Protect sensitive information
Limit access to sensitive information and records. The Protective Security Policy Framework sets out the government protective security policies that support this countermeasure.
Why this countermeasure matters
Not controlling access to sensitive information and records can lead to individuals:
- accessing, manipulating or releasing sensitive information without authority
- using sensitive information to improperly influence decisions
- using sensitive information to coerce others to act in an involuntary manner
- stealing physical records.
How you might apply this countermeasure
Some ways to implement this countermeasure include:
- keeping login credentials confidential and secure
- restricting and monitoring access to the records of high-profile individuals
- restricting and monitoring access to sensitive information
- storing protected information in secure environments.
How to check if your countermeasures are effective
Here are some ways to measure the effectiveness of this type of countermeasure:
- confirm controls comply with the Protective Security Policy Framework. This includes security requirements for:
  - sensitive and classified information
  - access to information
  - safeguarding information from cyber threats
  - robust ICT systems
  - physical security for entity resources
  - entity facilities.
- confirm the existence of additional controls for more sensitive information
- review procedures or guidance to confirm that they clearly specify what constitutes sensitive information
- obtain and review requirements for who can access sensitive information
- confirm the existence of a request and approvals process for accessing sensitive information
- confirm request and approvals processes are consistently applied
- review procedures for requesting access to sensitive information, confirm that the processes are robust, and actively test them if required
- review the need for Security Clearances for accessing sensitive information and confirm staff have the minimum level of clearance
- undertake testing or a process walk-through to confirm that someone cannot get around access processes
- undertake checks to confirm compliance with clear desk policies
- confirm access to sensitive information is regularly reviewed and reconciled.
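Several of the checks above (approvals applied consistently, access to high-profile records monitored, access regularly reviewed and reconciled) reduce to comparing an access log against an approvals register. The following is an added illustration of that reconciliation, not code from this page or the Protective Security Policy Framework; the log format, register fields, user names and record identifiers are all constructed assumptions.

```python
"""Reconcile sensitive-record access logs against an approvals register.
Added example; the log format, register fields and sample data are assumed."""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Approval:  # one row of a (constructed) access approvals register
    user: str
    record: str
    start: datetime
    end: datetime


def ts(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def parse_access_log(lines):
    """Assumed log format: 'time,user,action,record' (one event per line)."""
    events = []
    for line in lines:
        line = line.strip()
        if line and not line.startswith("#"):
            when, user, action, record = line.split(",")
            events.append({"when": ts(when), "user": user, "action": action, "record": record})
    return events


def reconcile(events, approvals, high_profile):
    """Return accesses with no current approval, accesses to high-profile
    records (always listed for review), and approvals that were never used
    (candidates for revocation at the periodic access review)."""
    unapproved, flagged, used = [], [], set()
    for ev in events:
        covering = [ap for ap in approvals if ap.user == ev["user"]
                    and ap.record == ev["record"] and ap.start <= ev["when"] <= ap.end]
        used.update(covering) if covering else unapproved.append(ev)
        if ev["record"] in high_profile:
            flagged.append(ev)
    unused = [ap for ap in approvals if ap not in used]
    return {"unapproved": unapproved, "high_profile": flagged, "unused_approvals": unused}


APPROVALS = [  # constructed register: who may access which record, and when
    Approval("alice", "REC-0007", ts("2024-03-01T00:00:00Z"), ts("2024-03-31T23:59:59Z")),
    Approval("bob", "REC-0042", ts("2024-03-01T00:00:00Z"), ts("2024-03-31T23:59:59Z")),
    Approval("carol", "REC-0042", ts("2024-03-01T00:00:00Z"), ts("2024-03-31T23:59:59Z")),
]
HIGH_PROFILE = {"REC-0007"}  # constructed: record of a high-profile individual
LOG = [  # constructed access log lines
    "2024-03-04T09:12:00Z,alice,READ,REC-0007",
    "2024-03-05T14:03:00Z,bob,READ,REC-0042",
    "2024-03-06T16:40:00Z,bob,READ,REC-0007",   # bob holds no approval for this record
    "2024-04-02T08:00:00Z,alice,READ,REC-0007", # alice's approval has expired
]
RESULT = reconcile(parse_access_log(LOG), APPROVALS, HIGH_PROFILE)
```

Each finding maps to a check in the list: unapproved accesses show the approvals process is not consistently applied, the high-profile list is the monitoring record, and unused approvals are what the periodic review should revoke.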
This type of countermeasure is supported by:
Develop clear instructions and guidance for activities and processes, such as instructions for collecting the right information to verify eligibility or entitlements, procedures to help staff apply consistent and correct processes, and guidance to help staff make correct and ethical decisions.
Limit access to systems, data, information, physical documents, offices and assets.
Limit and control functionality within systems with user permissions. Assign permissions to users based on specific business needs, such as limiting high-risk functions to specialised users. The Protective Security Policy Framework sets out the government protective security policies that support this countermeasure.
Make sure sensitive or official information cannot leave your entity's network without authority or detection. The Protective Security Policy Framework articulates mandatory information security requirements to maintain the confidentiality, integrity and availability of all official information.
Personal and government information is highly sought after by fraudsters and organised criminals. The way data is collected and stored can also change the scale and impact of a potential breach. To better protect personal information, the minimal data required for a transaction should be collected, used and retained.
Allow clients, staff and third parties to lodge complaints about actions or decisions they disagree with. This may identify fraud or corruption as a cause for complaints, such as a failure to receive an expected payment.
Report on incidents or breaches to help identify if further investigation is required. Clients, public officials or contractors can take advantage of a lack of reporting and transparency to commit fraud, act corruptly and avoid exposure.