ISMF Guideline 8a

OCIO/G4.8a
Government guideline on cyber security
An approach to classification using the ISMF
BACKGROUND
Version 3 and later of the South Australian Information Security Management Framework [ISMF]
introduced a new classification structure for confidentiality (refer to ISMF Guideline 8b) and
reinforced the importance of classifying information and associated information assets (such as
ICT platforms and services) based on Integrity, Availability and Confidentiality requirements.
Protection efforts should be prioritised for those assets that are considered critical, and to
information that is of high value to supporting the business’ ongoing operations and resilience. This
guideline supports implementation of ISMF Policy Statement 8.
PRE-REQUISITE DOCUMENTS
The following documents should be read in conjunction with this guideline:
• ISMF Guideline 8b describes the new classification scheme for confidentiality and provides
translation from the earlier scheme used within government to the new markings.
• Annex B of the ISMF contains a flow-chart describing the confidentiality marking structure.
• Table 1 of the ISMF describes the Dissemination Limiting Markers [DLMs] used by SA
Government agencies. These alert recipients and custodians of information to special
handling requirements surrounding confidentiality and the intended audience for materials that
use the information. Release requirements are often governed by legislation.
• Table 2 of the ISMF describes the protective markings used by SA Government agencies.
These are classifications indicating that the information requires a heightened level of
protection to ensure confidentiality. Examples include personnel vetting and security
clearances to access the information, and stringent storage and access methods for ICT
systems and hardcopy documentation containing information at this level.
• Table 3 of the ISMF describes the availability and integrity classifications used by SA
Government agencies.
• The ISMS Statement of Applicability tool is a spreadsheet-based tool to facilitate the recording of
agency decisions on what policies, standards and controls are in place against a particular
system, workplace function or geographic location.
GUIDANCE
This guideline outlines a process for classifying information and associated information assets.
Essentially the classifications are a result of characterising attributes of information to determine a
set of requirements (or assign a value to the information) for an organisation and/or its
stakeholders (including customers and the public). The outcome is that corresponding protective
markings are associated with the information (or information asset) so that the information risk
management techniques described in the ISMF can be applied to ICT systems and organisational
processes in order to proportionately protect and maintain confidence in an agency’s ability to
deliver information based services.
RESPONSIBLE INFORMATION SHARING
A key attribute of information classification is to recognise that all information is shared at some
point in its lifecycle. No matter how sensitive or restricted the destination audience may be,
information is generated (or created), stored and then used by an individual or a group by applying
the ‘need-to-know’ principle. This principle means a person must have a legitimate need to access
the classified information assets to carry out their official duties. Other justifications, such as
position of authority, or the desire to enter controlled areas or access information for the sake of
convenience, are not valid.
Once information classifications have been determined, the business-driven risk-based approach
to cyber security of the ISMF requires decisions to be recorded on how identified risks have been
addressed in order to provide an adequate level of assurance to the business that cyber security
controls and protection mechanisms are in place, being used and effective.
Some examples of the varying degrees of responsible information sharing are illustrated below:
• Emergency management and crisis response information is generally distributed on a broad
public scale, but requires exceptionally high degrees of accuracy (integrity) and availability in
order to inform the community and emergency services personnel in a timely and accurate
manner.
• Payroll processing and financial information needs a high degree of accuracy and will have
varying availability requirements. These are often driven by calendar-based events, such as
salary processing periods, budget bids or forecasting events for significant initiatives such as
major projects.
• Information Sharing Guidelines for Promoting the Safety and Wellbeing of Children, Young
People and their Families - these guidelines deal with the legal and practical framework that
supports appropriate information sharing for the provision of integrated support to children,
young people and their families.
• Medical and healthcare information, particularly patient data, needs to be extremely accurate
and held in the strictest confidence to protect patient privacy and wellbeing, yet is still shared
between medical practitioners that have a legitimate ‘need-to-know’.
• Criminal investigations, operations and counter-terrorism undertakings require significantly
elevated degrees of confidentiality to be applied.
The sheer diversity and complexity of information types used within and between governments
means that no single process for determining the value of information will work in all scenarios. By
implementing an approach that accounts for the three dimensions of information security
(confidentiality, integrity and availability), the likelihood of success in meeting business operating
objectives is significantly improved.
Government guideline on cyber security
An approach to classification using the ISMF (v1.0)
Page 2 of 7
BENEFITS REALISATION
By balancing the ‘need-to-protect’ information with the ‘need-to-publicly disclose’ and share
information, visible benefits are realised. As open-government initiatives in multiple jurisdictions
gain traction, information management practices must transition to account for the ever-increasing
use of social media and other bi-directional information systems as a channel for community
consultation.
The benefits of responsible information sharing include:
• User experience both within and external to government
  o Information is easy to find and can be relied upon
  o Services are interactive and timely
• Elimination of delays
  o Information on demand (i.e. readily shared and accessible when required)
  o Accessible by leveraging the internet, including mobile devices and emerging
technologies
• Reduction in costs and increase in organisational efficiencies
  o Lowers cost of service delivery
  o Fosters greater use of ‘self-service’ capabilities
  o Interactive government is an agile and consultative government
• Accurate and timely information
  o Timely information is achieved because availability requirements have been
considered
  o Accurate information is more likely because integrity requirements have been
considered
• Maintaining trust and confidence in government as a supplier and custodian of information
  o Reliable and secure information services engender trust and confidence. This is
reflected by organisational capability, capacity and communication.
CHARACTERISING THE VALUE OF INFORMATION
The following process diagram presents an overview of the process flow required to
establish a value for the information or asset using a classification process. This facilitates
managing and recording any risks identified by the business using the ISMF as a control
mechanism. The process shifts thinking from a conventional confidentiality-based approach to
consider the three dimensions of information management and security in order to meet business
level requirements and objectives. The process recognises that public information may require
exceptionally high degrees of integrity (accuracy) and availability (and, by association, that
availability requirements may change based on calendar or event driven periods, a notion of ‘peak
demand’ for certain types of information). Confidentiality of information is also embedded in the
process; however, this approach recognises that in many instances confidentiality protections are
applied to prevent corruption, theft or denial of service to important information upon which the
business or the broader community rely, including information held about persons:
How accurate must the information be:
• Work with Business Owners to understand what inaccuracies in the information can be tolerated
prior to undertaking corrections or reissuing the information to be classified. The ultimate
determination of information value must come from the business itself.
• Determine the extent of consequences if the information contains errors, becomes corrupted or
de-faced or contains omissions. (Table 3 of the ISMF for Integrity)
What is the tolerable outage for the information:
• Information is bound to become unavailable at certain points in time, whether due to system
outages, planned maintenance windows or unintended and unplanned events. The determination of
a 'tolerable outage' must be accepted by the business.
• Tolerable outages can drive an Availability classification for the information. Factors to consider
include the dependence the business, its customers or the community has on the information and
the business impacts a disruption or loss of access to the information may cause. Availability
requirements may change at certain times, whether event or calendar driven. (Table 3 of the ISMF for
Availability)
Who is the intended audience:
• Establishing the intended audience for information is generally sufficient to determine a
confidentiality classification.
• Factors to consider include how information is shared and who needs to know this information.
The vast majority of information in government is public or 'For Official Use Only', meaning that it is
to be retained but may be shared within government. (Tables 1 and 2 of the ISMF for Confidentiality)
Legislative and regulatory requirements:
• Information that is not destined for public or whole of government consumption is generally
driven by commercial, legislative or regulatory requirements. Sensitive information is marked
according to the enactment or consideration that warrants additional controls around handling
and storage.
• Information that requires secrecy provisions and security clearances due to its content and
potential for endangering individuals, the government, its partners or other jurisdictions requires
a protective marking. Such information requires heightened security controls and is more costly
to maintain. This information also requires special arrangements for disposal and destruction.
CONVEYING PROTECTIVE MARKINGS IN DOCUMENTS
Agencies should formulate localised procedures and processes for applying protective markings to
information on systems and within documents or other datasets. It is often impractical and
confusing to apply markings to headers and footers of documents and letters that are destined for
public consumption. The following general guidance may assist agencies in applying markings to
these types of material:
1. Public documents including policy statements, initiatives, disclosures and corporate materials
The use of a ‘DLM block’ or similar document control mechanism within the document may
assist in fulfilling obligations with respect to records management, security and release and
revision information. The advantage of such an approach is that members of the public are
easily able to identify the currency and validity of the information they have obtained. It is
recommended that the classification/DLM descriptor details the three axes of security
classification for Confidentiality, Integrity and Availability, as this greatly facilitates ICT support
personnel in fulfilling their obligations to meet required service levels as contractually
determined by the business for the information they are entrusting to their providers. For
example, a DLM with records management and security classification information is applied to
the last page of this guideline.
2. Email, letters, memorandums and other correspondence directed to members of the public or
commercial entities
A common-sense approach to indicating security treatments and records management needs
to be applied in correspondence to individuals and commercial entities. For example, a
simple marking such as ‘Sensitive: Personal’ or ‘Sensitive: Medical’ appearing somewhere on
the letter, receipt or other communique may be entirely appropriate if the level of detail
contained in the correspondence warrants this marking and treatment. In other instances, no
marking may be warranted at all.
When dealing with commercial entities, it is important to recognise that the marking of
‘Sensitive: Commercial’ does not apply in a blanket fashion. Due consideration should be
applied to the content of the information being communicated. Sensitive commercial
information would be information that would give an unfair advantage to competitors or
jeopardise the commercial entity in some way should the information be released or
leaked inadvertently. A simple quotation for list price items with no substantial discounts, or
items that are already published by the vendor in a non-competitive manner (such as at an
online shopping site or as a pricelist) would not give rise to use of this marking.
3. Documents not authorised for public release but retained and used within and between
governments, or within a single agency
Although ‘For Official Use Only’ is the most commonly applied marking for collaboration and
sharing within and between governments, information may be exchanged on a ‘need-to-know’
basis at many classification levels. The most important factor to apply to information that is
essentially for internal use is that the marking should appear somewhere in the header or
footer of each page. The Australian Government has mandated an approach that requires the
marking to be applied in both the header and footer of each page. This requirement does not
extend to the Government of South Australia although it has been applied in many agencies.
The primary requirement is that each page clearly conveys the handling and treatment
requirements for the information contained on that page (or section).
The Australian Government guideline on marking of documents provides excellent guidance on
this matter and may be used as a template for development of agency specific procedures and
guidance, bearing in mind the nuances of the South Australian classification scheme which
factors in additional treatments and markings for materials that are: commercial, medical, SA
Cabinet related etc.
For further information on marking guidelines, consult the document entitled ‘Protectively
marking and handling sensitive and security classified information’ which is available for
download from http://www.protectivesecurity.gov.au/
AGGREGATED INFORMATION MAY TRIGGER SPECIAL HANDLING OBLIGATIONS
The sum total of multiple information sets stored in a single device, service or physical location
may lead to greater protection efforts being required when these sets are considered in their
entirety (i.e. the compilation of multiple data sets). The principle of aggregated information
protection and management is particularly relevant to databases, inventories and multiple
instances of Official Information that has not been authorised for public release. In instances where
there are multiple lesser classified datasets stored by and processed on a common ICT system or
platform, a comprehensive risk assessment may warrant the system or platform being classified at
a higher level than that of the individual datasets it holds. This is particularly relevant, for
example, where there is a substantial quantity of Sensitive information on a server platform or disk
storage array.
Although this guideline focuses on the aggregation of electronic information, the ideas, principles
and themes are also applicable to the management of aggregations of hard copy information.
For further information on the management of aggregated information, consult the document
entitled ‘Management of aggregated information’ which is available for download from
http://www.protectivesecurity.gov.au/
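The three-axis descriptor recommended under 'Conveying protective markings in documents' (the form PUBLIC-I2-A1 used in this guideline's own DLM block) and the aggregation principle above, as an added Python example that is not code from the ISMF or this guideline. ISMF Tables 1 to 3 are not reproduced on this page, so the confidentiality ordering and the 1 to 4 level range in the code are constructed placeholders.

```python
"""Added example (not code from the ISMF or this guideline): models the
three-axis descriptor used on the guideline's last page ("PUBLIC-I2-A1") and
the aggregation floor for a platform holding several classified datasets."""
from __future__ import annotations
import re
from dataclasses import dataclass

# ASSUMPTION: ISMF Tables 1-3 are not reproduced on the page, so this ordering
# and the 1..4 level range are constructed placeholders; Table 2 protective
# markings (above SENSITIVE) are not modelled.
CONFIDENTIALITY_ORDER = ["PUBLIC", "FOR OFFICIAL USE ONLY", "SENSITIVE"]
MAX_LEVEL = 4
_DESCRIPTOR = re.compile(r"^(?P<c>[A-Z][A-Z :]*?)-I(?P<i>\d)-A(?P<a>\d)$")


def conf_rank(marking: str) -> int:
    """Rank a marking; 'SENSITIVE: COMMERCIAL' shares the rank of SENSITIVE."""
    base = marking.split(":", 1)[0].strip()
    if base not in CONFIDENTIALITY_ORDER:
        raise ValueError(f"unknown confidentiality marking: {marking!r}")
    return CONFIDENTIALITY_ORDER.index(base)


@dataclass(frozen=True)
class Classification:
    confidentiality: str
    integrity: int
    availability: int

    @classmethod
    def parse(cls, descriptor: str) -> Classification:
        m = _DESCRIPTOR.match(descriptor.strip())
        if not m:
            raise ValueError(f"not a <marking>-In-An descriptor: {descriptor!r}")
        conf, i, a = m.group("c"), int(m.group("i")), int(m.group("a"))
        conf_rank(conf)  # rejects markings outside the assumed ordering
        if not (1 <= i <= MAX_LEVEL and 1 <= a <= MAX_LEVEL):
            raise ValueError(f"I/A levels must be 1..{MAX_LEVEL}: {descriptor!r}")
        return cls(conf, i, a)

    def descriptor(self) -> str:
        return f"{self.confidentiality}-I{self.integrity}-A{self.availability}"


def aggregate(datasets: list[Classification]) -> Classification:
    """Floor for a platform holding all datasets: the per-axis maximum. A risk
    assessment may raise the result further but must never lower it."""
    if not datasets:
        raise ValueError("no datasets supplied")
    top = max(datasets, key=lambda d: conf_rank(d.confidentiality))
    return Classification(top.confidentiality,
                          max(d.integrity for d in datasets),
                          max(d.availability for d in datasets))


def requires_uplift(platform: Classification, datasets: list[Classification]) -> bool:
    """True when the platform's current marking sits below the floor on any axis."""
    floor = aggregate(datasets)
    return (conf_rank(platform.confidentiality) < conf_rank(floor.confidentiality)
            or platform.integrity < floor.integrity
            or platform.availability < floor.availability)
```

Feeding the descriptors of every dataset on a shared platform to `aggregate` gives the lowest marking that platform may carry; `requires_uplift` flags a platform whose recorded marking falls below that floor on any axis.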
ADDITIONAL CONSIDERATIONS
• Agencies should contact their Information Technology Security Adviser [ITSA] for further
advice and guidance on agency specific classification procedures and guidelines.
• Information received from another entity, whether it is commercial or from government in other
jurisdictions, must not have its protective markings altered or changed without the express
written consent of the originator of the information.
• There is no protective marking that prohibits, inhibits or prevents an agency from sharing,
using and collaborating on information provided that there is a legitimate and established
‘need-to-know’. The primary purpose of information classification is to ensure that protection and
management efforts are proportionate to the value and sensitivity of the information being
processed.
• Where information needs to be restricted to a given audience, such as a single agency, a
committee or other governance group or a particular workforce function, agencies should consider
the use of the ‘Eyes Only’ caveat in their protective markings. Applicable caveats for use in South
Australian government agencies are described in detail in table 4 of the ISMF.
This guideline does not constitute an absolute or mandatory method for classifying information. It
is merely a good practice guideline applied to the protective security policy position and operating
characteristics of the Government of South Australia at the time of writing. The individual
requirements and operational characteristics of agencies will have direct bearing on what
measures are implemented to mitigate identified risk(s) and how such outcomes are achieved.
REFERENCES, LINKS & ADDITIONAL INFORMATION
• OCIO/F4.1 Government of South Australia Information Security Management Framework [ISMF]
• PC030 Government of South Australia Protective Security Management Framework [PSMF]
• AS/NZS ISO/IEC 27002:2006
• Australian Government Protective Security Policy Framework [PSPF]
ID: OCIO_G4.8a
Classification/DLM: PUBLIC-I2-A1
Issued: December 2012 (re-issued as ISMF Guideline 8a from Guideline 15 – February 2014)
Authority: Security and Risk Steering Committee
Master document location: Q:\SecurityRiskAssurance\Policy Development Sub-program\Policy and
Standards\ISMF\ISMFguidelines\ISMFguideline8a(information classification).docx
Records management: File Folder: 2011/15123/01 - Document number: 7078872
Managed & maintained by: Office of the Chief Information Officer
Author: Jason Caley, Principal Policy Adviser
Reviewer: Peter Fowler MACS (Snr. CP), IP3P, CISM, CGEIT, CRISC, MAIES, Director Security and Risk Assurance
Compliance: Discretionary
Review date: February 2016
To attribute this material, cite the Office of the Chief Information Officer, Government of South Australia, ISMF Guideline 8a.
This work is licensed under a Creative Commons Attribution 3.0 Australia Licence
Copyright © South Australian Government, 2012.