GPO Guidelines - July 2015 - Protective Security Policy Framework

Guidelines for the implementation of the Public
Governance, Performance and Accountability
(Protective Security Policy) Order 2015
Contents
Part 1 – Introduction (p. 1)
1. Purpose (p. 1)
1.1 Applicability (p. 1)
1.2 Objectives and scope (p. 1)
1.3 The legislative framework (p. 1)
1.4 Use of specific terms in these Guidelines (p. 2)
Part 2 – Governance Arrangements (p. 6)
2. Protective security policy (p. 6)
2.1 Governance arrangements (p. 6)
3 Protective security plan (p. 7)
Part 3 – Personnel, Information and Physical Security Arrangements (p. 8)
4 Personnel security (p. 8)
4.1 Personnel security policy (p. 8)
4.2 Suitability for employment (p. 8)
4.3 Security clearances (p. 9)
4.4 Waiver of an eligibility requirement for a security clearance (p. 9)
4.5 Active monitoring of clearance holders (p. 11)
4.6 Annual health check (confirmation of ongoing suitability to access official resources) (p. 12)
4.7 Sharing of information (p. 12)
4.8 Reportable changes of personal circumstances (p. 13)
4.9 Actions on separation of personnel (p. 13)
5 Confidentiality of information (p. 14)
6 Information security (p. 14)
6.1 Access to Commonwealth resources (p. 14)
6.2 Temporary access to classified information (p. 15)
6.3 Security classifications (p. 16)
6.4 ICT systems and networks (p. 17)
7 Physical security (p. 17)
7.1 Security of facilities (p. 18)
7.2 Physical security of information (p. 18)
7.3 Minimum requirements for protecting security classified information (p. 18)
7.4 Integration of security measures during planning/modification of facilities (p. 19)
7.5 Developing agency alert levels and guides (p. 19)
Part 4 – Reporting (p. 21)
8 Reporting security incidents (p. 21)
8.1 Examples of security incidents (p. 21)
8.2 Procedures for ensuring staff report and record security incidents (p. 22)
8.3 Reporting security incidents to ASIO (p. 22)
8.4 Reporting cyber security incidents to ASD (p. 22)
9 Annual reporting on compliance (p. 23)
Annexure A – Template deed of confidentiality for execution by an employee (p. 24)
Annexure B – Template deed of confidentiality for execution by a contractor (p. 27)
Annexure C – How to select an appropriate protective marking (p. 32)
Annexure D – Security violations and breaches (p. 33)
Annexure E – Abbreviations and acronyms (p. 34)
Part 1 – Introduction
1. Purpose
1 These Guidelines are issued by the Attorney-General’s Department to assist accountable
authorities of corporate Commonwealth entities (entities) and directors of wholly-owned
Commonwealth companies (companies) meet their obligations under the Public Governance,
Performance and Accountability (Protective Security Policy) Order 2015 (the GPO).
2 These Guidelines provide assistance and better practice guidance for entities and companies to
manage their protective security risks and arrangements.
3 These Guidelines should be read in conjunction with other relevant documents, including the
Australian Government’s Protective Security Policy Framework’s (PSPF) suite of documents
which can be found at www.protectivesecurity.gov.au and the Australian Government’s
Information Security Manual.
4 These Guidelines are available on the Attorney-General’s Department website at
www.protectivesecurity.gov.au.
1.1 Applicability
5 These Guidelines apply to entities and companies and are intended for accountable authorities
of entities, the directors of companies and their personnel.
1.2 Objectives and scope
6 The appropriate application of protective security by entities and companies ensures the
operational environment necessary for the secure conduct of Government business. Managing
security risks proportionately and effectively enables Government entities to provide the
necessary protection of the Government’s people, information and assets.
