Anitech’s Guide on Information Security Policies for Australian Organisations

The government of Australia has various information security policies organisations can adhere to protect their data or sensitive information.

Australia has a well-developed and mature information security policy framework, which is driven by a number of legislative, regulatory, and industry-specific requirements.

Information Security Rules

To prevent information compromise, information security rules explain how institutions categorise and manage official information. They also outline how to enable appropriate and secure access to government information, mitigate common and developing cyber risks, and protect government information and communication technology systems.

The four main criteria in these regulations, as well as the related supporting requirements, specify what organisations must do to accomplish the information security outcome.

Outcome

Every entity ensures the secrecy, integrity, and accessibility of all official information.

Here are the information security policies in Australia, organisations must have to secure their systems, devices and data.

1. Policy 8: Sensitive and Classified Information

a) Core requirement

Each entity must:

1. identify information assets;
2. analyse the security and sensitivity classification of information assets; and
3. apply operational controls for these information holdings in accordance with their value, importance, and sensitivity.

b) Key topics

• Official information
• Security and sensitive classified information.
• Accountable material and Caveats.
• Information management markers.
• Minimal protections for security and sensitive classified information.
• Disposal of sensitive and security classified information.
• Emergencies, security violations or breaches involving security classified information.
• Minimum protections and handling requirements for sensitive and security classified information.

c) Purpose

This guideline explains how to assess the sensitivity or security classification of information appropriately. It also specifies labelling, handling, storage, and disposal procedures to prevent information compromise.

d) Overview

Entities must examine the following factors to properly protect against information compromise:

• confidentiality – Who should have access to the information and why?
• integrity – guarantee that information is only being generated, modified or deleted by the appropriate approved means and is correct and legitimate.
• availability – ensuring approved employees have access to information when and as needed.

The Australian Government uses the following three security classifications:

• PROTECTED
• SECRET
• TOP SECRET.

All other data from business operations and services is OFFICIAL or, where it is sensitive, OFFICIAL: Sensitive.

The creator of the document is responsible for applying the appropriate sensitive or security classification. To do so, they should calculate the Business Impact Level (BIL) based on the potential damage if the confidentiality of the information is exposed. The creator retains authority over the information’s sanitization, reclassification, or declassification.

Certain information may require additional safeguards beyond those specified by the sensitive label or security classification. These additional particular safeguards are denoted with caveats.

Certain information necessitates the most stringent restrictions on its access and movement. This is designated as responsible material by the creator.

Information management markers are an optional method for businesses to identify information that is subject to non-security-related access and usage limitations.

Organszations have to adhere to the Australian Government Recordkeeping Metadata Standard to secure information stored, processed or sent on systems that are sensitive or security classified. Businesses must guarantee that security classified information is properly maintained, transferred, and disposed of.

2. Policy 9: Access to Information

a) Core requirement

Each body is responsible for ensuring adequate access to official information.

This includes:

1. information exchange inside the entity and with other relevant stakeholders
2. ensuring that persons who have access to sensitive or secret information have the necessary security clearance and need to know that information
3. managing access to supporting ICT systems, networks, infrastructure, devices, and applications (including remote access).

b) Key topics

• External and internal information sharing.
• The need-to-know principle.
• Personnel security requirements to access security and sensitive classified resources.
• Temporary access to classified resources.
• ICT access controls.

c) Purpose

This policy describes the security safeguards that enable an institution to offer timely, dependable, and appropriate access to official information.

d) Overview

Access to OFFICIAL government information must be adequately regulated, particularly when distributing sensitive or classified information or releasing information outside the government.

Entities must take into account the information they exchange and reveal. When exchanging information with those outside the government, they must have plans in place.

Entities must guarantee that individuals within the government have the right security clearance and a need to know. Certain Australian office holders have access exclusions.

Caveated information is subject to stringent safeguards. The following releasability caveats are particularly noteworthy:

• Australian Eyes Only (AUSTEO)
• Australian Government Access Only (AGAO)
• Releasable to (REL) that restricts resource access depending on citizenship.

Temporary access to classified materials may be necessary for certain restricted circumstances. After analysing the security concerns, short-term or temporary access may be provided.

Businesses must implement controls to restrict access to information systems containing sensitive and classified data.

