Definition
Information asset security refers to protecting the information collected, processed and stored on digital and ICT systems and networks. It encompasses protecting both information asset infrastructure and information assets from unauthorised access, disclosure, alteration or destruction. This safeguards the confidentiality, integrity and availability of information assets against various cyber threats and vulnerabilities.
Please consult Information Asset Management for details on processes and procedures employed in managing information assets, ensuring that information, insights and services are conveyed to the public efficiently, timely and in the appropriate format.
Purpose
Information asset security ensures entities appropriately safeguard information assets and maintain public trust by preventing unauthorised access, breaches and potential exploitation by malicious actors.
A mature capability in information asset security enables fast and appropriate response to emerging threats, and continuous improvement of security posture.
Information asset security is realised through:
- the appropriate classification of information assets, informing their security requirements
- the definition, planning, deployment and use of appropriate security measures (including policies/processes and technological solutions) to protect information assets in a manner suited to the circumstances
- the consideration of this capability as part of a complementary suite of cyber security capabilities, including Application Security, Network Security, Privacy, and Permissions.
Objectives
- Ensure information assets across government are secure to a standard appropriate to their risk of security compromise.
- Ensure that entities are familiar and compliant with information asset security best practices and standards, allowing them to make informed decisions on investment and implementation.
- Reduce the number of security incidents by ensuring improved security measures are in place across Commonwealth entities.
- Ensure that new information asset solutions draw security efficiency from preceding investments, implementations and learnings to maximise reuse and minimise risk.
- Regularly conduct security audits to identify vulnerabilities, implement corrective actions and improve incident response time, in alignment with the Australian Government’s cyber security goals.
- Meet the minimum compliance with contractual obligations, legislation and regulation, government policies and standards, and any national or international agreements relating to information asset management.
Whole-of-government applicability
On 22 November 2023, the Australian Government released the 2023-2030 Australian Cyber Security Strategy, a roadmap that will help realise the Australian Government’s vision of becoming a world leader in cyber security by 2030.
The Data and Digital Government Strategy (DDGS) sets a vision for 2030 to deliver simple, secure and connected public services for all people and business, through world class data and digital capabilities.
Maturity in information asset security is of critical importance to the DDGS missions:
- Trusted and secure: The Australian Government commits to improving and maintaining trust in its use of data and digital technologies including through securing networks, systems and hardware.
- Simple and seamless services: The Australian Government commits to ensuring technology is scalable, secure, resilient and interoperable, with new systems and infrastructure that supports data access and discoverability.
Policy Elements
-
Comply with legislation and regulation
An entity must comply with any legislation relevant to its circumstances.
-
Align to guidelines and standards
All Commonwealth entities must comply with the Protective Security Policy Framework, as well as any other mandatory frameworks, policies, and standards.
-
Be Secure-by-Design
Entities should consider information asset security early. Threats should be considered from the outset to enable mitigations through thoughtful design, architecture, and security measures.
-
Apply a risk-based approach to information asset security
The assessment and management of risks associated with information assets should inform security decisions and investments.
-
Align operational and technological needs
Entities should implement information asset security measures and protocols that align to operational and technological requirements.
-
Select and implement appropriate information asset security controls
Entities should consider the correct classification of information to determine the level of protection each asset requires. Controls should be chosen based on the ability to mitigate identified risks to the information asset, ensuring that they protected against unauthorised access, disclosure, alteration, or destruction.
-
Adhere to reuse principles
Entities should give priority to the adoption of reuseable digital and ICT solutions, patterns, or knowledge, and, where necessary, design new solutions with a focus on future reuse.