Information Security Compliance Checklist

Reporting Year:
Agency:

Agency Contact:    Email:    Phone:    Date:
Assessor:          Email:    Phone:    Date:




This checklist (once completed) should be classified: IN-CONFIDENCE
Principle 1 - Policy, Planning and Governance

# | Policy statement | Example evidence of compliance | Source* | Status | Comments (eg risk of non-compliance)

0.0.1  Policy statement: Agencies must develop, document, implement, maintain and review appropriate security controls to protect the information they hold by:
       • establishing appropriate information security policy, planning and governance within the agency in line with this information standard, including adopting all specified frameworks, standards and reporting requirements
       • ensuring appropriate security controls are implemented as detailed by this information standard and its supporting documents.
       Example evidence of compliance:
       • formal noting of the Information Standard or QGEA policy by the agency's Information Steering Committee (or other appropriate governance body)
       • including the policy statement or equivalent in the agency's internal enterprise architecture documents
       • referencing the QGEA policy in the agency's internal enterprise architecture documents
       • including the policy statement in strategy documents or project gate keeping processes.
       Source*: IS18 MC
       Status: Not adopted (non-compliant)
       Comments (eg risk of non-compliance):

* IS18 - Information Standard 18, Information Security: MC - Information Security Policy - Mandatory Clause




Agency Signoff: [Name], [Position], [Unit], [Department]
Principle 1 - Policy, Planning and Governance

Source* for every requirement in this principle: IS18 MC

# | Requirement | Example evidence of compliance | Status | Comments (eg risk of non-compliance)

1.1 Information security policy

1.1.1 | An information security policy has been developed | An information security policy exists | Choose |
1.1.2 | The information security policy contains the mandatory clauses detailed in the Queensland Government Information Security Policy - Mandatory Clauses document | All mandatory clauses in the Queensland Government Information Security Policy Guideline can be located in the information security policy | Choose |
1.1.3 | The information security policy has been prepared on an agency wide basis | There has been consultation across major business areas within the agency | Choose |
1.1.4 | The information security policy is aligned with agency business planning | Business requirements have been documented within the policy | Choose |
1.1.5 | The information security policy is aligned with the agency's general security plan | General security plan requirements have been documented within the policy | Choose |
1.1.6 | The information security policy is aligned with risk assessment findings | A risk assessment has been documented and the results have informed the development of the policy | Choose |
1.1.7 | The information security policy is consistent with the requirements of agency relevant legislation | Legislative requirements relevant to the agency have been documented within the policy | Choose |
1.1.8 | The information security policy is consistent with the requirements of relevant policies | Agency and whole-of-Government (W-o-G) policies relevant to the agency have been documented within the policy | Choose |
1.1.9 | The information security policy is communicated to all employees on an ongoing basis | Staff are aware of and trained in the use of the policy, with refresher courses available | Choose |
1.1.10 | The information security policy is accessible to all employees | The policy can be easily accessed by all employees | Choose |
1.1.11 | Approval for the information security policy has been obtained from the relevant senior executives | Senior executive signoff/endorsement can be located within the policy or brief | Choose |
1.1.12 | Endorsement for the information security policy has been obtained from the relevant governance body | Governance body signoff/endorsement can be located within the policy or brief | Choose |
1.1.13 | The information security policy is reviewed at least on an annual basis | The date of the policy's last review is no more than 12 months old | Choose |
1.1.14 | The next review for the information security policy has been scheduled | The date for the policy's next review is documented within the policy | Choose |
1.1.15 | The information security policy is reviewed and evaluated in line with changes to business and information security risks to reflect the current agency risk profile | If changes to business or new risks have occurred within the 12 month review period, the policy has been updated to reflect these changes | Choose |
1.2 Information security plan

1.2.1 | An information security plan has been developed | An information security plan exists | Choose |
1.2.2 | Information security planning is aligned with agency business planning | There has been consultation across major business areas within the agency and business requirements have been documented within the plan | Choose |
1.2.3 | Information security planning is aligned with the agency's general security plan | General security plan requirements have been documented within the plan | Choose |
1.2.4 | Information security planning is aligned with risk assessment findings | A risk assessment has been documented and the results have informed the development of the plan | Choose |
1.2.5 | Endorsement for the information security plan has been obtained from the relevant senior executives | Senior executive signoff/endorsement can be located within the plan or brief | Choose |
1.2.6 | Endorsement for the information security plan has been obtained from the relevant governance body | Governance body signoff/endorsement can be located within the plan or brief | Choose |
1.2.7 | The information security plan is reviewed at least on an annual basis | The date of the plan's last review is no more than 12 months old | Choose |
1.2.8 | A threat and risk assessment has been conducted for all ICT assets that create, store, process or transmit security classified information, at least annually or after any significant change has occurred, such as a machinery of Government change | A threat and risk assessment has been conducted and documented for all ICT assets that create, store, process or transmit security classified information. The date of the last assessment is no more than 12 months old | Choose |
1.3 Internal governance

1.3.1 | Agency management recognizes the importance of, and demonstrates a commitment to, maintaining a robust agency information security environment | Senior executive management group agenda/minutes include information security matters | Choose |
1.3.2 | Information security internal governance arrangements have been established | Information security governance body is in operation (e.g. information security governance body is meeting, as documented in minutes) | Choose |
1.3.3 | Information security internal governance arrangements have been documented | Information security governance body's terms of reference approved by senior executive management group/CEO | Choose |
1.3.4 | Information security roles and responsibilities have been established | Employees with information security roles and responsibilities have signed a document stating that they understand their roles and responsibilities | Choose |
1.3.5 | Information security roles and responsibilities have been documented | Information security roles and responsibilities documented and approved by senior executive management | Choose |
1.3.6 | Endorsement for the internal governance arrangements has been obtained from the relevant senior executives | Sign off obtained from senior executive management group/CEO for all information security internal governance arrangements | Choose |
1.3.7 | Endorsement for the internal governance arrangements has been obtained from the relevant governance body | Sign off obtained from the relevant governance body (e.g. Information Steering Committee) for information security internal governance arrangements | Choose |

1.4 External party governance

1.4.1 | Information security external governance arrangements have been established | External governance arrangements are in operation | Choose |
1.4.2 | Information security external governance arrangements have been documented | External governance arrangements have been documented and approved by the senior executive management group/CEO | Choose |
1.4.3 | All third party service level agreements, operational level agreements, hosting agreements or similar contracts clearly articulate the level of security required | Standard templates for service level agreements and operational level agreements include clauses dealing with information security requirements | Choose |
1.4.4 | All third party service level agreements and operational level agreements are regularly monitored | Minutes of information security governance body meetings include outcomes of routine checks on the inclusion of information security requirements in SLAs and OLAs, and of audits to ensure third party adherence to these agreements | Choose |
1.4.5 | Endorsement for the external governance arrangements has been obtained from the relevant senior executives | Sign off obtained from senior executive management group/CEO for all information security external governance arrangements | Choose |
1.4.6 | Endorsement for the external governance arrangements has been obtained from the information security governance body | Sign off obtained from the information security governance body for information security external governance arrangements | Choose |

* IS18 - Information Standard 18, Information Security: MC - Information Security Policy - Mandatory Clause




Number of Requirements: 36
Total "Fully Compliant": 0
Total "Partly Compliant": 0
Total "Not Compliant": 0
Total "Exception Granted": 0
Total "Not Applicable": 0
Worksheet completion status: Incomplete
Overall Full & Partial Principle Alignment: 0.00%
Overall Full Principle Alignment: 0.00%




Agency Signoff: [Name], [Position], [Unit], [Department]
Principle 2 - Asset Management

Source* for every requirement in this principle: IS18 MC

# | Requirement | Example evidence of compliance | Status | Comments (eg risk of non-compliance)


2.1 Asset protection responsibility

2.1.1 | Procedures for the protective control of information assets (regardless of format) have been implemented | Procedures for the protective control of information assets have been documented and approved by the information security governance body | Choose |
2.1.3 | All ICT assets that create, store, process or transmit security classified information are assigned appropriate controls in accordance with the Queensland Government Information Security Classification Framework (QGISCF) | An ICT asset register that documents the security classification of application and technology assets (in accordance with the QGISCF or, in the case of national security information, the relevant national arrangements) and the corresponding controls that are applied to each asset (controls may be documented elsewhere) | Choose |
2.1.4 | All ICT assets (including hardware, software and services) have been identified and documented | ICT asset register has been completed and is updated at least annually | Choose |
2.1.5 | All ICT assets (including hardware, software and services) have been assigned ICT asset custodians | ICT asset register identifies the ICT asset custodian for all assets | Choose |
2.1.6 | All ICT assets that provide underpinning and ancillary services must be protected from internal and external threats (eg. mail gateways, domain name resolution, time, reverse proxies, remote access and web servers) | All ICT assets that provide underpinning and ancillary services have been identified and documented. Adequate controls have been implemented for these services | Choose |

2.2 Information security classification

2.2.1 | Procedures for the classification of information assets (regardless of format) have been implemented | Procedures for the classification of information assets have been documented and approved by the information security governance body | Choose |
2.2.2 | All information assets are assigned appropriate classification in accordance with the Queensland Government Information Security Classification Framework (QGISCF) as a minimum | Agency has a complete information asset register, where all information assets are assigned a QGISCF classification or, in the case of national security information, a classification as per national arrangements | Choose |
2.2.3 | All information assets are assigned appropriate controls in accordance with the Queensland Government Information Security Classification Framework (QGISCF) | The controls applied to information assets are documented | Choose |
2.2.4 | Classification schemes do not limit the provision of relevant legislation under which the agency operates | The information security classification policy and procedure document that legislative obligations override the classification scheme. For example, the security classification of an information asset does not prevent it from being considered for release under the Right to Information Act 2009 | Choose |

* IS18 - Information Standard 18, Information Security: MC - Information Security Policy - Mandatory Clause




Number of Requirements: 9
Total "Fully Compliant": 0
Total "Partly Compliant": 0
Total "Not Compliant": 0
Total "Exception Granted": 0
Total "Not Applicable": 0
Worksheet completion status: Incomplete
Overall Full & Partial Principle Alignment: 0.00%
Overall Full Principle Alignment: 0.00%




Agency Signoff: [Name], [Position], [Unit], [Department]
Principle 3 - Human Resources Management

Source* for every requirement in this principle: IS18 MC

# | Requirement | Example evidence of compliance | Status | Comments (eg risk of non-compliance)


3.1 Pre-employment

3.1.1 | Security requirements have been addressed within recruitment and selection and in job descriptions | Job descriptions include information security requirements | Choose |

3.2 During employment

3.2.1 | Policies have been developed to address information security issues within human resources | Agency policies addressing information security issues within human resources have been approved by the senior executive management group/CEO | Choose |
3.2.2 | Processes have been developed to address information security issues within human resources | Procedures for addressing information security within human resource management have been documented and approved | Choose |
3.2.3 | Induction programs have been implemented to ensure that employees are aware of and acknowledge their security responsibilities | Induction program documentation includes information security | Choose |
3.2.4 | Ongoing security training has been implemented to ensure that employees are aware of and acknowledge their security responsibilities | An information security training plan has been approved by the CEO (note that this may be part of the agency's general information security plan). Attendance records for information security training | Choose |
| Security awareness programs have been implemented to ensure that employees are aware of and | Example evidence of compliance might include emails, posters, fact sheets, intranet content etc that
3.2.5                                                                                                                                                                                                                                    Choose
         acknowledge their security responsibilities                                                                     communicate information security responsibilities
         Induction programs have been implemented to ensure that employees are aware of and                              Induction program documentation includes an overview of the agency's information security policies
3.2.6                                                                                                                                                                                                                                    Choose
         acknowledge the agency's information security policies and processes                                            and processes and details of where employees can go to get further information
         Ongoing training has been implemented to ensure that employees are aware of and acknowledge the The information security training plan includes targeted training in the agency's information security
3.2.7                                                                                                                                                                                                                                    Choose
         agency's information security policies and processes                                            policies and processes

                                                                                                                         Training attendance records or documents signed by all employees that document that they have
         Security awareness programs have been implemented to ensure that employees are aware of and
3.2.8                                                                                                                    been shown and understand agency information security policies and processes including how to use               Choose
         acknowledge the agency's information security policies and processes
                                                                                                                         agency ICT assets

         All information security roles and responsibilities have been fully documented where employees have
                                                                                                             Information security roles and responsibilities documented and approved by senior executive
3.2.9    access to security classified information (X-IN-CONFIDENCE or above) or perform security related                                                                                                                                Choose
                                                                                                             management
         roles
         All information security roles and responsibilities have been assigned to employees who have access Roles and responsibilities have been physically assigned to employees (with appropriate records
3.2.10                                                                                                                                                                                                                                   Choose
         to security classified information or perform security related roles                                retained)
         All information security roles and responsibilities that have been assigned to employees have been              Employees with information security roles and responsibilities have signed a document stating that
3.2.11                                                                                                                                                                                                                                    Choose
         communicated to these employees and signed acknowledgements obtained                                            they understand their roles and responsibilities

3.3      Post-employment

3.3.1    Procedures for the separation of employees within the agency have been developed                                Procedures for the separation of employees within the agency have been approved                                 Choose


3.3.2    Procedures for the separation of employees within the agency have been implemented                              Agency records demonstrate that all employee separations follow the approved procedure                          Choose

3.3.3    Procedures for employee movement within the agency have been developed                                          Procedures for the movement of employees within the agency have been approved                                   Choose

                                                                                                                         Agency records demonstrate that all employee movements within the agency follow the approved
3.3.4    Procedures for employee movement within the agency have been implemented                                                                                                                                                        Choose
                                                                                                                         procedure
         * IS18 - Information Standard 18, Information Security:   MC - Information Security Policy - Mandatory Clause




Number of Requirements                         16

Total "Fully Compliant"                        0

Total "Partly Compliant"                       0

Total "Not Compliant"                          0

Total "Exception Granted"                      0

Total "Not Applicable"                         0

Worksheet completion status                    Incomplete

Overall Full & Partial Principle Alignment     0.00%

Overall Full Principle Alignment               0.00%


Agency Signoff:

        [Name], [Position], [Unit], [Department]
Principle 4 - Physical and Environmental Management

Columns: #  |  Requirement  |  Example evidence of compliance  |  Source* (IS18 MC)  |  Status  |  Comments (eg risk of non-compliance)

4.1      Building controls and security areas

4.1.1    The requirements of the Queensland Government Information Security Classification Framework (QGISCF) have been implemented
         Evidence: All information assets have been evaluated against the QGISCF
         Status: Choose

4.1.2    Building and entry controls for areas used in the processing and storage of security classified information have been established and maintained in line with the QGISCF
         Evidence: Building and entry controls for areas used in the processing and storage of security classified information have been documented, approved and are subject to regular updating. Agency records demonstrate that these are subject to routine checks
         Status: Choose

4.1.3    Physical security protection controls (commensurate with the security classification information levels) have been implemented for all offices, rooms, storage facilities and cabling infrastructure in line with the QGISCF
         Evidence: Physical security protection controls (commensurate with security classification levels) have been documented, approved and are subject to regular updating. Agency records indicate that these are subject to routine checks
         Status: Choose

4.1.4    Control policies (including clear desk/clear screen) have been implemented in information processing areas that deal with security classified information
         Evidence: Controls for information processing areas have been documented, approved and are subject to regular updating. Agency records indicate that these are subject to routine checks
         Status: Choose

4.2      Equipment security

4.2.1    All ICT assets that store or process information are located in secure areas with access control mechanisms in place to restrict use to authorised personnel only
         Evidence: Agency equipment is located in secure areas. Records of routine checks confirm that these areas are accessible only to authorised personnel
         Status: Choose

4.2.2    Policies are implemented to monitor and protect the use and/or maintenance of information assets and ICT assets away from premises as required by the QGISCF
         Evidence: Agency information security policies address the protection and monitoring of ICT assets that are offsite. The relevant policy has been approved by the agency senior executive management group/CEO
         Status: Choose

4.2.3    Processes are implemented to monitor and protect the use and/or maintenance of information assets and ICT assets away from premises as required by the QGISCF
         Evidence: Procedures for the protection and monitoring of offsite equipment have been documented and approved
         Status: Choose

4.2.4    Policies are implemented for the secure disposal or reuse of ICT assets which are commensurate with the information asset's security classification level (as required by the QGISCF)
         Evidence: Agency information security policies address the disposal and reuse of ICT assets commensurate with the information asset's security classification level. These policies have been approved by the agency senior executive management group/CEO. Agency records indicate that this policy is being complied with
         Status: Choose

4.2.5    Processes are implemented for the secure disposal or reuse of ICT assets which are commensurate with the information asset's security classification level as required by the QGISCF
         Evidence: Procedures for the disposal and reuse of equipment, storage devices and media commensurate with the security classification of the information stored on the asset have been approved. Agency records indicate that these procedures are being followed
         Status: Choose

* IS18 - Information Standard 18, Information Security; MC - Information Security Policy - Mandatory Clause




Number of Requirements                         9

Total "Fully Compliant"                        0

Total "Partly Compliant"                       0

Total "Not Compliant"                          0

Total "Exception Granted"                      0

Total "Not Applicable"                         0

Worksheet completion status                    Incomplete

Overall Full & Partial Principle Alignment     0.00%

Overall Full Principle Alignment               0.00%


Agency Signoff:

        [Name], [Position], [Unit], [Department]
Principle 5 - Communications and Operations Management

Columns: #  |  Requirement  |  Example evidence of compliance  |  Source* (IS18 MC)  |  Status  |  Comments (eg risk of non-compliance)

