Policy Requirements
Application Security policy requirements are as follows:
- Comply with legislation and regulation: An entity must comply with any legislation relevant to its circumstances.
- Align to guidelines and standards: All Commonwealth entities must comply with the Protective Security Policy Framework, as well as any other mandatory frameworks, policies, and standards.
- Be Secure-by-Design: Entities should consider application security early. Threats should be considered from the outset to enable mitigations through thoughtful design, architecture, and security measures.
- Align operational and technological needs: Entities should implement application security measures and protocols that align to operational and technological requirements.
- Apply a risk-based approach: Entities should ensure that application security solutions are maintained in balance with the risks associated with the applications being secured.
- Implement preventative measures: Entities should implement measures designed to prevent application security incidents before they occur.
- Implement detective measures: Entities should consider and implement application security measures focused on identifying issues or breaches that may have already occurred or that are in progress.
- Implement reporting measures: Entities should consider and implement appropriate reporting processes. If an application is a critical infrastructure asset, entities must comply with the Security of Critical Infrastructure Act 2018 (Cth).
- Implement corrective measures: Entities should be prepared to take action to fix vulnerabilities and restore security in an application after a breach or attack is detected.
- Adhere to reuse principles: Entities should give priority to the adoption of reusable digital and ICT solutions, patterns, or knowledge, and, where necessary, design new solutions with a focus on future reuse.