Australian Government Architecture

Information Asset Security Policy

Policy Requirements

Information Asset Security policy requirements are as follows:

  • Comply with legislation and regulation

    An entity must comply with any legislation relevant to its circumstances.

  • Align to guidelines and standards

    All Commonwealth entities must comply with the Protective Security Policy Framework, as well as any other mandatory frameworks, policies, and standards.

  • Be Secure-by-Design

    Entities should consider information asset security early. Threats should be considered from the outset to enable mitigations through thoughtful design, architecture, and security measures.

  • Apply a risk-based approach to information asset security

    The assessment and management of risks associated with information assets should inform security decisions and investments.

  • Align operational and technological needs

    Entities should implement information asset security measures and protocols that align to operational and technological requirements.

  • Select and implement appropriate information asset security controls

    Entities should consider the correct classification of information to determine the level of protection each asset requires. Controls should be chosen based on their ability to mitigate identified risks to the information asset, ensuring that it is protected against unauthorised access, disclosure, alteration, or destruction.

  • Adhere to reuse principles

    Entities should give priority to the adoption of reusable digital and ICT solutions, patterns, or knowledge, and, where necessary, design new solutions with a focus on future reuse.

Capabilities

This policy includes requirements that relate to the following capability:

  • CAP10 – Information Asset Security

Standards

The following standards show what to do to satisfy this policy.

  • The Australian Cyber Security Centre (ACSC) produces the Information Security Manual (ISM). The purpose of the ISM is to outline a cyber security framework that an organisation can apply, using their risk management framework, to protect their systems and data from cyber threats. The ISM is…

  • The Australian Government ensures the safety and security of its operations to remain a trusted custodian of sensitive information. It will continue to maintain the safe, secure operation of government systems and technology through the effective implementation of the Information Security Manual,…

Designs

The following designs can be relevant to meeting the requirements of this policy.

  • While no set of mitigation strategies is guaranteed to protect against all cyber threats, organisations are recommended to implement eight essential mitigation strategies from the Strategies to Mitigate Cyber Security Incidents as a baseline. This baseline, known as the Essential Eight, makes…

  • The Gatekeeper Public Key Infrastructure (PKI) Framework governs the way the Australian Government uses digital keys and certificates to assure the identity of subscribers to authentication services. Please note this framework is currently under review. Annual audits of existing accredited…