Queensland Government Information Security Controls Standard

Final
November 2010
v1.0.0

PUBLIC

Queensland Government Enterprise Architecture

ICT Policy and Coordination Office


Department of Public Works
PUBLIC
QGEA Queensland Government Information Security Controls Standard

Document details
Security classification: PUBLIC
Date of review of security classification: November 2010
Authority: Queensland Government Chief Information Officer
Author: ICT Policy and Coordination Office
Documentation status: Working draft / Consultation release / Final version (selected)

Contact for enquiries and proposed changes


All enquiries regarding this document should be directed in the first instance to:
Director, Policy Development
ICT Policy and Coordination Office
ICTPolicy@qld.gov.au

Acknowledgements
This version of the Queensland Government Information Security Controls Standard was
developed and updated by the ICT Policy and Coordination Office.
Feedback was also received from a number of agencies, including members of the Information
Security Reference Group, which was greatly appreciated.

Copyright
Queensland Government Information Security Controls Standard
Copyright © The State of Queensland (Department of Public Works) 2010

Licence

Queensland Government Information Security Controls Standard is licensed under a Creative
Commons Attribution 2.5 Australia licence. To view a copy of this licence, visit
http://creativecommons.org/licenses/by/2.5/au. It is based on work sourced from the Australian
Government Protective Security Manual:2005, the Australian Government Information Technology
Security Manual (ACSI 33):2006, the SSIO Better Practice Guide for Information Asset
Classification and Control, and from material supplied by the Department of Justice and
Attorney-General. Permissions may be available beyond the scope of this licence. See
www.qgcio.qld.gov.au.

Information security
This document has been security classified using the Queensland Government Information
Security Classification Framework (QGISCF) as PUBLIC and will be managed according to the
requirements of the QGISCF.


Contents
1 Introduction
  1.1 Purpose
  1.2 Audience
  1.3 Scope
2 General controls
  2.1 Need-to-know
  2.2 Filing and markings
  2.3 Clear desk policy
  2.4 Reclassification of information
  2.5 Information shared with external parties
  2.6 Disposal of information assets that are public records
  2.7 Sanitising and Disposal of media
3 Non-general control details
  3.1 Transporting security classified information
  3.2 Discussing security classified information
  3.3 Copying security classified information
  3.4 Storage of security classified information and associated media
  3.5 Electronic authentication and access controls
  3.6 Audit logs
  3.7 Facsimile transmission
  3.8 Email transmission
  3.9 Radio Transmission
Appendix A Protective Security Manual standard file colours

Tables
Table 1: Manual transmission requirements
Table 2: Data transmission requirements
Table 3: Description of security areas
Table 4: Minimum security container requirements
Table 5: Security container definitions
Table 6: Secure room definitions
Table 7: Levels of auditing required for classified information assets
Table 8: Facsimile transmission measures
Table 9: PSM standard file colours


1 Introduction
1.1 Purpose
This standard specifies the controls that must be applied to Queensland Government
information assets. It complements the Queensland Government Information Security
Classification Framework (QGISCF), and is also related to the Network Transmission
Security Assurance Framework (NTSAF) which provides greater detail on the controls
required to transmit security classified information assets.

1.2 Audience
This document is primarily intended for agency staff who:
• handle information assets
• develop information security policy and procedures.

1.3 Scope
The controls outlined in this document apply to information assets held by Queensland
Government agencies. Where information assets have been classified using alternative
classification schemes (such as the national security classification approach), the controls
specified by those schemes take precedence and should be applied.
Where there is a mismatch between advice provided by various documents, the most
stringent control should be applied.


2 General controls
As well as the specific controls contained in the QGISCF, the following controls need to be
applied to all information assets, regardless of their security classification.

2.1 Need-to-know
The need-to-know principle requires that information assets held by an agency should only
be available to those who need to use or access them to do their work. However, the need-
to-know principle must not inhibit access to information assets under legislation such as the
Right to Information Act 2009.
The dissemination of information assets must be no wider than is required for the efficient
conduct of business and it is the personal responsibility of all those who use or access
information assets, including unclassified assets, to apply the need-to-know principle to
their duties. It is the responsibility of agencies to determine need-to-know designations for
staff. Personal information is also subject to legislative constraints and any confidentiality
provisions that apply to individual agencies.
Agencies typically implement a need-to-know approach to information asset access through
a combination of access control on applications and the implementation of both individual
and work-unit based security mechanisms for file servers.

2.2 Filing and markings


Security classified documents should be filed with appropriate ‘wrapper folders’ or file
covers. The coloured folders identifying security classification levels should be used as
wrappers on physical documents or files, and are not intended to replace existing storage
folders, such as those used to track file movements.

Figure 1: Security classified files

Generic Queensland Government coloured and printed folders have been sourced by some
agencies and are therefore available for purchase. Where agencies have other
requirements that preclude the use of the standard colour file covers, agencies should
ensure that an appropriate standard is adopted within the agency. File cover sheets should
also be used for all physical files, and standard cover sheets have been developed in
support of this framework.
The Australian Government Protective Security Policy Framework (PSPF) (which has
superseded the Australian Government Protective Security Manual) recommends that the
security classification should be in capital letters, in bold text, and of a minimum height of
5mm, preferably at the centre of the top and bottom of each page. Additionally where
possible it is preferable for the markings to be in red (ARIAL, 20 point, bold and red is an
appropriate format). Page numbering of the form ‘Page n of x’ is desirable for all
classifications and mandatory for HIGHLY PROTECTED.
Markings for PUBLIC and UNCLASSIFIED documents should also be in capitals, bold and
red, but may be in a smaller size font if required. Because of the possibility of confusion
with information assets that have yet to be information security classified, acceptable
markings for UNCLASSIFIED documents are:
• UNCLASSIFIED
• INTERNAL-USE-ONLY or
• a combination UNCLASSIFIED–INTERNAL-USE-ONLY.
A domain can also be added if this is appropriate and would assist such as
‘AGENCY-INTERNAL-USE-ONLY’ or ‘GOVERNMENT-INTERNAL-USE-ONLY’.

2.3 Clear desk policy


General agency controls should include a clear desk and clear screen policy for areas that
handle security classified information.
A clear desk policy requires that classified information assets are secured when
workstations are unattended and that unauthorised people are not able to access any
electronic material, system or network to which the user had been connected. For long
periods this would mean ‘logging off’ from computer systems, but for shorter periods a
screen saver with password or some similar desktop locking mechanism may be adequate.
At close of business, a workplace lock-up procedure should require that personnel:
• quit all systems and networks and, where possible, shut down workstations
• ensure that there are no security classified information assets left unsecured
• ensure there are no security classified information assets in waste-paper bins and that
  information assets are disposed of lawfully
• ensure that electronic media storing security classified information assets are secured
• clear whiteboards and other displays of any security classified information assets
• secure vaults and containers holding security classified material
• ensure windows and doors are locked
• ensure that keys to containers holding security classified information assets are secure.

2.4 Reclassification of information


Employees should not change the classification of information assets unless this action is a
formal part of the reclassification process approved by the information owner.
Reclassification of information assets should be performed in accordance with the standard
classification process outlined in this framework and other agency specific classification
processes.

2.5 Information shared with external parties


Where agencies are required to handle security classified information assets from external
agencies or business partners, the information asset must:
• retain the security classification of the originating agency
• be managed according to that agency’s information security classification scheme and
  policies or in line with a Memorandum of Understanding (MOU) or Service Level
  Agreement (SLA) established between the agencies. The originating agency is
  responsible for ensuring that its information assets will be properly protected
• if a MOU or other agreement has not been made, the information asset must, as a
  minimum, be handled in accordance with this framework.

2.6 Disposal of information assets that are public records


Section 26 of the Public Records Act 2002 provides for the disposal of public records and
applies to records created and maintained in any format, including records that are security
classified and controlled. The Public Records Act 2002 defines disposal of a record as
including:
• destroying or damaging the record, or part of it, or
• abandoning, transferring, donating, giving away or selling the record, or part of it.
Information Standard 31: Retention and Disposal of Public Records (IS31) requires that the
disposal (including the destruction, sale or transfer) of records can only be performed with
the written authorisation of the State Archivist. Public authorities must develop and
implement formal disposal schedules authorised by the State Archivist and implement
disposal processes, to ensure the legal, systematic, and consistent disposal of records no
longer required for business, accountability or cultural purposes.

2.7 Sanitising and Disposal of media


The following media cannot be sanitised and should be destroyed if they contain or may
have contained classified information assets [1]:
• microfiche and microfilm
• optical discs, including CDs and DVDs
• printer ribbons
• programmable read only memory (PROM) and read only memory (ROM).
Other media including various forms of erasable or alterable PROM (EPROM), laser printer
and photocopier drums, and magnetic media such as hard disk drives may be sanitised for
reuse by wiping or by using a suitable degaussing tool. Sanitisation of magnetic media by
erasure should be performed using specifically designed security erasure software to
effectively wipe the contents of electronic storage media.

Methods of destruction
Security classified material may be disposed of by:
• pulping: transforming used paper into a moist, slightly cohering mass, from which new
  paper products will be made
• burning: (in accordance with relevant environment protection restrictions)
• pulverisation: using hammermills with rotating steel hammers to pulverise the material
• disintegration: using blades to cut and gradually reduce the waste particle to a given
  size determined by a removable screen
• shredding: using cross-cut shredders. Where the disposal method is shredding,
  classified material should be destroyed using a cross-cut shredder that reduces waste
  to a particle size of 2.3mm x 25mm or less (B Class Shredder).

[1] Unless the information asset is subject to recordkeeping requirements as outlined in section 2.6.


Garbage and recycling


Security classified information assets should not be recycled or discarded in the agency’s
general garbage unless they have already undergone some form of appropriate destruction,
such as shredding.
Any decision to dispose of security classified waste using an authorised disposal company
should be determined in the context of sound risk management and with the authority of the
information owner.

3 Non-general control details


3.1 Transporting security classified information
Table 1 describes the protocol for manual transmission of security classified information
assets.

UNCLASSIFIED
  Within a single location:
  • May be passed uncovered by hand.
  • Passed by internal mail in a use-again envelope.
  Between locations:
  • Passed by internal mail in a use-again envelope.
  • Passed by external mail in an opaque envelope.

X-IN-CONFIDENCE
  Within a single location:
  • Single opaque envelope indicating classification.
  • Uncovered by hand in discrete office environment.
  Between locations:
  • Single opaque envelope that does not indicate classification.
  • Receipting at discretion of information owner.
  • Delivered by hand or authorised messenger including Australia Post.

PROTECTED
  Within a single location:
  • Single opaque envelope indicating classification.
  • Uncovered by hand directly between authorised members of staff in discrete office
    environment.
  • Should not be left unattended on recipient’s desk.
  Between locations:
  • Double enveloping (ie. sealed inner envelope indicating classification placed within a
    single opaque outer envelope that does not indicate classification); or
  • Single opaque envelope that does indicate classification and secured in a lockable
    container and delivered by an authorised messenger.
  • Receipting required.

HIGHLY PROTECTED
  Within a single location:
  • Single opaque envelope indicating classification.
  • Uncovered by hand directly between authorised members of staff in discrete office
    environment.
  • Must not be left unattended on recipient’s desk.
  Between locations:
  • Double enveloping (ie. sealed inner envelope indicating classification placed within a
    single opaque outer envelope that does not indicate classification); or
  • Single opaque envelope that does indicate classification and secured in a lockable
    container and delivered by an authorised messenger.
  • Receipting required.

Table 1: Manual transmission requirements

Table 2 summarises the protocols for data transmission of security classified information
assets. See the NTSAF for further guidance.

UNCLASSIFIED
  • May use internal or external networks including the internet with controls as specified
    by the NTSAF.

X-IN-CONFIDENCE
  • May be passed over appropriately classified internal networks as defined in the NTSAF.
  • Should be encrypted when being sent between agencies using controls as specified by
    the NTSAF.

PROTECTED
  • May be passed over appropriately classified internal networks as defined in the NTSAF.
  • Should be encrypted when being sent between agencies using controls as specified by
    the NTSAF.

HIGHLY PROTECTED
  • May be passed over appropriately classified internal networks as defined in the NTSAF.
  • Must be encrypted when being sent between agencies using cryptographic protocols 2 as
    specified by the NTSAF.

Table 2: Data transmission requirements

3.2 Discussing security classified information


All discussions of HIGHLY PROTECTED or PROTECTED information assets should occur
behind closed doors in fully enclosed rooms. If discussions of X-IN-CONFIDENCE
information assets are held, care should be taken to ensure that people without a need to
know are not able to overhear the discussions.
When it is necessary to discuss security classified information assets in meetings (including
in-person meetings, presentations, teleconferences, and video conferences), convenors
should take appropriate steps to ensure that the audience is restricted to those with a
need-to-know and that the risk of compromise of these assets is minimised by ensuring seating
arrangements preclude the possibility of the information assets being viewed without proper
authority.
Where meetings are held, the security classification of the information asset should be
notified to the audience and the audience reminded of their responsibility to maintain
confidentiality.
Visual aids such as slides and overhead transparencies should include the appropriate
security classification markings and should be removed at the conclusion of the meeting,
including deleting the presentation from corporate resources such as laptops. This includes
deleting documents from the Recent Documents list, deleting any HTML pages from the
browser history and emptying the Recycle bin.
Any security classified information assets placed on whiteboards should be erased with a
suitable cleaner prior to the room being vacated.

3.2.1 Telephone and video conference


An agency’s private video conference, telephone or intercom systems using wireline or fibre
optic transmission paths only (that is, no microwaves or similar radio frequency links) may
be used to pass voice or facsimile information classified X-IN-CONFIDENCE without further
precautions. For PROTECTED and HIGHLY PROTECTED information assets, additional
encryption, or the use of approved secure communications systems, is required.
Mobile telephones should not be used for data or voice transmission of PROTECTED or
HIGHLY PROTECTED security classified information assets unless both handsets are
provided with encryption appropriate to the asset’s classification. See the NTSAF for
details.

3.2.2 Records of discussion and/or presentation


Agencies will exercise discretion in regard to this aspect of information security. Where an
agency decides it is applicable, a record should be taken of all discussions and
presentations of HIGHLY PROTECTED and PROTECTED information assets. The record
should detail the:
• nature of the material presented
• date
• audience present
• decisions made
• actions to be taken.
All records taken during the presentation or discussion of security classified information
assets should assume the same security classification.

3.3 Copying security classified information


Classified information assets should only be reproduced (copied or re-printed) when it is
strictly necessary to do so. Spare or spoilt copies of security classified information assets
should be destroyed immediately in accord with the appropriate disposal requirements
(including recordkeeping disposal schedules).
When making copies of information assets that have a copy number (especially
PROTECTED and HIGHLY PROTECTED material), the permission of the information
owner must be obtained. When seeking permission to make copies, the proposed
additional distribution should be provided and the owner should indicate the appropriate
copy numbers.
Copiers and printers should not be left unattended if classified information assets are being
reproduced unless there are suitable physical access controls to prevent unauthorised
persons (including those without a need-to-know) from both entering the area around the
copier or printer, and viewing the material being printed.

3.4 Storage of security classified information and associated media


Physical security protection (in line with the security classification level of the asset) must
be in place for all government offices, rooms, storage facilities and cabling infrastructure.
Building and entry controls must be in place for areas that process or store security
classified information assets.
The following section applies equally to the storage of physical (eg. paper) and electronic
information assets. Electronic storage media [2] (discs, CD Towers) containing classified
information assets must be afforded the full protection given to equivalent classified hard
copy information assets. Due to the risk of accidental loss and lack of movement control
and audit trails, classified information assets stored on stand-alone or portable computers,
hard drives, flash memory drives, and other storage devices must be treated with the same
controls applicable to removable media including the use of encryption and storage where
applicable in secure containers.
Where possible, this type of media must be clearly labelled in accordance with the security
classification level of the data stored on the media. If encryption systems do not encrypt the
entire media content, care must be taken to ensure that either all of the classified data is
encrypted appropriately or that the media is handled in accordance with the highest
classification of the unencrypted data.
Electronic storage media includes fixed or removable storage and can be either:
• volatile storage, which loses its information when power is removed, or
• non-volatile, which retains its information when power is removed.
Volatile media used to process classified material may be treated as UNCLASSIFIED once
the power has been removed. As noted previously, any non-volatile media containing
classified material should be labelled appropriately. In the case of internally mounted hard-
drives, the computer case should be labelled.
Suitable storage for classified material and electronic media should be determined by a risk
assessment. The type of secure storage device or area required is dependent upon a
number of factors including:
• the classification of the information asset
• the type of access facility where the information is located
• the value and attractiveness of the information asset stored
• the structure and location of the building
• entry control systems
• other physical protection systems (for example, locks and alarms).

[2] In the context of this framework, media is the component of computer hardware that is used to store information.


3.4.1 Secure areas


Secure, Partially Secure or Intruder Resistant Areas are areas that have measures in place
for the secure handling and storage of security classified information assets. They may be a
single room, a building, or a complex consisting of a number of buildings.
The descriptions about what constitutes a Secure, Partially Secure, and Intruder Resistant
Area are provided below and are summarised in Table 3. These descriptions have been
adapted from the Protective Security Manual to assist the organisation when selecting
appropriate handling and storage measures, including suitable containers.

Secure Area
A Secure Area is one that provides the highest integrity of access to, and audit of, security
classified information assets to ensure restricted distribution and to assist in subsequent
investigation if there is unauthorised disclosure or loss of information assets. The essential
physical security features of a Secure Area include:
• appropriately secured points of entry and other openings
• tamper-evident barriers, highly resistant to covert entry
• an effective means of providing access control during both operational and
  non-operational hours
• all persons to wear passes
• all visitors escorted at all times
• during non-operational hours a monitored security alarm system, providing coverage
  for all areas where security classified information assets are stored
• an approved means of limiting entry to authorised persons.

Partially Secure Area


A Partially Secure Area is one that provides a degree of audit by both physical or electronic
and personnel means. The essential physical security features of a Partially Secure Area
include:
• appropriately secured points of entry and other openings
• tamper-evident barriers, highly resistant to covert entry
• an effective means of providing access control during both operational and
  non-operational hours
• all persons to wear passes
• all visitors escorted at all times
• during non-operational hours a monitored security alarm system, providing coverage
  for all areas where security classified information assets are stored
• an approved means of limiting entry to authorised persons.

Intruder Resistant Area


An intruder resistant area is a facility or room that meets the following essential physical
security requirements (drawn from section 7.54 of the PSPF):
• tamper-evident barriers, resistant to covert entry, and
• an effective means of limiting entry to authorised people only during both operational
  and non-operational hours.


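Control measure, with its requirement in Secure Areas, Partially Secure Areas and the
Intruder Resistant Area:

• Tamper-evident barriers, highly resistant to covert entry [3]
  Secure Areas: Yes; Partially Secure Areas: Yes; Intruder Resistant Area: Yes
• An effective means of providing access control during both operational and
  non-operational hours
  Secure Areas: Yes; Partially Secure Areas: Yes; Intruder Resistant Area: Yes
• All persons to wear passes
  Secure Areas: Yes; Partially Secure Areas: Yes; Intruder Resistant Area: Yes
• All visitors escorted at all times
  Secure Areas: Yes; Partially Secure Areas: Yes; Intruder Resistant Area: Yes
• Appropriately secured points of entry and other openings
  Secure Areas: Yes; Partially Secure Areas: Yes; Intruder Resistant Area: No
• During non-operational hours a monitored security alarm system, providing coverage for
  all areas where security classified information assets are stored
  Secure Areas: Yes; Partially Secure Areas: Yes; Intruder Resistant Area: No
• An approved means of limiting entry to authorised persons
  Secure Areas: Yes; Partially Secure Areas: No; Intruder Resistant Area: No

Table 3: Description of security areas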

The standard and combination of the measures should be in keeping with the highest level
of security classified information assets protected in the area. The measures must ensure
that the less effort and time required to gain access to the information asset, the quicker the
detection and response must be to the security incident. Conversely, the better the physical
security barriers protecting the information asset, the greater the time can be allowed for
the detection and response to the security incident.

3.4.2 Security containers


Depending on the outcomes of the risk assessment and taking into account the various
factors mentioned above, secure storage may range from (but is not limited to) lockable
drawers, secure filing containers or compactus, to secure rooms. The recommended
minimum standard of security container or room for security classified information assets
depends on the types of area they are situated in, as shown in Table 4 [4].

[3] Such barriers provide containment in all directions. They have enough resistance to covert entry to provide some
assurance that a person attempting to gain unauthorised entry and exit without being apprehended would have to
damage or modify the barriers so that it was obvious that a security incident had occurred.
[4] The Australian Government specifies appropriate containers in its Security Equipment Catalogue (SEC) which is
managed by the Australian Security Intelligence Organisation (ASIO).


Minimum container or room, by facility physical security classification:

HIGHLY PROTECTED
  Secure Area: Class C cabinet or room
  Partially Secure Area: Class B cabinet or room
  Intruder Resistant Area: Class A cabinet or room

PROTECTED
  Secure Area: Class C cabinet or room [5]
  Partially Secure Area: Class C cabinet or room
  Intruder Resistant Area: Class B cabinet or room

IN-CONFIDENCE
  Secure Area: Agency discretion
  Partially Secure Area: Lockable commercial cabinet
  Intruder Resistant Area: Lockable commercial cabinet

Table 4: Minimum security container requirements

Table 5 and Table 6 provide descriptions of secure containers and rooms.

Class A security container: A steel-lined concrete-strengthened container secured with an
endorsed combination lock manufactured to ASIO-approved specifications; for further
information, refer to the Security Equipment Catalogue.

Class B security container: A security container manufactured to ASIO-approved specifications;
for further information, refer to the Security Equipment Catalogue.

Class C security container: A security container manufactured to ASIO-approved specifications;
for further information, refer to the Security Equipment Catalogue.

Table 5: Security container definitions

Class A secure room: A room constructed and secured in accordance with ASIO
specifications. Note that doors are fitted with two endorsed combination locks; for further
information, refer to the Security Equipment Catalogue.

Class B secure room: A room constructed and secured in accordance with ASIO
specifications. Note that doors are fitted with one endorsed combination lock; for further
information, refer to the Security Equipment Catalogue.

Class C secure room: A room constructed and secured in accordance with ASIO
specifications and locked using one lock endorsed for the protection of national security
classification information; for further information, refer to the Security Equipment Catalogue.

Table 6: Secure room definitions

⁵ A lockable container with a Security Construction & Equipment Committee (SCEC) endorsed lock is also acceptable.


3.5 Electronic authentication and access controls


In addition to physical access controls, agencies must have a means of controlling access
to their computer systems or networks. All computer-resident classified information assets
should have authentication and access controls to ensure that only authorised users can
access the information asset and it is not improperly disclosed, modified, deleted, or
rendered unavailable. In addition, the computer and communications system privileges of
all users, systems and programs should be restricted on a need-to-know basis.

Authentication controls must be based on those documented within the Queensland
Government Authentication Framework, which provides additional detail concerning
appropriate authentication controls and mechanisms.

Where practical, computer and communications equipment should be located in secure
areas with access control mechanisms in place to restrict use to authorised personnel only.
Where physical controls are not possible, other control methods must be in place.

When implementing controls to restrict logical access to certain resources, agencies
should:
• limit user access on the basis of need-to-know
• provide users with the minimum of privileges required for their job
• require requests for access to a system be authorised by the information owner or
  other approval authority.

To ensure that access and back-up of electronic information assets remain tightly controlled
and monitored, classified information assets in electronic form are best stored and
managed through an electronic document and records management system (eDRMS) or
other system with appropriate equivalent functionality.

At a minimum, information assets kept on network file-servers must be kept in locked files
designated for defined user groups and individual users.

3.6 Audit logs


To maintain confidentiality and integrity of classified information assets, a strict audit logging
process is to be implemented, with traceability provided from the security classified
information register. This audit log must be carefully designed to ensure it is capable of
providing a ‘trail of evidence’ which can be used to investigate inappropriate or illegal
access.

Care must be taken that the audit log captures all information which is useful in constructing
this trail of evidence. Audit log access controls must be in place with explicit user
authentication (also logged) needed to view the audit log database. The levels of auditing
required for security-classified information assets are shown in Table 7 (page 13).

It is best practice for administrators to not have read, write, modify or delete access to audit
logs. Restricting access to auditors or other independent roles reduces the risk of
unauthorised access, modification and loss on the part of the administrator and also
protects the administrator.


Audit Log Controls

| Information Security Classification | General User / Files | Administrator |
|---|---|---|
| HIGHLY PROTECTED | Log In/Out, Failed Attempts, Read, Write, Modify & Delete | Log In/Out, File Access. Administrators are not to have Read, Write, Modify or Delete access to audit logs |
| PROTECTED | Log In/Out, Failed Attempts, Read, Write & Delete | Log In/Out, File Access. Administrators are not to have Read, Write, Modify or Delete access to audit logs |
| IN-CONFIDENCE | Log In/Out, Failed Attempts & Delete | Log In/Out, File Access. Administrators are not to have Read, Write, Modify or Delete access to audit logs |
| Unclassified | Log In/Out, Failed Attempts | Log In/Out, File Access. Administrators are not to have Read, Write, Modify or Delete access to audit logs |

Table 7: Levels of auditing required for classified information assets
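
An added example (not part of the standard) that checks two requirements of Table 7: that each store's audit policy captures the events required for its classification, and that no administrator account has touched the audit log. The event names, log line format, store names and account names are constructed for illustration.

```python
# Events Table 7 requires to be logged for general users and files.
# The lower-case event names are assumed, normalised labels.
BASE = {"login", "logout", "failed_attempt"}
REQUIRED = {
    "HIGHLY PROTECTED": BASE | {"read", "write", "modify", "delete"},
    "PROTECTED": BASE | {"read", "write", "delete"},
    "IN-CONFIDENCE": BASE | {"delete"},
    "UNCLASSIFIED": BASE,
}
AUDIT_LOG_ACTIONS = {"read", "write", "modify", "delete"}

def coverage_gaps(stores):
    """Return {store: [required events its audit policy does not capture]}."""
    gaps = {}
    for name, (classification, audited) in stores.items():
        missing = REQUIRED[classification] - set(audited)
        if missing:
            gaps[name] = sorted(missing)
    return gaps

def admin_audit_log_access(lines):
    """Return (timestamp, user, action) for each administrator action on the audit log."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) != 5:  # skip malformed entries
            continue
        ts, user, role, action, target = parts
        if role == "admin" and target == "auditlog" and action in AUDIT_LOG_ACTIONS:
            hits.append((ts, user, action))
    return hits

# Constructed audit policies: store -> (classification, events currently audited).
STORES = {
    "hr-share": ("PROTECTED", ["login", "logout", "failed_attempt", "read", "write"]),
    "intranet": ("UNCLASSIFIED", ["login", "logout", "failed_attempt"]),
    "exec-briefs": ("HIGHLY PROTECTED",
                    ["login", "logout", "failed_attempt", "read", "write", "delete"]),
}
# Constructed log lines: timestamp user role action target.
LOG = [
    "2010-11-02T09:14:03 jsmith user read hr-share",
    "2010-11-02T09:20:41 opsadmin admin login fileserver",
    "2010-11-02T09:21:10 opsadmin admin delete auditlog",
    "2010-11-02T09:30:00 auditor1 auditor read auditlog",
]

if __name__ == "__main__":
    print(coverage_gaps(STORES))
    print(admin_audit_log_access(LOG))
```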

3.7 Facsimile transmission


All staff must be aware of the ‘need to know’ guidelines in this document for the
transmission of information security assets using a facsimile. When transmitting any
security classified material it is a requirement that someone attend the receiving facsimile to
receive the material, and that receipt or non-receipt of the document is advised. For
PROTECTED and HIGHLY PROTECTED there is an additional requirement that the link is
encrypted. These controls are detailed in Table 8.

| Measure | UNCLASSIFIED | IN-CONFIDENCE | PROTECTED | HIGHLY PROTECTED |
|---|---|---|---|---|
| Requires encrypted link | No | No | Yes | Yes |
| May be faxed internally and externally if the recipient is standing by the receiving fax machine and there is no opportunity for any unauthorised person to view the document. | Not Applicable | Yes | Yes | Yes |
| Receiving officer is to acknowledge receipt or non-receipt of the document within 10 minutes of its transmission | No | Yes | Yes | Yes |

Table 8: Facsimile transmission measures


3.8 Email transmission


Internal networks can be used to transmit IN-CONFIDENCE or higher classified data (although
email should be a last resort for HIGHLY PROTECTED assets). When internal networks
are used to transmit classified information assets, care must be taken to ensure that all mail
servers involved in the transaction are appropriately secured to the required security
classification.

If IN-CONFIDENCE or higher assets are passed between agencies they must be encrypted
to an appropriate level (see the NTSAF for guidance).

Agencies should avoid sending information assets over email if the information has been
classified as HIGHLY PROTECTED (although email may need to be used as a last resort).

When sending emails, agencies should also consider stating the classification level in the
‘Subject’ line, e.g. [SEC=PROTECTED]. Including classification levels within emails allows
easy recognition and handling at the email server gateway, assists application of security
controls and enables appropriate recordkeeping activity. If agencies do decide to state the
classification level within emails, policies and procedures should include:
• When are classification levels applied? (e.g. original messages, replies, forwards)
• How can staff classify emails?
• What is the format and location of classification markings?
• What level of classification can be transmitted on the agency’s internal network?
• What is the level of classification that can be transmitted to external addresses?

Agencies should assess the risks associated with the accidental or unauthorised release of
security classified information assets prior to transmitting them via email.

For further information on email classification, agencies can refer to the Australian
Government’s Implementation Guide for Email Protective Markings for Australian
Government Agencies.
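
The gateway handling that subject-line markings make possible, as an added example (not part of the standard): it parses `[SEC=...]` markings and applies this section's encryption and last-resort rules. Holding unmarked mail, the function names, the `encrypted` flag, the `.example` domains and treating any non-internal domain as another agency are assumptions.

```python
import re

# Classification levels named in this standard, lowest to highest.
LEVELS = ["UNCLASSIFIED", "IN-CONFIDENCE", "PROTECTED", "HIGHLY PROTECTED"]
MARKING = re.compile(r"\[SEC=([^\]]*)\]", re.IGNORECASE)

def parse_marking(subject):
    """Return the highest [SEC=...] level in a subject line, None if unmarked,
    or "INVALID" if any marking is not a known level."""
    labels = [m.strip().upper() for m in MARKING.findall(subject)]
    if not labels:
        return None
    if any(label not in LEVELS for label in labels):
        return "INVALID"
    # Replies and forwards can stack markings; handle at the highest one.
    return max(labels, key=LEVELS.index)

def gateway_decision(subject, recipients, internal_domains, encrypted):
    """Decide how the gateway handles one message (assumed agency policy)."""
    level = parse_marking(subject)
    if level is None or level == "INVALID":
        return "HOLD: missing or unrecognised protective marking"
    external = any(r.rsplit("@", 1)[-1].lower() not in internal_domains
                   for r in recipients)
    # IN-CONFIDENCE or higher passed between agencies must be encrypted.
    if external and level != "UNCLASSIFIED" and not encrypted:
        return "BLOCK: " + level + " to external address requires encryption"
    # Email is a last resort for HIGHLY PROTECTED assets.
    if level == "HIGHLY PROTECTED":
        return "HOLD: HIGHLY PROTECTED by email needs last-resort approval"
    return "DELIVER: " + level

# Constructed sample messages; addresses and domains are placeholders.
INTERNAL = {"agency.example"}
SAMPLES = [
    ("Roster update [SEC=UNCLASSIFIED]", ["a@agency.example"], False),
    ("RE: Case notes [SEC=IN-CONFIDENCE] [SEC=PROTECTED]", ["b@other.example"], False),
    ("Case notes [SEC=PROTECTED]", ["b@other.example"], True),
    ("Brief [SEC=HIGHLY PROTECTED]", ["a@agency.example"], True),
    ("Lunch?", ["a@agency.example"], False),
]

if __name__ == "__main__":
    for subject, rcpts, enc in SAMPLES:
        print(subject, "->", gateway_decision(subject, rcpts, INTERNAL, enc))
```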

3.9 Radio Transmission


Guidance on transmitting security classified information assets via radio is being explored.
Until further details are provided, agencies should ensure that assets are transmitted via
this channel only where other options are unavailable, and where the risks of disclosure
have been assessed and accepted. In particular, the radio transmission of PROTECTED
and HIGHLY PROTECTED information assets should only be used as a last resort.


Appendix A Protective Security Manual standard file colours

The PSPF specifies standard file colours as indicated in the QGISCF. The recommended
stripe colour is Pantone Process Yellow-2U. The stripe should run diagonally across the
front and on the spine.

Table 9: PSM standard file colours

| Security Classification | File Colour |
|---|---|
| TOP SECRET | post office red |
| SECRET | salmon pink |
| CONFIDENTIAL | green |
| RESTRICTED | blue or buff |
| HIGHLY PROTECTED | salmon pink plus stripe |
| PROTECTED | green plus stripe |
| X-IN-CONFIDENCE | blue or buff plus stripe |
