Information security

Outcome: Each entity maintains the confidentiality, integrity and availability of all official information.

There are four core information security requirements that entities apply to achieve the information security outcome. The information security requirements apply to all information assets owned by the Australian Government, or those entrusted to the Australian Government by third parties, within Australia.

Core requirements for information security

Policy title: Sensitive and classified information

Core requirement: Each entity must:

  1. identify information asset holdings
  2. assess the sensitivity and security classification of information asset holdings
  3. implement operational controls for these assets proportional to their value, importance and sensitivity.

Policy title: Access to information

Core requirement: Each entity must enable appropriate access to official information. This includes:

  1. sharing information within the entity, as well as with other relevant stakeholders
  2. ensuring that those who access sensitive or security classified information have an appropriate security clearance and need to know that information
  3. controlling access to supporting ICT systems, networks (including remote access), infrastructure and applications.

Policy title: Safeguarding information from cyber threats

Core requirement: Each entity must mitigate common and emerging cyber threats. This includes implementing the following Information Security Manual (ISM) Strategies to Mitigate Cyber Security Incidents:

  1. application whitelisting
  2. patching applications
  3. restricting administrative privileges
  4. patching operating systems.

Policy title: Robust ICT systems

Core requirement: Each entity must have in place security measures during all stages of ICT systems development. This includes certifying and accrediting ICT systems in accordance with the Information Security Manual when they are implemented into the operational environment.