5.1      Operational procedures and responsibilities

5.1.1    Operational procedures and controls have been documented to ensure that all information assets and ICT assets are managed securely and consistently, in accordance with the level of required security
         Evidence: Operational procedures ensuring that all information assets and ICT assets (including information systems and network tasks) are managed consistently in accordance with the required level of security have been documented and approved
         Status: Choose

5.1.2    Operational procedures and controls have been implemented to ensure that all information assets and ICT assets are managed securely and consistently, in accordance with the level of required security
         Evidence: Agency records indicate that these procedures are being implemented, e.g. errors and exceptional conditions are captured and handled in accordance with the procedures; backups occur in accordance with procedures
         Status: Choose

5.1.3    Operational change control procedures have been implemented to ensure that changes to information processing facilities or systems are appropriately approved and managed
         Evidence: Capacity planning and system acceptance procedures have been documented and approved. Agency records indicate that these are being implemented, e.g. new system business requirements document capacity requirements; system acceptance criteria are documented and tests are carried out during development and prior to acceptance
         Status: Choose

5.2      Third party service delivery

5.2.1    Third party service delivery agreements comply fully with IS18
         Evidence: All the requirements within IS18 relating to third party service delivery have been documented within agreements
         Status: Choose

5.2.2    Third party service delivery agreements are periodically reviewed and updated to ensure they address any changes in business requirements whilst remaining compliant with IS18
         Evidence: Agreements are reviewed regularly and documented
         Status: Choose

5.2.3    Third party service operating agreements must specifically address third party governance policies and processes (see section 1.4)
         Evidence: Agreements clearly articulate the level of security required, are regularly monitored and endorsed by the relevant senior executives and governance body
         Status: Choose

5.3      Capacity planning and system acceptance

5.3.1    System acceptance must include confirmation of the application of appropriate security controls and of the capacity requirements of the system
         Evidence: Appropriate system acceptance and change criteria and processes have been established and documented
         Status: Choose

5.3.2    System capacity must be regularly monitored to ensure risks of system overload or failure which could lead to a security breach are avoided
         Evidence: Processes for reviewing and updating system capacity have been documented
         Status: Choose

5.4      Application integrity

5.4.1    Adequate controls have been defined and implemented for the prevention, detection, removal and reporting of malicious code attacks on all ICT assets
         Evidence: Controls for the prevention, detection, removal and reporting of the introduction of malicious and mobile code are documented and approved
         Status: Choose

5.4.2    Vulnerability/integrity scans of core software must be defined and conducted regularly to ensure detection of unauthorised changes
         Evidence: Details of vulnerability/integrity scans have been documented, including what core software has been scanned, when it has been scanned, when the next scan is due, and the scan results
         Status: Choose

5.4.3    Anti-malicious-code software has been regularly updated with new definition files and scanning engines
         Evidence: Details of anti-malicious-code software updates have been documented, including details of definition files and scanning engines
         Status: Choose

5.4.4    Employees have been educated about malicious and mobile code in general, the risks posed, virus symptoms and warning signs, including what processes should be followed in the case of a suspected virus
         Evidence: Employee education about malicious code and associated processes has been conducted, for example through induction programs, training programs/plans and awareness campaigns (eg emails, posters, factsheets, intranet content etc)
         Status: Choose

5.5      Backup procedures

5.5.1    Comprehensive systems maintenance processes and procedures (including operator and audit/fault logs), information backup procedures and archiving have been implemented
         Evidence: Agency backup policies and procedures (including archiving) have been documented and approved. Agency records that may indicate implementation of this requirement include records of backup copies and test results
         Status: Choose

5.6      Network security

5.6.1    A network security policy in line with the Network Transmission Security Assurance Framework (NTSAF) has been developed and documented to guide network administrators in achieving the appropriate level of security
         Evidence: Network security policy and guidelines in line with NTSAF have been documented and approved. Network administrators are aware of and follow these documents
         Status: Choose

5.6.2    Processes to periodically review and test firewall rules and associated network architectures have been developed and implemented to ensure the expected level of network perimeter security is maintained
         Evidence: Firewall rule and associated network architecture testing processes are documented. Agency records document tests, their results and any corrective action taken
         Status: Choose

5.6.3    Processes must be established to periodically review and update current network security design, configuration, vulnerability and integrity checking to ensure network level security controls are appropriate and effective
         Evidence: Processes for reviewing and updating network security design, configuration, vulnerability and integrity are documented. Agency records demonstrate that periodic network security checks, reviews and updates are occurring
         Status: Choose

5.6.4    A policy on scanning has been developed to ensure that traffic entering and leaving the agency network is appropriately scanned for malicious or unauthorised content
         Evidence: A policy on scanning has been documented and approved. Supporting processes to ensure adherence to the policy have also been developed
         Status: Choose

5.6.5    Processes relating to IT change management (including maintenance of network systems) and configuration management processes are established and updated as required
         Evidence: Approved IT change management processes address network security and configuration management. Agency records indicate that network security configuration is updated regularly
         Status: Choose

5.7      Media handling

5.7.1    Media handling procedures must be in line with the requirements of the QGISCF
         Evidence: Media handling procedures have been documented and implemented. All the requirements of the QGISCF have been documented within these procedures
         Status: Choose

5.8      Information exchange

5.8.1    The Network Transmission Security Assurance Framework (NTSAF) has been implemented to ensure the security of data during transportation over communication networks
         Evidence: Network security policy and guidelines in line with NTSAF have been documented and approved. Network administrators are aware of and follow these documents
         Status: Choose

5.8.2    Methods for exchanging information within the agency, between agencies, through online services, and/or third parties are compliant with legislative requirements
         Evidence: Approved agency information security policy documents relevant legislative requirements to be complied with
         Status: Choose

5.8.3    Methods for exchanging information within the agency, between agencies, through online services, and/or third parties are consistent with the Queensland Government Information Security Classification Framework (QGISCF)
         Evidence: Agency information exchange controls are consistent with those specified in QGISCF and, in the case of national security information, national arrangements
         Status: Choose

