Information security FAQs
This page covers the importance of information security in NSW public offices, highlighting confidentiality, integrity, and availability. It explains compliance requirements and the roles of various stakeholders in managing sensitive data.
Information security is the preservation of the confidentiality, integrity and availability of information.
Confidentiality involves ensuring that information is accessible only to those authorised to have access.
Integrity involves safeguarding the accuracy, completeness and authenticity of information and processing methods.
Availability involves ensuring that authorised users have access to information and associated assets when required.
Information security applies to all forms of information (digital, paper-based or other) and includes the management of the software and/or communications technology systems and networks used for storing, processing, communicating and disposing of information.
In essence, managing information security involves protecting your information assets by implementing controls, including policies, procedures, organisational structures, infrastructure, and software and hardware functions, and by regularly reviewing those controls.
Cyber security covers the controls organisations must put in place to protect information stored in networks and systems against unauthorised access and attacks. It includes responding to evolving threats such as viruses/malware, hacktivism or phishing attempts.
Information is one of your organisation's most valuable assets: it needs to be protected.
Security threats and breaches can affect your organisation’s ability to protect personal safety or privacy, to safeguard infrastructure or to comply with its legal and other obligations.
Breaches of security can have significant impacts on business, including damage to its reputation and competitive edge.
Recordkeeping standards
The Standard on records management establishes requirements relating to vital (that is, business critical), high risk and high value records and information (see minimum compliance requirements 2.2, 2.3 and 3.4).
Specifically, agencies must:
- identify vital records, information, data, and systems
- identify high risk and high value records, information, data, and systems
- identify level of protection needed based on sensitivity, confidentiality and value
- assign roles and responsibilities for the management of vital, high value and high-risk records and information
- put in place controls according to their classification and relevant laws and regulations.
The Standard on the physical storage of State records also establishes requirements relating to all records in all formats, including security classified records or records which contain sensitive information (see minimum compliance requirements under Principle 6: Records are protected against theft, misuse, unauthorised access or modification).
Information collated in meeting the above requirements can be used to meet some of the reporting requirements of the NSW Government Cyber Security Policy.
Agencies that hold or access Commonwealth security classified information (for example, protected, secret, top secret) need to put in place controls according to the Australian Government's Protective Security Policy Framework.
The NSW Government Cyber Security Policy applies to all NSW Government departments and agencies. State-owned corporations, local councils and universities can adopt this policy.
The policy establishes mandatory requirements such as:
- identification of an agency’s most valuable or operationally vital systems or information
- implementation of regular cyber security education for employees, contractors and outsourced service providers
- implementation of, and maturity assessment against, the Australian Cyber Security Centre (ACSC) ‘Essential 8’ strategies to mitigate cyber security incidents
- reporting cyber security incidents to the Government Chief Information Security Officer.
Many organisations seek to or have achieved compliance with AS/NZS ISO/IEC 27002:2006 Information technology – Security techniques – Code of practice for information security management. This standard establishes guidelines and general principles for initiating, implementing, maintaining and improving information security management in an organisation, and contains best practice guidance on a number of areas of information security management. Compliance with this standard is one of the mandatory requirements set by the NSW Government Cyber Security Policy.
Information security is not just an ‘IT problem’. Technical measures need to be designed to meet real business requirements and supported by appropriate training, business rules and assigned responsibilities.
Information security, by necessity, requires a number of stakeholders. The Australian Standard recommends that a governance framework should be established to initiate and control the implementation of information security.
This includes establishing management accountabilities, assigning roles, establishing necessary external liaisons and monitoring industry trends. A multi-disciplinary risk-based approach is encouraged.
Some of the positions with accountabilities for information security may include:
- Business managers, who need to ensure security responsibilities are addressed at the recruitment stage and monitored during an individual’s employment, ensure staff are trained and kept up to date in security policy and procedures, and act on incidents affecting security
- Contract managers, who need to deal with in-confidence material
- Corporate records managers, who need to determine the application of security classifications/DLMs (dissemination limiting markers) to records based on the business context of the record, establish security and access controls within records systems, and monitor these systems
- Human resource management staff, who need to manage personal information
- ICT staff, who need to establish security controls in systems and protect ICT equipment from threats
- Risk management staff, who need to identify and manage the organisation's risks
- Users of the information service, who need to report observed or suspected weaknesses in security or threats to systems or services
- Facilities staff, who need to maintain the physical and environmental security of the building and particular secure areas.
Your organisation’s information security policy should outline the roles and responsibilities of different personnel.
The records and information management team can assist by:
- contributing their knowledge on the high-risk business areas of the organisation to the relevant team/staff (for example, IT, information security, risk, and governance)
- providing information on the organisation's vital or business critical, high risk and high value records and information to the relevant team/staff
- advising on issues relating to using cloud services for security classified records and information, or sensitive records that require additional controls
- establishing and managing disposal programs to ensure that records and information are destroyed according to relevant retention and disposal authorities.
See Relationship building: information security and information management for further advice.