Australian Government Architecture

Information Asset Security Standard

The Australian Government ensures the safety and security of its operations to remain a trusted custodian of sensitive information. It will continue to maintain the safe, secure operation of government systems and technology through the effective implementation of the Information Security Manual, Protective Security Policy Framework, the Essential Eight Mitigations, and by increasingly adopting secure-by-design and secure-by-default principles and tactics.

An Information Asset Security Standard ensures that applications are developed and maintained with security in mind, protecting sensitive information assets and preventing unauthorised access, use, disclosure, modification or destruction of those assets. This is how the Australian Government maintains the safety and security of its operations and remains a trusted custodian of sensitive information.

Cornerstones of investment include the secure environment of data centres and associated infrastructure that provide hosting services for Commonwealth entities.

It is critical this standard be considered alongside those of complementary capabilities:

  • Application Security.
  • Network Security.
  • Permissions.

Comply with legislation and regulation

Entities must:

  • comply with relevant whole-of-government laws, regulations, and domain standards including (but not limited to):
    • Archives Act 1983 (Cth)
    • Data Availability and Transparency (DAT) Act 2022 (Cth)
    • Privacy Act 1988 (Cth) 
    • Security of Critical Infrastructure Act 2018 (Cth)
  • comply with any other legislation applicable to specific functions and circumstances

Align to guidelines and standards

Entities must:

Entities should consider and align, where suitable, to security frameworks across Government:

Entities should also consider the following from organisations outside of the APS:

  • ISO/IEC 27001 defines the requirements an information security management system (ISMS) must meet.
  • The Open Web Application Security Project (OWASP) provides comprehensive resources on data security, including the OWASP Data Security Top 10, which describes the most significant risks in storing and moving sensitive and personally identifiable information (PII), the challenges involved, and how to address them.

Be Secure-by-Design

Entities should implement the Essential Eight mitigation strategies:

  1. implement application control
  2. patch applications
  3. configure Microsoft Office macro settings
  4. harden user applications
  5. restrict administrative privileges
  6. patch operating systems
  7. use multi-factor authentication
  8. perform regular backups.

Align operational and technological needs

Entities should:

  • design information asset security measures and solutions to integrate seamlessly with an entity’s existing security infrastructure to provide layered security
  • understand the specific type of information being handled, and tailor security measures accordingly
  • use trusted suppliers vetted as part of cyber supply chain risk management assessments
  • record suppliers on their approved supplier list once vetted
  • adopt advanced encryption methods, secure communication protocols, and intrusion detection systems to safeguard both data in transit and at rest
  • ensure security solutions for information assets are scalable and flexible to adapt to evolving threats and technological advancements
  • integrate security awareness and training programs, as human factors may pose a significant risk to the security of information assets.

Apply a risk-based approach

Entities should:

  • be careful to ensure that security mechanisms do not inadvertently impact the performance, availability, accessibility, or other aspects of systems to the detriment of the user experience
  • be careful to ensure that security and authentication mechanisms do not inadvertently make digital records inaccessible in the long term
  • prioritise security considerations throughout all stages of the software delivery lifecycle, including when architecting, developing, testing, and deploying applications
  • integrate security awareness and training programs
  • demonstrate and foster a culture of security among their employees.

Select and implement appropriate information asset security controls

The Australian Government uses 4 protective markings for sensitive and security classified information:

  • OFFICIAL: Sensitive (a dissemination limiting marker, not a security classification)
  • PROTECTED
  • SECRET
  • TOP SECRET

PROTECTED, SECRET and TOP SECRET are the 3 security classifications. All other information from business operations and services is OFFICIAL by default. UNOFFICIAL information is information that does not form part of official duty.

Entities must:

Entities should:

  • consider declassifying or downgrading records when protection is no longer needed
  • understand the specific type of information asset being held or transferred, and tailor security measures accordingly.

Implement detective measures

Entities should:

  • implement detective controls such as intrusion detection systems, and agents that monitor data health and availability
  • develop and implement mechanisms for continuous vulnerability assessment and remediation across all stages of the application development lifecycle
  • monitor emerging risks and understand the threats these pose to their specific information assets.
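The first bullet above names agents that monitor data health as a detective control. The following is an added example, not part of the AGA standard or any government tooling, of the simplest such agent: a file-integrity monitor that baselines a record store with SHA-256 digests, seals the baseline with an HMAC so that tampering with the manifest itself is detected, and reports modified, missing and unexpected files. The record store, file names and record contents are constructed for the example; the key would in practice be held off the monitored host.

```python
"""Added example: a minimal file-integrity agent as a detective control.
Not part of the AGA standard; paths and sample records are constructed."""
import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path

# Constructed sample records standing in for an information asset store.
SAMPLE_RECORDS = {
    "records/2024-001.json": b'{"marking": "OFFICIAL: Sensitive", "body": "..."}',
    "records/2024-002.json": b'{"marking": "PROTECTED", "body": "..."}',
}


def sha256_file(path: Path) -> str:
    """Digest a file in chunks so large records do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Map every file under root (POSIX-style relative path) to its digest."""
    return {str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def build_baseline(root: Path, key: bytes) -> dict:
    """Hash every file and seal the manifest with an HMAC, so that an attacker
    who can edit records cannot also silently edit the baseline they are checked against."""
    files = snapshot(root)
    canonical = json.dumps(files, sort_keys=True).encode()
    return {"files": files, "mac": hmac.new(key, canonical, "sha256").hexdigest()}


def check(root: Path, baseline: dict, key: bytes) -> dict:
    """Compare the current tree to the baseline and return findings by category."""
    canonical = json.dumps(baseline["files"], sort_keys=True).encode()
    expected = hmac.new(key, canonical, "sha256").hexdigest()
    findings = {"manifest_tampered": not hmac.compare_digest(expected, baseline["mac"]),
                "modified": [], "missing": [], "unexpected": []}
    if findings["manifest_tampered"]:
        return findings  # the baseline cannot be trusted; report and stop
    current = snapshot(root)
    for name, digest in baseline["files"].items():
        if name not in current:
            findings["missing"].append(name)
        elif current[name] != digest:
            findings["modified"].append(name)
    findings["unexpected"] = sorted(set(current) - set(baseline["files"]))
    return findings


def demo() -> dict:
    """Seed a temporary store, take a baseline, then simulate unauthorised
    modification, destruction and insertion, plus a forged manifest."""
    key = os.urandom(32)  # in practice kept outside the monitored host
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, data in SAMPLE_RECORDS.items():
            p = root / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(data)
        baseline = build_baseline(root, key)
        clean = check(root, baseline, key)
        (root / "records/2024-001.json").write_bytes(b'{"marking": "OFFICIAL"}')  # modified
        (root / "records/2024-002.json").unlink()                                  # destroyed
        (root / "records/2024-003.json").write_bytes(b"{}")                        # inserted
        after = check(root, baseline, key)
        # An attacker who edits the manifest to cover the insertion breaks the HMAC.
        forged = {"files": dict(baseline["files"]), "mac": baseline["mac"]}
        forged["files"]["records/2024-003.json"] = sha256_file(root / "records/2024-003.json")
        forged_result = check(root, forged, key)
    return {"clean": clean, "after": after, "forged": forged_result}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run on a schedule, the agent's findings feed the reporting processes described in the next section; a real deployment would also sign and ship the baseline to a separate system so that a host compromise cannot erase both the records and the evidence.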

Implement reporting measures

Entities should:

  • consider and implement appropriate reporting processes
  • have protocols and processes for reporting and recording any security incidents.

Implement corrective measures

Entities should:

  • establish a process for timely identification of attacks to prevent further compromise of the application
  • be able to understand the impact of an attack, by gathering facts and evaluating risks, including potential harm to affected individuals, and, where possible, take action to remediate any risk of harm
  • ensure secure data redundancy such that critical systems can be restored and made available following any breach.

Adhere to reuse principles

The Reuse section of the Australian Government Architecture provides guidance for entities on reuse.

Entities should:

  • consider application security-specific functional and non-functional requirements prior to solution design or consideration of technology choice, including:
    • volume and nature of information assets
    • broader system purpose
    • performance and availability requirements
    • privacy/sensitivity concerns
  • meet the requirements of the whole-of-government reuse policy.

Capabilities

This standard supports digital solutions in the following capability.
CAP10

Information Asset Security

Policies

This standard assists in meeting the requirements of the following policies.
POL39

Information Asset Security Policy

Designs

The following designs show how to achieve the intent of this standard.
While no set of mitigation strategies are guaranteed to protect against all cyber threats, organisations are recommended to implement eight essential mitigation strategies from the Strategies to Mitigate Cyber Security Incidents as a baseline. This baseline, known as the Essential Eight, makes…
The Gatekeeper Public Key Infrastructure (PKI) Framework governs the way the Australian Government uses digital keys and certificates to assure the identity of subscribers to authentication services.  Please note this framework is currently under review. Annual audits of existing accredited…