5.8.4    Methods for exchanging information within the agency, between agencies, through online services, and/or third parties are consistent with the Network Transmission Security Assurance Framework
         Evidence: Agency information exchange controls are consistent with those specified in NTSAF
         Status: Choose
         (NTSAF)
                                                                                                                         Appropriate authorisation has been obtained and documented for the type and level of encryption
         The type and level of encryption must be authorised and compliant with the requirements of the
5.8.5                                                                                                                    used within the agency. The type and level of encryption is consistent with those specified in the          Choose
         QGISCF and NTSAF
                                                                                                                         QGISCF and NTSAF
         All information exchanges over public networks, including all online or publicly available                      Appropriate authorisation for information exchanges can be documented (either within existing
5.8.6                                                                                                                                                                                                                                Choose
         transactions/systems must be authorised either directly or through clear policy                                 policies or separate documentation)
                                                                                                                         A policy to control email, has been approved by the relevant senior executive/governance body and
5.8.7    A policy to control email has been developed, implemented and endorsed                                                                                                                                                      Choose
                                                                                                                         has been implemented within the agency

5.9      e-commerce
                                                                                                                         Details of penetration testing have been documented, including what critical online services have
5.9.1    All critical online services must have penetration testing performed periodically                                                                                                                                           Choose
                                                                                                                         been tested, when the testing has occurred, when the next test is due and test results
         Policies and controls have been developed to manage all aspects of on-line and internet activities
                                                                                                                         Policies and controls exist to manage all aspects of online and internet activities, and have been
         including anonymity/privacy, data confidentiality, use of cookies, applications/plug-ins, types of
5.9.2                                                                                                                    endorsed by the relevant senior executive/governance body. The policies and controls have also              Choose
         language used, practices for downloading executables, web server security configuration, auditing,
                                                                                                                         been implemented within the agency
         access controls and encryption

5.10     Information processing monitoring
                                                                                                                         Details of operator and audit/fault logs have been documented including what events are logged,
5.10.1   Comprehensive operator and audit/fault logs must be implemented                                                 when and who will review and monitor logs, where and for how long the logs are stored, are logs             Choose
                                                                                                                         adequately protected

5.10.2   All ICT assets must be synchronised to a trusted time source that is visible and common to all                  All assets have a synchronised time source which is visible                                                 Choose
         * IS18 - Information Standard 18, Information Security:   MC - Information Security Policy - Mandatory Clause




        Number of Requirements                         30
        Total "Fully Compliant"                         0
        Total "Partly Compliant"                        0
        Total "Not Compliant"                           0
        Total "Exception Granted"                       0
        Total "Not Applicable"                          0
        Worksheet completion status                    Incomplete
        Overall Full & Partial Principle Alignment      0.00%
        Overall Full Principle Alignment                0.00%

Agency Signoff:

                [Name], [Position], [Unit], [Department]
Principle 6 - Access Management

#       Requirement | Example evidence of compliance | Source* (IS18 MC) | Status | Comments (eg risk of non-compliance)

6.1     Access control policy

6.1.1   Control mechanisms based on business owner requirements and assessed/accepted risks for controlling access to all information assets and ICT assets have been established
        Evidence: Access control policy
        Status: Choose

6.1.2   Access control rules are consistent with business requirements
        Evidence: Approved access control policy refers to the agency's specific business requirements
        Status: Choose

6.1.3   Access control rules are consistent with information classification
        Evidence: Approved access controls as documented in the agency policy are consistent with QGISCF and, where applicable, national arrangements
        Status: Choose

6.1.4   Access control rules are consistent with legislative obligations
        Evidence: Approved access control policy documents legal obligations
        Status: Choose

6.2     Authentication

6.2.1   Authentication requirements, including online transactions and services, have been assessed against the Queensland Government Authentication Framework (QGAF)
        Evidence: Agency records indicate that all authentication requirements have been assessed against QGAF. Business requirements for all online transactions and services include consistency with QGAF. Agency records indicate that online transactions and services have been assessed against QGAF
        Status: Choose

6.2.2   All authentication of users external to the agency must be implemented in compliance with QGAF
        Evidence: Agency records indicate that all authentication of users external to the agency has been assessed against QGAF
        Status: Choose

6.3     User access

6.3.1   Access to information systems requires specific authorisation
        Evidence: Agency information systems cannot be accessed without specific authorisation. Agency records that may indicate evidence of compliance include completed system access request forms for all users
        Status: Choose

6.3.2   Each user has been assigned an individually unique personal identification code and secure means of authentication
        Evidence: Agency records indicate that each user is issued a unique personal identification code and secure means of authentication
        Status: Choose

6.4     User responsibilities

        NO MANDATORY CLAUSES

6.5     Network access

6.5.1   Control measures have been implemented to detect and regularly log, monitor and review information systems and network access and use, including all significant security-relevant events
        Evidence: Agency records indicate that system and network access and use is logged, monitored and reviewed. Events are recorded
        Status: Choose

6.5.2   Authorisation must be obtained and documented for access (including new connections) to agency networks
        Evidence: Agency records indicate that authorisation has been obtained and documented for new and existing access to networks
        Status: Choose

6.5.3   All wireless communications have appropriately configured product security features and afford at least the equivalent level of security of wired communications
        Evidence: Agency records (e.g. configuration documentation, tests) indicate that wireless communications are secured as per agency wired communications
        Status: Choose

6.5.4   Security risks associated with use of ICT facilities and devices (including non-government equipment) such as mobile telephony, personal storage devices, internet and email have been assessed prior to connection and appropriate controls implemented
        Evidence: Agency records indicate that a risk assessment has been performed for all ICT facilities and devices (including non-government equipment) prior to connection. Records also indicate that appropriate controls have been implemented based on this risk assessment
        Status: Choose

6.6     Operating system access

6.6.1   Policies and/or procedures for user registration, authentication management, access rights and privileges are defined, documented and implemented for all ICT assets
        Evidence: Agency has documented and approved access controls for operating systems that cover user registration, authentication and user responsibilities. Access to operating systems is conducted in compliance with these controls
        Status: Choose

