App A Business Impact Levels Qgiscf v6.0.0

The Queensland Government Information Security Classification Framework outlines business impact levels related to confidentiality, integrity, and availability of information. It provides tables that agencies can customize to assess their information security risk tolerance and determine the potential impacts on safety, reputation, finances, and operations. The document emphasizes the importance of agency executives engaging in this process to align security measures with their organizational missions.


QGEA Queensland Government Information security classification framework

Appendix A: Business impact levels


The following are suggested tables of business impacts for Confidentiality, Integrity and Availability which can be customised for individual
agency context.

The most effective way of determining business impact levels that align closely to the agency mission is for an agency executive to
undertake a process to examine agency information security risk tolerance and appetite. The executive can determine what business
impacts their organisation should be focussed on. This process can be achieved using the BIL tables in this appendix as a starting point.

Confidentiality
| Confidentiality impact | | Low; Medium; High |
|---|---|---|
| Risk to Individual safety | Consider risk of injury or impact on safety, as well as the possibility of loss of life. An example could include release of names or locations of under-cover officers, people under protection orders. | Potential risk to individual safety; Direct actual risk to individual safety; Direct actual risk to individual life / lives |
| Distress caused to any party | From the client’s or public’s point of view, distress could be caused by many things, including the release of private information. | Some distress from information release; Significant and real distress |
| Damage to any party’s standing or reputation | Effect on any party's standing or reputation? Issues to consider include potential for adverse publicity, either locally or wider and the potential for damage occurring to either the service provider's or client's ongoing reputation. | Potential risk to reputation; Significant and long-lasting damage to reputation. |
| Inconvenience to any party | Releasing information which could lead to identity fraud being perpetrated. | Some inconvenience; Significant inconvenience, direct significant tangible loss |
| Public order | Whether release of information could pose a risk to community relations and public order. | Public order affected; Public order significantly affected; Complete loss of public order |
| Release of commercially sensitive data to third parties | Would disclosure of information have a commercial impact on any party, commercially sensitive information that could impact on current or future business | Some commercial impact; Significant commercial impact |
| Spill of personal data | Privacy - Would release violate legislative or regulatory guidelines such as information privacy principles? | -; Loss of Personal information /privacy impact; Loss of sensitive personal information causing moderate damage to the agency |
| Impact government finances, economic | Impact on government finances or economic and commercial interests. Would disclosure of information result in financial or economic consequences to government? E.g. Disclosure of planning results in changing property valuations. | Low - Moderate financial loss relative to government finances; Significant financial loss, loss of PCI:DSS |
| Financial loss to agency / service provider | Consider this from the service provider’s perspective - what losses could they incur? Considerations include possibility of fraud, a party illegally transferring money, a party gaining control of assets they don't legally own (e.g. by using information to establish an identity which is not theirs) | Low - Moderate financial loss; -; Significant financial loss, possible organisational collapse |
| Threat or Opportunity to government agency’s systems or capacity to conduct their business | Would release of this information have the potential to prevent or enhance an agency or external party conducting their business? For how long would this reduction/prevention last? | Low - Moderate threat to capacity; -; Significant threat to agency systems or capacity to conduct business over years |
| Assistance to Crime or impact on its detection | Would release of this information have the potential to assist in the conduct of a crime or terrorist activity? | Release of information may assist the conduct of a crime; Release of information provides moderate assistance to the conduct of a crime; Suspects of major crime escape justice |
| Impact on development or operation of government policy | Would disclosure cause negative or positive impact to government during the stages where policy is being formulated or implemented? | Policy development is slowed; Significant policy development is halted. |
| Impact on the environment | Impact the environment through information release | Environmental impact; Catastrophic environmental impact |
| Impact on agency or Queensland Government workforce | Affect agency ability to function | Damage agency ability to function; Significantly damage agency ability to function over years |
| Impact on risk of litigation | Litigation against the state of QLD is increased. | Moderate; Significant risk of litigation. Legal Professional Privilege |
| Impacts on National Security | Causing damage to national security (as per Federal Government BILs) | Causing limited damage to national security; Causing minor damage to national security |
| Impacts on National Infrastructure | Damage to QLD critical infrastructure | Damaging or disrupting infrastructure; Damaging or disrupting significant infrastructure; - |
| Impacts on Defence Operations | Defence operations in QLD | Causing limited damage to the nonoperational effectiveness or security of Australian or allied forces without causing risk to life; -; Causing damage to the nonoperational effectiveness or security of Australian or allied forces causing resupply problems that could result in risk to life |
| INSERT YOUR OWN IMPACTS HERE | Opportunity to add or remove impacts that specifically affect your department | |
| Confidentiality BIL | | Low (OFFICIAL); Medium (SENSITIVE); High (PROTECTED); NSI |

NSI: Assessment results in a rating of greater than high for any harmful event. The information is potentially National Security Information (e.g. SECRET) and must be safeguarded and classified ‘Above PROTECTED’ according to the Federal Government PSPF. Refer to QLD Police Security and Counter Terrorism group.

