The Queensland Government Information Security Classification Framework

Image of Queensland Parliament courtesy of Kgbo - Own work, CC BY-SA 4.0

The Queensland Government Information Security Classification Framework (QGISCF) supports the Information security policy (IS18:2018). The third requirement of this policy states that “Departments must meet minimum security requirements” and that they must comply with the QGISCF, wherein agencies “should classify their information and assets according to business impact and implement appropriate controls according to the classification.”

The use of security classification labels (protective markings) as an effective means to maintain data confidentiality and prevent data leakage is well established in national government circles, especially when dealing with hardcopy material. These same principles can also be applied to electronic information.

PROTECTIVE MARKINGS IN USE IN QUEENSLAND

The QGISCF discusses classification from three dimensions of information security – integrity, availability and confidentiality. Classification regarding confidentiality is to be considered in relation to the increasing business impact if the information were to be compromised or shared inappropriately at three levels of:

OFFICIAL – low or negligible confidentiality impact
SENSITIVE – moderate confidentiality impact
PROTECTED – high confidentiality impact

The QGISCF mandates that agencies label (protectively mark) all new information with a moderate to high confidentiality impact (higher than OFFICIAL) and that they should apply labels to all information to signify confidentiality levels.

For agencies that deal with National Security Information that is above PROTECTED, then the framework integrates into the broader Australian Government approach to allow interoperability.

Protective Marking	Description
OFFICIAL	OFFICIAL information is routine information without special sensitivity or handling requirements. All routine public-sector business, operations and services is treated as OFFICIAL. At the OFFICIAL classification there is a general presumption that data may be shared across government. Security measures should be proportionate and driven by the business requirement.
SENSITIVE	The use of SENSITIVE indicates that information requires additional handling care due to its sensitivity or moderate business impact if compromised or lost. Examples of SENSITIVE information may include: government or agency business, whose compromise could affect the government’s capacity to make decisions or operate, the public’s confidence in government, the stability of the market place and so on commercial interests, whose compromise could significantly affect the competitive process and provide the opportunity for unfair advantage legal professional privilege law enforcement operations whose compromise could adversely affect crime prevention strategies, particular investigations or adversely affect personal safety personal information, which is required to be safeguarded under the Information Privacy Act 2009, or other legislation.
PROTECTED	PROTECTED information requires the most careful safeguards due to its sensitivity or major business impact if compromised or lost. PROTECTED information assets require a substantial degree of control as compromise could cause serious damage to the State, the Government, commercial entities or members of the public. For instance, compromise could: endanger individuals’ lives and private entities work substantially against government finances or economic and commercial interests substantially undermine the financial viability of major organisations and/or impede the investigation or facilitate the commission of serious crime information passed by other governments that is marked PROTECTED.

Appendix G of QGISCF also allows the use of optional descriptors added to the protective marking to support specific business requirements and the compartmentalisation of the information. But such descriptors might not be understood outside of the organization and therefore the information may not be handled and protected in the required manner.

Queensland Cabinet information is treated as PROTECTED, but should also be marked with Cabinet-in-Confidence. Janusnet advises that this Cabinet-in-Confidence marking be implemented as a special-handling caveat to be consistent with the notion used at the Federal Government level.

Click here for further information about Compliance with the Queensland Government Information Security Classification Framework.

If you would like to discuss how Janusnet can help you comply with QGISCF compliance standards, please contact us or to obtain a fully working Janusseal evaluation with QGISCF configuration, please complete the form below: