INFOSEC-2: Protecting official information

The INFOSEC-2: Protecting official information policy and guidance will assist agencies to achieve an effective protective security outcome within the information security domain of the TAS‑PSPF. They address core requirement 8 and its supplementary requirements.

Agencies will adopt the Australian Government’s Protective Security Policy Framework and related documentation for the classification, protective marking, transfer, handling and storage requirements of information (in any format) relative to its value, importance and sensitivity.

To achieve the standards required relating to the classification, protective marking, transfer, handling and storage requirements of information, the Accountable Authority will:

1. implement processes that ensure information is assessed, marked and managed in alignment with policies and protocols or the assigned security classification
2. provide and regularly promote awareness of information protection practices, including secure information sharing and handling expectations, along with privacy obligations
3. determine appropriate information classification based on assessment of the information and/or technology assets holding that information, applying relevant controls, protections, processes, and handling standards
4. when assessing sensitivity and security, the classification should be set at the lowest reasonable level to protect its confidentiality, integrity or availability from compromise or harm
5. ensure all information (including emails) is clearly identified with the correct protective markings^[1]
6. adopt the Tasmanian Information and Records Management Standard, particularly in the creation of metadata, when records are created or captured, and ensure metadata reflects any protective markings^[2]
7. when transferring, migrating or transmitting sensitive or security-classified information, ensure adequate processes exist to deter and detect any form of compromise to that information
8. manage and report breaches or security incidents to the Agency Security Advisor (ASA)^[3]
9. comply with storage requirements for sensitive and security-classified information, ensuring appropriate secure containers and zones are applied as necessary
10. ensure compliance with secure disposal of sensitive and security-classified information.

Agencies have varied operating environments and associated risks which influence agency risk appetite and tolerance. The TAS‑PSPF states agencies must apply protections to information, based on assessed value and business impact levels to ensure consistent application.

Accountable Authorities should consider the value of their information as an aggregate when applying mitigations and upholding compliance with the TAS‑PSPF.

1. According to the assessed value and business impact of any compromise to the information as determined necessary.

   [Back]

2. Tasmanian Information and Records Management Standard (PDF)

   [Back]

3. Types of breaches include, but are not limited to, information privacy and all data, cyber, electronic and physical information breaches/incidents.

   [Back]

Information security is a key component of your agency’s protective security regime. This policy and guidance details how to appropriately assess the sensitivity or security classification of your agency’s information and adopt marking, handling, storage, and disposal arrangements that guard against information compromise.

Official information refers to all information that is created, sent, or received as part of the work of the Tasmanian Government. This information is an official record, and it provides evidence of what an agency has done and why. It can be collected, used, stored, and transmitted in various ways, including electronic, physical, and verbal.

Information is a valuable asset, meaning that any compromise – accidental or deliberate – may have an adverse impact on your agency, another agency, the community or the Tasmanian Government. Therefore, protecting the confidentiality, integrity and availability of all information is crucial. All official information must be protected according to the assessed business impact that any compromise of the information could cause.

Information compromise may include:

• loss
• misuse
• interference
• unauthorised access
• unauthorised modification
• unauthorised disclosure.

Sensitive and security‑classified information

Determining the classification of information in the Tasmanian Government promotes responsible management of information, open and transparent government, and accountability. The originator of information (this could be your agency or an individual who created or received the information) must assess the sensitivity of that information and determine the classification based on the likely damage as a result of compromise to the information’s confidentiality. Only the originator can change the sensitivity or security classification applied to its information. Upon determining the sensitivity of the information, it should be appropriately classified and protected.

This policy (INFOSEC-2) requires agencies to implement controls to protect information holdings in proportion to their value, importance and sensitivity. While there is a focus towards sensitive and security‑classified information, all official information requires an appropriate degree of protection.

Effective protection of information requires the correct assessment, marking and management of that information, according to the assigned classification. For further information, refer to Annexure 1.

Procedures to support protection

To support protection of information, agencies are required to implement processes which ensure information is assessed, marked and managed according to the assigned classification. When developing procedures for your agency, consider limiting any access to sensitive or security‑classified information according to a ‘need to know’ (i.e. for an operational or organisational requirement). This will address the risk of unauthorised access and associated damage.

Your agency’s information security measures should be applied in accordance with your agency’s security plan. This may require you to implement protections in particular ways according to your specific risk and operating environments. You may need to apply a higher level of protection to meet business needs or to address your agency’s security risks.

When developing procedures to support the protection of information, you must consider how you will maintain the confidentiality, integrity and availability of that information, particularly in the case of compromise.

• Confidentiality – by limiting access to, and the distribution of, information to authorised individuals only.
• Integrity – by making sure that effective security measures are in place to ensure that information creation, access, amendments and deletion is only performed by authorised individuals by intended means.
• Availability – by allowing access to information by authorised people for authorised purposes, and ensuring appropriate procedures are in place to support this access when it is needed.

It is important to understand and assess your agency’s risks in relation to access to information, along with consideration of the aggregate value of your agency’s information. While some information may only be considered as sensitive on its own, when aggregated with other available information, the value and outcome of any compromise increases. Refer to Annexure 2 for questions you should consider when assessing risks to your agency’s information.

The development and implementation of information security policies and procedures should support your agency’s security plan and assist staff in understanding their responsibilities in the protection of information. Refer to Annexure 3 for example topics which may be covered in information security policies and procedures.

Applying protective markings

To provide protection to your agency’s sensitive or security‑classified information, you must use protective markings which indicate the information’s classification and any additional handling requirements. Applying protective markings helps users (as a visual) and systems (e.g. your agency’s email gateway) to control the distribution of information.

The originator of any information is responsible for assessing and applying a classification; therefore, the originator must then apply the relevant protective markings to the information.

For more information, refer to the section Protective markings in this guidance document.

Applying caveats and accountable material

Caveats are applied to information, as a warning, in addition to an appropriate security classification, where special protections are required above those indicated by the classification. Caveats are not a standalone classification and must only be used in connection with a classification protective marking.

For more information, refer to the section Protective markings in this guidance document.

Limiting access

The TAS-PSPF policy: Access to, and management of, official information (INFOSEC‑1) requires the ‘need to know’ principle to be applied to all access of sensitive and security‑classified information. Limiting access on a ‘need to know’ basis guards against the risk of unauthorised access or misuse of information.

Records of disclosure and access

Monitoring and auditing your agency’s access to, and dissemination of, information plays an important role in the protection of information. Highly classified information or caveated information (such as TOP SECRET information or accountable material)^[4] must be recorded in an auditable register e.g. a Classified Document Register (CDR) or electronic document management system or repository. This register should be audited, with regular spot checks, and must document all incoming and outgoing information and material and transfers or copying of that material.^[5]

4. Accountable material is information requiring the strictest control over its access and movement.

   [Back]

5. Should your agency be a participant in a national community of interest (COI), the relevant COI manual/practices/procedures will stipulate any additional requirements for information handling.

   [Back]

The Accountable Authority is responsible for ensuring their people are aware of information protection practices, implemented both from this policy and any agency‑specific policies. This includes practices pertaining to secure information sharing and handling expectations, along with privacy obligations.

Privacy obligations

There are legislative requirements which apply to certain official information, impacting the parameters surrounding disclosure, use and handling. Under Section 3 of the Personal Information Protection Act 2004 a ‘personal information custodian’ is defined as:

• a public authority^[6]
• any body, organisation or person who has entered into a personal information contract relating to personal information
• a prescribed body.

Tasmanian Government agencies are public authorities and, as such, must comply with the Personal Information Protection Principles, under Schedule 1 of the Personal Information Protection Act 2004. Agencies must ensure their people are aware of any responsibilities under the Personal Information Protection Act 2004, in addition to the requirements of this policy.

Sharing and handling of information

Your agency is required to promote information protection practices, including secure sharing and handling expectations. Sharing and handling sensitive and security‑classified information must be in accordance with the protections required by the classification. Refer to Annexure 1 for information about minimum access protections.

Demonstrating good security practices and awareness when using sensitive and security‑classified information can include:

• remaining vigilant and aware of the environment
• selecting work environments based on their suitability to use the required information
• taking all necessary steps to reduce the risk of unauthorised access, use or removal of information
• appropriate physical handling procedures when information is being carried or is not in active use.

6. As defined under the Right to Information Act 2009.

   [Back]

Classifying information enables agencies to protect their information in a consistent, organised and appropriate way. The Tasmanian Government has elected to adopt the Australian Government’s Protective Security Policy Framework in relation to the classification of information. The information below sets out the approved security classifications for use across the Tasmanian Government.

7. This is a tool only and not intended to be proscriptive. However, using this tool will help you support the consistent assessment of the confidentiality, integrity and availability of information across the Tasmanian Government.

   [Back]

The originator must set the classification at the lowest reasonable level to enable information to be accessed by the highest number of people with an identified ‘need to know’. This requirement also helps to reduce over-classification of official information.

Over-classification of information can result in:

• access to official information being unnecessarily limited or delayed
• onerous administration and procedural overheads that add to costs
• classifications being devalued or ignored by staff and receiving parties.

The sensitivity or security classification can only be changed by the originator. If you consider that the application of a particular classification is inappropriate, you can query that original classification decision with the originator.

The originator must clearly identify sensitive and security‑classified information by using the applicable protective markings.

Caveats and accountable material

There are 4 categories of caveats:

• sensitive compartmented information (codewords)
• foreign government markings
• special handling instructions
• releasability caveats.

Accountable material is information requiring the strictest control over its access and movement. Accountable material includes:

• TOP SECRET security‑classified information
• some types of caveated information –
  • all codeword information
  • select special handling instruction caveats, particularly TAS CABINET information (see explanation in table below) at any security classification
• any classified information designated as accountable material by the originator.

What constitutes accountable material may vary from agency to agency;^[8] however, each agency is responsible for and must handle caveated or accountable material in accordance with the originator’s special handling requirements. You must not change caveats without approval from the originator.

Caveat type: Sensitive compartmented information (codewords)

8. Accountable material may include budget papers, tender documents and sensitive ministerial briefing documents.

   [Back]

9. Countries are identified using 3-letter country codes from International Standard ISO 3166-1:2020 Codes for the representation of names of countries and their subdivisions – Alpha 3 codes.

   [Back]

10. IMMs are not classifications and must only appear with an appropriate classification marking.

    [Back]

11. Example of a warning notice – Legislative secrecy warning: Unless you have written consent from [insert authority or relevant position], it is an offence under section XX of the XXX Act to [insert details of restrictions].

    [Back]

12. The RGB model is a manual colour selection function available in Word documents.

    [Back]

13. A colour allocation is not a requirement; however, if colour is to be applied it must comply with the RGB configuration.

    [Back]

14. Refer to the Australian Government’s email protective marking standard (PDF).

    [Back]

The Tasmanian Information and Records Management Standard describes the minimum requirements for managing information and records. It requires that you create metadata about records when they are created and/or captured. When you are considering the required protections of the record, metadata provides critical context and controls surrounding the access and use of information.

Protective marking in metadata

Within information on ICT systems, text-based protective markings are supplemented by metadata which assist to describe the security characteristics of the information or document.

From an information security perspective, the following metadata properties of importance are:

Under this policy (INFOSEC-2), agencies must ensure adequate processes exist to deter and detect any form of compromise to sensitive or security‑classified information which is being transferred, migrated or transmitted.

