Information Management Plan Map highlighting the Security stage of the process.

Appropriate informational, physical, cyber and digital security controls must be implemented and reflected in an Information Management Plan. The Plan should also require all systems to be designed in accordance with relevant standards to ensure they support the effective management and disposal of information.

Relationship to the Information Management Standard

To ensure information assets remain accessible and reliable, appropriate informational, physical, cyber and digital security controls need to be implemented. These controls include:

  • ensuring all information assets are saved into systems in a timely manner that meets the relevant Standards and whole-of-government security Frameworks to ensure they are protected from compromise (Behaviour 4.2)
  • implementing information security classifications for all information assets applicable to the sensitivity of that information (Behaviour 5.1)
  • reviewing and amending access restrictions on information as sensitivity alters (Behaviour 5.2)

Compromise includes, but is not limited to, loss, misuse, interference, unauthorised modification and unauthorised disclosure.

Any information assets that require protection, even at a low level, should be treated as sensitive.

The actual level of sensitivity of an information asset is determined by its level of confidentiality, security classification or the amount and type of personal information contained within it.

This will help ensure information assets are managed and stored appropriately and remain accessible for as long as required (Behaviour 2.6).

These controls should be reflected in your agency’s Information Management Plan (Plan) and / or information security policy. The Plan should also require all systems to be designed in accordance with relevant standards to ensure they support the effective management and disposal of information (Behaviour 2.5).

Relevant standards include the Minimum Recordkeeping Metadata Requirements Standard (Metadata Standard) and the Managing Digital Records in Systems Standard (Systems Standard).

State government agencies will also need to comply with the South Australian Protective Security Framework (SAPSF) and the South Australian Cyber Security Framework (SACSF) in developing and implementing security controls.

Relevant security controls should also be included in any contract with third party providers who manage and / or store information assets on behalf of government to ensure these assets are managed in accordance with the State Records Act 1997 (SR Act) and any other relevant legislation or policy. This includes ensuring security controls are implemented by the third party provider to ensure the agency’s information assets are:

  • stored appropriate to their information classification in accordance with relevant government security standards (for example SAPSF and SACSF)
  • protected against unauthorised access
  • protected in the event of an incident (for example flood, power outage or ransomware cyber-attack)
  • handled appropriate to their format and protected from physical harm.

For more information on contracts with third parties refer to the Contracting Standard and the Management and Storage of Temporary Value Information Assets Standard.

Security requirements

Your agency can use and implement several different controls to manage and monitor the security of information assets.

Information assets must be protected according to the impact misuse of such information could have on your agency’s business activities and functions.

Information Classification

Information classifications must be applied to information assets (Behaviour 5.1), including emails. A classification is determined based on the sensitivity of the information in question.

Systems, where possible, need to be configured to automatically assign access and edit permissions to information assets based on their information classification. Refer to the Systems Standard for more information.

Your agency should also apply access restrictions or permissions to information assets. Access restrictions or permissions should be regularly reviewed and removed as soon as they no longer apply or once sensitivity changes; this includes updating the systems that hold the information assets to reflect any changes made (Behaviour 5.2). Systems, where possible, should be configured to review access restrictions or permissions automatically as information classifications change.

State Government agencies need to ensure they apply information classifications in accordance with the SAPSF policy INFOSEC1: Protecting official information.

In addition to applying information classifications to the information assets, all cyber security risks must be managed in accordance with the SAPSF and SACSF when engaging third parties to access, store or otherwise handle information on behalf of the agency.

For further information on the SAPSF and how to apply the information classifications to the agency’s information assets, refer to the Department of the Premier and Cabinet’s website.

Personnel Security

Staff should only be given permission to access information if they meet the relevant suitability checks to access and / or view that information, particularly for staff in positions of trust who might have access over and above the average staff member in order to administer systems.

This ensures that information assets can only be accessed by staff, including contractors, with the relevant associated security or classification level. For example, before allocating permission to a staff member to access information on individual children within a system, the systems administrator must first verify they have a current and valid working with children clearance and national police clearance.

The greater the sensitivity of the information, the higher the level of suitability assessment that will be required (such as a national security clearance).

Processes should be developed and maintained to ensure all staff remain suitable for the position they hold. Your agency’s procedures for ongoing suitability assessment should be determined through risk assessments that consider:

  • the type of staff and employment (ongoing staff, temporary staff, security clearance holders etc.)
  • the staff member’s level of access to sensitive or security classified information and resources
  • your agency’s tolerance for security risks
  • any position specific risks
  • the individual’s personal risk profile

State government agencies should refer to the SAPSF for more detailed requirements in relation to personnel security, including recruitment, maintaining staff suitability and staff separation.

Physical security

Information assets (both hardcopy and digital) should be kept secure to protect them from:

  • physical interference or damage (such as theft, corruption, changes to environmental conditions, tearing, vermin, etc.) and
  • unauthorised access (such as having inappropriate security measures and uncontrolled access to storage areas).

An indicative list of requirements, with examples of appropriate controls, is in the table below.

The type of storage facility depends on the information assets’ format and their physical and chemical properties, their required retention period and accessibility requirements.

State government agencies should refer to the SAPSF for more detailed requirements for the physical security of information.

In addition to having adequate physical security controls in place, the storage facility must also be fit for purpose for storing information assets.

All information assets must be stored in a clean, environmentally and pest controlled storage area that is well ventilated with a minimum of natural light. Information assets must be packed in suitable containers appropriate to their format and on shelves that are fit for purpose. For more information refer to the Management and Storage of Temporary Value Information Assets Standard.

Table: Requirements for physical security (columns: requirement for physical security; examples of controls)

Requirement: Security arrangements for information assets stored onsite
Examples of controls:
  • intellectual and physical controls (for example file movement locations)
  • secure and access-controlled server rooms
  • secure and access-controlled storerooms for hardcopy information
  • fire protection facilities
  • key management
  • building security, including compartmentalisation of access to sensitive or secure content
  • vermin and climate (temperature, humidity, air quality and lighting) controls

Requirement: Security arrangements for information assets in use onsite
Examples of controls:
  • clean desk policy and practice
  • locked facilities for confidential or sensitive information (this includes access controls)
  • ensure hardcopy information cannot be seen in public-facing areas
  • ensure computer screens (containing corporate-only information) cannot be seen in public-facing areas

Requirement: Security arrangements for information assets stored or taken offsite
Examples of controls:
  • secure transport and handling
  • use only State Records and / or an approved service provider if using non-agency facilities
  • security is applied to offsite information assets taking into account the different risks of working outside your agency’s premises

Requirement: Information transmission
Examples of controls:
  • information assets and equipment are managed securely when taken out of the office for official purposes, including home-based work

Requirement: Ownership and custody arrangements

Requirement: Retention and disposal

Digital security

There are additional controls that apply for information assets stored in a digital environment regarding the accessibility, sharing, storage and disposal of information.

Information assets should only be accessible to those with appropriate permission and a need to know as defined by their security classification. Permissions for users should be clearly defined and assigned in the systems used (refer to the Systems Standard), and the relevant security metadata should be aligned to information assets (refer to the Metadata Standard) (Behaviour 2.5).

When sharing digital information, staff should ensure they use:

  • appropriate email controls for sending information to others (internally or externally), including applying the appropriate information classification according to the sensitivity of the information
  • secure applications or methods for sharing information externally, in particular over public network infrastructure
  • encryption of sensitive material.

Digital information assets should be stored appropriately and securely (Behaviour 2.6). Having a robust Information and Communication Technology (ICT) infrastructure ensures digital information assets remain secure and are not subject to unauthorised access, amendment or use.

This can be achieved through mechanisms such as secure logins, user authentication, encryption, and supervision or surveillance of data. Other digital security controls include applying the principle of least privilege (a user only has access to the specific information needed to complete the required task) or just-in-time access (access is granted for a limited, predetermined period of time, on an as-needed basis).
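As an added illustration of the controls described above and under Information Classification (automatic permissions driven by classification, automatic review when a classification changes, least privilege and just-in-time access), the following Python model is example code written for this page, not code from any agency system or the Standards. The classification ladder, the asset id "case-42" and the user names are constructed for the demonstration.

```python
from datetime import datetime, timedelta

# Illustrative classification ladder (constructed; the page names no specific scheme).
LEVEL = {"OFFICIAL": 0, "SENSITIVE": 1, "PROTECTED": 2}

class AccessRegistry:
    def __init__(self):
        self.assets = {}      # asset_id -> current classification
        self.clearance = {}   # user_id -> highest classification the user may see
        self.grants = {}      # (user_id, asset_id) -> expiry of a just-in-time grant

    def grant(self, user_id, asset_id, now, ttl_minutes):
        """Least privilege + JIT: only a cleared user gets access, and only for a fixed window."""
        if LEVEL[self.clearance[user_id]] < LEVEL[self.assets[asset_id]]:
            return False
        self.grants[(user_id, asset_id)] = now + timedelta(minutes=ttl_minutes)
        return True

    def can_access(self, user_id, asset_id, now):
        """A grant must exist, be unexpired, and still fit the asset's current classification."""
        expiry = self.grants.get((user_id, asset_id))
        if expiry is None or now >= expiry:
            return False
        return LEVEL[self.clearance[user_id]] >= LEVEL[self.assets[asset_id]]

    def reclassify(self, asset_id, new_classification):
        """Change an asset's classification and revoke grants that no longer fit (Behaviour 5.2)."""
        self.assets[asset_id] = new_classification
        revoked = [u for (u, a) in self.grants
                   if a == asset_id and LEVEL[self.clearance[u]] < LEVEL[new_classification]]
        for u in revoked:
            del self.grants[(u, asset_id)]
        return sorted(revoked)

def demo():
    """Constructed scenario: a JIT grant, its expiry, and auto-revocation after reclassification."""
    reg = AccessRegistry()
    reg.assets["case-42"] = "SENSITIVE"
    reg.clearance.update(alice="SENSITIVE", bob="PROTECTED")
    t0 = datetime(2023, 4, 21, 9, 0)
    out = {"alice_granted": reg.grant("alice", "case-42", t0, 30),
           "bob_granted": reg.grant("bob", "case-42", t0, 30),
           "alice_in_window": reg.can_access("alice", "case-42", t0 + timedelta(minutes=10)),
           "alice_expired": reg.can_access("alice", "case-42", t0 + timedelta(minutes=31)),
           "revoked": reg.reclassify("case-42", "PROTECTED")}
    out["alice_after"] = reg.can_access("alice", "case-42", t0 + timedelta(minutes=10))
    out["bob_after"] = reg.can_access("bob", "case-42", t0 + timedelta(minutes=10))
    return out
```

Because can_access re-checks the asset's current classification on every call, a user whose clearance no longer fits loses access immediately even before the revocation sweep runs.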

Incident recovery and business continuity regimes can also be built into the ICT infrastructure management plan.

Incident recovery planning is an important element of your agency’s Program. Measures can be put in place that ensure information assets continue to be accessible, managed, available and shared in the event of, and after, an incident. This is one security measure that aims to protect information assets against loss or irreparable damage (including corruption) because of an incident.

Your agency must also ensure any third party provider engaged to manage or store your agency's information assets has an incident recovery plan that includes the recovery of information assets in place.

When disposing of digital information assets, they need to be cleared using an appropriate method that ensures they are no longer accessible or capable of being recreated or reinstated. Disposal of any information assets must be done in accordance with the SR Act.

Page last updated: 21 April 2023