Final | v6.0.0 | November 2024 OFFICIAL-Public Page 5 of 11


Integrity
| Integrity impact | | Low | Medium | High |
|---|---|---|---|---|
| Risk to Individual safety | Consider risk of injury / impact on safety, as well as the possibility of loss of life. This could be a semantic attack which causes a SCADA system to misfunction | Risk to individual safety | Direct actual risk to individual safety | Direct actual risk to individual life / lives |
| Data Quality | Effect on agency data quality requirements | Record keeping does not meet Public Record Act (2002 QLD) requirements | Loss of historically important records | Significant failure of Evidentiary reqs (QLD Evidence Act 1977), Chain of Custody |
| Distress caused to any party | Information gathered about a party that is incorrect. Inability to correct inaccuracies effectively. Information is aged and therefore less accurate. | A party is concerned that information gathered is incorrect | Multiple parties are concerned or issues caused | Direct, tangible and significant distress |
| Personally sensitive data integrity failure | Does information held about clients have appropriate integrity/quality. Examples include medical records and other personal information. Inability to correct inaccurate information in a timely manner | Quality of personal information held is not fit for purpose | Low quality of holdings affects customers adversely over days | Inaccuracies in personal information have significant & tangible effects on multiple customers |
| Government finances, economic, commercial interests | Impact on Government finances or economic and commercial interests. Fraud through the changing of government financial data is an integrity threat | Low - Moderate impact | Severe impact on a single agency / some impact on a number | Catastrophic impact on multiple agencies |
| Financial loss to any client* of the service provider or third party | Consider this from the service provider’s perspective - what losses could they incur? Considerations include fraud, money laundering, a party gaining control of assets they don't legally own | Low - Moderate impact | Severe impact on small numbers of clients or third party | Catastrophic impact on multiple third parties, service providers or significant numbers of clients |
| Financial Loss to Agency / Service Provider | Consider this from the service provider’s perspective - what losses could they incur? Considerations include fraud, money laundering, a party gaining control of assets they don't legally own | Low - Moderate impact | Severe impact to an agency or a service provider | Catastrophic impact on multiple agencies and service providers |
| Assistance to Crime or impact on its detection | If the integrity of the information were low, would this have the potential to assist criminals. | Low | Moderate detriment | Significant |
| Impact on development or operation of government policy | Would integrity loss impact government during the stages where policy is being formulated or implemented? Policy initiative does not proceed. | Low | Medium | Catastrophic |
| Impact on risk of litigation | Integrity loss impacts litigation against the state of QLD negatively | Low | Medium | Catastrophic |
| INSERT YOUR OWN | Customise for your agency | | | |
| Integrity impact | | Low | Medium | High |

* - in order to assist in the determination of the appropriate level of impact, the following is suggested: Low < 10% of contract, Severe 60% of contract and Catastrophic 90% of contract


Availability
| Availability impact | | Low; Medium; High |
|---|---|---|
| Risk to Individual safety | Consider any risk of injury or impact on safety, as well as the possibility of loss of life. E.g. information is not available leading to safety risks or Timeliness - information being slow to become available. Emergency Services not receiving timely information | Potential risk to individual safety; Risk to individual safety because information is not available on time; Direct risk to individual life/ lives from information unavailability |
| Distress caused to any party | From the client’s or public’s point of view, distress could be caused by many things, including not being able to access their information, particularly in times of duress. | Some distress from information release; Significant and real distress |
| Damage to any party’s standing or reputation | Does loss of availability of information or systems affect any party's standing or reputation? Issues to consider include potential for adverse publicity, either locally or wider and the potential for damage occurring to either the service provider's or client's ongoing reputation due to information being unavailable | Potential risk to reputation; Significant and long-lasting damage to reputation because information is not available |
| Inconvenience to any party | Consider factors such as releasing information which could lead to identity fraud being perpetrated. Not releasing information which means that customers should take additional steps to confirm processes | Some inconvenience; Significant inconvenience; - |
| Public order | Need to consider whether lack of information availability could risk community relations and public order. | Public order affected; Public order significantly affected because information is unavailable; Complete loss of public order because information is unavailable |
| Impact on Government finances or economic and commercial interests | Impact on Government finances or economic and commercial interests. Would lack of availability affect economic standing | Low - Moderate financial loss; Significant financial loss due to information being unavailable |
| Financial Loss to Agency / Service Provider | If information is unavailable or inaccessible, would this cause financial loss | None or Negligible; Significant financial loss |
| Assistance to Crime or impact on its detection | Would availability of information have the potential to assist to prevent the conduct of a crime or terrorist activity | Inability to release information may assist the conduct of a crime; Inability to release/share information to target stakeholders in time provides moderate assistance in the conduct of a crime; Inability to release/share information to target stakeholders in time means suspects of major crime escape justice |
| Impact on risk of litigation | Litigation against the state of Queensland is either helped or hindered by information availability | Moderate; Significant |
| INSERT YOUR OWN IMPACTS HERE | Opportunity to add or remove impacts that specifically affect your department | |
| Availability BIL | | Low; Medium; High |