When information is in transit, the risk of compromise increases, particularly if your agency does not have control over the entire network/s.

Examples of transferring information include:

• passing information to a person within an office environment (i.e. within your agency’s facilities)
• sending information through your agency’s internal mail to a person who works in the same building
• sending information through your agency’s internal mail to a person who works in a different building
• handing or sending information to a person in another agency
• providing a person with a secure approved USB or other storage device that holds the information.

Examples of transmitting information include:

• emailing information to a person within your agency or in a different agency
• verbally communicating information to a person within your agency or another agency (e.g. by telephone or video conference).

Examples of migrating information include when your agency:

• replaces or upgrades existing storage systems and equipment
• changes from local storage to cloud‑based storage
• consolidates information systems.

If you are implementing processes to protect information in transit, start by ensuring that you apply the ‘need to know’ principle. You also need to ensure the appropriate security clearance of the recipient or security classification of the system that is performing migration.

Agencies must only transfer or transmit information for official purposes. When transferring or transmitting information for official purposes, you should identify recipients of sensitive and security‑classified information by:

• a specific position, appointment or named individual
• a full location address (not a PO Box or similar)
• an alternate individual or appointment where relevant (e.g. for TOP SECRET information)
• where information is being electronically transmitted, an email address exclusive to those individuals with a ‘need to know’ (e.g. not a mailbox with unrestricted access).

The sensitivity or classification of information being transmitted or transferred should be obscured and a tamper-evident seal used to deter and detect unauthorised access. You can achieve this by:

• using appropriate encryption methods for transferring information over a public network or through unsecured spaces
• using double envelopes for physical information, i.e. by placing security‑classified or accountable material inside 2 sealed envelopes.^[15]

Use of devices to transfer or transmit information

Devices such as laptops, notebooks, tablets, mobile phones and USBs can be used to transfer and transmit information. Protecting sensitive and security‑classified information that is being transferred or transmitted on these devices requires deterrence and detection from compromise.

Ways you can deter and detect information compromise and unauthorised access when devices are used include via password protection, multi-factor authentication, encryption of information at rest, and remote wiping capabilities.

Measures to control the transfer and transmission of information include the following.

• Receipts –
  • Receipts should identify the date and time of dispatch, the sender’s name and a unique identifying number. Use receipts for transfer and transmission of all classified information.
  • When using receipts, keep an appropriate record of each handover of information (e.g. a 2-part receipt in the inner envelope with the sender’s information, allowing the recipient to keep one portion and return the other to sender).
• Safe hand –
  • Safe hand refers to information which is dispatched to the recipient in the care of an authorised person who is responsible for the information’s carriage and safe keeping.
  • Sending information using safe hand establishes an audit trail which provides confirmation that the recipient has received the information and helps to ensure the information is transferred in an authorised and secure facility or vehicle.
  • To deter and detect any unauthorised access or information tampering, each handover of the information should include a receipt containing a unique identifying number, the time and date of the handover and the name and signature of the recipient.
  • To send information using safe hand, you must –
    • assign a unique identification number (generally this will be the receipt number)
    • transfer the information in a security briefcase^[16] or an approved mailbag^[17]
    • not leave the information/item unattended.
• Safe hand via an endorsed courier –
  • There are various couriers endorsed by the Security Construction and Equipment Committee (SCEC) who are suitable to provide safe‑hand courier services.^[18]
  • In the instance of transferring valuable or attractive assets (e.g. pharmaceuticals or money), special arrangements may be required, such as armed escorts.
  • Special handling requirements may apply to caveated information, which may preclude the use of a safe‑hand courier.

For further information about data migration, refer to Annexure 5 regarding minimum protections for information transfer or transit, and to TAS-PSPF policy: Robust technology and information systems (INFOSEC-3).

15. Double enveloping involves a) a tamper‑evident inner envelope to detect unauthorised access and b) an outer envelope to obscure the information’s sensitivity or classification and deter unauthorised access.

    The outer envelope should not be marked with the classification or other protective markings.

    The inner envelope can consist of an envelope or pouch sealed with a SCEC-approved tamper‑evident seal so that any tampering is detected, or a SCEC-approved single‑use envelope. The classification marking should be conspicuously placed on the inner envelope. Refer to the SCEC-approved SEEPL, via GovTEAMS, where users are required to register for an account and request access to the Protective Security community.

    [Back]

16. Refer to the SCEC’s Security equipment guide of Briefcases for the carriage of security‑classified information, via GovTEAMS, where users are required to register for an account and request access to the Protective Security Policy community.

    [Back]

17. Refer to the SCEC-approved SEEPL via GovTEAMS for further information.

    [Back]

18. ASIO T4 Protective security circular (PSC) 172.

    [Back]

The TAS-PSPF outlines security breaches and incidents including, but not limited to, information privacy and all data, cyber, electronic and physical information breaches/incidents.

With this in mind, any suspected or actual compromise of classified information is considered a security incident. The TAS-PSPF policy: Security advice and responsibilities (GOVSEC-2) requires agencies to respond to, investigate and report on security incidents. In addition to this, agencies must notify the owner or originator of the information as soon as practicable to the suspected or actual compromise.

It is recommended that you report any suspected or actual loss or compromise of SECRET or TOP SECRET information to the Department of Premier and Cabinet (DPAC) and the Australian Security Intelligence Organisation (ASIO).^[19]

19. Contact DPAC via Resilience and Recovery Tasmania, requesting to speak with a member from the Office of Security and Emergency Management. Contact ASIO via their Outreach team (02) 6234 1668.

    [Back]

Sensitive and security‑classified information must be stored securely to protect it from compromise. This also applies to mobile devices containing sensitive and security‑classified information. Your agency must store information securely and preserve it, in an environment which prevents unauthorised access, duplication, alteration, removal or destruction.

