Protective security governance guidelines

Transcription

1 Protective security governance guidelines Business impact levels Approved November 2014 Amended April 2015 Version 2.1

2 Commonwealth of Australia 2013 All material presented in this publication is provided under a Creative Commons Attribution 3.0 Australia licence ( For the avoidance of doubt, this means this licence only applies to material as set out in this document. The details of the relevant licence conditions are available on the Creative Commons website as is the full legal code for the CC BY 3.0 AU licence ( Use of the Coat of Arms The terms under which the Coat of Arms can be used are detailed on the It's an Honour website ( Contact us Enquiries regarding the licence and any use of this document are welcome at: Commercial and Administrative Law Branch Attorney-General s Department 3 5 National Cct BARTON ACT 2600 Call: copyright@ag.gov.au Document details Security classification Dissemination limiting marking Date of security classification review Authority Author Unclassified Publicly available Not applicable Protective Security Policy Committee Attorney-General s Department Document status Version 2.0 approved 1 November 2014 Replaces Version 1.1 Approved 21 June 2011 amended October 2013 Amended April 2015

3 Contents 1. Introduction Purpose Audience Scope Use of specific terms in these guidelines Background Why the guidelines were developed Relationship to other documents How the guidelines are structured Using business impact levels Impacts to confidentiality and security classifications Terminology Benefit to agency collaboration Relationship to security risk management... 4 Annex A: Australian Government business impact levels guidance... 5

4 Amendments No. Date Location Amendment 1. April 2015 Throughout Update PSPF hyperlinks 2. 3.

5 1. Introduction 1.1 Purpose 1. The Australian Government protective security governance guidelines Business impact levels provide guidance to agencies so they can apply a consistent approach to assessing business impact from an Australian Government perspective. The guidelines give clear, understandable definitions of business impact and examples of the types of impacts to the Australian Government. 1.2 Audience 2. These guidelines are aimed at those within the Australian Government who are responsible for defining the business impact levels (BILs) for government assets, including information and ICT systems. 1.3 Scope 3. These guidelines relate to protective security within the Australian Government Use of specific terms in these guidelines 4. In these guidelines the terms: should refers to better practice; agencies are expected to apply better practice unless there is a reason based on their risk assessment to apply alternative controls. National interest a matter which has or could have impact on Australia, including: national security international relations law and governance, including: inter-state/ territory relations law enforcement operations where compromise could hamper or prevent national crime prevention strategies or investigations, or endanger personal safety economic wellbeing heritage or culture. 5. For details on policy exceptions see the Australian Government information security management protocol.

6 2. Background 2.1 Why the guidelines were developed 6. Without a broadly consistent impact assessment tool, agencies will not be able to effectively share the implications of a particular information risk with their business partners. With such a tool it becomes possible to communicate in a manner that allows the collaborative management of information risks. 7. Furthermore, automating the processes for managing risk is not straightforward if the impact is not commonly understood. 8. Collaborating agencies need more clarity over the controls that apply in their relationships. 9. With the increased significance of collaboration it is becoming more important to be able to share the implications of a risk about the potential business impact. Agencies need to do so in a manner that is generally understood. There is no commonly agreed method available to communicate, with enough detail, the impact of information risk on agencies. 10. The Australian Government needs reasonably consistent and scalable BILs that would be associated with assets of different sensitivity, suitable asset controls, and trust levels. 2.2 Relationship to other documents 11. The Attorney-General s Department issues the guidelines, in support of mandatory requirements and protocols named in the Protective Security Policy Framework (PSPF). All publicly available PSPF documents are listed in the PSPF Document Map. 2.3 How the guidelines are structured 12. These guidelines explain the purpose of BILs and describe their use. They include Annex A: Australian Government business impact levels guidance.

