Policy 10: Safeguarding data from cyber threats
Purpose
This policy describes how to mitigate common and emerging cyber threats facing the Australian Government.
Overview
Entities must mitigate their exposure to cyber security risks. Cyber threats faced by the Australian Government include both external and internal adversaries that steal data, destroy data or attempt to prevent systems from functioning. The most common cyber threat facing entities is external adversaries who attempt to steal data. Often these adversaries attempt to access systems and data through malicious emails and websites. It is critical that entities safeguard the data held on systems that can receive emails or browse internet content.
While no single mitigation strategy, or set of mitigation strategies, is guaranteed to prevent a cyber security incident, the Australian Cyber Security Centre (ACSC) estimates many cyber security incidents could be mitigated by implementing eight essential mitigation strategies (known as the 'Essential Eight'). These mitigation strategies are considered the baseline for cyber security. Each entity also needs to consider which of the remaining mitigation strategies from the ACSC's factsheet Strategies to Mitigate Cyber Security Incidents they need to implement to protect their entity.
To attain a 'Managing' maturity level for each of the eight mandatory mitigation strategies from the Strategies to Mitigate Cyber Security Incidents, entities must implement the maturity level 2 requirements in the Essential Eight Maturity Model.
When the public transacts online with government, entities must ensure that they do not expose the public to unnecessary cyber security risks.