The Australian Government Information Management Standard requires agencies to ensure their information assets are accessible for as long as needed and are shared appropriately, according to relevant access, security and privacy rules, within a protected and trusted environment. To effectively achieve this, your agency must implement information classification practices and protective marking procedures, recognising the protections the information requires.

The protections of information ought to be removed as soon as those protections are no longer required due to changes in the sensitivity or security classification. Refer to Annexure 6 for guidance on minimum use and storage requirements.

Clear desk, session and screen locking

It is recommended that agencies establish clear desk, session and screen locking procedures. These measures provide protection from compromise or harm to unattended information or resources. These measures involve your agency’s people making sure that they:

• secure all hard-copy information
• lock any security containers as required
• not keep classified information on desks or in desk drawers
• lock device screens when not in use, or unattended.

The creation of information does not mean it lasts forever; this is dependent on the nature of the information. Information is managed for as long as it has a business need or value – once it no longer has a business need or value, your agency may not need to keep it. When your agency’s information is no longer required, you must archive, destroy, repurpose, or dispose of it in a secure manner.

Disposal of information includes the physical destruction of paper records, destruction of electronic records including deleting emails, documents or other data from business systems, transfer of records to another agency as a result of MoG changes and the transfer of records to a non-Tasmanian Government agency.

Under Section 20 of the Archives Act 1983, disposal and destruction of state records can occur under the requirement of law or with the written permission of the State Archivist, or in accordance with a practice or procedure approved in writing by the State Archivist. However, the Office of the State Archivist provides guidance on Retention and Disposal Schedules (RDS) which are a means to manage routine disposal without needing to seek authorisation from the State Archivist.^[20]

Destroying sensitive or security‑classified information

You can use various methods to securely destroy information, including:

• pulping
• burning
• pulverising – using a hammer mill
• disintegrating – by cutting and reducing the information particle size
• shredding – using crosscut shredders (standard strip shredders are not approved for the destruction of security‑classified information).

Methods for destroying digital information include:

• digital file shredding
• degaussing by demagnetising magnetic media to erase recorded data
• physical destruction of storage media through pulverisation, incineration or shredding^[21]
• reformatting, if it can be guaranteed that the process cannot be reversed.

Commercial destruction services

Your agency may use commercial destruction services to destroy classified information. You should review the appropriateness of a commercial provider’s collection process, transport, facility, procedures and approved equipment when considering engaging their destruction services. ASIO-T4 Protective Security Circular (PSC) 167 – Destruction of sensitive and security-classified information provides advice on engaging destruction services.^[22]

The criteria for commercial destruction includes ensuring that:

• classified information is attended at all times and that vehicle and storage areas are appropriately secured
• destruction is performed immediately after the material has arrived at the premises
• destruction of classified information is witnessed by a representative from your agency
• destruction service staff have a security clearance to the highest level of security‑classified information being transported and destroyed, or appropriately security cleared people from your agency escort and witness the destruction.

A number of commercial providers hold National Association for Information Destruction AAA certification for destruction services (with endorsements as specified in PSC 167 Destruction of security‑classified information). These commercial providers are able to destroy security‑classified information.^[23]

It is recommended that information classified TOP SECRET or accountable material be destroyed within your agency’s premises; the originating agency should request notification of destruction. The originator of some accountable material may apply special handling conditions that prevent information destruction being contracted out.

Refer to Annexure 7 for further information regarding the disposal of sensitive and security‑classified information.

20. Further information about RDS can be found on the website of the Office of the State Archivist website.

    [Back]

21. Refer to the Australian Government Information Security Manual for guidance on sanitation and destruction of ICT equipment and storage media.

    [Back]

22. Available via GovTEAMS, where users are required to register for an account and request access to the Protective Security Policy community.

    [Back]

23. To search for destruction services which are NAID AAA certified with PSPF endorsement, please visit the International Secure Information Governance & Management Association website.

    [Back]

Where is your agency vulnerable?

Identify areas where your agency may be vulnerable to information security breaches, either accidental or intentional. How might these vulnerabilities be exploited and what measures can you apply to limit the risk of compromise and harm?

What threats does your agency face?

What are the potential threats to your agency’s information security? Maintain contemporary knowledge of these threats. Who would benefit from having access to your agency’s information, what would they use it for and what is they would want?

What impact would an information security breach have?

Assess and understand how your agency would be impacted in the event your information security is breached. What is the confidentiality, integrity and availability of your information?

Are supply chain risks considered?

Supply chains are increasing in complexity, have you considered each part of your agency’s supply chain in your security risk assessment? Has your supplier verified their connections and dependencies?

Have the risks from collections of information been considered?

Any collections of information are considered as aggregated information. Aggregated information is typically more valuable than the singular pieces of information that together form the collection. In this situation, you should apply greater protections. What could be obtained from this collection if it were breached?

Aggregated information relates to both physical and ICT collections.

Are your current security measures sufficient?

Consider your existing measures – will they adequately protect your information from the risks identified? If your information security was breached and/or any data stolen – could your agency determine what has been lost and could you recover it?

• Copying of information
• Disposal of information
• Electronic transfer of information
• Handling of personal information
• Home based work security requirements
• Management of information within the office
• Management of outsourced services and functions
• Safeguarding of government information
• Use of security classifications
• The ‘need to know’ principle
• Physical transfer of informationSecurity container management
• Storage of information
• Electronic and removable media restrictions

24. Under the Personal Information Protection Act 2004, personal information is defined as: any information or opinion in any recorded format about an individual –

    1. whose identity is apparent or is reasonably ascertainable from the information or opinion; and
    2. who is alive or has not been dead for more than 25 years.
    [Back]

25. A compilation of information may be assessed as requiring a higher security classification where the compilation is significantly more valuable than its individual components. This is because the collated information reveals new and more sensitive information or intelligence than would be apparent from the main source records and would cause greater damage than individual documents. When viewed separately, the components of the information compilation retain their individual classifications.

