Australian State Government requirements to Microsoft Purview capability mapping

This article is a component of the Australian Government Microsoft Purview Information Protection Guide. It lists the data security requirements of Australian state governments, offers suggestions on how requirements can be met via Microsoft Purview capabilities, and provides links to guidance on appropriate configuration.

Note

Many state government requirements align with those of the Australian Federal Government, such as those included in the Protective Security Policy Framework (PSPF) and Information Security Manual (ISM). Rather than duplicate guidance, readers are referred to relevant federal government guidance regarding configurations.

Australian Capital Territory

The Australian Capital Territory (ACT) government makes use of the ACT Government Protective Security Policy Framework (PSPF), which is similar to the Federal Government standard in intent, required labels, and Information Management Markers (IMMs). Therefore, the guidance in this guide is directly applicable to ACT Government.

New South Wales

New South Wales State (NSW) government uses the NSW Government Information Classification, Labeling and Handling Guidelines.

These requirements align with the Federal PSPF standard at a high level as both sets of requirements make use of UNOFFICIAL to PROTECTED labels. However, the NSW standard makes use of a different set of Dissemination Limiting Markers (DLMs) that don't align with the Federal labels:

"The OFFICIAL: Sensitive label is applied by the Australian Government, and other states and territories. The NSW Government won't apply this label to its information because the six DLMs used in NSW with the OFFICIAL: Sensitive prefix allows for the specificity required in NSW. This means that information labeled OFFICIAL: Sensitive is deemed to have originated from outside of NSW Government."

This means that sensitive NSW Government information isn't marked with federal labels, but is treated separately. For example, the label of 'OFFICIAL Sensitive - NSW Government' has no PSPF equivalent so translation to a PSPF label isn't appropriate.

There are three options that Federal Government organizations who collaborate with NSW Government should consider when designing their MPIP configuration:

  • Use of hidden labels where the admin implements a set of labels that aren't published to users, but are available to the auto-labeling service. Hidden labels allow for information generated by State Government organizations to receive similar protections to internal information without the need to relabel items with PSPF markings. For more information, see labels for organizations with differing label taxonomies.
  • Use of Sensitive Information Types (SIT) where organizations implement a set of SITs, which identify information marked with NSW Government labels. These SITs are used in DLP and other policy types to ensure that the information is treated appropriately. For more information, see custom sensitive information types.
  • Use of NSW aligned labels where organizations opt to apply labels to information received that most closely align with NSW Government markings. This can be manually actioned by users, potentially with the assistance of auto-labeling to suggest the most appropriate label (OFFICIAL: Sensitive in most cases). Using this approach, NSW visual markings still apply to items and are complemented with Federal equivalents on reply emails. This would help to ensure that the information is protected in line with tenant configurations while it resides in the environment. For more information, see recommendations based on external agency markings.

These options are also relevant to NSW Government organizations who are considering how best to handle information that is received with Federal PSPF markings, or markings applied by other state governments.

Northern Territory

The Northern Territory (NT) government makes use of the Northern Territory Government Public Sector Organization (NTG PSO): Security Classification System.

This system has partial alignment with Federal PSPF as UNCLASSIFIED and PROTECTED labels exist in the framework. However, it also makes use of CONFIDENTIAL and PUBLIC labels, meaning that organizations collaborating with the NT Government should consider methods for label translation or identification of NT Government CONFIDENTIAL information via the methods mentioned previously in the NSW government section in order to ensure that the information is secured while it resides in Federal Government Microsoft 365 environments.

NT Government organizations should consider the guidance in this document but add a PUBLIC label and substitute OFFICIAL: Sensitive for CONFIDENTIAL labels. The above points around protecting information from other jurisdictions are also relevant, so NT should implement Sensitive Information Types, unpublished labels, or client-based labeling recommendations as discussed in the NSW section.

Queensland

Queensland Government organizations are required to adhere to the Queensland Government Information Security Classification Framework (QGISCF).

Like NSW and NT, the Queensland government requirements differ from PSPF. However, QGISCF does make use of a similar topology of OFFICIAL, SENSITIVE, and PROTECTED labels, and the information provided in this document is relevant.

The QGISCF is intended to be compatible with the Australian Government Protective Security Policy Framework and Australian Government Information Security Manual. Because of this, Federal Government organizations should use auto-labeling to translate the information they receive from Queensland Government organizations into equivalent PSPF labels (SENSITIVE to OFFICIAL: Sensitive for example) to ensure that such information is within the scope of DLP and other protections while it resides in Federal Government Microsoft 365 environments. The reverse is applicable to Queensland Government organizations receiving Federal Government information.

South Australia

The South Australian (SA) Protective Security Framework (SAPSF) includes a policy named 'INFOSEC1: Protecting Official Information.' This policy aligns with the federal standard at a high level, noting some variations in terms of information management markers and caveats (for example, SA CABINET and Medical in Confidence). Due to this alignment, Federal Government organizations should be able to identify and protect sensitive SA Government items without significant variation to their configurations. The guidance provided in this document is relevant to SA Government without significant need for translation into local markings.

Federal Government organizations receiving information from SA Government agencies should consider how SA Government information is protected within their environments. Where appropriate, they should establish SITs or nonpublished sensitivity labels to capture SA specific markings, and DLP policies to apply appropriate protections (as covered under labels for organizations with differing label taxonomies).

SA Government organizations using this guide should consider that the SAPSF framework doesn't specify email metadata requirements such as X-Headers. This is a gap as without the specification, SA Government organizations might have difficulty maintaining classifications and associated protections as information is passed between organizations. Use of the Federal PSPF standard for this is appropriate for achieving email label translation (as covered in labeling of email during transport).

The approach used in PSPF X-Protective-Marking headers can be adapted to cover SA specific labels such as SA CABINET and Medical in Confidence. Some SA Government organizations have implemented PSPF style metadata regardless of it not being included in SAPSF. An example of this would be setting an X-Protective-Marking header of “VER=2018.6, NS=sa.gov.au, SEC=OFFICIAL”. This approach mitigates risks associated with sharing information between SA government organizations and provides a marking that other states and Federal organizations can use to determine the enclosed information’s required protections.
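The following added example, which is not part of the original guide, parses an X-Protective-Marking header of the form quoted above and uses its NS value to decide whether a received message carries another jurisdiction's marking and therefore needs label translation. The function names, the `home_ns` parameter, the action names, and the sample message are assumptions made for illustration.

```python
import re
from email import message_from_string

REQUIRED = ("VER", "NS", "SEC")  # the three fields in the header quoted above

def parse_marking(value):
    """Split 'KEY=value, KEY=value' into a dict; reject incomplete markings."""
    flat = " ".join(value.split())  # undo header folding across lines
    fields = {}
    # Split only on commas that are followed by another KEY= token.
    for part in re.split(r",\s*(?=[A-Z]+=)", flat):
        key, sep, val = part.partition("=")
        if not sep or not val.strip():
            raise ValueError(f"malformed field: {part!r}")
        fields[key.strip()] = val.strip()
    missing = [k for k in REQUIRED if k not in fields]
    if missing:
        raise ValueError(f"missing fields: {missing}")
    return fields

def triage(raw_message, home_ns):
    """Decide how an inbound message's marking should be handled.

    home_ns is a hypothetical parameter: the namespace the receiving
    organization uses in its own markings.
    """
    header = message_from_string(raw_message)["X-Protective-Marking"]
    if header is None:
        return {"action": "unmarked"}
    try:
        m = parse_marking(header)
    except ValueError as exc:
        return {"action": "review", "reason": str(exc)}
    # A foreign namespace means the SEC value follows another taxonomy.
    action = "keep" if m["NS"].lower() == home_ns.lower() else "translate"
    return {"action": action, "ns": m["NS"], "sec": m["SEC"], "ver": m["VER"]}

# Constructed sample message; the header value is the one quoted above,
# folded across two lines as a mail gateway might emit it.
SAMPLE = (
    "From: sender@agency.example\n"
    "Subject: Briefing\n"
    "X-Protective-Marking: VER=2018.6, NS=sa.gov.au,\n"
    " SEC=OFFICIAL\n"
    "\n"
    "Body text.\n"
)

if __name__ == "__main__":
    print(triage(SAMPLE, home_ns="gov.au"))
```

Messages that arrive with a malformed or incomplete marking are routed to `review` rather than being treated as unmarked, so a broken header does not silently drop an item out of scope of DLP policy.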

Tasmania

The Information Security Classification Standard for the Tasmanian (TAS) Government is a draft and under review.

For information on markings currently in use by TAS Government, see TAS Information Security Classification.

Federal Government organizations wanting to ensure that they protect information received from TAS Government should utilize controls that are in place to help protect legacy information under the previous version of the PSPF. For more information, see Recommendations based on historical markings.

Victoria

The Victorian (VIC) State Government framework is the Victorian Protective Data Security Framework (VPDSF). It is similar to SA's framework but still closely aligns with the Federal PSPF.

Victorian State Government organizations should consider the guidance provided in this guide as relevant to their own environments.

For the VIC framework, the difference is in the markings applied via email x-headers, specifically the domain and version values. Victorian Government Cabinet markings also differ from those of the Federal Government, so Victorian Government organizations should note that a special handling x-header of 'SH:CABINET-IN-CONFIDENCE' is required in place of 'SH:NATIONAL-CABINET.' For more information on special handling, see applying x-protective-marking headers via DLP policy.

Western Australia

The Western Australian (WA) Government has an Information Classification Policy, which makes use of UNOFFICIAL, OFFICIAL, and OFFICIAL: Sensitive labels that align closely with Federal Government PSPF classifications. However, access and other requirements differ.

The policy states "For the protection of Commonwealth security classified information, agencies are required to comply with the provisions of the relevant inter-jurisdictional agreement(s)." This means that WA Government agencies are required to consider Federal Government requirements.

WA Government customers should consider the guidance provided in this document for its relevance to their own configurations.

For Federal Government organizations receiving information from WA Government organizations, the WA approach aligns with the Federal approach, so the auto-labeling and other configurations covered in this guide help to ensure that such information is protected while it resides in Federal Microsoft 365 environments.