7 These Guidelines set out the Commonwealth’s expectation for better practice in the protective
security of Commonwealth resources and Commonwealth personnel. The Guidelines aim to
establish and maintain protective security arrangements that provide for:
• the capacity of the entity or company to function
• the safety of persons connected with the entity or company
• the safeguarding of information and assets held by the entity or company, and
• public confidence in the Government.
8 In applying these Guidelines, entities and companies should take into account their individual
circumstances. These Guidelines are not intended to cover all types of risk. For example, where
fraud or other internal or external entity risks are concerned, these Guidelines should be
considered as a useful starting point to be used in conjunction with other appropriate guidance
materials (i.e. the Commonwealth Fraud Control Framework).
1.3 The legislative framework
9 The GPO is prepared under subsections 22(1) and 93(1) of the Public Governance, Performance
and Accountability Act 2014 (PGPA Act).
10 The GPO aligns with the requirements contained in sections 15 and 16 of the PGPA Act for
accountable authorities to establish and maintain an appropriate system of risk oversight,
management and internal control.
11 Guidance materials, including these Guidelines, provide better practice to assist accountable
authorities and directors to meet their obligations under the GPO.
12 If a conflict arises between these Guidelines and legislation (including legislative instruments),
the legislation takes precedence.
1.4 Use of specific terms in these Guidelines
13 In these Guidelines the following terms are used:
• ASIO-T4 Protective Security (ASIO-T4): a protective security advisory service for Government
clients, contactable at t4ps@t4.gov.au
• Australian Government Security Classification System: means the Commonwealth’s process
for assessing the value, and protecting the confidentiality of, Commonwealth information or
Commonwealth assets using the following security classifications:
(a) PROTECTED
(b) CONFIDENTIAL
(c) SECRET
(d) TOP SECRET
The Australian Government Security Classification System also provides the following
dissemination limiting markers (DLMs). DLMs are markings for information where disclosure
may be limited or prohibited by legislation, or where it may otherwise require special
handling:
(a) “For Official Use Only” (FOUO)
(b) “Sensitive: Cabinet” (which must also carry the classification PROTECTED as a minimum)
(c) “Sensitive: Personal”
(d) “Sensitive: Legal”
(e) “Sensitive”
• Australian Government Security Vetting Agency (AGSVA): a centralised government
agency providing vetting services on behalf of Australian Government agencies (apart from
exempt agencies) and some state and territory agencies.
• Accountable authority: the person or group of persons who has responsibility for, and
control over, an entity’s operations as set out in section 12 of the PGPA Act.
• Baseline: as a security clearance, allows access to Commonwealth resources classified
PROTECTED.
• Commonwealth assets: physical assets held by the entity or company in their own right, or
on behalf of, the Commonwealth (whether or not the assets belong to the Commonwealth).
• Commonwealth information: information held by the entity or company in their own right,
or on behalf of, the Commonwealth (whether or not the information belongs to the
Commonwealth).
• Commonwealth personnel:
(a) a person who holds office under laws of the Commonwealth
(b) directors of an entity or company, or the Commonwealth
(c) employees of an entity, company, or the Commonwealth
(d) contractors or subcontractors of an entity, company or the Commonwealth
(e) a person subject to the direction of an entity or company or the Commonwealth.
• Commonwealth resources: means Commonwealth information or Commonwealth assets.
• Company: a wholly-owned Commonwealth company as set out in section 90 of the PGPA
Act.
• CONFIDENTIAL: the CONFIDENTIAL security classification is used when the compromise of
confidentiality of information could be expected to cause significant damage to the national
interest.
• Eligibility: a requirement for a security clearance indicating that an applicant has:
(a) Australian citizenship
(b) a checkable background, and
(c) agreed to safeguard Commonwealth resources from harm.
• Entity: a corporate Commonwealth entity as set out in section 22 of the PGPA Act.
• ICT system: an information communication technology system.
• Mandatory requirement: the high level requirements contained in the core policy
documents of the Protective Security Policy Framework (PSPF), referred to as governance
(GOV), personnel security (PERSEC), information security (INFOSEC) and physical security
(PHYSEC).
