Cyber Security and Record Keeping

Guidance
Records Management Advice

This document provides guidance on managing information security risks associated with record keeping* and aligns with the 2024 Western Australian (WA) Government Cyber Security Policy.
* Refer to Section 3 (2) of the State Records Act 2000 for the definition of record keeping.

What is information or cyber security?

“Cyber security” or “information security” are terms which refer to the measures used to “protect digital information, information systems and assets from cyber threats and ensure their confidentiality, integrity and availability” (WA Government Cyber Security Policy 2024). 

Information Security and Record Keeping

Information (data and records) is a valuable public asset that is protected by maintaining it over time in appropriate systems and eventually disposing of it properly, or retaining it in perpetuity if it is a State archive (Principle, Information Management Framework for WA, 2024).

Government organisations rely on information assets to provide public services and ensure business continuity. 

The consequences of information loss and service disruption include financial loss, reputational harm and a loss of trust by the community in using the organisation’s digital services.

A comprehensive and systematic approach to information security will assist government organisations to reduce the level of risk to their information assets. 

Roles and Responsibilities Cyber Security and Record Keeping

Together, information security measures, including information management procedures, aim to ensure the confidentiality, integrity and availability of government information.

Information Security Considerations for Information Management

Secure information management practices must comply with the WA Government Cyber Security Policy 2024 (the Policy). The following list provides a summary of the clauses in the Policy relevant to information management.

Refer to the recommendations or actions in the WA Cyber Security Policy Clauses and SRC Standards Table.

  • 1.4 Cyber Security Governance  
    Each entity must establish governance of cyber security for their entity.
  • 1.5 Data Offshoring Governance 
    Each entity must define and understand its risks associated with data offshoring.
  • 1.6 Secure Device Disposal Governance  
    Each entity must maintain oversight of the secure disposal of devices, computers or media that hold digital information.  
  • 2.1 Cyber Security Context 
    To understand its cyber security context and as a basis for sound cyber security decision-making, each entity must maintain an inventory of their ICT environment including:
    2.1.a devices, servers and other ICT equipment 
    2.1.c critical databases and information assets.  
  • 2.2 Cyber Security Risk Management 
    Each entity is required to assess and manage information security risks to the entity, taking account of various factors including: 
    2.2.d critical information managed by the entity.  
  • 3.1 Australian Cyber Security Centre (ACSC) Controls (Personnel Management) 
    Each entity is required to implement ACSC controls, including 3.1.2.5 Personnel Management.
  • 3.5 Physical Security of Assets  
    Each entity must ensure that physical access to information technology and cyber security assets is managed to prevent unauthorised use and physical damage.
  • 3.6 Identity and Access Management  
    Each entity must implement appropriate management, monitoring and review of its user, customer and system accounts to prevent unauthorised access.
  • 6.1 Capability to Restore Services and Information  
    Each entity must have the capability to restore their services and information within the timeframes as defined by the entity’s Business Continuity Plan or Incident Management Plans. 

The SRO acknowledges the Department of Premier and Cabinet and the State Records Advisory Committee for contributing to the development of this advice.

 
