QGISCF – Information Security Classification
Queensland Government Information Security Classification Framework
The Queensland Government’s Information Security Classification Framework (QGISCF) is a requirement for QLD government departments and agencies that need to meet the QLD information security standard called IS18.
Information classification used to be really important only in the national security sphere. However, with the rise of mass storage of data online, particularly in the cloud, information classification is at the core of good security for all organisations, especially those that wish to share sensitive information with others. It helps resolve the tension between the need to share information to do the task and the need-to-know principle at the heart of security.
At its heart, Queensland’s QGISCF uses the process of business impact levels (BILs) to ask the question:
“What would happen if the Confidentiality, Integrity or Availability of data or an asset is compromised in some way?”
Classification allows the organisation to apply differential controls to the information or to the asset the information resides in. It is also repeatable across organisations and promotes confidence in the sharing of sensitive information between authorised users.
The QGISCF process is consistent with the ISO 27000 family of standards and has a mapping to the Australian Federal Government’s information classification system.
Information classification doesn’t have to be hard, but it does require the organisation to be consistent in transforming its approach. The good news is that there are tools and methodologies available which can help your organisation identify what it needs to do to succeed.
How we can help you
Here at Resilience Outcomes, we’ve helped a number of entities develop practical responses to information classification. This includes:
- delivering training at user and executive level on how to classify information
- advising on the adoption of tools such as those available in Microsoft’s Azure Information Protection (AIP)
- developing organisational procedures for information classification.