• National interest: includes matters that have or could have an impact on Australia including:
a. Australian national security
b. Australian international relations
c. relations between one or more of the following:
i. the Commonwealth
ii. the States
iii. the Territories
iv. the interests of the Australian Government and Australian people and organisations
d. law enforcement operations where compromise could hamper or prevent national
crime prevention strategies or investigations or endanger personal safety
e. Australian economic well-being
f. Australian heritage or cultural interests.
• National security: has the same meaning as security in section 4 of the Australian Security
Intelligence Organisation Act 1979.
• Need to know: means a need to access information based on an operational requirement.
• Negative Vetting Level 1: as a security clearance, allows access to Commonwealth resources
classified PROTECTED, CONFIDENTIAL and SECRET.
• Negative Vetting Level 2: as a security clearance, allows access to Commonwealth resources
classified PROTECTED, CONFIDENTIAL, SECRET and TOP SECRET.
• Personnel security policy: a set of measures that manages the risk to people, information
and assets when applied in conjunction with governance, information and physical security
controls.
• PGPA Act: the Public Governance, Performance and Accountability Act 2013.
• Positive Vetting: as a security clearance, allows access to PROTECTED, CONFIDENTIAL,
SECRET, TOP SECRET and certain types of caveated and code-word Commonwealth
resources.
• PROTECTED: the PROTECTED security classification is used when the compromise of the
confidentiality of information could be expected to cause damage to the national interest.
• Protective security policy: a set of controls that ensures the operational environment
necessary for the secure conduct of Government business.
• Protective Security Policy Framework or PSPF: the Australian Government’s protective
security requirements for the protection of its people, information and assets, available
from www.protectivesecurity.gov.au
• SECRET: the SECRET security classification is used when the compromise of the
confidentiality of information could be expected to cause serious damage to the national
interest.
• Security breach: the accidental or unintentional failure to observe an entity’s or company’s
protective security policies or procedures, other than those categorised as a security
violation.
• Security clearance: an acknowledgement by the Australian Government Security Vetting
Agency that a person is suitable to access security classified information, the level of
classification dependent on the clearance level granted, which allows entities to authorise
ongoing access to applicable security classified information on a need to know basis.
• Security incident: a security violation or security breach that may be required to be
reported to ASIO, and other relevant agencies, depending on the nature of the incident.
• Security plan: a plan which sets out how an entity or company will manage security risks.
• Security violation: means a deliberate, reckless or negligent act or omission that leads, or
could reasonably be expected to lead, to:
a. the loss, damage, corruption or disclosure of Commonwealth information held,
controlled or accessed by the entity or company; or
b. the loss, damage or corruption or disclosure of the existence of, a classified
Commonwealth asset held, controlled or accessed by the entity or company.
• Suitability: means
a. in relation to a person’s employment, that the person is able to demonstrate the
required qualifications and experience for the position, including satisfaction of any
entity or company specific requirements; and
b. in relation to a person’s security clearance, that the Australian Government
Security Vetting Agency has established to the appropriate degree of satisfaction
that the person possesses and demonstrates the appropriate level of integrity, with
any doubts about the person’s suitability for access to security classified resources
resolved in favour of the national interest.
• TOP SECRET: the TOP SECRET security classification is used when the compromise of the
confidentiality of information could be expected to cause exceptionally grave damage to the
national interest.
Part 2 – Governance Arrangements
2. Protective security policy
14 To successfully deliver the GPO, entities and companies need to foster a positive attitude
towards protective security to support a strong culture of security.
15 Clause 7 of the GPO requires entities and companies to prepare, maintain and implement a
protective security policy. This clause aligns with mandatory requirement GOV-5 of the PSPF.
16 This policy should complement and support other entity or company operational procedures and
include provision for governance arrangements, personnel security, physical security and
information security.