    [Back]

26. This includes official records of Cabinet, Cabinet business lists, minutes, submissions, memoranda or matters without submission, and any other information that has been submitted or proposed to be submitted to Cabinet.

    [Back]

27. Serious organised crime as defined in the Convention Against Transnational Organised Crime.

    [Back]

28. Encryption must be applied unless the residual risk of not doing so has been acknowledged and accepted by the agency.

    [Back]

29. Authorised person is a person authorised in accordance with your agency’s procedures to transfer sensitive and classified information which has been secured from unauthorised access. The authorised person may physically move the information between establishments within or outside Australia. As the information has been secured from unauthorised access, the authorised person does not require a security classification to the level of sensitive or security‑classified information being transferred.

    [Back]

Protective marking

Text-based marking for OFFICIAL documents (including emails) is optional.

It is recommended that text markings are in capitals, bold, large fonts and a distinctive colour (red preferred).

Markings should be placed at the top and bottom of each page.

There is no requirement for colour-based marking of OFFICIAL information.

For paragraph grading indicators, OFFICIAL should be written in full or abbreviated to (O) and placed at the start or end of the paragraph or in the margin adjacent to the first letter.

Access

‘Need to know’ principle should apply for OFFICIAL information.

There is no security clearance requirement to access OFFICIAL information.

Use

OFFICIAL information can be used in security Zones 1-5 and outside agency facilities.

Storage

OFFICIAL information may be left unattended, subject to agency clear desk policies.

It is recommended that mobile devices that process, store or communicate OFFICIAL information are secured if left unattended.

Apply agency procedures for storage of OFFICIAL information. It is recommended that a lockable container is use in Zone 1 areas.

Carry

When carrying OFFICIAL information outside of agency facilities, apply agency procedures.

Transfer

When transferring OFFICIAL information, apply agency procedures for transfer by hand, internal mail or courier.

For transfer outside agency facilities, it is recommended that opaque envelopes/folders are used to minimise risk of unauthorised access.

Transmit

It is recommended to encrypt OFFICIAL information for any communication that occurs over public network infrastructure, or through unsecured spaces (including Zone 1 areas).

Official travel

OFFICIAL information or mobile devices can be taken on domestic and overseas travel.

Agency procedures should be applied, and environmental risks should be considered.

Disposal

OFFICIAL information should be destroyed securely.

Protective marking

Text-based marking must be applied to OFFICIAL: Sensitive documents (including emails).

It is recommended that text markings are in capitals, bold, large fonts and a distinctive colour (red preferred). Markings should be placed at the top and bottom of each page.

If text-based markings cannot be used, colour-based markings may be used. The preferred colour for OFFICIAL: Sensitive is a yellow colour.

For paragraph grading indicators, OFFICIAL: Sensitive should be written in full or abbreviated to (O:S) and placed at the start or end of the paragraph or in the margin adjacent to the first letter.

Access

The ‘need to know’ principle applies to all OFFICIAL: Sensitive information.

There is no security clearance requirement to access OFFICIAL: Sensitive information; agency screening processes are sufficient.

Use

OFFICIAL: Sensitive information can be used in security Zones 1-5.

For work outside agency facilities, including from home, external agency offices, cafes:

1. apply agency procedures which may include conducting a security risk assessment of the proposed work environment
2. exercise judgement to assess the environmental risk.

Storage

OFFICIAL: Sensitive information may be left unattended for short periods of time, subject to agency clear desk policies. It is recommended that all OFFICIAL: Sensitive information be stored securely when unattended.

Mobile devices that process, store or communicate OFFICIAL: Sensitive information may be left unattended if in a secured state, e.g. password protected, encrypted.

When storing OFFICIAL: Sensitive information inside agency facilities (Zones 1-5), store in a lockable container.

When storing OFFICIAL: Sensitive information outside agency facilities (including at home):

1. apply requirements for carrying outside agency facilities
2. use of opaque envelopes/folders and/or lockable containers is recommended
3. for regular, ongoing home-based work, an SCEC Class C container is recommended.

When storing mobile devices which process, store or communicate OFFICIAL: Sensitive information inside agency facilities (Zones 1-5): if in a secured state, recommend storing in lockable container; if in an unsecured state, a lockable container must be used.

Storage of mobile devices outside of agency facilities:

1. apply requirements for carrying outside agency facilities
2. apply agency procedures and exercise judgement to assess environmental risk
3. if in a secured or unsecured state, recommend storage in a lockable container.

Carry

When carrying OFFICIAL: Sensitive information:

1. inside agency facilities in Zones 1-5, an opaque envelope or folder is recommended.
2. outside or between agency facilities, including for external meetings, an opaque envelope/folder is recommended.

Mobile devices that process, store or communicate OFFICIAL: Sensitive information:

1. inside agency facilities, in Zones 1-5, carry in a secured state. If unsecured, apply agency procedures.
2. outside or between agency facilities, carry in a secured state. If unsecured, apply agency procedures.

Transfer

When transferring OFFICIAL: Sensitive information inside agency facilities:

1. in Zones 1-5, an opaque envelope/folder is recommended
2. transfer by hand.

When transferring OFFICIAL: Sensitive information outside agency facilities to another facility:

1. an opaque envelope/folder is recommended
2. transfer by hand, agency safe hand, safe‑hand courier
3. tamper‑evident packaging may be used.

