Data and information are critical to government operations and as agencies we need to ensure the public can trust us to protect their information. To do this we need to make conscious decisions that demonstrate our ability to safeguard information and maintain services.
Information security is increasingly in focus for entities, and this is reflected in our recently tabled State entities 2024 (Report 11: 2024–25) report to parliament. We expanded the focus in our audits this year to better assess the controls entities have over access to their information systems and networks as they increasingly rely on new technologies and face heightened risks of cyber attacks.
In our report, we found while key controls at state entities are generally effective, 65 per cent of new control deficiencies identified in our audits related to information system controls. If entities act on our recommendations about the security of information systems, they can better manage security vulnerabilities, the risk of inappropriate access to information, and disruption to services.
Understanding how to assess, classify, and label information is a critical component of ensuring suitable controls are used to protect information. It involves understanding the sensitivity of information and the potential impacts to government operations if it is lost or compromised.
In this blog, we explore 3 steps that can help you effectively classify your entity’s information.
1. Assessing government information
To adequately protect information assets, entities should think about the value of their information at the agency and customer level. What might happen if information is lost or compromised? What could happen if systems or services are unavailable, or if you can’t rely on the accuracy of the data or information?
There are a few resources available to help you with this, including the recently updated Queensland Government Information security classification framework (QGISCF). This framework represents better practice and provides examples of Business Impact Levels (BILs). Agencies are encouraged to use these examples to work with leadership to understand and document the potential business impacts. The entity BILs are an expression of the agency’s information security risk appetite.
BILs use a sliding scale (low to high) to evaluate the potential impacts to government operations if information is lost, compromised, or misused. There are 3 assessment elements to consider – confidentiality, integrity, and availability. Understanding the requirements associated with each element can help your entity to apply suitable security controls.
Keep in mind that there is not always a direct correlation between the 3 elements. For example, an agency may decide its financial information has a low or negligible confidentiality requirement but has higher integrity and/or availability requirements. This means the agency’s controls should focus on preventing the data from being altered or changed without permission and ensuring the information is available when required.
- Confidentiality assessment
Examines the potential damage caused if government information is lost, compromised, or misused. For example, if an agency’s financial information was compromised it would have a low or negligible confidentiality impact, but the loss of government health records would have a higher confidentiality impact.
- Integrity assessment
Examines the potential impact to government operations if data or information is changed without authorisation. For example, if a patient’s medical history had been altered then it would have a higher integrity impact than if the patient’s phone number was wrong.
- Availability assessment
Examines the potential impact to government operations if information or data is not available when it is needed. For example, if a hospital cannot access medical records then there could be significant impacts to the health and safety of the patient.
2. Classifying government information
Before you classify your information, consider the confidentiality assessment you completed in the previous step. This will help you determine how sensitive the information is. This should be determined at the point of creation to ensure appropriate security controls are applied from the beginning. You can always review this decision if the sensitivity of the information changes.
Under the QGISCF, government information can be classified as:
- Official (low or negligible confidentiality impact) – routine information that could cause limited damage if lost or compromised
- Sensitive (medium confidentiality impact) – information that could cause moderate damage if lost or compromised
- Protected (high confidentiality impact) – information that could cause significant damage if lost or compromised.
Compliance with the QGISCF is only compulsory for some entities like government departments, but the Queensland Government encourages all entities to adopt this framework. The benefits of all entities applying the same logic include:
- easier and more consistent decision-making about how to process, use, store, and share government information
- perception that government is making conscious decisions about how to protect the public’s information, building trust
- ability to share information with another agency, knowing that the other agency will apply similar protection levels to their information if it is marked.
What do we mean by impact, damage, or harm?
These terms describe the effects which could be felt by the public, business, the state, or country if government information is lost, stolen, or misused. Factors may include, but are not limited to:
- health and safety
- environmental impacts
- reputation
- financial loss
- privacy implications
- assistance to crime
- impact on government policy
- risk of litigation
- data quality.
Appendix A: Business impact levels of the QGISCF includes tables of business impacts which could be used to conduct the confidentiality, integrity, and availability assessments.
3. Labelling government information
Once you have assessed and classified your information, you should then consider labelling it. This means marking it with a confidentiality label (also known as a security classification). For example, using watermarks, headers or footers, or applying sensitivity labels to electronic content or applying labels to physical files. Labelling is essential, irrespective of the format.
Labels are an important preventative control. They act as a visual prompt – telling the reader how important the information is and whether additional controls need to be used to protect it. The QGISCF requires all ‘sensitive’ and ‘protected’ information to be labelled, but entities can label all of their information assets.
We all have an obligation to safeguard government information. The best way to keep this top of mind is to consider these 2 key questions:
- How sensitive is this information?
- What could happen if it was lost or compromised?
Tips for sharing government information
- Know your data and information assets – what do you have?
- Ensure staff and suppliers understand how to assess information classification and apply appropriate controls.
- Tell the recipient how sensitive the information is – how have you classified it?
- Be clear about your requirements – do you want the recipient to apply specific controls?
- Clarify roles and responsibilities – who is responsible?
- Where appropriate, use data sharing agreements.
- Periodically review data sharing arrangements.
- Consider using technology to help identify the sensitivity of legacy information.
Resources
For more information, refer to: