Set up controls for sensitive information
Limit access to sensitive information and records. The Protective Security Policy Framework sets out the government protective security policies that support this countermeasure.
Why this countermeasure matters
Not controlling access to sensitive information and records can lead to individuals:
- accessing, manipulating or releasing sensitive information without authority
- using sensitive information to improperly influence decisions
- using sensitive information to coerce others to act in an involuntary manner
- stealing physical records.
How to put this countermeasure in place
Some ways to implement this countermeasure include:
- restricting and monitoring access to the records of high profile individuals
- restricting and monitoring access to sensitive information
- storing protected information in secure environments.
How to measure this countermeasure's effectiveness
Measure the effectiveness of this countermeasure using the following methods:
- Confirm controls comply with the Protective Security Policy Framework. This includes security requirements for:
- sensitive and classified information
- access to information
- safeguarding information from cyber threats
- robust ICT systems
- physical security for entity resources
- entity facilities.
- Confirm the existence of additional controls for more sensitive information.
- Review procedures or guidance to confirm it clearly specifies what constitutes sensitive information.
- Obtain and review requirements for who can access sensitive information.
- Confirm the existence of a request and approvals process for accessing sensitive information.
- Confirm request and approvals processes are consistently applied.
- Review procedures for requesting access to sensitive information, confirm the processes are robust and actively test them if required.
- Review the need for Security Clearances for accessing sensitive information and confirm staff have the minimum level of clearance.
- Undertake testing or a process walk-through to confirm that someone cannot get around access processes.
- Undertake checks to confirm compliance with clear desk policies.
- Confirm access to sensitive information is regularly reviewed and reconciled.
This type of countermeasure is supported by: