The information asset security policy provides whole-of-government guidance on safeguarding government information assets from unauthorised access, misuse, and loss.
The aims of this policy are to:
- ensure compliance with legal and regulatory requirements
- strengthen security measures by ensuring that entities are familiar with information asset security best practice
- ensure that new information asset solutions draw security efficiency from preceding investments, implementations, and learnings to maximise re-use and minimise risk
- ensure strategic alignment of information asset security features to the Australian Government’s cyber security goals.
Applicability
Digital investment proposals are assessed against this policy by the DTA through the Digital and ICT Investment Oversight Framework (IOF).
Commonwealth entities are encouraged to apply this policy to all digital investments.
Policy requirements
- Align to guidelines and standards: all Commonwealth entities must comply with the Protective Security Policy Framework, as well as any other mandatory frameworks, policies, and standards.
- Be secure-by-design: consider information asset security early. Threats should be considered from the outset to enable mitigations through thoughtful design, architecture, and security measures.
- Apply a risk-based approach to information asset security: proactively identify, assess and manage risks associated with information assets to inform security decisions and investments.
- Select and implement appropriate information asset security controls: correctly classify information to determine the level of protection each asset requires. Choose security controls based on their ability to mitigate identified risks to the information asset, ensuring that it is protected against unauthorised access, disclosure, alteration, or destruction.
- Adhere to reuse principles: give priority to the adoption of reusable digital and ICT solutions, patterns, or knowledge, and, where necessary, design new solutions with a focus on future reuse.
- Comply with legislation and regulation: entities must comply with any legislation relevant to their circumstances.