Definition
Information asset security refers to protecting the information collected, processed, and stored on digital and ICT systems and networks. It encompasses protecting both information asset infrastructure and the information assets themselves from unauthorised access, disclosure, alteration, or destruction. This safeguards the confidentiality, integrity, and availability of information assets against cyber threats and vulnerabilities.
Please consult Information Asset Management for details on the processes and procedures employed in managing information assets, ensuring that information, insights, and services are conveyed to the public efficiently, in a timely manner, and in the appropriate format.
Purpose
Information asset security ensures entities appropriately safeguard information assets. It maintains public trust by preventing unauthorised access, breaches, and potential exploitation by malicious actors.
A mature capability in Information Asset Security enables fast and appropriate response to emerging threats, and continuous improvement of security posture.
Information asset security is realised through:
- appropriate classification of information assets, to inform their security requirements
- the definition, planning, deployment, and use of appropriate security measures (including policies/processes and technological solutions) to protect information assets in a manner suited to the situation-specific circumstances
- considering the capability as part of a complementary suite of Cyber Security Capabilities, including Application Security, Network Security, Privacy, and Permissions.
Objective
The objectives of this Australian Government Architecture (AGA) content are to:
- ensure Information Assets across Government are secured to a standard appropriate to their risk of security compromise
- ensure that entities are familiar with information asset security best practices, allowing them to make informed decisions on investment and implementation
- ensure that new information asset solutions draw security efficiency from preceding investments, implementations, and learnings to maximise re-use and minimise risk
- ensure strategic alignment of information asset security features to the Australian Government’s cyber security goals
- meet, at a minimum, compliance with contractual obligations, legislation and regulation, government policies and standards, and any national or international agreements relating to information asset management.
Whole-of-Government Applicability
The 2023-2030 Australian Cyber Security Strategy and 2023-2030 Australian Cyber Security Action Plan impose obligations on the APS for Information Asset Security through:
- ensuring that security considerations are incorporated into the design, development, and deployment of systems across the Australian Public Service
- developing a unified and comprehensive approach to this capability to fortify security of information assets and contribute to the overall resilience and security posture of the entire government infrastructure
- preventing vulnerabilities, reducing the risk of security breaches, and protecting sensitive data and systems.
The Data and Digital Government Strategy and Implementation Plan impose obligations on the APS for Information Asset Security through:
- Simple and seamless services: To deploy scalable and secure architecture
- Trusted and secure: To connect data, digital, and cyber security, and build and maintain trust.
Policy Elements
- Comply with legislation and regulation: An entity must comply with any legislation relevant to its circumstances.
- Comply with relevant policies of the Protective Security Policy Framework (PSPF): The PSPF is mandatory for all Commonwealth entities. Of relevance to Information Asset Security are:
- Align to guidelines and standards: An entity should ensure that the design, development, and deployment of information asset solutions aligns with relevant security standards, frameworks, and regulations.
- Be Secure-by-Design: Entities should consider information asset security early. Threats should be considered from the outset so that they can be mitigated through thoughtful design, architecture, and security measures.
- Apply a risk-based approach to information asset security: The assessment and management of risks associated with information assets should inform security decisions and investments.
- Align operational and technological needs: Entities should implement information asset security measures and protocols that align with operational and technological requirements.
- Select and implement appropriate information asset security controls: Entities should classify information correctly to determine the level of protection each asset requires. Controls should be chosen based on their ability to mitigate the identified risks to the information asset, ensuring that it is protected against unauthorised access, disclosure, alteration, or destruction.
- Adhere to reuse principles: Entities should give priority to the adoption of reusable digital and ICT solutions, patterns, or knowledge, and, where necessary, design new solutions with a focus on future reuse.