6.7     Application and information access

6.7.1   Restricted access and authorised use only warnings are displayed upon access to all systems
        Evidence: Agency systems cannot be accessed until restricted access and authorised use only warnings are displayed on the screen and accepted by the user
        Status: Choose

6.7.2   Access to all confidential/sensitive systems must only be allowed after authorised approval
        Evidence: Confidential/sensitive systems cannot be accessed unless appropriate approval has been given by those authorised within the agency to do so
        Status: Choose

6.8     Mobile computing and telework access

6.8.1   Risk assessments have been conducted for mobile technologies and teleworking facilities
        Evidence: Agency records indicate that mobile technologies and teleworking facilities are not introduced unless a risk assessment has been performed
        Status: Choose

6.8.2   Processes have been established for mobile technologies and teleworking facilities
        Evidence: Agency has documented and approved processes for mobile technologies and teleworking facilities
        Status: Choose

        * IS18 - Information Standard 18, Information Security; MC - Information Security Policy - Mandatory Clause




        Number of Requirements                         17
        Total "Fully Compliant"                         0
        Total "Partly Compliant"                        0
        Total "Not Compliant"                           0
        Total "Exception Granted"                       0
        Total "Not Applicable"                          0
        Worksheet completion status                    Incomplete
        Overall Full & Partial Principle Alignment      0.00%
        Overall Full Principle Alignment                0.00%

Agency Signoff:

                [Name], [Position], [Unit], [Department]
Principle 7 - System Acquisition, Development and Maintenance

#       Requirement | Example evidence of compliance | Source* (IS18 MC) | Status | Comments (eg risk of non-compliance)

7.1     System security requirements

7.1.1   Security controls are commensurate with the security classifications of the information contained within, or passing across, information systems, network infrastructures and applications
        Evidence: Agency system security controls are commensurate with the highest level of security classification of the information stored in and passing through the system
        Status: Choose

7.1.2   Security requirements are addressed in the specifications, analysis and/or design phases
        Evidence: Business requirements for all systems include information security requirements
        Status: Choose

7.1.3   Internal and/or external audit have been consulted when implementing new or significant changes to financial or critical business information systems
        Evidence: Records of audit results are documented for new or significant changes to financial or critical business information systems
        Status: Choose

7.1.4   Security controls have been established during all stages of system development, as well as when new systems are implemented and maintained in the operational environment
        Evidence: Documented system security controls address acquisition, development and maintenance stages
        Status: Choose

7.1.5   Appropriate change control, acceptance and system testing, planning and migration control measures have been carried out when upgrading or installing software in the operational environment
        Evidence: Agency records document that change control, acceptance and system testing, planning and migration control measures have been taken when upgrading or installing software
        Status: Choose

7.1.6   Accurate records must be maintained to show traceability from original business requirements to actual configuration and implementation, including appropriate justification and authorisation
        Evidence: Records of traceability from original business requirements to actual configuration and implementation are documented (including authorisation)
        Status: Choose

7.2     Correct processing

7.2.1   Access controls have been identified and implemented, including access restrictions and segregation/isolation of systems, in all infrastructures, business and user-developed applications
        Evidence: Records of the identified access controls and their implementation are documented
        Status: Choose

7.3     Cryptographic controls

7.3.1   Authentication processes are consistent with the requirements of the Queensland Government Authentication Framework (QGAF)
        Evidence: Authentication processes are consistent with QGAF
        Status: Choose

7.3.2   Cryptographic controls are consistent with those of the Queensland Government Network Transmission Security Assurance Framework (NTSAF)
        Evidence: Agency records document cryptographic controls in line with NTSAF requirements
        Status: Choose

7.4     System files

7.4.1   Access to system files is controlled to ensure integrity of business systems, applications and data
        Evidence: Access controls for system files are documented
        Status: Choose

7.5     Secure development and support processes

7.5.1   Processes (including data validity checks, audit trails and activity logging) have been established in applications to ensure development and support processes do not compromise the security of applications, systems or infrastructure
        Evidence: Records of the processes for secure development have been documented
        Status: Choose

7.5.2   Audit logs are maintained in accordance with the 'Queensland Government Information Security Controls Standard'
        Evidence: Audit logs for UNCLASSIFIED and security classified information follow the specifications set out in the 'Queensland Government Information Security Controls Standard'. Administrator rights to audit logs follow the specifications set out in the 'Queensland Government Information Security Controls Standard'
        Status: Choose

7.6     Technical vulnerability management

7.6.1   Processes to manage software vulnerability risks for all IT security infrastructure have been developed and implemented
        Evidence: Existence of an audit log for all technical vulnerability procedures undertaken
        Status: Choose

7.6.2   A patch management program for operating systems, firmware and applications of all ICT assets must be implemented to maintain vendor support, increase stability and reduce the likelihood of threats being exploited
        Evidence: Patch management program is implemented and documented, including any tests that are carried out
        Status: Choose

        * IS18 - Information Standard 18, Information Security; MC - Information Security Policy - Mandatory Clause




        Number of Requirements                         14
        Total "Fully Compliant"                         0
        Total "Partly Compliant"                        0
        Total "Not Compliant"                           0
        Total "Exception Granted"                       0
        Total "Not Applicable"                          0
        Worksheet completion status                    Incomplete
        Overall Full & Partial Principle Alignment      0.00%
        Overall Full Principle Alignment                0.00%

Agency Signoff:

                [Name], [Position], [Unit], [Department]
Principle 8 - Incident Management

#       Requirement                                              Example evidence of compliance                               Source* (IS18 MC)    Status    Comments (eg risk of non-compliance)

8.1     Event/weakness reporting

8.1.1   All information security incidents have been reported and escalated through appropriate management channels
        Evidence: Copies of information security incident reports. Receipt of incident reports by relevant management channels
        Status:   Choose

8.1.2   All information security incidents have been reported through appropriate authorities if applicable
        Evidence: Agency records indicate that information security incidents are reported to appropriate authorities (e.g. police) where applicable
        Status:   Choose

