Australian Government Architecture
Search

Type

Capability

Reference

.

Mandate

Endorsed

Information Asset Security

Definition

Information asset security refers to protecting the information collected, processed, and stored on digital and ICT systems and networks. It encompasses protecting both information asset infrastructure, and information assets, from unauthorised access, disclosure, alteration, or destruction. This safeguards the confidentiality, integrity, and availability of information assets against various cyber threats and vulnerabilities.

Please consult Information Asset Management for details on processes and procedures employed in managing information assets, ensuring that information, insights, and services are conveyed to the public efficiently, timely, and in the appropriate format.

Purpose

Information asset security ensures entities appropriately safeguard information assets. maintains public trust by preventing unauthorised access, breaches, and potential exploitation by malicious actors.

A mature capability in Application Security enables fast and appropriate response to emerging threats, and continuous improvement of security posture.

Information asset security is realised through:

  • appropriate classification of information assets, to inform their security requirements
  • the definition, planning, deployment, and use of appropriate security measures (including policies/processes and technological solutions) to protect information assets in a manner suited to the situation-specific circumstances
  • considering the capability as part of a complementary suite of Cyber Security Capabilities, including Application Security, Network Security, Privacy, and Permissions.

Objective 

The objectives of this Australian Government Architecture (AGA) content are to:

  • ensure Information Assets across Government are secured to a standard appropriate to their risk of security compromise
  • ensure that entities are familiar with information asset security best practices, allowing them to make informed decisions on investment and implementation
  • ensure that new information asset solutions draw security efficiency from preceding investments, implementations, and learnings to maximise re-use and minimise risk
  • ensure strategic alignment of information asset security features to the Australian Government’s cyber security goals
  • meet the minimum compliance with contractual obligations, legislation and regulation, government policies and standards, and any national or international agreements relating to information asset management.

Whole-of Government Applicability

The 2023-2030 Australian Cyber Security Strategy and 2023-2030 Australian Cyber Security Action Plan impose obligations on the APS for Information Asset Security through:

  • ensuring that security considerations are incorporated into the design, development, and deployment of systems across the Australian Public Service
  • developing a unified and comprehensive approach to this capability to fortify security of information assets and contribute to the overall resilience and security posture of the entire government infrastructure
  • preventing vulnerabilities, reducing the risk of security breaches, and protecting sensitive data and systems.

The Data and Digital Government Strategy and Implementation Plan impose obligations on the APS for Information Asset Security through:

  • Simple and seamless services: To deploy scalable and secure architecture
  • Trusted and secure: To connect data, digital, and cyber security, and build and maintain trust.

Policy Elements

Policy:
POL39
Information Asset Security Policy Mandate:
Endorsed
Status:
Core

  • Comply with legislation and regulation

    An entity must comply with any legislation relevant to its circumstances.

  • Align to guidelines and standards

    All Commonwealth entities must comply with the Protective Security Policy Framework, as well as any other mandatory frameworks, policies, and standards.

  • Be Secure-by-Design

    Entities should consider information asset security early. Threats should be considered from the outset to enable mitigations through thoughtful design, architecture, and security measures. 

  • Apply a risk-based approach to information asset security

    The assessment and management of risks associated with information assets should inform security decisions and investments. 

  • Align operational and technological needs

    Entities should implement information asset security measures and protocols that align to operational and technological requirements.

  • Select and implement appropriate information asset security controls

    Entities should consider the correct classification of information to determine the level of protection each asset requires. Controls should be chosen based on the ability to mitigate identified risks to the information asset, ensuring that they protected against unauthorised access, disclosure, alteration, or destruction. 

  • Adhere to reuse principles

    Entities should give priority to the adoption of reuseable digital and ICT solutions, patterns, or knowledge, and, where necessary, design new solutions with a focus on future reuse.

Domains

This capability is part of the following domain.
DOM9

Cyber Security

Policies

The following policies have requirements that impact this capability.
Protective Security Policy Framework (PSPF)
POL19
Mandate: Endorsed
Status: Core
The PSPF sets out Australian Government policy across six security domains and prescribes what Australian Government entities must do to protect their people, information and resources, both domestically and internationally. Application of the PSPF assures government that entities are implementing…
Information Asset Security Policy
POL39
Mandate: Endorsed
Status: Core

Standards

The following standards support development of digital solutions in this capability.

Information Security Manual (ISM)

STA8
The Australian Cyber Security Centre (ACSC) produces the Information Security Manual (ISM). The purpose of the ISM is to outline a cyber security framework that an organisation can apply, using their risk management framework, to protect their systems and data from cyber threats. The ISM is…

Information Asset Security Standard

STA52
The Australian Government ensures the safety and security of its operations to remain a trusted custodian of sensitive information. It will continue to maintain the safe, secure operation of government systems and technology through the effective implementation of the Information Security Manual,…

Designs

The following designs include examples of how digital solutions in this capability can be delivered.

Essential Eight Cyber Threat Mitigation Strategies

DES119

Lead Agency: Australian Cyber Security Centre

While no set of mitigation strategies are guaranteed to protect against all cyber threats, organisations are recommended to implement eight essential mitigation strategies from the Strategies to Mitigate Cyber Security Incidents as a baseline.

Gatekeeper Public Key Infrastructure Framework

DES165

Lead Agency: Department of Finance

The Gatekeeper Public Key Infrastructure (PKI) Framework governs the way the Australian Government uses digital keys and certificates to assure the identity of subscribers to authentication services.  Please note this framework is currently under review. Annual audits of existing accredited…
Was this information helpful?

Do not include any personal information. We are unable to respond to comments or feedback. If you would like a response, please email, or phone us. Our details are on the AGA contact page www.architecture.digital.gov.au/contact-us.