Criterion I – Ability to ensure secure data management

I(a) How does your agency adhere to the separation principle? Example documentation to consider:
  • Evidence of user access management and segregation of duties (e.g. extracts from manuals or policies)
  • Information Security Policy and Plan
I(b) How does your agency’s audit program (internal and external) ensure the continued security of data? Example documentation to consider:
  • Audit plans and reports for relevant data security reviews
EITHER: Provide that your agency complies with the Australian Government Protective Security Policy Framework (or that it has to comply because it is subject to the Financial Management Accountability Act) OR ANSWER THE FOLLOWING QUESTIONS:
I(c) Do employees (including contractors) undergo police checks upon employment? Example documentation to consider:
  • Induction policy, procedures and checklist
I(d) How is access to your agency’s premises controlled? Example documentation to consider:
  • Physical security policy and procedures
  • Building access request form
  • Building access listing
  • Monitoring building access logs
I(e) How is your agency’s Internet gateway secured? Example documentation to consider:
  • Network diagram (i.e. identifying security controls over internet gateway)
  • Monitoring tools and reporting
I(f) Does your agency have an Information Security Policy and procedural plan (including protective control of data, secure ICT access and documented procedures)? Example documentation to consider:
  • Information Security Policy and procedures

