Policy 8: Sensitive and classified information
Purpose
This policy details how to correctly assess the sensitivity or security classification of information. It also details marking, handling, storage and disposal arrangements to guard against information compromise.
Overview
To appropriately guard against information compromise, entities must consider:
- confidentiality – who should be able to see the information and why
- integrity – assurance that information is only being created, amended or deleted by the intended authorised means and is correct and valid
- availability – ensuring authorised persons have access to information when and as needed.
The Australian Government uses 3 security classifications:
- PROTECTED
- SECRET
- TOP SECRET.
All other information from business operations and services is OFFICIAL or, where it is sensitive, OFFICIAL: Sensitive.
The document's originator is responsible for applying the relevant sensitive or security classification. To do this they must assess the Business Impact Level (BIL) based on the likely damage if the information's confidentiality was compromised. The originator remains responsible for controlling the sanitisation, reclassification or declassification of that information.
Some information may need special protections in addition to those indicated by the sensitive marking or security classification. Caveats are used to indicate these additional special protections.
Some information requires the strictest control over its access and movement. The originator designates this as accountable material.
Information management markers are an optional way for entities to identify information that is subject to non-security related restrictions on access and use.
Entities must apply the Australian Government Recordkeeping Metadata Standard to protectively mark information on systems that store, process, or communicate sensitive or security classified information. Entities must ensure security classified information is stored, transferred, and disposed of appropriately.