Whole of Government Digital Security Policy

Document Control
The Western Australian Whole of Government Digital Security Policy: version 1 - May 2016
Produced and published by: Office of the Government Chief Information Officer
Acknowledgements: The Policy was developed in collaboration with the Western Australian public sector agencies.
Contact:
Office of the Government Chief Information Officer
2 Havelock Street
WEST PERTH WA 6005
Telephone: (08) 6552 5444
Email: policy@gcio.wa.gov.au
Document version history
Date        Author    Version    Revision Notes
May 2016    OGCIO     1          Release
This document, the Western Australian Whole of Government Digital Security Policy, Version 1, is licensed under a Creative Commons Attribution 4.0 International Licence. You are free to re-use the work under that licence, on the condition that you attribute the Government of Western Australia (Office of the Government Chief Information Officer) as author, indicate if changes were made, and comply with the other licence terms. The licence does not apply to any branding or images.
License URL: https://creativecommons.org/licenses/by/4.0/legalcode
Attribution: © Government of Western Australia (Office of the Government Chief Information Officer) 2016
Notice Identifying Other Material and/or Rights in this Publication:
The Creative Commons licence does not apply to the Government of Western Australia Coat of Arms. Permission to reuse the Coat of Arms can be obtained from the Department of Premier and Cabinet.
The cover image by Askold Romanov is reproduced with the permission of istock.
Purpose
The purpose of the Western Australian (WA) whole-of-government Digital Security Policy (Policy) is to provide direction for the adoption and maintenance of security protection controls for digital information and digital information systems.
Objectives
The Policy aims to support:
Confidentiality – access to, and disclosure of, information, including government, personal and/or proprietary information, is subject to appropriate authorisation
Integrity – data is protected against unauthorised alteration or destruction, and any challenges to the authenticity of government information are prevented, giving citizens confidence in the way the WA Government protects and handles digital information, and
Availability – authorised users are provided with timely and reliable access to data and services.
Policy Requirements
Risk assessment concerning the security of data within your agency should be considered by the business. Agencies are to take a risk-based approach and apply risk-appropriate levels of security controls to protect their critical data, infrastructure and systems from digital threats.
Agencies must develop a risk register with controls for monitoring, prevention, protection, response and recovery of critical information systems and applications.
The risk register and controls must be reviewed regularly by an independent or trusted third party to remain contemporary and effective and to comply with policy standards.
Government agencies must comply with relevant legislation, regulations, Cabinet Conventions, policies, and contractual obligations requiring data to be available, safeguarded or lawfully used.
All relevant Government agency policies, standard operating procedures and work practices must include the provisions of the standards referenced on the Office of the Government Chief Information Officer (Office of the GCIO) website, ensuring security requirements are addressed at the earliest opportunity.
Principles
In establishing a strategy for addressing digital security, an agency or organisation must consider the aspects of governance, people, process and technology using principles recommended by Australian and international standards for digital security management.
Agencies must ensure they have:
Secure – protection of government data, communications technologies, and systems, including the systems of third parties transacting with government online.
Resilient – digital environments that demonstrate risk-appropriate standards and controls for managing digital security and the ongoing review and improvement of digital security controls across agencies.
Trusted – third parties providing digital security services must be compliant with this Policy.
Related Guidance
Agencies must ensure this Policy is incorporated into existing business processes for continuous improvement and is consistent with, and operates within, any applicable legislative, policy and strategic frameworks, including but not limited to:

Risk management is essential to the optimal operation of the public sector, as articulated in Treasurer's Instruction 825 Risk Management and Security.
Information and guidance on Digital Security is available from the Office of the GCIO website at www.gcio.wa.gov.au.
Definition of Terms
Digital Security Principles have been defined in accordance with the Principles of the Australian Government Information Security Manual 2015, Glossary of terms. Further information and definitions are available from: http://www.asd.gov.au/publications/Information_Security_Manual_2015_Principles.pdf.