Australian Government Architecture

Application Security policy

This policy describes the requirements for entities planning digital investments involving application security considerations.

Applicability

Digital investment proposals are assessed against this policy by the DTA through the Digital and ICT Investment Oversight Framework (IOF).

Commonwealth entities are encouraged to apply this policy to all digital investments.

Policy requirements

  • Comply with legislation and regulation

    An entity must comply with any legislation relevant to its circumstances.

  • Align to guidelines and standards

    All Commonwealth entities must comply with the Protective Security Policy Framework, as well as any other mandatory frameworks, policies, and standards.

  • Be secure-by-design

    The integration of application security as a core element of digital products and services from the design phase through to deployment and beyond ensures security considerations and mitigations are embedded and effective throughout the lifecycle of the investment.

  • Align operational and technological needs

    Analysis and assessment of specific needs, and determination of operational and technological functional and non-functional requirements, ensures that the application security measures and protocols selected are fit for purpose and traceable in their coverage of entity needs.

  • Apply a risk-based approach

    Selecting, deploying, and maintaining application security solutions in proportion to the risks associated with the applications being secured ensures that the operational elements of security are prioritised, and that solutions do not inadvertently degrade system performance or functionality.

  • Implement preventative measures

    Entities should consider and implement application security measures focused on preventing vulnerabilities and breaches before they occur.

  • Implement detective measures

    Entities should consider and implement application security measures focused on identifying issues or breaches that may have already occurred or that are in progress.

  • Implement reporting measures

    Entities should consider and implement appropriate reporting processes. If an application is a critical infrastructure asset, entities must comply with the Security of Critical Infrastructure Act 2018 (Cth).

  • Implement corrective measures

    Proactive preparation of corrective measures ensures entities are ready to act to fix vulnerabilities and restore security in an application once a breach or attack is detected.

  • Adhere to reuse principles

    Entities should prioritise the reuse of existing digital and ICT solutions, patterns, or knowledge. Where necessary, design new solutions with a focus on future reuse.

Capabilities

This policy includes requirements that relate to the following capability.

CAP11 Application Security

Standards

The following standards show what to do to satisfy this policy.
The Australian Government ensures the safety and security of its operations to remain a trusted custodian of sensitive information. It will continue to maintain the safe, secure operation of government systems and technology through the effective implementation of the Information Security Manual,…

Designs

The following designs can be relevant to meeting the requirements of this policy.
Responsible agency: Comcare. The Integrated Regulatory Information System (IRIS) is the primary application used by Comcare’s Regulatory Operations Group for various regulatory licensing, monitoring, compliance, and investigation tasks. It is a central, organised, easy-to-access place to store data…