The Information Security domain is focused on the protection of information, ensuring that its confidentiality, integrity and availability are safeguarded. The domain describes how to provide appropriate and secure access to information and helps people understand how to classify and handle information.

Required outcome

Each agency is responsible for maintaining the confidentiality, integrity and availability of all official information.

To assist agencies to achieve this security outcome, Tasmania’s Protective Security Policy Framework (TAS-PSPF) includes 3 Information Security (INFOSEC) core requirements, supported by a varying number of supplementary requirements and a guiding policy for each. These requirements cover the scope of what agencies must do in relation to their information security.

Information Security policies

INFOSEC-1: Access to, and management of, official information

Context

Security protections support agencies in the provision of timely, reliable and appropriate access to official information while ensuring integrity, availability and confidentiality of information. The availability of information assists in service delivery, business continuity, decision making and policy development.

Core requirement

The Accountable Authority must adhere to whole-of-government protective security policies and procedures relating to the management of information security.

Policy guidance

INFOSEC-2: Protecting official information

Context

Official information refers to all information that is created, sent, or received as part of the work of the Tasmanian Government. All official information must be protected according to the assessed business impact that any compromise of the information could cause.

Core requirement

Agencies will adopt the Australian Government’s Protective Security Policy Framework and related documentation for the classification, protective marking, transfer, handling and storage requirements of information (in any format) relative to its value, importance and sensitivity.

Policy guidance

INFOSEC-3: Robust technology and information systems

Context

Access to information, particularly security-classified information, must be controlled to maintain the confidentiality and integrity of Tasmanian Government information, assets, and business operations. Limiting unintended or unauthorised access to protectively marked information relies on robust and validated technology, information and infrastructure systems, complemented by enhanced security governance.

Core requirement

The Accountable Authority must ensure the security of technology and information assets to safeguard data, information and privacy, and to ensure continuous delivery of government business during all stages of the asset life-cycle.

Policy guidance