17 An entity or company’s protective security policy can be included within other entity or company
business or governance policies.
18 A protective security policy should set out operational practices to ensure the security of
Commonwealth resources and personnel.
19 When developing a protective security policy, entities and companies are to ensure that the
operational practices are appropriate having regard to:
• the functions and operations of the entity or company - in adhering to clause 7, entities
and companies should consult the Australian Standard for Risk Management AS/NZS ISO
31000:2009 and the Australian Standards HB 167:2006 Security risk management.
• the value, importance and sensitivity of the resources to which they relate - in adhering
to this requirement, entities and companies should apply business impact levels when
determining the consequences of compromise of confidentiality or loss of integrity or
availability of entity or company resources, or harm to their people. Further guidance
regarding the application of business impact levels is available in the Australian
Government Protective security governance guidelines – Business impact levels.
• security classifications applying to Commonwealth resources - in adhering to this
requirement, entities and companies must apply the Australian Government Security
Classification System (AGSCS), required by clause 15(1) of the GPO. Further guidance
regarding the application of the AGSCS is set out in Section 9 of these Guidelines.
• the threat level and National Terrorism Public Alert System level of alert - the operational
practices of entities and companies must be appropriate having regard to these. Further
guidance regarding the development of alert levels is available in the Australian
Government Better practice guide—Developing agency alert levels.
2.1 Governance arrangements
20 An entity or company’s governance arrangements should specify the relationship between
protective security and the components of an entity’s or company’s operational governance,
including, but not limited to:
• fraud control
• security components of employee and public safety
• security requirements in contracts
• assigning security management roles
• audit and compliance reporting
• processes for policy exceptions
• review and amendment
• business continuity and disaster recovery, and
• security violation and breach investigation and management arrangements. Further
information may be obtained from the Australian Government Protective Security
Governance guidelines – Reporting incidents and conducting security investigations.
3 Protective security plan
21 Under clause 8 of the GPO, entities and companies must prepare, maintain and implement a
security plan. The security plan may be a component of an entity or company’s other
operational plans. This clause aligns with mandatory requirement GOV-4 of the PSPF.
22 A security plan should set out an entity or company’s individual protective security requirements
and mitigation strategies according to the threat levels and risk to Commonwealth resources or
Commonwealth personnel. In addition the plan should outline the practical steps that can be
taken that will minimise these risks and address any residual risk.
23 An entity or company should develop site security plans for each individual entity or company
site. The entity or company should assess each site separately so that the controls applied
address the specific risks at each site.
24 Further guidance regarding the development of a security plan is available in the Australian
Government Protective security better practice guide – Developing agency protective security
policies, plans and procedures.
Part 3 – Personnel, Information and Physical Security Arrangements
4 Personnel security
4.1 Personnel security policy
25 In accordance with clause 9 of the GPO, entities and companies must prepare, maintain and
implement a personnel security policy, including:
• assessing and managing the ongoing suitability for engagement of Commonwealth
personnel in relation to the security of Commonwealth resources
• security clearance requirements
• use of temporary access arrangements, and
• actions on separation of personnel.
4.2 Suitability for employment
26 Entities and companies should consider employment screening for all Commonwealth personnel
including the need for agency-specific checks. For further guidance see section 7 of the
Australian Government personnel security guidelines – Agency personnel security responsibilities.
27 Entities and companies should record the results of the employment screening for successful
applicants and any additional agency specific screening relating to each person.
28 Entities and companies should have processes to monitor and evaluate the ongoing suitability of
personnel through:
• performance management
• periodic suitability checks and declarations
• self-reporting by personnel
• reporting of concerns by other personnel, and
• contract management.
See section 8 of the Australian Government personnel security guidelines – Agency
personnel security responsibilities for further guidance.
29 Entities and companies should have policies and procedures to allow the exchange of
information about personnel suitability to access Commonwealth resources between personnel,
managers, human resources and their security areas.