8.1.3   Responsibilities and procedures have been communicated to all employees including contractors and third parties for the timely reporting of information security events and incidents including breaches, threats and security weaknesses
        Evidence: Training attendance records or documents signed by all employees, contractors and third parties that document that they understand their responsibilities to report events/weaknesses and incidents
        Status:   Choose

8.2     Incident procedures

8.2.1   Information security incident management procedures have been established to ensure appropriate responses in the event of information security incidents, breaches or system failures
        Evidence: Agency information security incident management procedures have been documented and cover the review of and response to incidents
        Status:   Choose

8.2.2   All information security incidents caused by employees have been investigated
        Evidence: Records of information security incident reports and corresponding investigations
        Status:   Choose

8.2.3   Where a deliberate information security violation or breach has occurred, formal disciplinary processes have been applied
        Evidence: Disciplinary processes for deliberate violations or breaches of information security policy have been approved by the senior executive management group/CEO. Where these incidents have occurred, agency records demonstrate that these processes have been applied
        Status:   Choose

8.2.4   An information security incident and response register has been established and maintained. All incidents have been recorded within this register
        Evidence: Existence of a current agency information security incident and response register
        Status:   Choose

8.2.6   Information security incidents have been submitted annually to the Queensland Government Chief Technology Office (QGCTO) in line with the IS18 reporting requirements
        Evidence: Reports have been submitted to QGCTO
        Status:   Choose

        * IS18 - Information Standard 18, Information Security:   MC - Information Security Policy - Mandatory Clause




        Number of Requirements                          8

        Total "Fully Compliant"                         0
        Total "Partly Compliant"                        0
        Total "Not Compliant"                           0
        Total "Exception Granted"                       0
        Total "Not Applicable"                          0

        Worksheet completion status                     Incomplete

        Overall Full & Partial Principle Alignment      0.00%
        Overall Full Principle Alignment                0.00%




        Agency Signoff:

                                                                                                                        [Name], [Position], [Unit], [Department]
Principle 9 - Business continuity management

#       Requirement                                              Example evidence of compliance                               Source* (IS18 MC)    Status    Comments (eg risk of non-compliance)

9.1     Business continuity

9.1.1   Business continuity plans have been established to enable information and ICT assets to be restored or recovered in the event of a major security failure
        Evidence: Approved agency business continuity plan
        Status:   Choose

9.1.2   Business continuity processes have been established to enable information and ICT assets to be restored or recovered in the event of a major security failure
        Evidence: Processes that enable the information environment to be restored or recovered in the event of a major information security failure have been approved
        Status:   Choose

9.1.3   Business continuity processes have been established to assess the risk and impact of the loss of information and ICT assets in the event of a security failure
        Evidence: Business continuity risk and impact assessment processes have been approved. Agency records indicate that these assessments are made, and inform the development of the agency's business continuity plan
        Status:   Choose

9.1.4   Methods have been developed to reduce known risks to information and ICT assets
        Evidence: Existence of a risk register that documents how known risks will be managed
        Status:   Choose

9.1.5   Business continuity plans have been maintained and tested to ensure information and ICT assets are available and consistent with agency business and service level requirements
        Evidence: Business continuity plan is regularly updated. Business continuity tests are conducted and any weaknesses identified as a result are addressed
        Status:   Choose

9.1.6   A business impact analysis has been undertaken
        Evidence: Records show that a business impact analysis has been undertaken, and the results have been used to reduce risks
        Status:   Choose

9.1.7   All critical business processes and associated information and ICT assets have been identified and prioritised
        Evidence: Records show that all critical business processes and associated assets have been identified, prioritised and documented
        Status:   Choose

9.2     ICT disaster recovery

9.2.1   An information and ICT asset disaster recovery register has been established to assess and classify systems to determine their criticality
        Evidence: Existence of disaster recovery register
        Status:   Choose

9.2.2   An ICT disaster recovery plan has been established to enable information and ICT assets to be restored or recovered in the event of a disaster
        Evidence: Approved disaster recovery plan
        Status:   Choose

9.2.3   ICT disaster recovery processes have been established to enable information and ICT assets to be restored or recovered in the event of a disaster
        Evidence: Processes that enable the information environment to be restored or recovered in the event of a disaster have been approved
        Status:   Choose

9.2.4   ICT disaster recovery processes have been established to assess the risk and impact of the loss of information and ICT assets in the event of a disaster
        Evidence: Disaster recovery risk and impact assessment processes have been approved. Agency records indicate that these assessments are made, and inform the development of the agency's disaster recovery plan
        Status:   Choose

9.2.5   Methods have been developed to reduce known risks to information and ICT assets
        Evidence: Existence of a risk register that documents how known risks will be managed
        Status:   Choose

9.2.6   An ICT disaster recovery plan has been maintained and tested to ensure information and ICT assets are available and consistent with agency business and service level requirements
        Evidence: Disaster recovery plan is regularly updated. Disaster recovery tests are conducted and any weaknesses identified as a result are addressed
        Status:   Choose

9.2.7   ICT disaster recovery plans must have clearly defined maximum acceptable downtimes
        Evidence: Clearly defined maximum acceptable downtimes are documented within ICT disaster recovery plans
        Status:   Choose

9.2.8   Maximum acceptable downtimes for ICT services must also be defined in service and operational level agreements with external parties
        Evidence: Maximum acceptable downtimes for ICT services are documented in all service and operational level agreements with external parties
        Status:   Choose

9.2.9   Copies of ICT disaster recovery plans must be stored in multiple locations including at least one location offsite
        Evidence: Copies of ICT disaster recovery plans can be located in multiple locations including at least one offsite location
        Status:   Choose

        * IS18 - Information Standard 18, Information Security:   MC - Information Security Policy - Mandatory Clause




        Number of Requirements                          16

        Total "Fully Compliant"                         0
        Total "Partly Compliant"                        0
        Total "Not Compliant"                           0
        Total "Exception Granted"                       0
        Total "Not Applicable"                          0