7 3. Using business impact levels 13. The table at Annex A: Australian Government business impact levels guidance provides a framework that allows agencies to assess the BILs for compromises to the confidentiality, integrity or availability of individual or aggregated information, ICT systems and assets. 14. The BILs scale ranges from 1 (Low/Medium) impact to 5 (Catastrophic) impact. 15. The business impacts of a loss of confidentiality, integrity and availability should be assessed separately for any given asset or aggregation of assets. 16. The highest impact from the compromise of confidentiality, integrity or availability should be the BIL assigned to a resource or aggregation of resources. 3.1 Impacts to confidentiality and security classifications 17. Where a security classification is applied to an asset there is an indicative correlation that should be considered when classifying or categorising. The security classifications of PROTECTED, CONFIDENTIAL, SECRET and TOP SECRET directly match to business impact levels 2, 3, 4, and 5 respectively for confidentiality of individual documents or files. 18. It is not the case that an aggregation of assets with a business impact level of 4 for confidentiality necessarily will be marked individually at SECRET. The Australian Government information security management guidelines Management of aggregated information, provides further guidance on managing data aggregation. 19. While the protective markings of PROTECTED, CONFIDENTIAL, SECRET and TOP SECRET relate to confidentiality, there is no equivalent set of protective markings for integrity or availability. 3.2 Terminology 20. Many BILs examples come with a descriptive adjective, for example minor or major. They are simply portraying a level of importance to the impact in a particular government business environment. 21. There are some relative terms used within the table and their use is not precisely defined; rather it is apt to the business function in question. For example, medium term in one case may mean two to five days, but in another case may mean up to three years. Agencies should consider these terms in the context of the operation requirements. 3.3 Benefit to agency collaboration 22. BILs will vary greatly between agencies, based on their functions and size.

8 23. One important difference to understand with BILs is that they do not measure the size of the risk event; a given information risk would not necessarily have the same business impact on each party in a collaboration. The ability to clearly communicate the potential impact on both parties facilitates proper negotiation between them over the risk controls or mitigation measures that should be employed. 24. Similarly, the financial implications of an event will not always be the same for each agency. Losing $10,000 would have a very different effect on a small agency than it would on a large department. It is important to ensure the BIL used tells the true implications of a risk event for each agency. 3.4 Relationship to security risk management 25. The successful exploitation of a vulnerability by a threat vector will have an impact on an asset s availability, confidentiality or integrity. 26. These BILs provide agencies with a common understanding of the resulting consequences for the National interest, organisations and the individuals, to aid them in performing effective risk assessments and analysis. 27. Agencies should consider all threat sources and potential consequences on an asset before determining the overall business impact from the asset s compromise or loss for example, the impact on national security from harm to an individual may be negligible while the impact on the individual may be extreme. Conversely minor harm to a key officer involved in a critical operation may have a high impact.