30 Entities and companies should base the personnel security component of their performance
management program on their personnel security risk assessments. For more information on
personnel security risk management see section 3 of the Australian Government Personnel
security guidelines – Agency personnel security responsibilities.
31 As part of an entity or company’s personnel security risk assessment entities and companies
should identify the periodic checks required to confirm a person’s ongoing suitability to access
entity or company resources.
32 Entity or company performance assessments should identify personnel who display behavioural
concerns including disregard for entity or company security policies and procedures.
4.3 Security clearances
33 In accordance with clause 10 of the GPO, entities and companies must identify, record and
review:
• positions within the entity or company that require security clearances, and
• the levels of security clearance required.
4.3.1 Identifying and recording positions that require a security clearance
34 Personnel requiring ongoing access to Commonwealth security classified resources are to hold a
security clearance at the appropriate level.
35 Entities or companies may use security clearances as an assurance measure in addition to their
employment screening and entity or company specific controls for positions where the entity or
company risk assessment deems the security clearance process is to apply.
36 An accountable authority or director is to decide if a role or position requires a security
clearance.
37 An accountable authority or director may require that all entity or company personnel in a
particular category be cleared to a specified level. Factors that may influence this decision
include:
• the nature of the entity’s or company’s business
• an entity’s or company’s risk assessment
• the need to access the entity or company’s security classified information or resources
or ICT systems, or
• the need for increased levels of assurance of employees’ suitability to perform particular
roles.
38 Entities and companies are to maintain a register of positions that require a clearance. Before
advertising a position, entities and companies are to identify:
• if the position requires a security clearance
• the level of clearance required
• whether the clearance is for access to Australian Government security classified
information or to give a level of assurance, and
• when the requirement for a security clearance will be reassessed.
39 Entities and companies should periodically reassess the security clearance requirement for
positions, at least each time the position becomes vacant and before it is advertised.
40 For further guidance, please refer to section 11 of the Australian Government Personnel Security
guidelines – Agency personnel security responsibilities.
4.4 Waiver of an eligibility requirement for a security clearance
41 Entities and companies are to confirm all clearance subjects are eligible, by confirming
citizenship and checkable background requirements, prior to requesting a security clearance.
42 Under clause 10(3) of the GPO, entities and companies may waive an eligibility requirement for a
security clearance with respect to citizenship or a checkable background. This provision aligns
with mandatory requirement PERSEC 5 of the PSPF, as applicable to entities and companies.
Accountable authorities and directors need to be aware that granting an eligibility waiver, does
not guarantee that a clearance will be granted by AGSVA.
43 As set out in clause 10(3)(a) of the GPO, an eligibility requirement may only be waived where
an exceptional operational requirement exists. An exceptional operational requirement will vary
according to the entity or company’s unique requirements.
44 Accountable authorities and directors need to be aware of the inherent risks posed from a
malicious trusted insider when granting eligibility waivers. An accountable authority or director’s
decision to waive an eligibility requirement is to be based on a thorough analysis of the risks to
the Australian Government and the possible impact on the national interest.
45 Accountable authorities and directors need to be aware that by granting a waiver, they are
taking on a risk that may be detrimental to the Australian Government. If the documents
supporting the waiver do not fully detail the risks to the National Interest, mitigations and any
residual risks, AGSVA may reject the request for security clearance.
46 An eligibility waiver is role-specific, non-transferable, finite and subject to review. The waiver
will only apply while the clearance holder remains in the position for which the clearance was
granted. Waivers are to be reassessed on a yearly basis.
47 For further guidance, please refer to section 12 of the Australian Government Personnel Security
guidelines – Agency personnel security responsibilities.
4.4.1 Non-Australian citizens
48 Entities or companies may only grant an eligibility waiver with respect to citizenship where:
• it has been identified that there is no Australian citizen who could fill the position, and
• the entity or company understands and agrees to manage the risk.
