Information security is an important issue for the Australian Government, particularly with our increased reliance on technology to do business. Agencies need to ensure that the information and records they create are secured so they cannot be:
Keeping records secure in your agency may involve a combination of systems and processes to ensure that these requirements are met. For example, access to digital information and records can be managed by applying controls which limit access to authorised personnel and which monitor security breaches. Passwords and passphrases are common authentication methods used to verify and identify users.
Take care that security and authentication mechanisms do not inadvertently make digital records inaccessible in the long term. This is particularly important for records of archival or long-term business value. There is a considerable risk that records will become inaccessible as staff changes occur and passwords are forgotten. Staff should capture unrestricted records into designated records management systems, with authorised users then applying relevant access controls.
Detailed advice on managing security risks to official resources, including information, can be found in the Australian Government Protective Security Policy Framework issued by the Attorney-General’s Department. The framework also contains the Australian Government Security Classification System.
Handling, storing and transferring highly classified records can be complicated and expensive. Prior to long-term storage or transfer to the Archives, your agency should consider declassifying or downgrading records when protection is no longer needed.
The Protective Security Policy Framework is complemented by the Australian Government Information Security Manual (ISM) issued by the Defence Signals Directorate. The ISM is the standard which governs the security of government ICT systems.