Skip to main content

The Administrative Arrangements Order of 3 August 2023 transferred responsibility for protective security policy, including the Protective Security Policy Framework, to the Department of Home Affairs from the Attorney-General’s Department. These Machinery of Government (MOG) changes commenced on 4 August 2023.

Policy 10: Safeguarding data from cyber threats

  • Information security
Publication date
Last updated


This policy describes how to mitigate common and emerging cyber threats facing the Australian Government.


Entities must mitigate their exposure to cyber security risks. Cyber threats faced by the Australian Government include both external and internal adversaries that steal data, destroy data or attempt to prevent systems from functioning. The most common cyber threat facing entities is external adversaries who attempt to steal data. Often these adversaries attempt to access systems and data through malicious emails and websites. It is critical that entities safeguard the data held on systems that can receive emails or browse internet content.

While no single mitigation strategy, or set of mitigation strategies, is guaranteed to prevent a cyber security incident, the Australian Cyber Security Centre (ACSC) estimates many cyber security incidents could be mitigated by implementing eight essential mitigation strategies (known as the 'Essential Eight'). These mitigation strategies are considered the baseline for cyber security. Each entity also needs to consider which of the remaining mitigation strategies from the ACSC's factsheet Strategies to Mitigate Cyber Security Incidents they need to implement to protect their entity.

To attain a 'Managing' maturity level for each of the eight mandatory mitigation strategies from the Strategies to Mitigate Cyber Security Incidents, entities must implement the maturity level 2 requirements in the Essential Eight Maturity Model.

When the public transacts online with government, entities must ensure that they do not expose the public to unnecessary cyber security risks.

Return to the Information security page