49 Entities and companies should prepare a waiver assessment which should:
• include details of the exceptional circumstances that preclude the position being filled
by an Australian citizen
• include the person’s visa status and whether they are actively seeking Australian
citizenship
• consider the threat assessment from ASIO on the clearance subject’s country or
countries of citizenship
• detail the entity or company’s plan to ensure the clearance subject does not access
‘Australian Eyes Only’ (AUSTEO) or third country ‘EYES ONLY’ material
• confirm consultation with third parties whose information may be accessed by the
person who is subject to the waiver (either foreign or other Australian agencies) and, in
the case of foreign agencies, agreement in the absence of an existing bilateral
agreement allowing information exchange
• confirm specific approval from the originating or controlling agency whose TOP SECRET
information may be accessed by the person who is subject to the waiver on a case by
case basis
• confirm the date of issue of the waiver and the length of time it is to apply.
4.4.2 Uncheckable backgrounds
50 A ‘checkable background’ exists when AGSVA has validated information provided by a clearance
subject from independent and reliable sources. A clearance subject is considered to have an
‘uncheckable background’ when AGSVA cannot complete the minimum checks and inquiries for
the relevant checking period, or the checks and inquiries do not provide adequate assurance
about the clearance subject’s life or background.
51 AGSVA may advise an entity or company that a clearance subject has an uncheckable
background and provide an opportunity for the entity or company to grant an eligibility waiver
with respect to that uncheckable background. If the entity or company wishes to grant an
eligibility waiver for uncheckable backgrounds, the entity or company should prepare a waiver
assessment which:
• includes details of the uncheckable background and an assessment of the impact of the
period of uncheckability against the whole person
• considers potential conflicts of interest
• confirms that there are no known concerns about the individual
• contains confirmation of consultation with third parties that provide information that
the person may access
• confirms the date of issue of the waiver and the length of time it is to apply.
4.4.3 Conditions for clearances subject to an eligibility waiver
52 Clearances granted with eligibility waivers will be subject to strict conditions. These may include,
but are not limited to:
• the continuation of the eligibility waiver being conditional on the applicant taking
Australian citizenship as soon as they are eligible, where the subject has indicated they
are actively seeking citizenship or do not have a valid reason not to seek citizenship
• the entity or company not allowing non-Australian citizens granted a waiver access to
‘Eyes Only’ information unless it includes the person’s country of citizenship and they
have a need to know
• the entity or company not granting access to security classified information from a
foreign government without the written agreement of that foreign government or as
outlined in the provisions of any information sharing agreements, and
• the entity or company limiting access to security classified information to that required
to perform the specific duty identified in the waiver.
53 Sponsoring entities and companies are to ensure a person subject to a waiver follows any
conditions placed on the clearance. Sponsoring entities or companies are to advise AGSVA of any
non-compliance with conditions of the waiver.
54 AGSVA will cease a clearance where the clearance subject does not adhere to the conditions of
the waiver.
55 The sponsoring entity or company is to undertake a new waiver and risk assessment and advise
AGSVA if a clearance subject changes duties.
4.5 Active monitoring of clearance holders
56 Clearance maintenance is a joint responsibility of the sponsoring entity or company, AGSVA and
the individual clearance holder. The purpose of clearance maintenance is to ensure the ongoing
suitability of an individual to hold a security clearance. It is an ongoing process throughout the
life of a security clearance.
57 AGSVA is responsible for the periodic review of clearance holders’ suitability (revalidations) and
conducting any reviews for cause when specific issues or concerns arise that may affect a
person’s ongoing suitability to hold a clearance.
