Protecting online information from unauthorised access and alteration
Online government transactions are subject to the same legislative and regulatory requirements, and community expectations, as business information created by any other means. Your agency needs to safeguard the confidentiality, integrity and availability of the online business information it creates and manages, so that information cannot be:
- inappropriately altered
- inappropriately deleted or misplaced
- accessed by unauthorised personnel.
Measures to protect your online business information from unauthorised access and alteration include:
- assessing the security and privacy risks related to the management of online business information. Risks can be identified and analysed by asking what could happen, how it would happen, how likely it is to happen and what the consequence would be
- identifying records that should be created and captured as a result of your agency's online activities
- assigning and documenting responsibilities for capturing records of online activities into your agency's business systems
- deciding on the appropriate online security solutions, such as data encryption, the use of digital certificates, and passwords or passphrases for the authentication of external clients
- maintaining and updating relevant encryption keys so that records contained on the server remain accessible
- preserving relevant records in a usable and accessible form for long-term storage. For accessibility reasons, records intended for long-term storage should not be captured and stored in an encrypted form
- declassifying or downgrading records when protection is no longer needed
- ensuring business systems used for capturing records of online activities comply with the requirements of the international standard for software systems designed to manage records, 'ISO 16175:2011 Principles and Functional Requirements for Records in Electronic Office Environments'. These systems need to maintain the authenticity of online transactions by, for example, capturing contextual metadata for digital signatures and having access controls applied by authorised users.
- Cyber Security Strategy provides the framework to ensure that personal and business information provided online to government is protected and that online government services are available when needed.
- Guide to securing personal information details the steps agencies are required to take under the Privacy Act 1988 to protect the holdings of personal information from misuse, interference and loss, and from unauthorised access, modification or disclosure.
- National e-Authentication Framework (NeAF) assists agencies with the authentication of external clients to a desired level of assurance or confidence. The NeAF encompasses the electronic authentication (e-authentication) of the identity of individuals and businesses dealing with the government, on one side of the transaction, as well as the authentication of government websites on the other side.
- ISO 16175:2011 Principles and Functional Requirements for Records in Electronic Office Environments provides internationally agreed principles and functional requirements for software used to create and manage digital information in office environments.