3. Policy 10: Safeguarding Data from Cyber-threats

a) Core requirements

Each entity must protect itself from prevalent cyber-attacks by:

• adopting the following mitigating methods from the Cyber Security Incident Mitigation Strategies:

1. application control
2. patch applications

• configuration of Microsoft Office macro settings

1. user application hardening
2. restricting administrative privileges.
3. patch operating systems

• multi-factor authentication
• daily backups
• determining which of the remaining mitigation strategies from the Strategies to Mitigate Cyber Security Incidents must be adopted in order for their entity to attain an acceptable level of residual risk.

b) Key topics

• Obtaining PSPF maturity through the implementation of specified mitigation techniques
• Applying the Essential Eight and additional cyber security mitigation methods
• Cyber security duties while trading with the general public online.

c) Purpose

This policy explains how the Australian Government might minimise common and developing cyber risks.

d) Overview

Entities should reduce their vulnerability to cyber security concerns. External and internal enemies that steal data, damage data, or seek to prevent systems from working are among the cyber dangers confronting the Australian Government. External adversaries attempting to steal data are the most typical cyber danger that companies face. These adversaries frequently attempt to get access to systems and data via fraudulent emails and websites. It is vital that organisations protect the data stored on computers that may send emails or surf the internet.

While no single mitigation strategy, or set of mitigation strategies, can guarantee the prevention of a cyber security incident, the Australian Cyber Security Centre (ACSC) estimates that by implementing eight essential mitigation strategies (known as the ‘Essential Eight- external site’), many cyber security incidents can be avoided. These mitigation measures are regarded as the foundation of cyber security. Each entity must also decide which of the other mitigation techniques from the ACSC’s factsheet Ways to Mitigate Cyber Security Incidents- an external site they will use to safeguard their entity.

Entities should apply the maturity level 2 criteria in the Essential Eight- external site Maturity Model to achieve a ‘Managing’ maturity level for each of the eight necessary mitigation techniques from the Strategies to Mitigate Cyber Security Incidents- external site.

When the public transacts with the government online, institutions must guarantee that the public is not exposed to unwarranted cyber security risks.

4. Policy 11: Robust ICT Systems

a) Core requirement

Each entity must examine and assure the secure functioning of its ICT systems to preserve information and the continued delivery of government business by implementing cyber security principles from the Australian Government Information Security Manual at all stages of each system’s lifetime.

b) Key topics

• Safeguarding the security of ICT systems throughout their lifespan.
• ICT system authorisation.
• Safe internet gateways.

c) Purpose

This policy explains how to protect information and communication technology (ICT) systems in order to facilitate the secure and continuous delivery of government services.

d) Overview

An information and communication technology (ICT) system is a connected collection of hardware and software that processes, saves, or communicates information, as well as the governing structure within which it functions.

Entities should successfully follow the Australian Government Information Security Manual (ISM) cyber security standards to protect ICT systems from cyber-attacks:

• Governance: Determine and controlling security concerns.
• Protect: Putting in place security safeguards to decrease security threats.
• Detection: The detection and comprehension of cyber security occurrences.
• Respond: Reacting to cyber security incidents and recovering from them.

Entities shall only utilise ICT systems that have been authorised by the governing authority.

The ISM offers a risk-based 6-step strategy to cyber security. Entities must take this into account while authorising or reauthorizing the usage of systems.

Information processed, stored, or shared by the Australian Government through an outsourced information technology or cloud service provider is safeguarded in the same way as an internal corporate service. The same permission to run a framework to manage security risks throughout the life of the ICT system/service remains in effect.

Other Information Security Policies

Besides, the other information security policies that play an important role in helping organisations secure their data from cyber threats are as follows:

• Privacy Act 1988:

This act regulates how personal information is collected, used, and disclosed by Australian government agencies and private sector organizations. It also outlines the requirements for securing personal information.

• Australian Government Information Security Manual (ISM):

The ISM provides guidelines for securing Australian government information and systems. It covers a range of security topics, including risk management, access control, incident response, and security testing.

• Australian Cyber Security Centre (ACSC):

The ACSC is the central authority for information security in Australia, providing advice, guidance, and assistance to government agencies and private sector organizations. It publishes a range of resources, including threat reports, security advisories, and best practice guides.

• Payment Card Industry Data Security Standard (PCI DSS):

The PCI DSS is a set of security standards that applies to organizations that handle credit card information. It outlines requirements for protecting cardholder data, including encryption, access control, and security testing.

• Health Information Privacy Code 2020:

This code regulates how health information is collected, used, and disclosed by healthcare providers and other organizations that handle health information. It also outlines the requirements for securing health information.

What is Gateway in information security management?

A gateway is an information flow control mechanism that manages information flows between connected networks from different security domains. Entities must implement secure internet gateways that meet the Australian Signals Directorate requirements.

If you want Anitech’s experienced ISMS consultants to help your organisation in understanding and fulfilling all requirements essential for each policy, and comply with it, feel free to contact us.

To book an appointment, you can call us at 1300 802 163 or email info@anitechgroup.com.

Our team will be happy to help!

Stay tuned to Anitech website for more blogs.