Information security

Sensitive and classified information

Each entity must:

1. identify information holdings
2. assess the sensitivity and security classification of information holdings
3. implement operational controls for these information holdings proportional to their value, importance and sensitivity.

Access to information

Each entity must enable appropriate access to official information. This includes:

1. sharing information within the entity, as well as with other relevant stakeholders
2. ensuring that those who access sensitive or security classified information have an appropriate security clearance and need to know that information
3. controlling access (including remote access) to supporting ICT systems, networks, infrastructure and applications.

Safeguarding information from cyber threats

Each entity must mitigate common and emerging cyber threats by:

1. implementing the following Information Security Manual (ISM) Strategies to Mitigate Cyber Security Incidents:
   
   1. application control
   2. patching applications
   3. restricting administrative privileges
   4. patching operating systems.
2. Considering which of the remaining Strategies to Mitigate Cyber Security Incidents you need to implement to protect your entity.

Robust ICT systems

Each entity must ensure the secure operation of their ICT systems to safeguard information and the continuous delivery of government business by applying the Australian Government Information Security Manual’s cyber security principles during all stages of the lifecycle of each system.