Information policies and standards
Department of Transport and Main Roads

Prepared by: Enterprise Security Unit
Version no.: v3.0
Status: Final
QGCIO ref.: QGEA Information Standard, Information Security (IS18)
DMS ref. no.: 700/00458 E125416
Template: v1.0
I:\Policies\Information Security IS18\v3.0 Final 2009\Information security policy v3.0.doc
Version legend

Version | Document status | Date
2.0 | Final Sign off document | 08/08/2008
2.1 | Draft policy rewritten by Information Policies and Standards Unit to combine the two departments' separate policies. Further amended to align to updated QGCIO Information Security Standard (IS18) | 18/06/2009
2.2 | Review by Enterprise Security Unit | 10/09/2009
2.3 | Additional review by Enterprise Security Unit | 16/11/2009
3.0 | Final document | 25/01/2010

Document control sheet

Contact for enquiries and proposed changes
Operational owner (Director): Lloyd Carter, Director (Information Management), phone 3834 2461
Review officer (contact officer): Greg Smith, Enterprise Security Manager, phone 3834 8934

Version history

Version no. | Issue date | Nature of amendment
1.0 | 09/09/2003 | First final version.
2.0 | 08/08/2008 | Major review
3.0 | 25/01/2010 | Major review to create one policy and remove all sub-policies, including an update to the new department's name following a restructure.

This document has an information security classification of PUBLIC.

The State of Queensland (Department of Transport and Main Roads) 2009
http://creativecommons.org/licences/by/2.5/au
This work is licensed under a Creative Commons Attribution 2.5 Australia Licence.
To attribute this material, cite State of Queensland (Department of Transport and Main Roads) 2009, Information Security Policy.

Information policies and standards v3.0
Document sign off

This information policy is approved by the Director-General:
David Stewart, Director-General
Signature:
Date: 25/01/2010

This information policy is endorsed by:
Jack Noye, Deputy Director-General (Corporate)
Signature:
Date: 21/01/2010

This information policy is endorsed by:
Cathi Taylor, Chief Information Officer
Signature:
Date: 18/12/2009

This information policy is presented for approval by the operational owner:
Lloyd Carter, Director (Information Management), Enterprise Information and Systems Division
Signature:
Date: 14/12/2009
Contents

1 Policy statement
2 Scope
3 Applicability
4 Objectives
5 Rationale
6 Benefits
7 Definitions
8 References
1 Policy statement

The Department of Transport and Main Roads will develop, document, implement and continually review appropriate security controls and processes to ensure the confidentiality, integrity and availability of the department's information and ICT assets. These information security controls and processes will include security measures to protect information from misuse and loss, and from unauthorised access, modification or disclosure.

2 Scope

This policy encompasses all information and ICT assets (as defined in section 7) that are owned, managed or operated by the department.

3 Applicability

This policy applies to all employees (as defined in section 7) for the duration of their employment within the department.

4 Objectives

The objectives of this policy are to assist the department to meet all legislative requirements for information security and to mitigate the risk to the confidentiality, integrity and availability of the department's information and ICT assets.

5 Rationale

Under the Queensland Financial and Performance Management Standard 2009 (Part 2, Section 27), the department has a legal requirement to implement policies and standards in compliance with the Queensland Government's Information Standard, Information Security (IS18).

6 Benefits

The benefits to the department from implementing this policy include:
- appropriate protection and control of the department's information and ICT assets
- information security measures commensurate with the value, business significance and sensitivity of the department's information assets
- adherence to all legal and legislative requirements.

7 Definitions

Terms, abbreviations and acronyms | Definitions
Authentication | Process that verifies the claimed identity of an individual as established by an identification process.
Employee | All temporary and permanent staff, consultants, contractors, students or any other person who provides services on a paid or voluntary basis to the Department of Transport and Main Roads.
ICT | Information and communication technology.
ICT assets | ICT hardware, software, systems and services used in the department's operations including physical assets used to process, store or transmit information.
Information | Knowledge communicated, processed, analysed, interpreted, classified or received concerning some fact or circumstance.
Information assets | An identifiable collection of data stored in any manner and recognised as having value for the purpose of enabling the department to perform its business functions, thereby satisfying a recognised departmental requirement. Note: Data or information from an external source does not need to be managed as the department's information asset. However, any modification of this information will create a new information asset that will require management.
QGCIO | The Queensland Government Chief Information Office within the Department of Public Works provides strategic leadership, management and advice to ensure that whole-of-government ICT initiatives are maximised.
8 References

- Queensland Government Information Standard, Information security (IS18), Queensland Government Chief Information Office
  http://qgcio.qld.gov.au/qgcio/architectureandstandards/informationstandards/current/pages/information%20security.aspx
- Financial Accountability Act 2009
  http://www.legislation.qld.gov.au/legisltn/acts/2009/09ac009.pdf
- Financial and Performance Management Standard 2009
  http://www.legislation.qld.gov.au/legisltn/sls/2009/09sl104.pdf
- Queensland Government Enterprise Architecture 2.0, Queensland Government Chief Information Office
  http://qgcio.qld.gov.au/qgcio/architectureandstandards/qgea2.0/pages/index.aspx
- Queensland Government Authentication Framework, Queensland Government Chief Information Office
  http://qgcio.qld.gov.au/qgcio/architectureandstandards/pages/security.aspx
- Queensland Government Information Security Classification Framework, Queensland Government Chief Information Office
  http://qgcio.qld.gov.au/qgcio/architectureandstandards/pages/security.aspx