
The Administrative Arrangements Order of 3 August 2023 transferred responsibility for protective security policy, including the Protective Security Policy Framework, from the Attorney-General's Department to the Department of Home Affairs. These Machinery of Government (MOG) changes began on 4 August 2023.

The PSPF Reporting Portal will transfer to the Department of Home Affairs on 11 June 2024. Before 11 June 2024, all entities and users must set up new authentication credentials through VANguard. You can get more information by contacting the Government Protective Security Policy section at pspf@homeaffairs.gov.au or the PSPF hotline on 02 5127 9999.

Policy 11: Robust ICT systems


Purpose

This policy describes how to safeguard information and communication technology (ICT) systems to support the secure and continuous delivery of government business.

Overview

An ICT system is a related set of hardware and software that processes, stores or communicates information, as well as the governance framework in which it operates.

To safeguard ICT systems from cyber threats, entities must effectively implement the Australian Government Information Security Manual (ISM) cyber security principles:

  • Govern: Identifying and managing security risks.
  • Protect: Implementing security controls to reduce security risks.
  • Detect: Detecting and understanding cyber security events.
  • Respond: Responding to and recovering from cyber security incidents.

Entities must only use ICT systems that the determining authority has authorised.

The ISM provides a 6-step, risk-based approach for cyber security. Entities must consider this before they authorise or re-authorise the use of systems.

Australian Government information that is processed, stored or communicated via an outsourced information technology or cloud service provider is protected in the same way as an internal entity service. The same authorisation-to-operate framework for managing security risks during the life of the ICT system or service still applies.

A gateway is an information flow control mechanism that manages information flows between connected networks from different security domains. Entities must implement secure internet gateways that meet the Australian Signals Directorate requirements.
