This policy describes the requirements for entities planning digital investments involving application security considerations.
Applicability
Digital investment proposals are assessed against this policy by the DTA through the Digital and ICT Investment Oversight Framework (IOF).
Commonwealth entities are encouraged to apply this policy to all digital investments.
Policy requirements
- Comply with legislation and regulation
An entity must comply with any legislation relevant to its circumstances.
- Align to guidelines and standards
All Commonwealth entities must comply with the Protective Security Policy Framework, as well as any other mandatory frameworks, policies, and standards.
- Be secure-by-design
Integrating application security as a core element of digital products and services, from the design phase through to deployment and beyond, ensures that security considerations and mitigations are embedded and remain effective throughout the lifecycle of the investment.
- Align operational and technological needs
Analysing and assessing the entity's specific needs, and determining its operational and technological functional and non-functional requirements, ensures that the application security measures and protocols selected are fit-for-purpose and traceable in their coverage of those needs.
- Apply a risk-based approach
Selecting, deploying, and maintaining application security solutions in proportion to the risks associated with the applications being secured ensures that the operational elements of security are prioritised, and that solutions do not inadvertently impact system performance and functionality.
- Implement preventative measures
Entities should consider and implement application security measures focused on preventing issues or breaches from occurring in the first place.
- Implement detective measures
Entities should consider and implement application security measures focused on identifying issues or breaches that may have already occurred or that are in progress.
- Implement reporting measures
Entities should consider and implement appropriate reporting processes; these are critical for both awareness of risk and transparency. If an application is a critical infrastructure asset, entities must comply with the Security of Critical Infrastructure Act 2018 (Cth).
- Implement corrective measures
Proactively preparing corrective measures ensures entities are ready to act to fix vulnerabilities and restore the security of an application once a breach or attack is detected.
- Adhere to reuse principles
Entities should prioritise the reuse of existing digital and ICT solutions, patterns, or knowledge. Where necessary, design new solutions with a focus on future reuse.