Transmit

Electronic transmission of unencrypted OFFICIAL: Sensitive information must be over OFFICIAL secure networks (or higher). Encrypt OFFICIAL: Sensitive information for any communication that occurs over public network infrastructure, or through unsecured spaces (including Zone 1 areas), unless the risk of not doing so has been identified and accepted by the Accountable Authority.

Official travel

OFFICIAL: Sensitive information or mobile devices can be taken to external meetings and on domestic travel.

When travelling domestically with OFFICIAL: Sensitive information (or mobile devices that process, store or communicate OFFICIAL: Sensitive information), apply agency procedures and exercise judgement to assess environmental risk.

When travelling outside of Australia with OFFICIAL: Sensitive information:

1. apply agency procedures and exercise judgement to assess environmental risk
2. seek Department of Foreign Affairs and Trade (DFAT) advice on options to access information or devices at overseas destination.

OFFICIAL: Sensitive information (or mobile devices) should not be left unattended while travelling; however, apply agency procedures and exercise judgement to assess environmental risk.

Disposal

OFFICIAL: Sensitive information must be destroyed securely.

Protective marking

Text-based marking must be applied to PROTECTED documents (including emails).

It is recommended that text markings are in capitals, bold, large fonts and a distinctive colour (red preferred). Markings should be placed at the top and bottom of each page.

If text-based markings cannot be used, colour-based markings must be used. The preferred colour for PROTECTED is blue (RGB 79, 129, 189).

For paragraph grading indicators, PROTECTED should be written in full or abbreviated to (P) and placed at the start or end of the paragraph or in the margin adjacent to the first letter.

Access

The ‘need to know’ principle applies to all PROTECTED information.

Ongoing access to PROTECTED information requires a Baseline security clearance, or above.

Temporary access to PROTECTED information must be supervised.

Use

PROTECTED information can be used in security Zones 1-5.

Outside agency facilities (including at home):

1. apply agency procedures, which must include conducting a security risk assessment of the proposed work environment
2. for occasional home-based use, apply agency procedures and exercise judgement to assess the environmental risk.

Use of PROTECTED information outside agency facilities or the home (e.g. external agency offices, cafés) is not recommended, but if necessary:

1. apply agency procedures
2. exercise judgement to assess the environmental risk.

Storage

PROTECTED information must not be left unattended. Information must be stored securely when unattended.

Mobile devices that process, store or communicate PROTECTED information may be left unattended if in a secured state (e.g. password protected, encrypted).

When storing PROTECTED information inside agency facilities (Zones 2-5 only):

1. in Zones 4-5, store in a lockable container
2. in Zones 2-3, store in a SCEC approved Class C container.

It is not recommended to store PROTECTED information outside agency facilities (including at home), but if necessary:

1. apply requirements for carrying outside agency facilities
2. for regular, ongoing home-based work, install and store in a SCEC approved Class C or higher container
3. for occasional home-based work, retain in personal custody (positive control), or for brief absences from home, apply agency procedures and exercise judgement to assess environmental risk
4. return to agency facilities as soon as practicable.

When storing mobile devices which process, store or communicate PROTECTED information inside agency facilities (Zones 1-5):

1. in Zones 4-5, if in a secured state, recommend storing in lockable container; if in an unsecured state, you must use a lockable container
2. in Zones 2-3, if in a secured state, recommend storing in a lockable container; if in an unsecured state, store in a SCEC approved Class C container
3. in Zone 1, if in a secured state, store in a SCEC approved Class C container; if in an unsecured state, store in a higher security zone.

Storage of mobile devices outside of agency facilities:

1. apply requirements for carrying outside agency facilities
2. apply agency procedures and exercise judgement to assess environmental risk
3. if in a secured state, recommend storage in a lockable container; if in an unsecured state, store in a SCEC approved Class C container or higher.

Carry

When carrying PROTECTED information outside of agency facilities, information must be retained in personal custody (positive control) at all times.

Inside agency facilities, in Zones 1-5, in an opaque envelope or folder that indicates classification.

Outside or between agency facilities, including for external meetings, place in a security briefcase, pouch or satchel or recommended tamper-evident packaging.^[30]

Mobile devices that process, store or communicate PROTECTED information:

Inside agency facilities –

1. in Zones 2-5, if secured or unsecured, agency procedures are sufficient
2. in Zone 1, carry in a secured state.

Outside or between agency facilities, carry in a secured state; if in an unsecured state, carry inside a security briefcase, pouch or satchel and consider tamper-evident packaging.

Transfer

When transferring PROTECTED information inside agency facilities, in Zones 1-5, transfer by hand or agency safe hand, and apply all necessary handling requirements. Can be uncovered if transfer is in close proximity and there is a low risk of unauthorised viewing.

When transferring PROTECTED information outside agency facilities to another facility:

1. apply requirements for carrying outside agency facilities
2. transfer by hand, agency safe hand, safe‑hand courier rated to BIL 4, or Department of Foreign Affairs and Trade (DFAT) courier (use tamper‑evident packaging).

A receipt of transfer must be obtained.

Transmit

Electronic transmission of unencrypted PROTECTED information must be over PROTECTED secure networks (or higher). Encrypt PROTECTED information for any communication that is not over a PROTECTED network (or higher).

Official travel

PROTECTED information or mobile devices can be taken to external meetings and on domestic travel.

When travelling domestically with PROTECTED information (or mobile devices that process, store or communicated PROTECTED information):

1. requirements for carrying outside agency facilities must be applied, including tamper-evident packaging
2. information and/or device should be retained as carry-on baggage, but if not possible, try to observe entering and exiting the cargo hold and reclaim as soon as possible.

PROTECTED information (or mobile devices) should not be left unattended while travelling domestically. For brief absences from a hotel room, apply agency procedures and exercise judgement to assess environmental risk.

