Management of aggregate information (policy advice)

Understanding the aggregate of information
The Australian Government now conducts the majority of its business electronically. Accordingly, substantial quantities of information are being processed and stored in various forms across government (and equally outside of Government or offshore).

A compilation of information may be assessed as requiring a higher security classification where the compilation is significantly more valuable than its individual components. This is because the collated information reveals new and/or more sensitive information or intelligence than would be apparent from the source records on their own, and its compromise would cause greater damage than the compromise of any individual document.
Identifying aggregate information
In identifying aggregate information, agencies are encouraged to clearly define the:
• nature and limits of each information compilation—for example, by data type, subject, location or volume
• value of each information compilation
• security requirements specific to each compilation, such as access and authentication requirements of privileged users (e.g. security clearances)
• asset owners (owners) and users of each information compilation
• locations or media where the information is stored, transported and/or processed.

Aggregate information can include:
• databases
• data from IT systems
• information relating to specific projects or operations
• information stored on media for transport
• information stored in information systems.
Managing aggregate information
Simply applying a higher security classification is not the correct approach to ensuring appropriate protection of aggregate information. To assist in determining the value of a compilation, agencies are encouraged to consider the potential business impact if the information were compromised, lost or made unavailable, together with the information's contribution to the Government's functions (or its potential, if misused, to impede those functions).
It is recommended that agencies apply security controls to their aggregate information to:
• meet the mandatory controls required for the highest classified document in the compilation, or
• manage the risks to the confidentiality, integrity or availability of the aggregate information.

When viewed separately, the components of the information compilation retain their individual classifications.

The security classification or protective markings applied to a compilation of information must be (at a minimum) equivalent to the highest classification or marking of any component.

If a compilation contains only a small number of highly classified components, consideration should be given to storing these separately, rather than upgrading the classification of the whole compilation.

It is important to remember that the value of a compilation is not derived simply from the number of documents it contains, so this should not be used as the sole basis for evaluating a compilation's value.
Risks to aggregate information
Potential consequences of poor management of aggregate information:
• disrupting an agency's ability to do business
• eroding the trust between the agency and its clients, customers, partners, contractors and/or the government
• violating federal or state and territory laws governing privacy or other types of information held in trust
• embarrassing a federal, state and territory, or international level government, with potential deterioration in working relationships
• exposing agencies to legal proceedings initiated by parties affected by the compromise or exploitation of information held or accessed.
As every agency faces different threats and security risks, each is responsible for developing its own approach to managing its information, one which is appropriate to its risk environment and risk appetite.

Risks to aggregate information can include, but are not limited to:
• the targeting of information by cyber criminals, malicious hackers or other opportunistic individuals
• unauthorised disclosure of information by trusted insiders, including deliberate and accidental data spills
• copying, modifying, disseminating or exploiting agency information in such a way that the agency is unaware of the changes or exploitation.

The impact on aggregate information may be operational, reputational or monetary.

The Australian Government protective security governance guidelines—Australian Government business impact levels can assist in determining the potential damage from compromise of confidentiality, loss of integrity, or unavailability of information.