Australian Government - Attorney-General's Department

Protective Security Policy Framework

Australian Government Information Security Core Policy

Non-corporate Commonwealth entities (agencies) are required to:

  • appropriately safeguard all official information to ensure its confidentiality, integrity, and availability by applying safeguards so that:
    • only authorised people access information through approved processes
    • information is only used for its official purpose, retains its content integrity, and is available to satisfy operational requirements
    • information is classified and labelled as required
  • ensure information created, stored, processed, or transmitted in or over government information and communication technology (ICT) systems is properly managed and protected throughout all phases of a system's life cycle.

There are seven overarching mandatory requirements covering information security, each underpinned by the high-level controls set out below:

Information security

INFOSEC 1

Agency heads must provide clear direction on information security through the development and implementation of an agency information security policy, and address agency information security requirements as part of the agency security plan.

INFOSEC 2

Each agency must establish a framework to provide direction and coordinated management of information security. Frameworks must be appropriate to the level of security risks to the agency's information environment.

INFOSEC 3

Agencies must implement policies and procedures for the security classification and protective control of information assets (in electronic and paper-based formats), which match their value, importance and sensitivity.

INFOSEC 4

Agencies must document and implement operational procedures and measures to ensure information, ICT systems and network tasks are managed securely and consistently, in accordance with the level of required security. This includes implementing the mandatory 'Strategies to Mitigate Targeted Cyber Intrusions' as detailed in the Australian Government Information Security Manual.

INFOSEC 5

Agencies must have in place control measures based on business owner requirements and assessed/accepted risks for controlling access to all information, ICT systems, networks (including remote access), infrastructures and applications. Agency access control rules must be consistent with agency business requirements and information classification as well as legal obligations.

INFOSEC 6

Agencies must have in place security measures during all stages of ICT system development, as well as when new ICT systems are implemented into the operational environment. Such measures must match the assessed security risk of the information holdings contained within, or passing across, ICT networks, infrastructures and applications.

INFOSEC 7

Agencies must ensure that agency information security measures for all information processes, ICT systems and infrastructure adhere to any legislative or regulatory obligations under which the agency operates.

Agency information security policy and planning

INFOSEC 1: Agency heads must provide clear direction on information security through the development and implementation of an agency information security policy, and address agency information security requirements as part of the agency security plan.

The policy and plan are to:

  • detail the objectives, scope and approach to the management of information security issues and risks within the agency
  • be endorsed by the agency head
  • identify information security roles and responsibilities
  • detail the types of information that an employee:
    • can lawfully disclose in the performance of his or her duties, or
    • needs to obtain authority to disclose
  • be reviewed and evaluated in line with changes to agency business and information security risks
  • be consistent with the requirements of the agency's protective security plan and information security risk assessment findings
  • address the issue of data aggregation
  • include details of the agency's declassification program
  • explain the consequences for breaching the policy or circumventing any associated protective security measure, and
  • be communicated on an ongoing basis and be accessible to all agency employees, and where reasonable and practical be publicly available.

Information security framework and third party access

INFOSEC 2: Each agency must establish a framework to provide direction and coordinated management of information security. Frameworks must be appropriate to the level of security risks to the agency's information environment.

Agencies are to:

  • document requirements for information security when entering into outsourcing contracts and arrangements with contractors and consultants
  • enter into memorandums of understanding (MOU) with other agencies when regularly sharing information, and where reasonable and practical make the MOU publicly available
  • ensure that prior to providing third parties access to Australian Government information and ICT systems, security measures that match the security classification or dissemination limiting marker of the information or ICT system are in place, or clearly defined, in appropriate agreements or contracts, and
  • ensure that appropriate permissions are received before providing third parties access to information not originating within the agency.

Information asset classification and control

INFOSEC 3: Agencies must implement policies and procedures for the security classification and protective control of information assets (in electronic and paper-based formats) which match their value, importance and sensitivity.