Travel outside of Australia with PROTECTED information is not recommended, but if necessary:

1. seek DFAT advice on options to access information or devices at overseas destination
2. apply agency procedures for carrying outside agency facilities
3. information and/or device must be retained as carry-on baggage, and travel must not occur, if airline requires baggage to be checked
4. do not leave PROTECTED information or devices unattended. Do not store while travelling (e.g. hotel safe). If storage is required, store in an Australian agency facility.

Disposal

PROTECTED information must be destroyed using a Class B shredder.

30. Refer to the SCEC-approved SEEPL via GovTEAMS for further information.

    [Back]

Protective marking

Text-based marking must be applied to SECRET documents (including emails).

It is recommended that text markings are in capitals, bold, large fonts and a distinctive colour (red preferred). Markings should be placed at the top and bottom of each page.

If text-based markings cannot be used, colour-based markings must be used. The preferred colour for SECRET is salmon (pink) (RGB 229, 184, 183).

For paragraph grading indicators, SECRET should be written in full or abbreviated to (S) and placed at the start or end of the paragraph or in the margin adjacent to the first letter.

Access

The ‘need to know’ principle applies to all SECRET information.

Ongoing access to SECRET information requires a Negative Vetting 1 (NV1) security clearance, or above.

Temporary access to SECRET information must be supervised.

Use

SECRET information can be used in security Zones 2-5.

Outside agency facilities, SECRET information must not be used for regular or ongoing work.

Home-based work is not recommended, but if necessary:

1. written managerial approval must be obtained
2. apply agency procedures and exercise judgement to assess environmental risk.

Storage

SECRET information (or mobile devices that process, store or communicate SECRET information) must not be left unattended. Information must be stored securely when unattended.

When storing SECRET information inside agency facilities:

1. in Zones 4-5, store in a SCEC approved Class C container
2. in Zone 3, store in a SCEC approved Class B container.

It is not recommended to store SECRET information outside agency facilities (including at home), but if necessary:

1. apply requirements for carrying outside agency facilities
2. retain in personal custody (positive control) or in a SCEC approved Class B (or higher) container for brief periods away from home that has been approved as a proper place of custody by the Accountable Authority or delegate
3. return to agency facilities as soon as practicable.

When storing mobile devices which process, store or communicate SECRET information inside agency facilities (Zones 2-5 only):

1. in Zones 4-5, store in a SCEC approved Class C container
2. in Zone 3, if in a secured state, store in a SCEC approved Class C container; if in an unsecured state, store in a SCEC approved Class B container
3. in Zone 2, if in a secured state, store in a SCEC approved Class B container; if in an unsecured state, store in a higher security zone.

Storage of mobile devices outside of agency facilities is not recommended, but if necessary (see use above):

1. apply requirements for carrying outside agency facilities
2. retain in personal custody (positive control), or in a SCEC approved Class C container that has been approved for use by the Accountable Authority or delegate.

Carry

When carrying SECRET information outside of agency facilities, information must be retained in personal custody (positive control) at all times.

Inside agency facilities:

1. in Zones 2-5, in an opaque envelope or folder that indicates classification
2. in Zone 1, carry in an opaque envelope or folder that indicates classification and place in a security briefcase, pouch or satchel.

Outside or between agency facilities, including for external meetings:

1. place in a security briefcase, pouch or satchel
2. recommended tamper-evident packaging.

Mobile devices that process, store or communicate SECRET must remain in personal custody (positive control) at all times.

Inside agency facilities:

1. in Zone 5, if secured or unsecured, agency procedures are sufficient
2. in Zones 2-4, carry in a secured state. If unsecured, apply agency procedures.
3. in Zone 1, carry in a secured state; if in an unsecured state, place inside a security briefcase, pouch or satchel.

Outside or between agency facilities, carry in a secured state; if in an unsecured state, carry inside a security briefcase, pouch or satchel and consider tamper‑evident seals.

Transfer

When transferring SECRET information inside agency facilities, in Zones 1-5, transfer by hand or agency safe hand, and apply all necessary handling requirements. Can be uncovered if transfer is in close proximity and there is a low risk of unauthorised viewing.

When transferring SECRET information outside agency facilities to another facility:

1. apply requirements for carrying outside agency facilities
2. transfer by hand, agency safe hand, safe‑hand courier rated to BIL 4, or Department of Foreign Affairs and Trade (DFAT) courier (use tamper‑evident packaging).

A receipt of transfer must be obtained.

Transmit

Electronic transmission of unencrypted SECRET information must be over SECRET secure networks (or higher). Australian Signals Directorate (ASD)’s High Assurance Cryptographic Equipment^[31] must be used to encrypt SECRET information for any communication that is not over a SECRET network (or higher).

Official travel

Travelling inside or outside of Australia with SECRET information or mobile devices is not recommended, but if necessary:

1. requirements for carrying outside agency facilities must be applied, including tamper-evident packaging
2. information and/or device must be retained as carry-on baggage, and travel must not occur if airline requires baggage to be checked.

SECRET information must not be left unattended. Do not store while travelling (e.g. hotel room safes). If storage is required, it must be within an appropriate Australian agency facility.

If access to SECRET information or mobile devices provided at overseas destination:

1. seek DFAT advice on options to access information or devices at overseas destination
2. requirements for carrying outside agency facilities must be applied
3. information and devices must be retained in personal custody (positive control) at all times or stored in an Australian agency’s facilities.

Disposal

SECRET information must be destroyed using a Class A shredder.

31. Refer to the Australian Cyber Security Centre Guidelines for Cryptography.

    [Back]

Protective marking

Text-based marking must be applied to TOP SECRET documents (including emails).

It is recommended that text markings are in capitals, bold, large font and a distinctive colour (red preferred). Markings should be placed at the top and bottom of each page.

If text-based markings cannot be used, colour-based markings must be used. The preferred colour for TOP SECRET is red (RGB 255,0,0).

