
3.3.3 | Procedures for employee movement within the agency have been developed | Procedures for the movement of employees within the agency have been approved | Choose
3.3.4 | Procedures for employee movement within the agency have been implemented | Agency records demonstrate that all employee movements within the agency follow the approved procedure | Choose
* IS18 - Information Standard 18, Information Security: MC - Information Security Policy - Mandatory Clause

Number of Requirements: 16
Total "Fully Compliant": 0
Total "Substantially Compliant": 0
Total "Partially Compliant": 0
Total "Not Compliant": 0
Total "Exception Granted": 0
Total "Not Applicable": 0
Worksheet completion status: Incomplete
Overall Full, Substantial and Partial principle alignment: 0.00%
Overall Full principle alignment: 0.00%

Agency signoff:

[Name], [Position], [Unit], [Department]


Comments (eg risk of non-compliance)
Principle 4 - Physical and Environmental Management

# | Requirement | Example evidence of compliance | Status
(Source*: IS18 MC)

4.1 Building controls and security areas

4.1.1 | The requirements of the Queensland Government Information Security Classification Framework (QGISCF) have been implemented | All information assets have been evaluated against the QGISCF | Choose
4.1.2 | Building and entry controls for areas used in the processing and storage of security classified information have been established and maintained in line with the QGISCF | Building and entry controls for areas used in the processing and storage of security classified information have been documented, approved and are subject to regular updating. Agency records demonstrate that these are subject to routine checks | Choose
4.1.3 | Physical security protection controls (commensurate with the security classification information levels) have been implemented for all offices, rooms, storage facilities and cabling infrastructure in line with the QGISCF | Physical security protection controls (commensurate with security classification levels) have been documented, approved and are subject to regular updating. Agency records indicate that these are subject to routine checks | Choose
4.1.4 | Control policies (including clear desk/clear screen) have been implemented in information processing areas that deal with security classified information | Controls for information processing areas have been documented, approved and are subject to regular updating. Agency records indicate that these are subject to routine checks | Choose

4.2 Equipment security

4.2.1 | All ICT assets that store or process information are located in secure areas with access control mechanisms in place to restrict use to authorised personnel only | Agency equipment is located in secure areas. Records of routine checks confirm that these areas are accessible only to authorised personnel | Choose
4.2.2 | Policies are implemented to monitor and protect the use and/or maintenance of information assets and ICT assets away from premises as required by the QGISCF | Agency information security policies address the protection and monitoring of ICT assets that are offsite. The relevant policy has been approved by the agency senior executive management group/CEO | Choose
4.2.3 | Processes are implemented to monitor and protect the use and/or maintenance of information assets and ICT assets away from premises as required by the QGISCF | Procedures for the protection and monitoring of offsite equipment have been documented and approved | Choose
4.2.4 | Policies are implemented for the secure disposal or reuse of ICT assets which are commensurate with the information asset's security classification level (as required by the QGISCF) | Agency information security policies address the disposal and reuse of ICT assets commensurate with the information asset's security classification level. These policies have been approved by the agency senior executive management group/CEO. Agency records indicate that this policy is being complied with | Choose
4.2.5 | Processes are implemented for the secure disposal or reuse of ICT assets which are commensurate with the information asset's security classification level as required by the QGISCF | Procedures for the disposal and reuse of equipment, storage devices and media commensurate with the security classification of the information stored on the asset have been approved. Agency records indicate that these procedures are being followed | Choose

* IS18 - Information Standard 18, Information Security: MC - Information Security Policy - Mandatory Clause

Number of Requirements: 9
Total "Fully Compliant": 0
Total "Substantially Compliant": 0
Total "Partially Compliant": 0
Total "Not Compliant": 0
Total "Exception Granted": 0
Total "Not Applicable": 0
Worksheet completion status: Incomplete
Overall Full, Substantial and Partial principle alignment: 0.00%
Overall Full principle alignment: 0.00%

Agency signoff: [Name], [Position], [Unit], [Department]
Comments (eg risk of non-compliance):
Principle 5 - Communications and Operations Management

Columns: # | Requirement | Example evidence of compliance | Status
Source*: IS18 MC

5.1 Operational procedures and responsibilities

5.1.1
Requirement: Operational procedures and controls have been documented to ensure that all information assets and ICT assets are managed securely and consistently, in accordance with the level of required security
Evidence: Operational procedures for all information assets and ICT assets (including information systems and network tasks), ensuring that they are managed consistently in accordance with the required level of security, have been documented and approved
Status: Choose

5.1.2
Requirement: Operational procedures and controls have been implemented to ensure that all information assets and ICT assets are managed securely and consistently, in accordance with the level of required security
Evidence: Agency records indicate that these procedures are being implemented, e.g. errors and exceptional conditions are captured and handled in accordance with the procedures; backups occur in accordance with procedures
Status: Choose

5.1.3
Requirement: Operational change control procedures have been implemented to ensure that changes to information processing facilities or systems are appropriately approved and managed
Evidence: Capacity planning and system acceptance procedures have been documented and approved. Agency records indicate that these are being implemented, e.g. new system business requirements document capacity requirements; system acceptance criteria are documented and tests are carried out during development and prior to acceptance
Status: Choose

5.2 Third party service delivery

5.2.1
Requirement: Third party service delivery agreements comply fully with IS18
Evidence: All the requirements within IS18 relating to third party service delivery have been documented within agreements
Status: Choose

5.2.2
Requirement: Third party service delivery agreements are periodically reviewed and updated to ensure they address any changes in business requirements whilst remaining compliant with IS18
Evidence: Agreements are reviewed regularly and documented
Status: Choose

5.2.3
Requirement: Third party service operating agreements must specifically address third party governance policies and processes (see section 1.4)
Evidence: Agreements clearly articulate the level of security required, are regularly monitored and endorsed by the relevant senior executives and governance body
Status: Choose

5.3 Capacity planning and system acceptance

5.3.1
Requirement: System acceptance must include confirmation of the application of appropriate security controls and of the capacity requirements of the system
Evidence: Appropriate system acceptance and change criteria and processes have been established and documented
Status: Choose

5.3.2
Requirement: System capacity must be regularly monitored to ensure risks of system overload or failure which could lead to a security breach are avoided
Evidence: Processes for reviewing and updating system capacity have been documented
Status: Choose

5.4 Application integrity

5.4.1
Requirement: Adequate controls have been defined and implemented for the prevention, detection, removal and reporting of malicious code attacks on all ICT assets
Evidence: Controls for the prevention, detection, removal and reporting of the introduction of malicious and mobile code are documented and approved
Status: Choose

5.4.2
Requirement: Vulnerability/integrity scans of core software must be defined and conducted regularly to ensure detection of unauthorised changes
Evidence: Details of vulnerability/integrity scans have been documented, including what core software has been scanned, when it has been scanned, when the next scan is due, and the scan results
Status: Choose
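Requirement 5.4.2 says what evidence to keep for an integrity scan but not how such a scan detects an unauthorised change. The following Python script is an added example, not part of this checklist or of any QGCIO tool: it builds a SHA-256 baseline of every regular file under a directory, rescans later, and reports files that were added, modified or removed. The directory layout and the simulated tampering in demo() are constructed for illustration.

```python
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path, chunk_size: int = 65536) -> str:
    """Stream the file through SHA-256 so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> Dict[str, str]:
    """Hash every regular file under root, keyed by POSIX path relative to root.

    Symlinks are skipped: following them would let a tampered link point the
    scanner at an untouched file and hide the change.
    """
    baseline: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = Path(dirpath) / name
            if full.is_symlink() or not full.is_file():
                continue
            baseline[full.relative_to(root).as_posix()] = sha256_file(full)
    return baseline


def compare_baselines(expected: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Report what differs between a stored baseline and a fresh scan."""
    common = expected.keys() & current.keys()
    return {
        "added": sorted(current.keys() - expected.keys()),
        "removed": sorted(expected.keys() - current.keys()),
        "modified": sorted(p for p in common if expected[p] != current[p]),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline a small tree, tamper with it, rescan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "app").write_bytes(b"#!/bin/sh\necho hello\n")
        (root / "app.conf").write_text("listen=127.0.0.1\n")
        (root / "README").write_text("release 1.0\n")
        baseline = build_baseline(root)  # taken from the known-good state

        # Simulated unauthorised changes made after the baseline was taken.
        (root / "bin" / "app").write_bytes(b"#!/bin/sh\necho hello\n# tampered\n")
        (root / "bin" / "extra").write_bytes(b"not part of the release\n")
        (root / "README").unlink()

        return compare_baselines(baseline, build_baseline(root))


if __name__ == "__main__":
    print(demo())
```

In practice the baseline is taken from a known-good build and stored, or signed, somewhere the scanned host cannot write to: a baseline kept on the same host can be rewritten by whoever modified the software. The scan output, with its timestamp and the baseline version it was compared against, is the record 5.4.2 asks an agency to keep.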

5.4.3
Requirement: Anti-malicious-code software has been regularly updated with new definition files and scanning engines
Evidence: Details of anti-malicious-code software updates have been documented, including details of definition files and scanning engines
Status: Choose

5.4.4
Requirement: Employees have been educated about malicious and mobile code in general, the risks posed, virus symptoms and warning signs, including what processes should be followed in the case of a suspected virus
Evidence: Employee education about malicious code and associated processes has been conducted, for example through induction programs, training programs/plans and awareness campaigns (eg. emails, posters, factsheets, intranet content etc)
Status: Choose

5.5 Backup procedures

5.5.1
Requirement: Comprehensive systems maintenance processes and procedures (including operator and audit/fault logs), information backup procedures and archiving have been implemented
Evidence: Agency backup policies and procedures (including archiving) have been documented and approved. Agency records that may indicate implementation of this requirement include records of backup copies and test results
Status: Choose

5.6 Network security

5.6.1
Requirement: A network security policy in line with the Network Transmission Security Assurance Framework (NTSAF) has been developed and documented to guide network administrators in achieving the appropriate level of security
Evidence: Network security policy and guidelines in line with NTSAF have been documented and approved. Network administrators are aware of and follow these documents
Status: Choose

5.6.2
Requirement: Processes to periodically review and test firewall rules and associated network architectures have been developed and implemented to ensure the expected level of network perimeter security is maintained
Evidence: Firewall rule and associated network architecture testing processes are documented. Agency records document tests, their results and any corrective action taken
Status: Choose
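Requirement 5.6.2 asks for periodic review of firewall rules but says nothing about what a review looks for. The following Python script is an added example, not part of this checklist or of any agency tool: it audits an ordered rule list for three findings a reviewer routinely raises: an allow-any rule that nullifies the perimeter, a management port (SSH, Telnet, RDP, VNC) reachable from any source, and a rule shadowed by an earlier one so that it can never match. The Rule format, first-match evaluation, the management-port list and the five sample rules are all constructed assumptions; a real review would load rules exported from the firewall.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    """One firewall rule. Assumed format: rules are evaluated top to bottom, first match wins."""
    name: str
    action: str            # "allow" or "deny"
    src: str               # source CIDR; "0.0.0.0/0" means any
    dst: str               # destination CIDR; "0.0.0.0/0" means any
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # destination port; None means any port


ANY_NET = ipaddress.ip_network("0.0.0.0/0")
# Ports a reviewer would not expect to see open to arbitrary sources (assumed list).
MGMT_PORTS = {22, 23, 3389, 5900}


def covers(outer: Rule, inner: Rule) -> bool:
    """True when every packet matched by `inner` is also matched by `outer`."""
    if not ipaddress.ip_network(inner.src).subnet_of(ipaddress.ip_network(outer.src)):
        return False
    if not ipaddress.ip_network(inner.dst).subnet_of(ipaddress.ip_network(outer.dst)):
        return False
    if outer.proto != "any" and outer.proto != inner.proto:
        return False
    if outer.dport is not None and outer.dport != inner.dport:
        return False
    return True


def audit(rules: List[Rule]) -> List[str]:
    """Return human-readable findings, in rule order."""
    findings: List[str] = []
    for i, rule in enumerate(rules):
        src_any = ipaddress.ip_network(rule.src) == ANY_NET
        dst_any = ipaddress.ip_network(rule.dst) == ANY_NET
        if rule.action == "allow" and src_any and dst_any and rule.proto == "any" and rule.dport is None:
            findings.append(f"{rule.name}: allow any/any, the perimeter is effectively open")
        if rule.action == "allow" and src_any and rule.dport in MGMT_PORTS:
            findings.append(f"{rule.name}: management port {rule.dport} reachable from any source")
        # First-match semantics: a rule fully covered by an earlier rule never fires.
        for earlier in rules[:i]:
            if covers(earlier, rule):
                kind = "conflicting" if earlier.action != rule.action else "same"
                findings.append(f"{rule.name}: shadowed by {earlier.name} ({kind} action), never matches")
                break
    return findings


# Constructed sample rule set, not taken from any real agency firewall.
SAMPLE_RULES = [
    Rule("R1", "allow", "10.0.0.0/8", "10.1.0.0/16", "tcp", 443),
    Rule("R2", "allow", "0.0.0.0/0", "10.1.0.10/32", "tcp", 22),
    Rule("R3", "deny", "10.2.0.0/16", "10.1.0.0/16", "tcp", 443),
    Rule("R4", "allow", "0.0.0.0/0", "0.0.0.0/0", "any", None),
    Rule("R5", "allow", "192.168.1.0/24", "10.1.0.0/16", "udp", 53),
]

if __name__ == "__main__":
    for line in audit(SAMPLE_RULES):
        print(line)
```

The shadowing check is the one that matters most for the "expected level of perimeter security" wording in 5.6.2: R3 was written to deny a subnet, but because R1 already allows the whole /8 above it, the deny never takes effect and the firewall does not warn about it. Each finding, the date of the review and the corrective change made are the records the evidence column asks for.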
5.6.3
Requirement: Processes must be established to periodically review and update current network security design, configuration, vulnerability and integrity checking to ensure network level security controls are appropriate and effective
Evidence: Processes for reviewing and updating network security design, configuration, vulnerability and integrity are documented. Agency records demonstrate that periodic network security checks, reviews and updates are occurring
Status: Choose

5.6.4
Requirement: A policy on scanning has been developed to ensure that traffic entering and leaving the agency network is appropriately scanned for malicious or unauthorised content
Evidence: A policy on scanning has been documented and approved. Supporting processes to ensure adherence to the policy have also been developed
Status: Choose

5.6.5
Requirement: Processes relating to IT change management (including maintenance of network systems) and configuration management processes are established and updated as required
Evidence: Approved IT change management processes address network security and configuration management. Agency records indicate that network security configuration is updated regularly
Status: Choose

5.7 Media handling

5.7.1
Requirement: Media handling procedures must be in line with the requirements of the QGISCF
Evidence: Media handling procedures have been documented and implemented. All the requirements of the QGISCF have been documented within these procedures
Status: Choose

5.8 Information exchange

5.8.1
Requirement: The Network Transmission Security Assurance Framework (NTSAF) has been implemented to ensure the security of data during transportation over communication networks
Evidence: Network security policy and guidelines in line with NTSAF have been documented and approved. Network administrators are aware of and follow these documents
Status: Choose

5.8.2
Requirement: Methods for exchanging information within the agency, between agencies, through online services, and/or with third parties are compliant with legislative requirements
Evidence: Approved agency information security policy documents the relevant legislative requirements to be complied with
Status: Choose

5.8.3
Requirement: Methods for exchanging information within the agency, between agencies, through online services, and/or with third parties are consistent with the Queensland Government Information Security Classification Framework (QGISCF)
Evidence: Agency information exchange controls are consistent with those specified in the QGISCF and, in the case of national security information, national arrangements
Status: Choose

5.8.4
Requirement: Methods for exchanging information within the agency, between agencies, through online services, and/or with third parties are consistent with the Network Transmission Security Assurance Framework (NTSAF)
Evidence: Agency information exchange controls are consistent with those specified in the NTSAF
Status: Choose

5.8.5
Requirement: The type and level of encryption must be authorised and compliant with the requirements of the QGISCF and NTSAF
Evidence: Appropriate authorisation has been obtained and documented for the type and level of encryption used within the agency. The type and level of encryption is consistent with those specified in the QGISCF and NTSAF
Status: Choose

5.8.6
Requirement: All information exchanges over public networks, including all online or publicly available transactions/systems, must be authorised either directly or through clear policy
Evidence: Appropriate authorisation for information exchanges can be documented (either within existing policies or in separate documentation)
Status: Choose

5.8.7
Requirement: A policy to control email has been developed, implemented and endorsed
Evidence: A policy to control email has been approved by the relevant senior executive/governance body and has been implemented within the agency
Status: Choose

5.9 e-commerce

5.9.1
Requirement: All critical online services must have penetration testing performed periodically
Evidence: Details of penetration testing have been documented, including what critical online services have been tested, when the testing has occurred, when the next test is due and the test results
Status: Choose

5.9.2
Requirement: Policies and controls have been developed to manage all aspects of online and internet activities including anonymity/privacy, data confidentiality, use of cookies, applications/plug-ins, types of language used, practices for downloading executables, web server security configuration, auditing, access controls and encryption
Evidence: Policies and controls exist to manage all aspects of online and internet activities, and have been endorsed by the relevant senior executive/governance body. The policies and controls have also been implemented within the agency
Status: Choose

5.10 Information processing monitoring

5.10.1
Requirement: Comprehensive operator and audit/fault logs must be implemented
Evidence: Details of operator and audit/fault logs have been documented, including what events are logged, when and by whom logs are reviewed and monitored, where and for how long the logs are stored, and whether the logs are adequately protected
Status: Choose

5.10.2
Requirement: All ICT assets must be synchronised to a trusted time source that is visible and common to all
Evidence: All ICT assets are synchronised to a visible, common time source
Status: Choose

Number of Requirements: 30
Total "Fully Compliant": 0
Total "Substantially Compliant": 0
Total "Partially Compliant": 0
Total "Not Compliant": 0
Total "Exception Granted": 0
Total "Not Applicable": 0
Worksheet completion status: Incomplete
Overall Full, Substantial and Partial principle alignment: 0.00%
Overall Full principle alignment: 0.00%

Agency signoff: [Name], [Position], [Unit], [Department]
Comments (eg risk of non-compliance):
Principle 6 - Access Management

Columns: # | Requirement | Example evidence of compliance | Status
Source*: IS18 MC

6.1 Access control policy

6.1.1
Requirement: Control mechanisms based on business owner requirements and assessed/accepted risks for controlling access to all information assets and ICT assets have been established
Evidence: Access control policy
Status: Choose

6.1.2
Requirement: Access control rules are consistent with business requirements
Evidence: Approved access control policy refers to the agency's specific business requirements
Status: Choose

6.1.3
Requirement: Access control rules are consistent with information classification
Evidence: Approved access controls as documented in the agency policy are consistent with the QGISCF and, where applicable, national arrangements
Status: Choose

6.1.4
Requirement: Access control rules are consistent with legislative obligations
Evidence: Approved access control policy documents legal obligations
Status: Choose

6.2 Authentication

6.2.1
Requirement: Authentication requirements, including online transactions and services, have been assessed against the Queensland Government Authentication Framework (QGAF)
Evidence: Agency records indicate that all authentication requirements have been assessed against the QGAF. Business requirements for all online transactions and services include consistency with the QGAF. Agency records indicate that online transactions and services have been assessed against the QGAF
Status: Choose

6.2.2
Requirement: All authentication of users external to the agency must be implemented in compliance with the QGAF
Evidence: Agency records indicate that all authentication of users external to the agency has been assessed against the QGAF
Status: Choose

6.3 User access

6.3.1
Requirement: Access to information systems requires specific authorisation
Evidence: Agency information systems cannot be accessed without specific authorisation. Agency records that may indicate evidence of compliance include completed system access request forms for all users
Status: Choose

6.3.2
Requirement: Each user has been assigned an individually unique personal identification code and a secure means of authentication
Evidence: Agency records indicate that each user is issued a unique personal identification code and a secure means of authentication
Status: Choose

6.4 User responsibilities

NO MANDATORY CLAUSES

6.5 Network access

6.5.1
Requirement: Control measures have been implemented to detect and regularly log, monitor and review information systems and network access and use, including all significant security relevant events
Evidence: Agency records indicate that system and network access and use is logged, monitored and reviewed. Events are recorded
Status: Choose

6.5.2
Requirement: Authorisation must be obtained and documented for access (including new connections) to agency networks
Evidence: Agency records indicate that authorisation has been obtained and documented for new and existing access to networks
Status: Choose

6.5.3
Requirement: All wireless communications have appropriately configured product security features and afford at least the equivalent level of security of wired communications
Evidence: Agency records (e.g. configuration documentation, tests) indicate that wireless communications are secured to at least the level of agency wired communications
Status: Choose

6.5.4
Requirement: Security risks associated with use of ICT facilities and devices (including non-government equipment) such as mobile telephony, personal storage devices and internet and email have been assessed prior to connection and appropriate controls implemented
Evidence: Agency records indicate that a risk assessment has been performed for all ICT facilities and devices (including non-government equipment) prior to connection. Records also indicate that appropriate controls have been implemented based on this risk assessment
Status: Choose

6.6 Operating system access

6.6.1
Requirement: Policies and/or procedures for user registration, authentication management, access rights and privileges are defined, documented and implemented for all ICT assets
Evidence: Agency has documented and approved access controls for operating systems that cover user registration, authentication and user responsibilities. Access to operating systems is conducted in compliance with these controls
Status: Choose

6.7 Application and information access

6.7.1
Requirement: Restricted access and authorised use only warnings are displayed upon access to all systems
Evidence: Agency systems cannot be accessed until restricted access and authorised use only warnings are displayed on the screen and accepted by the user
Status: Choose

6.7.2
Requirement: Access to all confidential/sensitive systems must only be allowed after authorised approval
Evidence: Confidential/sensitive systems cannot be accessed unless appropriate approval has been given by those authorised within the agency to do so
Status: Choose

6.8 Mobile computing and telework access

6.8.1
Requirement: Risk assessments have been conducted for mobile technologies and teleworking facilities
Evidence: Agency records indicate that mobile technologies and teleworking facilities are not introduced unless a risk assessment has been performed
Status: Choose

6.8.2
Requirement: Processes have been established for mobile technologies and teleworking facilities
Evidence: Agency has documented and approved processes for mobile technologies and teleworking facilities
Status: Choose

Number of Requirements: 17
Total "Fully Compliant": 0
Total "Substantially Compliant": 0
Total "Partially Compliant": 0
Total "Not Compliant": 0
Total "Exception Granted": 0
Total "Not Applicable": 0
Worksheet completion status: Incomplete
Overall Full, Substantial and Partial principle alignment: 0.00%
Overall Full principle alignment: 0.00%

Agency signoff: [Name], [Position], [Unit], [Department]
Comments (eg risk of non-compliance):
Principle 7 - System Acquisition, Development and Maintenance

Columns: # | Requirement | Example evidence of compliance | Status | Comments (eg risk of non-compliance)
Source*: IS18 MC

7.1 System security requirements

7.1.1
Requirement: Security controls are commensurate with the security classifications of the information contained within, or passing across, information systems, network infrastructures and applications
Evidence: Agency system security controls are commensurate with the highest level of security classification of the information stored in and passing through the system
Status: Choose

7.1.2
Requirement: Security requirements are addressed in the specifications, analysis and/or design phases
Evidence: Business requirements for all systems include information security requirements
Status: Choose

7.1.3
Requirement: Internal and/or external audit have been consulted when implementing new or significant changes to financial or critical business information systems
Evidence: Records of audit results are documented for new or significant changes to financial or critical business information systems
Status: Choose

7.1.4
Requirement: Security controls have been established during all stages of system development, as well as when new systems are implemented and maintained in the operational environment
Evidence: Documented system security controls address the acquisition, development and maintenance stages
Status: Choose

7.1.5
Requirement: Appropriate change control, acceptance and system testing, planning and migration control measures have been carried out when upgrading or installing software in the operational environment
Evidence: Agency records document that change control, acceptance and system testing, planning and migration control measures have been taken when upgrading or installing software
Status: Choose

7.1.6
Requirement: Accurate records must be maintained to show traceability from original business requirements to actual configuration and implementation, including appropriate justification and authorisation
Evidence: Records of traceability from original business requirements to actual configuration and implementation are documented (including authorisation)
Status: Choose

7.2 Correct processing

7.2.1
Requirement: Access controls have been identified and implemented, including access restrictions and segregation/isolation of systems, across all infrastructure, business and user developed applications
Evidence: Records of the identified access controls and their implementation are documented
Status: Choose

7.3 Cryptographic controls

7.3.1
Requirement: Authentication processes are consistent with the requirements of the Queensland Government Authentication Framework (QGAF)
Evidence: Authentication processes are consistent with the QGAF
Status: Choose

7.3.2
Requirement: Cryptographic controls are consistent with those of the Queensland Government Network Transmission Security Assurance Framework (NTSAF)
Evidence: Agency records document cryptographic controls in line with NTSAF requirements
Status: Choose

7.4 System files

7.4.1
Requirement: Access to system files is controlled to ensure the integrity of business systems, applications and data
Evidence: Access controls for system files are documented
Status: Choose

7.5 Secure development and support processes

7.5.1
Requirement: Processes (including data validity checks, audit trails and activity logging) have been established in applications to ensure development and support processes do not compromise the security of applications, systems or infrastructure
Evidence: Records of the processes for secure development have been documented
Status: Choose

7.5.2
Requirement: Audit logs are maintained in accordance with the 'Queensland Government Information Security Controls Standard'
Evidence: Audit logs for UNCLASSIFIED and security classified information meet the specifications set out in the 'Queensland Government Information Security Controls Standard'. Administrator rights to audit logs follow the specifications set out in the same standard
Status: Choose

7.6 Technical vulnerability management

7.6.1
Requirement: Processes to manage software vulnerability risks for all IT security infrastructure have been developed and implemented
Evidence: Existence of an audit log for all technical vulnerability procedures undertaken
Status: Choose

7.6.2
Requirement: A patch management program for the operating systems, firmware and applications of all ICT assets must be implemented to maintain vendor support, increase stability and reduce the likelihood of vulnerabilities being exploited
Evidence: Patch management program is implemented and documented, including any tests that are carried out
Status: Choose
Number of Requirements: 14
Total "Fully Compliant": 0
Total "Substantially Compliant": 0
Total "Partially Compliant": 0
Total "Not Compliant": 0
Total "Exception Granted": 0
Total "Not Applicable": 0
Worksheet completion status: Incomplete
Overall Full, Substantial and Partial principle alignment: 0.00%
Overall Full principle alignment: 0.00%

Agency signoff: [Name], [Position], [Unit], [Department]

Principle 8 - Incident Management

Columns: # | Requirement | Example evidence of compliance | Status
Source*: IS18 MC

8.1 Event/weakness reporting

8.1.1
Requirement: All information security incidents have been reported and escalated through appropriate management channels
Evidence: Copies of information security incident reports. Receipt of incident reports by relevant management channels
Status: Choose

8.1.2
Requirement: All information security incidents have been reported to appropriate authorities where applicable
Evidence: Agency records indicate that information security incidents are reported to appropriate authorities (e.g. police) where applicable
Status: Choose

8.1.3
Requirement: Responsibilities and procedures have been communicated to all employees, including contractors and third parties, for the timely reporting of information security events and incidents, including breaches, threats and security weaknesses
Evidence: Training attendance records, or documents signed by all employees, contractors and third parties, that document that they understand their responsibilities to report events/weaknesses and incidents
Status: Choose

8.2 Incident procedures

8.2.1
Requirement: Information security incident management procedures have been established to ensure appropriate responses in the event of information security incidents, breaches or system failures
Evidence: Agency information security incident management procedures have been documented and cover the review of and response to incidents
Status: Choose

8.2.2
Requirement: All information security incidents caused by employees have been investigated
Evidence: Records of information security incident reports and corresponding investigations
Status: Choose

8.2.3
Requirement: Where a deliberate information security violation or breach has occurred, formal disciplinary processes have been applied
Evidence: Disciplinary processes for deliberate violations or breaches of information security policy have been approved by the senior executive management group/CEO. Where these incidents have occurred, agency records demonstrate that these processes have been applied
Status: Choose

8.2.4
Requirement: An information security incident and response register has been established and maintained. All incidents have been recorded within this register
Evidence: Existence of a current agency information security incident and response register
Status: Choose

8.2.6
Requirement: Information security incidents have been submitted quarterly to the Queensland Government Chief Information Office (QGCIO) in line with the IS18 reporting requirements
Evidence: Reports have been submitted via the qgisvrt@qld.gov.au email address
Status: Choose

Number of Requirements: 8
Total "Fully Compliant": 0
Total "Substantially Compliant": 0
Total "Partially Compliant": 0
Total "Not Compliant": 0
Total "Exception Granted": 0
Total "Not Applicable": 0
Worksheet completion status: Incomplete
Overall Full, Substantial and Partial principle alignment: 0.00%
Overall Full principle alignment: 0.00%

Agency signoff: [Name], [Position], [Unit], [Department]
Comments (eg risk of non-compliance):
Principle 9 - Business continuity management

Columns: # | Requirement | Example evidence of compliance | Status
Source*: IS18 MC

9.1 Business continuity

9.1.1
Requirement: Business continuity plans have been established to enable information and ICT assets to be restored or recovered in the event of a major security failure
Evidence: Approved agency business continuity plan
Status: Choose

9.1.2
Requirement: Business continuity processes have been established to enable information and ICT assets to be restored or recovered in the event of a major security failure
Evidence: Processes that enable the information environment to be restored or recovered in the event of a major information security failure have been approved
Status: Choose

9.1.3
Requirement: Business continuity processes have been established to assess the risk and impact of the loss of information and ICT assets in the event of a security failure
Evidence: Business continuity risk and impact assessment processes have been approved. Agency records indicate that these assessments are made, and inform the development of the agency's business continuity plan
Status: Choose

9.1.4
Requirement: Methods have been developed to reduce known risks to information and ICT assets
Evidence: Existence of a risk register that documents how known risks will be managed
Status: Choose

9.1.5
Requirement: Business continuity plans have been maintained and tested to ensure information and ICT assets are available and consistent with agency business and service level requirements
Evidence: Business continuity plan is regularly updated. Business continuity tests are conducted and any weaknesses identified as a result are addressed
Status: Choose

9.1.6
Requirement: A business impact analysis has been undertaken
Evidence: Records show that a business impact analysis has been undertaken, and the results have been used to reduce risks
Status: Choose

9.1.7
Requirement: All critical business processes and associated information and ICT assets have been identified and prioritised
Evidence: Records show that all critical business processes and associated assets have been identified, prioritised and documented
Status: Choose

9.2 ICT disaster recovery

9.2.1
Requirement: An information and ICT asset disaster recovery register has been established to assess and classify systems to determine their criticality
Evidence: Existence of a disaster recovery register
Status: Choose

9.2.2
Requirement: An ICT disaster recovery plan has been established to enable information and ICT assets to be restored or recovered in the event of a disaster
Evidence: Approved disaster recovery plan
Status: Choose

9.2.3
Requirement: ICT disaster recovery processes have been established to enable information and ICT assets to be restored or recovered in the event of a disaster
Evidence: Processes that enable the information environment to be restored or recovered in the event of a disaster have been approved
Status: Choose

9.2.4
Requirement: ICT disaster recovery processes have been established to assess the risk and impact of the loss of information and ICT assets in the event of a disaster
Evidence: Disaster recovery risk and impact assessment processes have been approved. Agency records indicate that these assessments are made, and inform the development of the agency's disaster recovery plan
Status: Choose

9.2.5
Requirement: Methods have been developed to reduce known risks to information and ICT assets
Evidence: Existence of a risk register that documents how known risks will be managed
Status: Choose

9.2.6
Requirement: An ICT disaster recovery plan has been maintained and tested to ensure information and ICT assets are available and consistent with agency business and service level requirements
Evidence: Disaster recovery plan is regularly updated. Disaster recovery tests are conducted and any weaknesses identified as a result are addressed
Status: Choose

9.2.7
Requirement: ICT disaster recovery plans must have clearly defined maximum acceptable downtimes
Evidence: Clearly defined maximum acceptable downtimes are documented within ICT disaster recovery plans
Status: Choose

9.2.8
Requirement: Maximum acceptable downtimes for ICT services must also be defined in service and operational level agreements with external parties
Evidence: Maximum acceptable downtimes for ICT services are documented in all service and operational level agreements with external parties
Status: Choose

9.2.9
Requirement: Copies of ICT disaster recovery plans must be stored in multiple locations, including at least one location offsite
Evidence: Copies of ICT disaster recovery plans can be located in multiple locations, including at least one offsite location
Status: Choose
Number of Requirements: 16
Total "Fully Compliant": 0
Total "Substantially Compliant": 0
Total "Partially Compliant": 0
Total "Not Compliant": 0
Total "Exception Granted": 0
Total "Not Applicable": 0
Worksheet completion status: Incomplete
Overall Full, Substantial and Partial principle alignment: 0.00%
Overall Full principle alignment: 0.00%

Agency signoff: [Name], [Position], [Unit], [Department]
Comments (eg risk of non-compliance):
Principle 10 - Compliance Management

Columns: # | Requirement | Example evidence of compliance | Status
Source*: IS18 MC

10.1 Legal requirements

10.1.1
Requirement: All legislative obligations relating to information security have been complied with and managed appropriately
Evidence: Agency has identified and documented all its legal obligations relating to information security and its response to these
Status: Choose

10.1.2
Requirement: All information security policies have been reviewed for legislative compliance on a regular basis
Evidence: A list of applicable legislation has been developed and is cross referenced against all information security policies on a regular basis (including when changes to legislation occur)
Status: Choose

10.1.3
Requirement: The results of compliance reviews against information security policies have been reported to appropriate agency management
Evidence: Agency management has signed off on the compliance review
Status: Choose

10.1.4
Requirement: All information security processes have been reviewed for legislative compliance on a regular basis
Evidence: A list of applicable legislation has been developed and is cross referenced against all information security processes on a regular basis (including when changes to legislation occur)
Status: Choose

10.1.5
Requirement: The results of compliance reviews against information security processes have been reported to appropriate agency management
Evidence: Agency management has signed off on the compliance review
Status: Choose

10.1.6
Requirement: All information security requirements (including contracts with third parties) have been reviewed for legislative compliance on a regular basis
Evidence: A list of applicable legislation has been developed and is cross referenced against all information security requirements (including contracts with third parties) on a regular basis (including when changes to legislation occur)
Status: Choose

10.1.7
Requirement: The results of compliance reviews against all information security requirements (including contracts with third parties) have been reported to appropriate agency management
Evidence: Agency management has signed off on the compliance review
Status: Choose

10.1.8
Requirement: Processes to ensure legislative compliance across all agency activities have been developed and implemented
Evidence: Agency has identified and documented processes for assessing compliance against its information security related legal obligations. Agency records indicate that these processes are being conducted
Status: Choose

10.2 Policy requirements


10.2.1
Requirement: All reporting obligations relating to information security have been complied with and managed appropriately
Example evidence: Agency has identified all reporting obligations and has documented compliance and management
Status: Choose

10.2.2
Requirement: This Information Security Compliance Checklist is submitted annually to the ICT Policy and Coordination Office in line with the IS18 reporting requirements
Example evidence: Completed information security compliance checklist submitted annually to the ICT Policy and Coordination Office
Status: Choose

10.3 Audit requirements

10.3.1
Requirement: All reasonable steps have been taken to monitor, review and audit agency information security compliance
Example evidence: Examples include: completed IS18 component of the QGEA self-assessment alignment report; completed internal and external audit against legal and policy requirements; completed information security maturity assessment; accreditation with appropriate standards or industry bodies
Status: Choose

10.3.2
Requirement: All reasonable steps have been taken to ensure the assignment of appropriate security roles
Example evidence: Employees with information security roles and responsibilities have signed a document stating that they understand their roles and responsibilities
Status: Choose

10.3.3
Requirement: All reasonable steps have been taken to ensure the engagement of internal and/or external auditors and specialist organisations where required
Example evidence: Examples include: completed IS18 component of the QGEA self-assessment alignment report; completed internal and external audit against legal and policy requirements; completed information security maturity assessment; accreditation with appropriate standard
Status: Choose

* IS18 - Information Standard 18, Information Security; MC - Information Security Policy - Mandatory Clause

Number of Requirements 13

Total "Fully Compliant" 0

Total "Substantially Compliant" 0

Total "Partially Compliant" 0

Total "Not Compliant" 0


Total "Exception Granted" 0

Total "Not Applicable" 0

Worksheet completion status Incomplete

Overall Full, Substantial and Partial principle alignment 0.00%

Overall Full principle alignment 0.00%

Agency signoff:

[Name], [Position], [Unit], [Department]


Comments (eg risk of non-compliance)

Total IS18 alignment scores

IS18 principle   Full, substantial and partial   Full

Principle 1 alignment 0.00% 0.00%

Principle 2 alignment 0.00% 0.00%

Principle 3 alignment 0.00% 0.00%

Principle 4 alignment 0.00% 0.00%

Principle 5 alignment 0.00% 0.00%

Principle 6 alignment 0.00% 0.00%

Principle 7 alignment 0.00% 0.00%

Principle 8 alignment 0.00% 0.00%

Principle 9 alignment 0.00% 0.00%

Principle 10 alignment 0.00% 0.00%

OVERALL IS18 ALIGNMENT 0.00% 0.00%


Policy statement

Adopted (fully compliant)
The information standard policy statement has been incorporated into the agency's policy framework or enterprise architec
agency, but could be:
- formal noting of the Information Standard policy statement by the agency's Information Steering Committee
- including or referencing the policy in the agency's internal policies architecture documents
- including the policy in strategy documents or project gate keeping processes.

Adopted (risk exempt)
The agency has:
- plans in place to address all aspects of the information standard.

Not adopted (non-compliant)
The agency has:
- chosen to adopt a different policy or requirements than those outlined in the information standard or QGEA policy OR
- not developed plans to address the policy and requirements contained within a given information standard or QGEA polic

Mandatory principles

Fully compliant
- Meets all aspects of the mandatory principle or policy requirement.
- Implementation has occurred throughout the entire department.

Substantially compliant
Most aspects of the mandatory principle or policy requirement have been met.
- Significant implementation has occurred for all business critical elements (systems/services/assets/domains/risks etc.) an

Partially compliant
Many aspects of the mandatory principle or policy requirement have been met.
- Implementation has occurred across many business units of the department.

Not compliant
Limited or no aspects of the mandatory principle or policy requirement have been met.
- Implementation has not occurred or is ad-hoc.

Exception granted
An official exception to the mandatory principle or policy requirement has been approved through the QGEA governance
- Due to legislative requirements exceptions cannot be granted for Information standard 31: Retention and disposal of pub
- Where departments self-assess as an exception granted without formal approval, the department will be deemed not co

Not applicable
A not applicable should only be used when the policy (or information standard) excludes the department.
- A not applicable cannot be used where the department is consuming a third party service, as the department is responsi
- All uses of not applicable need to be justified within the comments column of the self-assessment workbook.
- Where departments incorrectly self-assess as not applicable, the department will be deemed as not compliant.

Top 4
Questions related to the Defence Signals Directorate top 4 have been included in the IS 18 self assessment to gain visibili
It is also worth noting that the Top 4 Strategies are now mandatory for Australian Government agencies and understandin

Application whitelisting
- little execution control: application execution control is limited, for example the main control is limited to antivirus
- moderately effective control: some form of application execution control beyond antivirus is in place, however this control is less effective
controls.
- enforced application whitelisting: application whitelisting is enforced and additions to the list are performed in a controlled manner consistent

An agency is considered to be fully compliant with QGEA artefacts when it implements and maintains the necessary administrative controls to meet QGEA principles, policies, requirements (in the form of Information Standards and QGEA policies) and targets (in the form of QGEA positions).
