Skip to main content

Policy 10: Safeguarding information from cyber threats

  • Information security
Publication date
Last updated


This policy describes how to mitigate common and emerging cyber threats facing the Australian Government.


Entities must mitigate their exposure to cyber security risks. The most common cyber threat facing entities is external adversaries who attempt to steal data.

Often these adversaries attempt to access systems and information through malicious emails and websites. It is critical that entities prioritise applying mitigation strategies to the workstations of high-risk users and for internet-connected systems, before they implement them more broadly.

Entities must also consider which of the remaining mitigation strategies from the Strategies to Mitigate Cyber Security Incidents they need to implement to protect their entity. In particular they are strongly encouraged to consider the additional 4 of the Essential Eight mitigation strategies:

  • configuring Microsoft Office macro settings
  • user application hardening
  • multi-factor authentication
  • daily backups.

To attain a managing maturity level and to meet the minimum level that the government requires for each of the 4 mandatory mitigation strategies from the Strategies to Mitigate Cyber Security Incidents, entities must implement the maturity level 3 requirements in the Essential Eight Maturity Model.

When the public transacts online with government, entities must ensure that they do not expose the public to unnecessary cyber security risks.

Return to the Information security page