Australian Government Architecture

Information asset security policy

The information asset security policy provides whole-of-government guidance on safeguarding government information assets from unauthorised access, misuse, and loss. 

The aims of this policy are to:

  • ensure compliance with legal and regulatory requirements
  • strengthen security measures by ensuring that entities are familiar with information asset security best practice
  • ensure that new information asset solutions build on preceding investments, implementations, and learnings, to maximise re-use and minimise risk
  • ensure strategic alignment of information asset security features to the Australian Government’s cyber security goals.

Applicability 

Digital investment proposals are assessed against this policy by the DTA through the Digital and ICT Investment Oversight Framework (IOF).

Commonwealth entities are encouraged to apply this policy to all digital investments.

Policy requirements

  • Align to guidelines and standards

    All Commonwealth entities must comply with the Protective Security Policy Framework, as well as any other mandatory frameworks, policies, and standards.

  • Be secure-by-design

    Consider information asset security early. Threats should be considered from the outset to enable mitigations through thoughtful design, architecture, and security measures. 

  • Apply a risk-based approach to information asset security

    Proactively identify, assess and manage risks associated with information assets to inform security decisions and investments. 

  • Select and implement appropriate information asset security controls

    Correctly classify information to determine the level of protection each asset requires. Choose security controls based on their ability to mitigate the identified risks to the information asset, ensuring that they protect against unauthorised access, disclosure, alteration, or destruction. 

  • Adhere to reuse principles

    Give priority to the adoption of reusable digital and ICT solutions, patterns, or knowledge, and, where necessary, design new solutions with a focus on future reuse.

  • Comply with legislation and regulation

    Entities must comply with any legislation relevant to their circumstances.

Capabilities

This policy includes requirements that relate to the following capability:

CAP10 Information Asset Security

Standards

The following standards show what to do to satisfy this policy.
The Australian Cyber Security Centre (ACSC) produces the Information Security Manual (ISM). The purpose of the ISM is to outline a cyber security framework that an organisation can apply, using their risk management framework, to protect their systems and data from cyber threats. The ISM is…
As a trusted custodian of sensitive information, the Australian Government is required to ensure the safety and security of its operations. The Government continues to maintain the safe, secure operation of the systems and technology through:  the effective implementation of the Information…

Designs

The following designs can be relevant to meeting the requirements of this policy.
Essential Eight. Direct link: cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight. Responsible agency: Australian Signals Directorate. Last updated: 27 November 2023. The Australian Signals Directorate has developed a number of Strategies to Mitigate Cyber Security Incidents, to help…
Integrated Regulatory Information System (IRIS). Responsible agency: Comcare. IRIS is the primary application used by Comcare’s Regulatory Operations Group for various regulatory licensing, monitoring, compliance, and investigation tasks. It is a central, organised, easy-to-access place to store data…
Gatekeeper PKI Framework. The Gatekeeper Public Key Infrastructure (PKI) Framework governs the way the Australian Government uses digital keys and certificates to assure the identity of subscribers to authentication services. Please note this framework is currently under review. Annual audits of existing accredited…