Australian Government Information Security
The Australian Government collects and receives information to fulfil its functions and expects all those who access or hold this information to protect it. Non-corporate Commonwealth entities must develop, document, implement and review appropriate security measures to protect this information from unauthorised use or accidental modification, loss or release by:
- establishing an appropriate information security culture within the entity
- implementing security measures that match the information's value, classification and sensitivity, and
- adhering to all legal requirements.
The mandatory requirements of this core policy are based on the three elements of information security:
- confidentiality: ensuring that information is only accessible to those authorised to access it
- integrity: safeguarding the accuracy and integrity of information and processing methods
- availability: ensuring that authorised users have access to information and associated assets when required.
The term 'information assets' within this policy refers to any form of information, including:
- electronic data
- the software or information and communication technology (ICT) systems and networks on which the information is stored, processed or communicated
- printed documents and papers
- the intellectual information (knowledge) acquired by individuals
- physical items from which information regarding design, components or use could be derived.
Sharing of information and other assets
Non-corporate Commonwealth entities must implement this policy when sharing Australian Government information and other assets with other governments (including foreign, state, territory and municipal), as well as international, educational and private sector organisations. In these cases, entities must develop arrangements that outline security responsibilities, safeguards to be applied, and terms and conditions for continued participation.
Non-corporate Commonwealth entities are required to treat information and other assets received from other governments (including foreign, state, territory and municipal), international (e.g. EU), educational and private sector organisations in accordance with agreements or arrangements between the parties concerned.
Non-corporate Commonwealth entities may share limited amounts of PROTECTED level information with non-government organisations that screen to the level of Australian Standard AS4811:2006 – Employment screening.
For further guidance on specific controls and principles see the following key guidance material: