The Administrative Arrangements Order of 3 August 2023 transferred responsibility for protective security policy, including the Protective Security Policy Framework, from the Attorney-General's Department to the Department of Home Affairs. These Machinery of Government (MOG) changes began on 4 August 2023.

The PSPF Reporting Portal will transfer to the Department of Home Affairs on 11 June 2024. Before 11 June 2024, all entities and users must set up new authentication credentials through VANguard. You can get more information by contacting the Government Protective Security Policy section at pspf@homeaffairs.gov.au or the PSPF hotline on 02 5127 9999.

Policy 10: Safeguarding data from cyber threats

Purpose

This policy describes how to mitigate common and emerging cyber threats facing the Australian Government.

Overview

Entities must mitigate their exposure to cyber security risks. Cyber threats faced by the Australian Government include both external and internal adversaries that steal data, destroy data or attempt to prevent systems from functioning. The most common cyber threat facing entities is external adversaries who attempt to steal data. Often these adversaries attempt to access systems and data through malicious emails and websites. It is critical that entities safeguard the data held on systems that can receive emails or browse internet content.

While no single mitigation strategy, or set of mitigation strategies, is guaranteed to prevent a cyber security incident, the Australian Cyber Security Centre (ACSC) estimates many cyber security incidents could be mitigated by implementing eight essential mitigation strategies (known as the 'Essential Eight'). These mitigation strategies are considered the baseline for cyber security. Each entity also needs to consider which of the remaining mitigation strategies from the ACSC's factsheet Strategies to Mitigate Cyber Security Incidents they need to implement to protect their entity.

To attain a 'Managing' maturity level for each of the eight mandatory mitigation strategies from the Strategies to Mitigate Cyber Security Incidents, entities must implement the maturity level 2 requirements in the Essential Eight Maturity Model.

When the public transacts online with government, entities must ensure that they do not expose the public to unnecessary cyber security risks.