58 Entities and companies are responsible for their security clearance holders (including Contractors). Entities and companies are to:
• provide security awareness training and security clearance specific briefings. For further information on security awareness training see section 8.2 of the Personnel security guidelines – Agency personnel security responsibilities
• advise and remind clearance holders of their ongoing obligation to report changes of circumstances and contacts that are suspicious, on-going, unusual or persistent. For further information see the Personnel security guidelines – Agency personnel security responsibilities
• provide ongoing supervision and management of clearance subjects, including their suitability to access official resources
• notify the vetting agency of other issues of security concern relating to the ongoing suitability of clearance holders, including security incidents and any concerns relating to integrity, and
• manage any additional specific clearance maintenance requirements agreed by the vetting agency and the sponsoring entity or company as a condition of the security clearance.
4.6 Annual health check (confirmation of ongoing suitability to access official resources)
59 Entities and companies are to annually require:
• clearance holders to confirm that they have reported to their entity’s or company’s security section:
- all changes of circumstances
- any suspicious, on-going, unusual or persistent contacts
• clearance holders to complete any required security awareness training, and
• managers responsible for personnel to confirm they have reported any concerns about the clearance holders.
60 Entities and companies are to report any security concerns they have as to the ongoing
suitability of their clearance subjects to AGSVA.
61 The annual health check does not replace an entity or company’s ongoing responsibility for their
performance management including code of conduct investigations.
62 For further information on the annual health check see section 14 of the Personnel security
guidelines – Agency personnel security responsibilities.
4.7 Sharing of information
63 Entities and companies are to provide AGSVA with any information about the suitability of a person to hold a security clearance. This includes but is not limited to:
• negative results of entity or company specific checks (organisational suitability)
• any changes of circumstances that may affect an individual’s ongoing suitability to hold a security clearance
• suspicious, on-going, unusual or persistent foreign contacts
• incident and investigation results, and
• where a breach of the code of conduct has been established or a security violation proven, or personnel management concerns that may call into question the integrity of the person.
64 Entities and companies should not use the clearance review process to deal with personnel
management problems (e.g. underperformance). However, if it is likely that such concerns could
affect a person’s suitability to hold a clearance, line managers should notify their security section
who in turn may notify AGSVA.
65 AGSVA is to advise entities and companies of any suitability concerns raised about clearance
subjects and any pending or active reviews for cause. In such cases and based on a risk
assessment the sponsoring agency is to determine whether to limit or suspend the clearance
subject’s access to security classified resources.
4.8 Reportable changes of personal circumstances
66 Entities and companies are to require their clearance holders to advise their security section of
any reportable changes in personal circumstances. For further details on what is a reportable
change of circumstance see section 14.2 of the Personnel security guidelines – Agency personnel
security responsibilities.
67 Entities and companies are to also require personnel to advise the entity or company of changes
in personal circumstances of other clearance holders if they have concerns that may be relevant
to a clearance holder’s suitability.
68 The entity or company is to then advise AGSVA of any notified reportable changes in
circumstances.
4.9 Actions on separation of personnel
69 Under clause 9 of the GPO, entities and companies must have policies to manage security
related matters when a person leaves the employment of, or terminates their relationship with
the entity or company.
70 Entities and companies need to consider the risks to the ongoing confidentiality, integrity and
availability of their resources by personnel who are terminating their employment or are taking
long term leave.
71 Prior to separation or long term leave, entities and companies should:
• as part of exit procedures, confirm with the employee their ongoing confidentiality requirements, including the use of intellectual property
• where a security clearance is held, inform AGSVA of the employee’s cessation, including whether there are any outstanding issues of a protective security nature
• consider conducting an audit to determine whether the employee has forwarded any proprietary information without approval (particularly when an employee is moving into a private sector position)
• retrieve ICT equipment or physical assets that are issued to the employee, in particular any portable devices, and
• recover any corporate credit cards.
