The Protective Security Framework requires government agencies to have in place policies, processes and physical security measures to minimise or remove the risk of unauthorised access or harm to government resources, including information, IT hardware and software, employees and other assets or resources.
The security measures implemented for a data integration project may vary depending on the physical security protocols of the Commonwealth data custodian(s) and/or the assessed risk of the project. A number of physical control measures should be considered in the context of data integration projects, including:
- Control of access to all buildings or areas where confidential data is accessed or stored. This is required for all security classified information according to the Protective Security Framework and should apply in the case of all high-risk data integration projects.
- Sign-in registers for all visitors to the building.
- Reception personnel and/or contract guards.
- Wearing of photographic security passes.
- Procedures to escort and supervise contractors, consultants and other persons on site when in secure or non-public areas.
- Security surveillance and alarm systems (closed circuit TV (CCTV) cameras, etc.) to detect unauthorised access.
- Building access control barriers.
- Secure storage of sensitive and classified material, and high value assets, for example through clear desk and clear screen policies (required to comply with the Protective Security Framework). When unattended, sensitive information or high value assets should be stored in locked cabinets, containers or rooms, and computers should be locked by activating the screen saver or logging off.
Compliance with the Australian Government Protective Security Policy Framework will satisfy these data security requirements for data integration projects.
For more information about other aspects of data security see:
- Personnel security
- Physical security
- Information and communication technology security