The Queensland Government Information Security Classification Framework (QGISCF) supports the Information security policy (IS18:2018). The third requirement of this policy states that “Departments must meet minimum security requirements” and that they must comply with the QGISCF, wherein agencies “should classify their information and assets according to business impact and implement appropriate controls according to the classification.”
The use of security classification labels (protective markings) as an effective means to maintain data confidentiality and prevent data leakage is well established in national government circles, especially when dealing with hardcopy material. These same principles can also be applied to electronic information.
PROTECTIVE MARKINGS IN USE IN QUEENSLAND
The QGISCF discusses classification across three dimensions of information security: integrity, availability and confidentiality. Confidentiality classification is based on the increasing business impact if the information were to be compromised or shared inappropriately, at three levels:
- OFFICIAL – low or negligible confidentiality impact
- SENSITIVE – moderate confidentiality impact
- PROTECTED – high confidentiality impact
The QGISCF mandates that agencies label (protectively mark) all new information with a moderate to high confidentiality impact (higher than OFFICIAL) and that they should apply labels to all information to signify confidentiality levels.
For agencies that deal with National Security Information above PROTECTED, the framework integrates into the broader Australian Government approach to allow interoperability.
| Protective Marking | Description |
| --- | --- |
| OFFICIAL | OFFICIAL information is routine information without special sensitivity or handling requirements. All routine public-sector business, operations and services are treated as OFFICIAL. At the OFFICIAL classification there is a general presumption that data may be shared across government. Security measures should be proportionate and driven by the business requirement. |
| SENSITIVE | The use of SENSITIVE indicates that information requires additional handling care due to its sensitivity or moderate business impact if compromised or lost. |
| PROTECTED | PROTECTED information requires the most careful safeguards due to its sensitivity or major business impact if compromised or lost. PROTECTED information assets require a substantial degree of control as compromise could cause serious damage to the State, the Government, commercial entities or members of the public. For instance, compromise could: |
Appendix G of the QGISCF also allows optional descriptors to be added to the protective marking to support specific business requirements and the compartmentalisation of the information. Such descriptors might not be understood outside the organisation, however, so the information may not be handled and protected in the required manner.
Queensland Cabinet information is treated as PROTECTED, but should also be marked with Cabinet-in-Confidence. Janusnet advises that this Cabinet-in-Confidence marking be implemented as a special-handling caveat to be consistent with the notion used at the Federal Government level.