9 Annex A: Australian Government business impact levels guidance The examples given below are indicative to assist agencies in developing their own business impact level guides. 1 (Low-medium) 2 (High) 3 (Very High) 4 (Extreme) 5 (Catastrophic) Could be expected to cause limited damage to the National interest, organisations or individuals by: Impacts on National Security Could be expected to cause damage to the National interest, organisations or individuals by: Could be expected to cause significant damage to the National interest, organisations or individuals by: Could be expected to cause serious damage to the National interest, organisations or individuals by: Could be expected to cause exceptionally grave damage to the National interest, by: causing limited damage to national security causing minor damage to national security causing damage to national security causing serious damage to national security causing exceptionally grave damage to national security Impacts on Agency Operations Operational capacity causing a significant degradation in organisational capability to an extent and duration that, while the agency can perform its primary functions, the effectiveness of the functions is noticeably reduced Agency Assets causing a severe degradation in, or loss of, organisational capability to an extent and duration that the agency cannot perform one or more of its primary functions causing a severe degradation in, or loss of, organisational capability to an extent and duration that the agency cannot perform one or more of its functions for an extended time resulting in damage to agency assets resulting in major harm to agency assets resulting in major long term harm to agency assets Agency Finances resulting in moderate financial loss to an agency Australian Financial and Economic Impacts undermining the financial viability of one or more individuals, minor Australia-based or Australian-owned organisations or companies, or disadvantaging a major Australian organisation or company resulting in loss to Australian Government / public sector of $10 to $100 million causing limited damage to international trade or commerce, with the potential to reduce economic growth in Australia Impacts on Government Policies impedes the development of government policies resulting in minor loss of confidence in government resulting in substantial financial loss to an agency undermining the financial viability of, or causing substantial financial damage to, a major Australia-based or Australian-owned organisation or company, or disadvantaging a number of major Australian organisations or companies resulting in short-term material damage to national finances or economic interests to an estimated total of $100 million to $10 billion causing material damage to international trade or commerce, with the potential to directly and noticeably reducing economic growth in Australia seriously impedes the development or operation of major government policies disadvantaging Australia in international negotiations or strategy resulting in a major loss of confidence in government undermining the financial viability of, or causing substantial financial damage to, a number of major Australia-based or Australianowned organisations or companies causing long-term damage to the Australian economy to an estimated total of $10 to $20 billion causing major, short-term damage to global trade or commerce, leading to short term recession or hyperinflation in Australia significantly disadvantaging Australia in international negotiations or strategy temporarily damaging the internal stability of Australia or friendly countries causing a severe degradation in, or loss of, organisational capability to an extent and duration that the agency cannot perform any of its functions undermining the financial viability of a number of major Australia-based or Australian-owned organisations or companies in the same sector causing major, long-term damage to the Australian economy to an estimated total in excess of $20 billion causing major, long-term damage to global trade or commerce, leading to prolonged recession or hyperinflation in Australia severely disadvantaging Australia in major international negotiations or strategy threatening directly the internal stability of Australia or friendly countries leading to widespread instability resulting in the collapse of internal political stability of Australia or friendly countries 5

10 causing embarrassment to diplomatic relations causing short term damage or disruption to diplomatic relations causing significant damage or disruption to diplomatic relations including resulting in formal protest or retaliatory action raising international tension, or causing severe damage or disruption, to diplomatic relations directly provoking international conflict or causing exceptionally grave damage to relations with friendly governments Impacts on Personal Safety limited harm to individuals could cause harm to individuals including injuries that are not serious or life threatening endangering individuals - the compromise of information could lead to serious harm or potentially life threatening injury to an individual endangering small groups of individuals - the compromise of information could lead to serious harm or potentially life threatening injuries to a small group of individuals threatening life directly the compromise of information could reasonably be expected to lead to loss of life of an individual or small group leading directly to widespread loss of life the compromise of information could reasonably be expected to lead to the death of a large number of people Impacts on Crime Prevention hindering the detection, impeding the investigation, or facilitating the commission of low-level crime or hindering the detection of a serious offence, i.e. an offence resulting in 2 or more years imprisonment impeding the investigation of, or facilitating the commission of a serious offence, i.e. an offence resulting in 2 or more years imprisonment causing major, long-term impairment to the ability to investigate serious offences, i.e. offences resulting in 2 or more years imprisonment causing major, long-term impairment to the ability to investigate serious organised crime undertaken by an organised crime group as defined in the Convention Against Transnational Organised Crime Impacts on Defence Operations causing limited damage to the non-operational effectiveness or security of Australian or allied forces without causing risk to life causing damage to the non-operational effectiveness or security of Australian or allied forces causing re-supply problems that could result in risk to life causing damage to the operational effectiveness or security of Australian or allied forces that could result in risk to life resulting in severe damage to the operational effectiveness or security of Australian or allied forces causing exceptionally grave damage to the operational effectiveness or security of Australian or allied forces Impacts on Intelligence Operations causing damage to Australian or allied intelligence capability causing severe damage to Australian or allied intelligence capability causing exceptionally grave damage to the effectiveness of extremely valuable security or intelligence operations Impacts on National Infrastructure damaging or disrupting significant State or Territory infrastructure damaging or disrupting significant national infrastructure shutting down or substantially disrupting significant national infrastructure 6