        Worksheet completion status                     Incomplete

        Overall Full & Partial Principle Alignment      0.00%
        Overall Full Principle Alignment                0.00%




Agency Signoff:


                                             [Name], [Position], [Unit], [Department]
Principle 10 - Compliance Management

#        Requirement                                              Example evidence of compliance                               Source* (IS18 MC)    Status    Comments (eg risk of non-compliance)

10.1     Legal requirements

10.1.1   All legislative obligations relating to information security have been complied with and managed appropriately
         Evidence: Agency has identified and documented all its legal obligations relating to information security and its response to these
         Status:   Choose

10.1.2   All information security policies have been reviewed for legislative compliance on a regular basis
         Evidence: A list of legislation compliance has been developed and is cross referenced against all information security policies on a regular basis (including when changes to legislation occur)
         Status:   Choose

10.1.3   The results of compliance reviews against information security policies have been reported to appropriate agency management
         Evidence: Agency management has signed off on the compliance review
         Status:   Choose

10.1.4   All information security processes have been reviewed for legislative compliance on a regular basis
         Evidence: A list of legislation compliance has been developed and is cross referenced against all information security processes on a regular basis (including when changes to legislation occur)
         Status:   Choose

10.1.5   The results of compliance reviews against information security processes have been reported to appropriate agency management
         Evidence: Agency management has signed off on the compliance review
         Status:   Choose

10.1.6   All information security requirements (including contracts with third parties) have been reviewed for legislative compliance on a regular basis
         Evidence: A list of legislative compliance has been developed and is cross referenced against all information security requirements (including contracts with third parties) on a regular basis (including when changes to legislation occur)
         Status:   Choose

10.1.7   The results of compliance reviews against all information security requirements (including contracts with third parties) have been reported to appropriate agency management
         Evidence: Agency management has signed off on the compliance review
         Status:   Choose

10.1.8   Processes to ensure legislative compliance across all agency activities have been developed and implemented
         Evidence: Agency has identified and documented processes for assessing compliance against its information security related legal obligations. Agency records indicate that these processes are being conducted
         Status:   Choose

10.2     Policy requirements

10.2.1   All reporting obligations relating to information security have been complied with and managed appropriately
         Evidence: Agency has identified all reporting obligations and has documented compliance and management
         Status:   Choose

10.2.2   This Information Security Compliance Checklist is submitted annually to the ICT Policy and Coordination Office in line with the IS18 reporting requirements
         Evidence: Completed information security compliance checklist submitted annually to the ICT Policy and Coordination Office
         Status:   Choose

10.3     Audit requirements

10.3.1   All reasonable steps have been taken to monitor, review and audit agency information security compliance
         Evidence: Examples include: completed IS18 component of the QGEA self-assessment alignment report; completed internal and external audit against legal and policy requirements; completed information security maturity assessment; accreditation with appropriate standards or industry bodies
         Status:   Choose

10.3.2   All reasonable steps have been taken to ensure the assignment of appropriate security roles
         Evidence: Employees with information security roles and responsibilities have signed a document stating that they understand their roles and responsibilities
         Status:   Choose

10.3.3   All reasonable steps have been taken to ensure the engagement of internal and/or external auditors and specialist organisations where required
         Evidence: Examples include: completed IS18 component of the QGEA self-assessment alignment report; completed internal and external audit against legal and policy requirements; completed information security maturity assessment; accreditation with appropriate standard
         Status:   Choose

         * IS18 - Information Standard 18, Information Security:   MC - Information Security Policy - Mandatory Clause




         Number of Requirements                          13

         Total "Fully Compliant"                         0
         Total "Partly Compliant"                        0
         Total "Not Compliant"                           0
         Total "Exception Granted"                       0
         Total "Not Applicable"                          0

         Worksheet completion status                     Incomplete

         Overall Full & Partial Principle Alignment      0.00%
         Overall Full Principle Alignment                0.00%




Agency Signoff:


                                             [Name], [Position], [Unit], [Department]
Total IS18 Alignment Scores

IS18 PRINCIPLE                FULL & PARTIAL     FULL

Principle 1 Alignment                    0.00%          0.00%

Principle 2 Alignment                    0.00%          0.00%

Principle 3 Alignment                    0.00%          0.00%

Principle 4 Alignment                    0.00%          0.00%

Principle 5 Alignment                    0.00%          0.00%

Principle 6 Alignment                    0.00%          0.00%

Principle 7 Alignment                    0.00%          0.00%

Principle 8 Alignment                    0.00%          0.00%

Principle 9 Alignment                    0.00%          0.00%

Principle 10 Alignment                   0.00%          0.00%


OVERALL IS18 ALIGNMENT                   0.00%          0.00%
Policy statement
Choose

Adopted (fully compliant)
                       The Information Standard policy statement has been incorporated into the agency's policy framework or enterprise architecture. Incorporation into the policy
                       framework or enterprise architecture will vary from agency to agency, but could be:
                       • formal noting of the Information Standard policy statement by the agency's Information Steering Committee
                       • including or referencing the policy in the agency's internal policies architecture documents
                       • including the policy in strategy documents or project gate keeping processes.

Adopted (risk exempt)
                       The agency has:
                       • plans in place to address all aspects of the Information Standard.

Not adopted (non-compliant)
                       The agency has:
                       • chosen to adopt a different policy or requirements than those outlined in the Information Standard or QGEA policy OR
                       • not developed plans to address the policy and requirements contained within a given Information Standard or QGEA policy.


Mandatory principles
Choose
Fully compliant        Meets all aspects of the Mandatory Principles and/or Policy Requirements.
Partly compliant       Some aspects of the Mandatory Principles and/or Policy Requirements have been met.
Exception granted      The Queensland Government Chief Information Office has approved an exception to the Mandatory Principle or Policy Requirement.
Not compliant          None of the Mandatory Principles and/or Policy Requirements have been met.
Not applicable         The scope of the Mandatory Principles and/or Policy Requirements is not applicable to the agency.
