Information security is an important issue for the Australian Government, particularly with our increased reliance on technology to do business. Agencies need to ensure that the information and records they create are secured so they cannot be:
- tampered with or inappropriately altered
- inappropriately deleted or misplaced
- accessed by unauthorised personnel
Keeping records secure in your agency may involve a combination of systems and processes to ensure that these requirements are met. For example:
- applying controls which limit access to authorised personnel
- monitor security breaches,
- using passwords and passphrases for authentication
In establishing procedures and strategies to protect your information, be careful to ensure that security and authentication mechanisms do not inadvertently make digital records inaccessible in the long term. This is particularly important for records of archival or long term business value.
Taking a risk based approach to managing your information reduces the possibility of overly restrictive controls. Staff should capture unrestricted records into designated records management systems, with authorised users then applying relevant access controls.
Detailed advice on managing security risks to official resources, including information, can be found in the Australian Government Protective Security Policy Framework issued by the Attorney-General’s Department. The framework also contains the Australian Government Security Classification System.
The Protective Security Policy Framework is complemented by the Australian Government Information Security Manual (ISM) issued by the Defence Signals Directorate. The ISM is the standard which governs the security of government ICT systems.
Protecting online information outlines a number of practical measures on how to secure online business information from unauthorised access or alteration.
When to declassify records
Handling, storing and transferring highly classified records can be complicated and expensive. Prior to long term storage or transfer to the Archives, your agency should consider declassifying or downgrading records when protection is no longer needed.