When addressing security classification and control policies and procedures, agencies are to:

Additionally agencies are to ensure that:

  • the agency's classification guide does not limit the provisions of relevant legislative requirements or international obligations under which the agency operates, and
  • disposal of public records is in accordance with legislative and regulatory requirements.

Operational security management

INFOSEC 4: Agencies must document and implement operational procedures and measures to ensure information, ICT systems and network tasks are managed securely and consistently, in accordance with the level of required security. This includes implementing the mandatory 'Strategies to Mitigate Targeted Cyber Intrusions' as detailed in the Australian Government Information Security Manual.

Agencies are to:

  • put in place incident management procedures and mechanisms to review violations and to ensure appropriate responses in the event of security incidents, breaches or failures
  • put in place adequate controls to prevent, detect, remove and report attacks of malicious and mobile code on ICT systems and networks
  • put in place comprehensive systems maintenance processes and procedures including operator and audit/fault logs and information backup procedures
  • implement operational change control procedures to ensure that they appropriately approve and manage changes to information processing facilities or ICT systems
  • comply with legal requirements when exchanging information in all forms, between agencies and/or third parties, and
  • apply the classification schemes and measures defined in the Australian Government information security management protocol and the Australian Government Information Security Manual (ISM) when exchanging information in all forms, between agencies and/or third parties.

Information access controls

INFOSEC 5: Agencies must have in place control measures based on business owner requirements and assessed/accepted risks for controlling access to all information, ICT systems, networks (including remote access), infrastructures and applications. Agency access control rules must be consistent with agency business requirements and information classification as well as legal obligations.

Agencies are to:

  • require specific authorisation to access agency ICT systems
  • assign each user a unique personal identification code and secure means of authentication
  • define, document and implement policies and procedures to manage operating systems security, including user registration, authentication management, access rights and privileges to ICT systems or application utilities
  • display restricted access and authorised use only (or equivalent) warnings upon access to all agency ICT systems
  • where wireless communications are used, appropriately configure the security features of the product to at least the equivalent level of security of wired communications
  • implement control measures to detect and regularly log, monitor and review ICT systems and network access and use, including all significant security relevant events
  • conduct risk assessments and define policies and processes for mobile technologies and teleworking facilities, and
  • assess security risks and implement appropriate controls associated with use of ICT facilities and devices (including non-governmental equipment) within the agency such as mobile telephony, personal storage devices and internet and email prior to connection.

Information system development and maintenance

INFOSEC 6: Agencies must have in place security measures during all stages of ICT system development, as well as when new ICT systems are implemented into the operational environment. Such measures must match the assessed security risk of the information holdings contained within, or passing across, ICT networks, infrastructures and applications.

When establishing new ICT systems or implementing improvements to current ICT systems including off-the-shelf or outsourced software development, agencies are to:

  • address security in the early phases of the system's development life cycle, including the system concept development and planning phases and then in the requirements analysis and design phases
  • consult internal and/or external audit when implementing new or significant changes to financial and critical business ICT systems
  • incorporate processes including data validity checks, audit trails and activity logging in applications to ensure the accuracy and integrity of data captured or held in applications
  • carry out appropriate change control, acceptance and ICT system testing, planning and migration control measures when upgrading or installing software in the operational environment
  • control access to ICT system files to ensure integrity of the business systems, applications and data, and
  • identify and implement access controls including access restrictions and segregation/isolation of ICT systems into all infrastructures, business and user developed applications.

Compliance

INFOSEC 7: Agencies must ensure that agency information security measures for all information processes, ICT systems and infrastructure adhere to any legislative or regulatory obligations under which the agency operates.

To ensure all legal, statutory, regulatory, contract or privacy obligations relating to information security are managed appropriately, agencies are to:

  • take all reasonable steps to monitor, review and audit agency information security effectiveness, including assigning appropriate security roles and engaging internal and/or external auditors and specialist organisations where required, and
  • regularly review all agency information security policies, processes and requirements including contracts with third parties, for compliance and report to appropriate agency management.
