This policy describes the requirements for Commonwealth entities to ensure secure data exchange between digital systems.
Applicability
Commonwealth entities are encouraged to apply this policy to their digital and ICT systems to ensure a best-practice, consistent approach across government.
Entities bringing forward investment proposals through the Digital and ICT investment oversight framework (IOF) will be assessed against this policy.
Policy requirements
This section describes the requirements for developing and maintaining a secure data exchange capability.
Implement security, data protection and access controls
Entities must implement encryption, authentication and access controls appropriate to the sensitivity of the data, as defined in the Information security manual. Entities must also maintain data security through secure transmission protocols and verification mechanisms.
Ensure standardisation and interoperability
Entities must use standardised data exchange protocols to ensure consistency and seamless integration across government systems. Secure data exchange solutions must be designed to support interoperability, and to enable efficient and secure data sharing between entities and external partners.
Apply governance practices to ensure compliance
Entities must implement audit and logging capabilities to ensure data exchanges are traceable, auditable and compliant with transparency requirements. Conducting ongoing governance, monitoring and risk assessments is vital to mitigating emerging threats and vulnerabilities.
Manage risk and implement resilience measures
Entities must apply a risk management framework to assess, mitigate and monitor risks associated with secure data exchanges. Solution designs must consider resilience measures including redundancy, failover mechanisms and disaster recovery. Access to secure data exchange systems should be restricted to authorised users based on a principle of least privilege.
Align to guidelines and standards
Entities must comply with the Protective security policy framework (PSPF) as well as any other mandatory frameworks, policies and standards.
Adhere to reuse principles
Entities must give priority to the adoption of existing reusable digital and ICT solutions, patterns and knowledge wherever possible, and develop new solutions with a focus on their future reuse.
Comply with relevant legislation
An entity must comply with any legislation relevant to its circumstances. Details of what entities need to do to comply with these requirements are included under the Secure data exchange standard.