Skip breadcrumbHome » Information Security

Australian Government information security management core policy


The Australian Government collects and receives information to fulfil its functions and expects all those who access or hold this information to protect it. Agencies are to develop, document, implement and review appropriate security measures to protect this information from unauthorised use or accidental modification, loss or release by:

  • establishing an appropriate information security culture within the agency
  • implementing security measures that match the information’s value, classification and sensitivity, and
  • adhering to all legal requirements.

The mandatory requirements of this core policy are based on the three elements of information security:

  • confidentiality: ensuring that information is accessible only to those authorised to have access
  • integrity: safeguarding the accuracy and completeness of information and processing methods, and
  • availability: ensuring that authorised users have access to information and associated assets when required.

The term ‘information assets’ within this policy refers to any form of information, including:

  • electronic data
  • the software or information and communication technology (ICT) systems and networks on which the information is stored, processed or communicated
  • printed documents and papers
  • the intellectual information (knowledge) acquired by individuals, and
  • physical items from which information regarding design, components or use could be derived.

Sharing of information and other assets

Agencies are to implement this policy when sharing Australian Government information and other assets with other governments (including foreign, state, territory and municipal), international, educational and private sector organisations. In these cases, agencies are to develop arrangements that outline security responsibilities, safeguards to be applied, and terms and conditions for continued participation.

Agencies are to treat information and other assets received from other governments (including foreign, state, territory and municipal), international (e.g. EU), educational and private sector organisations, in accordance with agreements or arrangements between the parties concerned.

Agencies may share limited amounts of PROTECTED level information with non-government organisations that screen to the level of Australian Standard AS4811:2006 – Employment screening.

Agency information security policy and planning

Mandatory requirement

INFOSEC 1: Agency heads must provide clear direction on information security through the development and implementation of an agency information security policy, and address agency information security requirements as part of the agency security plan.

The policy and plan are to:

  • detail the objectives, scope and approach to the management of information security issues and risks within the agency
  • be endorsed by the agency head
  • identify information security roles and responsibilities
  • detail the types of information that an employee:
    • can lawfully disclose in the performance of his or her duties, or
    • must obtain authority to disclose
  • be reviewed and evaluated in line with changes to agency business and information security risks
  • be consistent with the requirements of the agency’s protective security plan and information security risk assessment findings
  • address the issue of data aggregation
  • include details of the agency’s declassification program
  • explain the consequences for breaching the policy or circumventing any associated protective security measure, and
  • be communicated on an on-going basis and be accessible to all agency employees, and where reasonable and practical, be publicly available.

For further guidance refer to:

Information security framework and third party access

Mandatory requirement

INFOSEC 2: Each agency must establish a framework to provide direction and coordinated management of information security. Frameworks must be appropriate to the level of security risks to the agency’s information environment.

Agencies are to:

  • document requirements for information security when entering into outsourcing contracts and arrangements with contractors and consultants
  • enter into memorandums of understanding (MOU) with other agencies when regularly sharing information, and where reasonable and practical, make the MOU publicly available
  • ensure that prior to providing third parties access to Australian Government information and ICT systems, security measures that match the security classification or dissemination limiting marker of the information or ICT system are in place, or clearly defined, in appropriate agreements or contracts, and
  • ensure that appropriate permissions are received before providing third parties access to information not originating within the agency.

For further guidance refer to:

Information asset classification and control

Mandatory requirement

INFOSEC 3: Agencies must implement policies and procedures for the security classification and protective control of information assets (in electronic and paper-based formats) which match their value, importance and sensitivity.

When addressing security classification and control policies and procedures, agencies are to:

  • identify, document and assign owners for the maintenance of security measures for all major information assets including hardware, software and services used in agency operations (including physical information assets used to process, store or transmit information)
  • require all agency information to be protectively marked/ security classified in accordance with the Australian Government security classification system
  • implement controls for all security classified information (including handling, storage, transmission, transportation and disposal) in accordance with the Australian Government information security management protocol
  • require staff, including contractors, to mark, store and handle information in accordance with the Australian Government information security management protocol, and
  • develop and maintain a classification guide specific to the agency which is accessible to all agency employees.

Additionally, agencies are to ensure that:

  • the agency’s classification guide does not limit the requirements of relevant legislation or international obligations under which the agency operates, and
  • disposal of public records is in accordance with legislative and regulatory requirements.