For paragraph grading indicators, TOP SECRET should be written in full or abbreviated to (TS) and placed at the start or end of the paragraph or in the margin adjacent to the first letter.

Access

The ‘need to know’ principle applies to all TOP SECRET information.

Ongoing access to TOP SECRET information requires a Negative Vetting 2 (NV2) security clearance, or above.

Temporary access to TOP SECRET information can only be given to people who hold at least a Negative Vetting 1 (NV1) security clearance, and use must be supervised.

Use

TOP SECRET information can only be used in security Zones 3-5.

TOP SECRET information must not be used outside of agency facilities.

Storage

TOP SECRET information (or mobile devices that process, store or communicate TOP SECRET information) must not be left unattended. Information must be stored securely when unattended.

When storing TOP SECRET information (or mobile device) inside agency facilities:

1. in Zone 5, store in a SCEC approved Class B container
2. in Zones 3-4, store in exceptional circumstances only and for a maximum of 5 days
3. in Zone 4, store in a SCEC approved Class B container
4. in Zone 3, store in a SCEC approved class A container.

TOP SECRET information (or mobile devices) must not be stored outside agency facilities (including at home).

Carry

When carrying outside of agency facilities, TOP SECRET information must be retained in personal custody (positive control) at all times.

Inside agency facilities:

1. in Zones 3-5, in an opaque envelope or folder that indicates classification
2. carrying in Zones 1-2 is not recommended, but if necessary, carry in an opaque envelope or folder that indicates classification and place in a security briefcase, pouch or satchel.

Carrying outside or between agency facilities, including for external meetings, is not recommended, but if necessary:

1. obtain written manager approval
2. place in tamper-evident packaging within a security briefcase, pouch or satchel.

Mobile devices that process, store or communicate TOP SECRET information require explicit approval by ASD. All devices must remain in personal custody (positive control).

Inside agency facilities:

1. in Zones 3-5, carry in secured state (e.g. locked, password protected)
2. in Zones 1-2, carry in a secured state. If unsecured, place inside security briefcase, pouch or satchel.

Carrying outside or between agency facilities, including for external meetings, is not recommended, but if necessary:

1. obtain written manager approval
2. place in tamper-evident packaging within a security briefcase, pouch or satchel.

Transfer

When transferring TOP SECRET information inside agency facilities:

1. in Zones 3-5, transfer by hand or agency safe hand, and apply all necessary handling requirements. Can be uncovered if transfer is in close proximity and there is a low risk of unauthorised viewing
2. in Zones 1-2, transfer by hand or agency safe hand, apply all necessary handling requirements and obtain written manager approval.

When transferring TOP SECRET information outside agency facilities to another facility:

1. written managerial approval must be obtained
2. requirements for carrying outside agency facilities must be applied, including tamper-evident packaging
3. transfer by hand, agency safe hand, safe‑hand courier rated to BIL 5, or Department of Foreign Affairs and Trade (DFAT) courier.

A receipt of transfer must be obtained.

Transmit

Electronic transmission of unencrypted TOP SECRET information must be over TOP SECRET secure networks. ASD’s High Assurance Cryptographic Equipment must be used to encrypt TOP SECRET information for any communication that is not over a TOP SECRET network.

Official travel

TOP SECRET information and mobile devices that process, store or communicate TOP SECRET information, must not be stored or used outside appropriate agency facilities.

Travelling in Australia with TOP SECRET information or mobile devices is not recommended, but if necessary:

1. obtain written manager approval
2. requirements for carrying outside agency facilities must be applied, including tamper-evident packaging
3. information and/or device must be retained as carry-on baggage, and travel must not occur if airline requires baggage to be checked.

TOP SECRET information must not be left unattended. Do not store while travelling (e.g. hotel room safes). If storage is required, it must be within an appropriate Australian agency facility.

Do not travel overseas with TOP SECRET information or mobile devices that process, store or communicate TOP SECRET information. Seek DFAT advice on options to access information or devices at overseas destination.

If access to TOP SECRET information or mobile devices provided at overseas destination:

1. requirements for carrying outside agency facilities must be applied
2. information and devices must be retained in personal custody (positive control) at all times or stored in an Australian agency’s facilities.

Disposal

TOP SECRET information must be destroyed using a SCEC approved Class A shredder and destruction must be supervised.

• Australian Government, Protective Security Policy Framework - Policy 8: Classification system (PDF)
• Australian Government, Information Security Manual
• ASIO T4 Protective Security, Security Managers Handbook – Introduction to protective security measures available to authorised people via the GovTEAMS protective security community
• New Zealand Government, Protective Security Requirements, Information security
• South Australian Government, INFOSEC 1: Protecting Official Information (PDF)
• Tasmanian Government, Information and Records Management Standard (PDF)
• Tasmanian legislation
  • Archives Act 1983
  • Personal Information Protection Act 2004
  • Right to Information Act 2009
• Tasmanian Government, Retention and Disposal Schedules

First publication: April 2023

Revision: February 2024

Next review date: December 2024

Change log:

• V1.0 April 2023
  • Policy issued
• V2.0 February 2024
  • Definition: 'core requirement' updated
  • Definition: 'originator' updated
  • Definition: 'protected information' removed and replaced with 'security classified'
  • Definition: 'Responsible Executive' added
  • Definition: 'supplementary requirement' updated
  • Original supplementary requirement 'k' removed – duplication of requirements
  • BILs (p.38): removed financial specifics under OFFICIAL: Sensitive and PROTECTED column to suit Tasmanian context
  • BILs (p.40): added Australian Government before 'Cabinet' under the PROTECTED column to suit national context
  • BILS (p.41): removed financial value under Economy, at SECRET level for more relevance to Tasmanian context