Context

Purpose

The INFOSEC-1 (Access to, and management of, official information) policy and guidance assist agencies in achieving an effective protective security outcome within the information security domain of the TAS-PSPF. They address core requirement 7 and its supplementary requirements.

Core requirement

The Accountable Authority must adhere to whole-of-government protective security policies and procedures relating to the management of information security.

Supplementary requirements

In adhering to the whole-of-government approach to the management of information security, the Accountable Authority must:

  1. promote awareness of whole-of-government protective security policies and procedures relating to the management of information security or ensure development of agency‑specific policies as necessary[1]
  2. ensure that information is accessed only by people with a legitimate need to know and implement measures to protect sensitive information, through physical and electronic means, from unauthorised access, copy or release
  3. ensure people requiring access to security-classified information, or assets, are appropriately security cleared to the correct level and, where necessary, meet additional suitability requirements[2]
  4. develop and implement an agreement or arrangement enabling the sharing of sensitive or security classified information external to the Tasmanian Government and its agencies[3]
  5. where appropriate, manage access to information systems with unique user identification, authentication and authorisation for each instance of system access.

Effective information management supports business operations and continuity while ensuring integrity, availability and confidentiality of information.

The TAS‑PSPF supports agencies in the use of tools to appropriately manage information, enabling efficient and timely functions of government business and processes.

  1. Where whole-of-government policies and procedures are absent, agencies must develop their own in consultation with the Tasmanian Government Chief Information Officer.
  2. Not all office holders are required to hold a security clearance – see exemptions.
  3. This may be in the form of a deed or contract stipulating how the shared information is to be used and what protections must be applied.

Guidance

Introduction

This policy (INFOSEC-1) details security protections which support your agency in the provision of timely, reliable and appropriate access to official information, facilitating efficient and effective delivery of Tasmanian Government services. The availability of information assists in service delivery, business continuity, decision‑making and policy development.

While access to information facilitates Tasmanian Government services, it is important for your agency to protect the confidentiality, integrity and availability of the information your people use. The impact of compromise and harm to information can be felt within your agency, other agencies, the community and across the Tasmanian Government. For these reasons, you must apply this policy (INFOSEC-1) to protect the access to, and management of, official information.

Required action: Promote awareness and develop information security policies

Tasmanian Government information is a valuable resource. Protecting the confidentiality, integrity and availability of information is critical to your agency’s business operations. When your information security policies and procedures are well designed and implemented, you reduce the risks of your information being compromised.

Where they exist, your agency must apply whole-of-government information management policies and procedures to ensure consistency aligned to commonly accepted industry standards and best practice. In the absence of these, you must develop your own in consultation with the Tasmanian Government Chief Information Officer (CIO), strengthening our combined approach to information security.

Promotion of these policies and procedures within your agency should be incorporated in induction packages, where practicable. Inclusion in induction provides an opportunity for all people to understand the expectations of your agency and the Tasmanian Government regarding the protection and management of information.

Awareness of agency‑specific and whole-of-government policies strengthens security culture and provides information with protection from compromise and harm.

Required action: Ensure that information is accessed on a ‘need to know’ basis

The ‘need to know’ principle refers to the access of information based on an operational requirement. It is important to note this principle applies to all information regardless of the classification of the information and the position or seniority of the person seeking access.

Limiting access to information on a ‘need to know’ basis guards against the risk of unauthorised access, misuse of, and potential compromise to, information. You must apply the ‘need to know’ principle to all information within your agency; this can be achieved through implementing measures which deter and detect unauthorised access.

The ‘need to know’ principle is not intended to reduce or limit positive information sharing between people or agencies where an operational benefit exists.

Applying access controls and auditing capability to all information processes will assist you to maintain the ‘need to know’ principle. You must develop policies to support the management of, and access to, information based on this principle. Applying this principle in agency policies and security practices helps your people understand their responsibilities in the protection of information from compromise.

When applying access controls to information, you can consider restricting access based on the following categories:

  • Physical locations – access based on worksite or workstation
  • File system permissions, including physical documents and files – the ability to create, read, edit or delete
  • Application or program permissions – the right to run a program
  • Data and information rights – the right to retrieve, print, update or delete information in a database or system

You must communicate the ‘need to know’ principle within your agency and help people to understand the relevant restrictions your agency has applied to information.

When considering the distribution and sharing of information, it is important that the principle is adhered to, and it is recommended that you consider the following questions:

  • Am I allowed to release the information?
  • Is the person requesting the information allowed to receive it?
  • Is there an operational benefit to sharing the information?
  • Does the information or data contain sensitive or security-classified information?
  • Are there any other reasons why the information may not be able to be shared, e.g. is there a confidentiality agreement in place?

It may be more difficult to assess whether someone external to your agency has a genuine ‘need to know’. In this instance, a trust-based approach can be used between Tasmanian Government agencies.

Required action: Ensure people are appropriately security cleared

In addition to the ‘need to know’ principle, access to sensitive and security-classified information or assets necessitates a high level of assurance as to a person’s integrity. This is due to the potential harm associated with compromise of that information. Any person with an ongoing need to access security-classified information must have a valid security clearance to the appropriate level.

Minimum security clearance levels for access to each information classification level are detailed below.

Required security clearance to access information

Sensitive information:

  • OFFICIAL (BIL 1 – Low): security clearance not required; pre-employment screening is sufficient.
  • OFFICIAL: Sensitive (BIL 2 – Low to medium): security clearance not required; pre-employment screening is sufficient.

Security-classified information:

  • PROTECTED (BIL 3 – High): Baseline security clearance or above.
  • SECRET (BIL 4 – Extreme): Negative Vetting 1 security clearance or above.
  • TOP SECRET (BIL 5 – Catastrophic): Negative Vetting 2 security clearance or above.

Access to caveated information that involves a codeword[4] requires a briefing and may require a Negative Vetting 1 level, Negative Vetting 2 level, Positive Vetting level or TOP SECRET-Privileged Access security clearance as well as other requirements.

Security clearance exemptions

Some Australian office holders do not need a security clearance to access security-classified information while exercising duties of their office. Australian office holders who do not require a security clearance are:

  • Members and senators of the Commonwealth and state parliaments and territory legislative assemblies
  • Judges of the High Court of Australia, the Supreme Court, Family Court of Australia, the Federal Circuit Court of Australia, and magistrates
  • Royal commissioners
  • The Governor-General, state governors, Northern Territory administrator
  • Members of the Executive Council – at federal and state and territory levels
  • Appointed office holders with enabling legislation that gives the same privileges as the office holders already identified, e.g. members of the Administrative Appeals Tribunal.

It is important to note that staff of the above office holders do not have an exemption from holding a security clearance.

Caveated information

All information must be assessed to determine its sensitivity or security classification, which is performed by the originator (this could be your agency or an individual who created or received the information). Some information may require additional protections as determined by the originator, which may be in the form of caveats.

Your agency is responsible for and must manage caveated material in accordance with the originator’s special handling requirements.

The originator may impose additional access or suitability requirements on top of the security classification. In these circumstances, the people accessing caveated information must meet all the clearance and suitability requirements imposed by the originator.

Some caveats limit access to information based on citizenship. Further information about caveats can be found in TAS-PSPF policy: Protecting official information (INFOSEC-2).

Temporary access to classified resources

There are some circumstances which may require facilitation of temporary access to security‑classified information. However, such instances must only be permitted when a correct risk assessment has been undertaken and the access required is not greater than SECRET.

Temporary access to security‑classified information may include:

  • short‑term[5] access, where the person does not hold a clearance at the appropriate level though has satisfied a genuine ‘need to know’ for operational benefit and the risks can be mitigated. This may include:
    • new people
    • people undertaking short‑term projects
    • people who are reasonably expected to have only incidental or accidental contact with security‑classified information (e.g. security guards, cleaners, external IT personnel, researchers and visitors such as children who do not have an ability to comprehend the classified information).
  • provisional[6] access, where the person has commenced a clearance process by providing all relevant details for assessment by an authorised vetting agency. The type of temporary access can be changed from short term to provisional once the authorised vetting agency has confirmed that the completed security clearance package has been received and advises your agency there are no initial concerns regarding the applicant.[7]

You must supervise all temporary access, which may include:

  • escorting visitors in premises where security-classified information is being stored or used
  • management oversight of the work of people who have the temporary access
  • monitoring or audit logging contact with security-classified information.[8]

Temporary access to TOP SECRET information must only be granted to people with an existing, valid Negative Vetting 1 security clearance.

Temporary access to caveated information must only be granted where all suitability requirements are also satisfied.

When you assess risk for temporary access to security-classified information, it is recommended that you consider the following:

  • the need for temporary access – can the need be filled by someone already holding the necessary clearance?
  • confirmation from the authorised vetting agency that the person has no identified security concerns and has not had a clearance cancelled or denied
  • what is the business impact of compromise to the information?
  • how access to the security-classified information will be supervised, including how access to caveated or compartmented classified information will be prevented
  • other risk mitigations, such as pre-employment screening checks, character assessments and/or knowledge of personal/work history.

Where you determine temporary access is suitable, it is recommended that you consult with the originator/owner of the information. Where appropriate, you can use confidentiality or non‑disclosure agreements to reinforce the requirements to protect the information.

  4. Refer to TAS-PSPF policy: Protecting official information (INFOSEC-2) for more details regarding caveats and codewords.
  5. Short‑term is considered a combined maximum of 3 months in any 12-month period, across all agencies.
  6. Provisional access may be granted to people up until their security clearance application is granted or denied.
  7. This information is available via your agency clearance sponsor, who will liaise with the authorised vetting agency.
  8. Monitoring and audit logging are key measures to control access to ICT systems and the information held on those systems. For further information, refer to TAS-PSPF policy: Robust technology and information systems (INFOSEC-3).
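The clearance table, the 'need to know' principle, caveat suitability and the temporary access rules above combine into a single access decision. The following Python script is an added illustration of that decision logic; it is not part of the TAS-PSPF or any agency system. It assumes a small set of clearance levels ordered as in the table, treats the "3 months in any 12-month period" short-term limit as 90 days, and uses a constructed codeword caveat name; the `Person`, `Resource` and `decide` names are the example's own.

```python
from dataclasses import dataclass
from enum import IntEnum


# Clearance levels ordered from lowest to highest, as named in the policy's table.
class Clearance(IntEnum):
    NONE = 0      # pre-employment screening only
    BASELINE = 1
    NV1 = 2       # Negative Vetting 1
    NV2 = 3       # Negative Vetting 2
    PV = 4        # Positive Vetting


# Minimum clearance for standing access, taken from the policy's clearance table.
REQUIRED_CLEARANCE = {
    "OFFICIAL": Clearance.NONE,
    "OFFICIAL: Sensitive": Clearance.NONE,
    "PROTECTED": Clearance.BASELINE,
    "SECRET": Clearance.NV1,
    "TOP SECRET": Clearance.NV2,
}

# Assumption: the "3 months in any 12-month period" short-term limit is counted as 90 days.
SHORT_TERM_LIMIT_DAYS = 90


@dataclass(frozen=True)
class Person:
    name: str
    clearance: Clearance
    need_to_know: bool
    caveat_briefings: frozenset = frozenset()   # caveats the person is briefed and suitable for
    short_term_days_used: int = 0               # short-term access already used, all agencies, last 12 months
    vetting_package_received: bool = False      # vetting agency confirmed the package, no initial concerns


@dataclass(frozen=True)
class Resource:
    classification: str
    caveats: frozenset = frozenset()


def decide(person, resource, mode="standing", requested_days=0, risk_assessed=False):
    """Return (granted, reason). mode is 'standing', 'short_term' or 'provisional'."""
    required = REQUIRED_CLEARANCE.get(resource.classification)
    if required is None:
        return False, f"unknown classification {resource.classification!r}"
    # 'Need to know' applies to every classification and regardless of seniority.
    if not person.need_to_know:
        return False, "no need to know"
    # Caveats add briefing and suitability requirements on top of the clearance level;
    # this applies to temporary access as well.
    missing = resource.caveats - person.caveat_briefings
    if missing:
        return False, f"caveat requirements not met: {sorted(missing)}"
    if person.clearance >= required:
        return True, "standing access: clearance meets the minimum for this classification"
    if mode == "standing":
        return False, f"{person.clearance.name} is below the required {required.name}"
    # Temporary access paths: only after a risk assessment, and TOP SECRET only for NV1 holders.
    if not risk_assessed:
        return False, "temporary access requires a risk assessment"
    if resource.classification == "TOP SECRET" and person.clearance < Clearance.NV1:
        return False, "temporary TOP SECRET access requires an existing, valid NV1 clearance"
    if mode == "short_term":
        if person.short_term_days_used + requested_days > SHORT_TERM_LIMIT_DAYS:
            return False, "short-term limit of 3 months in any 12-month period would be exceeded"
        return True, "short-term access granted: supervise and audit log all contact"
    if mode == "provisional":
        if not person.vetting_package_received:
            return False, "provisional access needs vetting agency confirmation of the clearance package"
        return True, "provisional access until the clearance is granted or denied: supervise and log"
    return False, f"unknown access mode {mode!r}"


if __name__ == "__main__":
    # Constructed sample people and resources.
    analyst = Person("analyst", Clearance.NV1, need_to_know=True)
    contractor = Person("contractor", Clearance.BASELINE, need_to_know=True, short_term_days_used=70)
    secret_file = Resource("SECRET")
    codeword_file = Resource("TOP SECRET", frozenset({"CODEWORD-EXAMPLE"}))  # constructed caveat name
    print(decide(analyst, secret_file))
    print(decide(contractor, secret_file, mode="short_term", requested_days=30, risk_assessed=True))
    print(decide(analyst, codeword_file))
```

The ordering of the checks matters: 'need to know' and caveat suitability are evaluated before the clearance level, so a highly cleared person without an operational need, or without the caveat briefing, is refused with a reason that names the actual gap rather than the clearance.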
Required action: Develop or implement agreements to protect information

Risks may arise when you share information outside of the Tasmanian Government and its agencies, because the TAS-PSPF only applies to Tasmanian Government agencies and their subsidiaries. For this reason, when your agency shares information externally, you should consider the need for written agreements which address how the information is to be used and the necessary protections that must be applied to it.

Agreements detailing information disclosure requirements provide a level of assurance that your external stakeholders understand their obligations to protect government information. The following factors may be relevant when considering whether a written agreement is necessary before sharing information:

  • whether the nature of the work requires access to information protected by the Personal Information Protection Act 2004 – if so, you should include contractual measures to ensure the principles of the Act are upheld
  • if the information is subject to any legislative secrecy provisions
  • whether the aggregation of information to be shared increases the business impact level of potential compromise
  • what type of access is being granted and the level of supervision and control that your agency will have over the personnel granted access.

To support information protection when involving external stakeholders, it is recommended that you implement regular monitoring of the security controls, service definitions and delivery levels that are included in any deed or contract agreement. This may be in the form of contractual milestone obligations, regular reviews, and audits of services.

Required action: Manage access

Once your agency has established appropriate policies and procedures surrounding access to information, you must manage any access granted, where necessary. To do this, your information and technology systems need to be well-structured and robust, providing your people with the right tools and access to conduct their duties.

When providing access to your agency’s networks, operating systems, applications, and information, you should consider the following methods for control:

  • establishing a clear understanding of the information held on the system/s
  • effective user identification and authentication practices.

User identification, authentication and authorisation practices

To adequately protect your agency’s information, you should know who is accessing it and when. It is important to mitigate the risks of unauthorised or inappropriate access to and use of information; to do so, you must establish formal user registration and deregistration procedures for granting and revoking access to information systems.

Your people who access information systems must be authenticated on each occasion they seek access to the system. Establishing processes that uniquely identify each user in your agency ensures greater accountability that information is being accessed appropriately.

You can authenticate access by using various methods, including:

  • passphrases or passwords
  • biometrics
  • cryptographic tokens
  • smart cards.

You may reduce the risk of user accounts being compromised by:

  • using multi-factor authentication (2 or more authentication methods) where users provide something they know, like a passphrase; something they have, like a physical token; and/or something they are, like biometric data
  • increasing the complexity of single authentication methods (such as passphrases or passwords) by increasing the minimum password length and using a mix of alphanumeric and special characters.

Some users and types of system access carry greater risk because of the nature of that access: for example, system or network administrators and managers, database administrators, privileged users, positions of trust, and remote access users.

High‑risk users should be required to access relevant systems using multi-factor authentication to confirm their identity on each occasion of access.
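The multi-factor requirement above only holds when the factors come from different categories (something you know, have or are); a password plus a PIN is still a single category. The following Python script is an added example, not part of the TAS-PSPF, of checking an authentication configuration against the guidance in this section. The category mapping for the listed methods, the treatment of a PIN as a second 'something you know', and the minimum passphrase length of 14 characters are the example's own assumptions; the policy itself gives no number.

```python
import string

# Factor category of each authentication method named in the policy (PIN added as an assumption).
FACTOR_CATEGORY = {
    "passphrase": "know",
    "password": "know",
    "pin": "know",               # assumption: a PIN is another 'something you know'
    "biometric": "are",
    "cryptographic_token": "have",
    "smart_card": "have",
}

# Assumption: minimum length for a passphrase used on its own; the policy sets no figure.
MIN_PASSPHRASE_LENGTH = 14


def factor_categories(methods):
    """Distinct factor categories covered by a list of method names."""
    unknown = [m for m in methods if m not in FACTOR_CATEGORY]
    if unknown:
        raise ValueError(f"unknown authentication methods: {unknown}")
    return {FACTOR_CATEGORY[m] for m in methods}


def is_multi_factor(methods):
    """True only when at least two different categories are used, not two of the same kind."""
    return len(factor_categories(methods)) >= 2


def passphrase_complexity_ok(passphrase):
    """Length plus a mix of letters, digits and special characters, per the guidance."""
    has_alpha = any(c.isalpha() for c in passphrase)
    has_digit = any(c.isdigit() for c in passphrase)
    has_special = any(c in string.punctuation for c in passphrase)
    return len(passphrase) >= MIN_PASSPHRASE_LENGTH and has_alpha and has_digit and has_special


def assess_login(high_risk, methods, passphrase=None):
    """Return (acceptable, reason) for an authentication configuration.

    high_risk marks administrators, privileged users, positions of trust and remote users,
    who must use multi-factor authentication on every access.
    """
    multi = is_multi_factor(methods)
    if high_risk and not multi:
        return False, "high-risk user must authenticate with multi-factor authentication"
    if not multi and ("passphrase" in methods or "password" in methods):
        # A single knowledge factor must at least meet the length and complexity policy.
        if passphrase is None or not passphrase_complexity_ok(passphrase):
            return False, "single-factor passphrase does not meet the length and complexity policy"
    return True, "authentication meets policy"


if __name__ == "__main__":
    # Constructed sample configurations.
    print(assess_login(True, ["password", "pin"]))                      # same category twice: refused
    print(assess_login(True, ["passphrase", "smart_card"]))              # know + have: accepted
    print(assess_login(False, ["password"], "short1!"))                  # weak single factor: refused
    print(assess_login(False, ["passphrase"], "Correct-Horse-Battery-9!"))
```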

Authorising access to ICT systems

Adopting robust authorisation processes will help you control access to your agency’s ICT systems, networks (including remote access), infrastructure and applications. It is recommended that you implement measures to manage authorised access to any system holding your sensitive and security-classified information.

Types of access authorisation and recommended measures are outlined below.

User access management

Ensure that systems for managing passwords are interactive and require users to follow good security practices in the selection and use of passwords or passphrases.

Authorised network access

Consider the use of automatic equipment identification as a means to authenticate connections from specific locations and equipment. Control physical and logical access to diagnostic and configuration ports.

Restrict the ability of users to connect to shared networks, including those that extend across agency boundaries.

Segregate groups of information services, users and information systems, based on an agency risk assessment.

Implement routing controls for networks to ensure computer connections and information flows do not breach other relevant access management measures.

Authorised operating system access

Control access to operating systems through a secure log-on procedure.

Restrict and tightly control the use of utility programs that may be capable of overriding system and application controls.

Display restricted access and authorised use only (or equivalent) warnings upon access to all agency ICT systems and shut down inactive sessions after a defined period of inactivity.

Consider restricting connection times to provide additional security for high-risk applications.

Application and information access

Afford sensitive systems a dedicated (isolated) computing environment, in accordance with your risk assessment.

Mobile computing and communications

Adopt security measures to protect against the risks of using mobile computing and communications facilities.

References and resources
Version control and change log

First publication: April 2023

Revision: February 2024

Next review date: December 2024

Change log:

  • V1.0 April 2023
    • Policy issued
  • V2.0 February 2024
    • Definition: 'core requirement' updated
    • Definition: 'originator' updated
    • Definition: 'protected information' removed and replaced with 'security classified'
    • Definition: 'Responsible Executive' added
    • Definition: 'supplementary requirement' updated
    • Original supplementary requirement 'b' removed – duplication of footnote at supplementary requirement 'a'
    • Updated supplementary requirement 'c' – replaced 'protected information' with 'security classified information'