For further guidance refer to:

Operational security management

Mandatory requirement

INFOSEC 4: Agencies must document and implement operational procedures and measures to ensure information, ICT systems and network tasks are managed securely and consistently, in accordance with the level of required security. This includes implementing the mandatory ‘Strategies to Mitigate Targeted Cyber Intrusions’ as detailed in the Australian Government Information Security Manual.

Agencies are to:

  • put in place incident management procedures and mechanisms to review violations and to ensure appropriate responses in the event of security incidents, breaches or failures
  • put in place adequate controls to prevent, detect, remove and report attacks of malicious and mobile code on ICT systems and networks
  • put in place comprehensive systems' maintenance processes and procedures including operator and audit/fault logs and information backup procedures
  • implement operational change control procedures to ensure that they appropriately approve and manage changes to information processing facilities or ICT systems
  • comply with legal requirements when exchanging information in all forms, between agencies and/or third parties
  • apply the classification schemes and measures defined in the Australian Government information security management protocol and the Australian Government Information Security Manual (ISM) when exchanging information in all forms, between agencies and/or third parties, and
  • apply the requirements of the National e-Authentication Framework to online transactions and services.

For further guidance refer to:

Information access controls

Mandatory requirement

INFOSEC 5: Agencies must have in place control measures based on business owner requirements and assessed/accepted risks for controlling access to all information, ICT systems, networks (including remote access), infrastructures and applications. Agency access control rules must be consistent with agency business requirements and information classification as well as legal obligations.

Agencies are to:

  • assess access requirements against the National e-Authentication Framework
  • require specific authorisation to access agency ICT systems
  • assign each user a unique personal identification code and secure means of authentication
  • define, document and implement policies and procedures to manage operating systems' security, including user registration, authentication management, access rights and privileges to ICT systems' or application utilities
  • display restricted access and authorised use only (or equivalent) warnings upon access to all agency ICT systems
  • where wireless communications are used, appropriately configure the security features of the product to at least the equivalent level of security of wired communications
  • implement control measures to detect and regularly log, monitor and review ICT systems and network access and use, including all significant security relevant events
  • conduct risk assessments and define policies and processes for mobile technologies and teleworking facilities, and
  • assess security risks and implement appropriate controls associated with use of ICT facilities and devices (including non-governmental equipment) within the agency such as mobile telephony, personal storage devices and internet and email prior to connection.

For further guidance refer to:

Information system development and maintenance

Mandatory requirement

INFOSEC 6: Agencies must have in place security measures during all stages of ICT system development, as well as when new ICT systems are implemented into the operational environment. Such measures must match the assessed security risk of the information holdings contained within, or passing across, ICT networks, infrastructures and applications.

When establishing new ICT systems or implementing improvements to current ICT systems including off-the-shelf or outsourced software development, agencies are to:

  • address security in the early phases of the systems development life cycle, including the system concept development and planning phases and then in the requirements analysis and design phases
  • consult internal and/or external audit when implementing new or significant changes to financial and critical business ICT systems
  • incorporate processes including data validity checks, audit trails and activity logging in applications to ensure the accuracy and integrity of data captured or held in applications
  • apply the National e-Authentication Framework requirements to authentication techniques and policies
  • carry out appropriate change control, acceptance and ICT system testing, planning and migration control measures when upgrading or installing software in the operational environment
  • control access to ICT system files to ensure integrity of the business systems, applications and data, and
  • identify and implement access controls including access restrictions and segregation/isolation of ICT systems into all infrastructures, business and user developed applications.

For further guidance refer to:


Mandatory requirement

INFOSEC 7: Agencies must ensure that agency information security measures for all information processes, ICT systems and infrastructure adhere to any legislative or regulatory obligations under which the agency operates.

To ensure all legal, statutory, regulatory, contract or privacy obligations relating to information security are managed appropriately, agencies are to:

  • take all reasonable steps to monitor, review and audit agency information security effectiveness, including assigning appropriate security roles and engaging internal and/or external auditors and specialist organisations where required, and
  • regularly review all agency information security policies, processes and requirements including contracts with third parties, for compliance and report to appropriate agency management.

For further guidance refer to:

Featured Links