72 Upon separation or long term leave, entities and companies should have in place procedures to:
• change any shared account passwords that were known by the employee
• remove access to agency ICT systems, including any special access arrangements, and have processes in place to cancel that access (for example: administrator access, TOP SECRET networks, ASNET)
• disable any remote access to the ICT systems, including email and telephone voicemail
• remind remaining staff of their responsibility to report any contact by previous employees with a suspicious, persistent or unusual interest in their work or that of the agency in general
• revoke physical access to facilities and retrieve keys and/or access cards, and
• change any combinations of locks—e.g., doors, safes or security containers to which the staff member had access.
73 If the person leaving the entity or company holds a security clearance, entities and companies are to, where appropriate:
• obtain an assurance that individuals are aware of their ongoing obligations in respect to national security and confidentiality
• identify any departing staff that represent a security risk
• report any identified risks and any significant security concerns associated with a clearance holder’s separation to AGSVA
• where applicable, notify compartment holders and organise a debrief from those compartments, and
• where clearance holders depart suddenly without assurances of their ongoing obligations having been obtained, undertake a risk assessment to identify any security implications relating to the departure and report those vulnerabilities as appropriate. See section 8 – Reporting security incidents.
74 For further information about separation of personnel and contractors see section 9 and 14.4 of
the Personnel security guidelines: Agency personnel security responsibilities.
5 Confidentiality of information
75 Under clause 12 of the GPO, entities and companies must ensure that all Commonwealth
personnel agree that they are responsible for safeguarding against the loss or misuse of, or
compromise of, Commonwealth resources for which they are responsible.
76 In circumstances where Commonwealth personnel will have access to Commonwealth
resources, entities and companies should consider requiring such personnel to execute a signed
confidentiality agreement in the form contained in Annexure A or Annexure B as relevant.
6 Information security
6.1 Access to Commonwealth resources
77 Entities and companies should develop information security policies that include reasons for:
• classification and business impact levels
• information and ICT access, including ICT systems development and implementation
• email and internet use, and
• removal of information from entity or company premises.
78 In accordance with clause 13 of the GPO, entities and companies must ensure that
Commonwealth resources are accessed by individuals on a need to know basis and where
necessary, have the required security clearance.
79 Entities and companies are to provide information on the ‘need to know’ principle to all
personnel as part of their security awareness training.
80 Entities and companies are to ensure that the following principles of good information security practice are applied, including that:
• information can only be released to organisations and individuals with a demonstrated need to know
• information is stored and processed away from public access
• the removal of information from entity or company premises is on the basis of identified need
• the disposal of information is by secure means, and
• the transmission and transfer of information is by means which deter unauthorised access—for example, external mail is sealed and electronic transmission is in accordance with the Information Security Manual requirements.
6.2 Temporary access to classified information
81 Under clause 14 of the GPO, temporary access can be provided to Commonwealth personnel who do not hold a security clearance in the circumstances set out in clauses 14(1)(a) to 14(1)(d) of the GPO.
82 There are two types of temporary access arrangements:
• short term access – allows an employee access to Australian Government classified resources where they do not hold a clearance at an appropriate level and are not being assessed for a clearance, or are yet to submit a completed clearance pack, and
• provisional access – allows access to Australian Government classified resources while a clearance subject is undergoing a clearance, after they have submitted a completed clearance pack.
83 Temporary access allows limited, supervised access to security classified resources and is not a
security clearance.
84 Temporary access provisions are not to apply to positions where security clearances are used
only as a measure of assurance.
85 Entities and companies are to base any decision to approve temporary access on a documented
risk assessment.
86 Entities and companies should conduct a risk assessment of the person for whom temporary
access is proposed, which should consider any existing mitigating factors—e.g. holding a security
clearance at a lower level, employment screening or any entity or company specific checks.
87 Prior to granting temporary access the sponsoring entity or company is to confirm with AGSVA
that there are no known concerns about the person for whom temporary access is proposed.
88 AGSVA is to advise the entity or company of any existing or prior limitations on the person
requiring access.
89 If advised of any concerns by AGSVA, the sponsoring entity or company is to base any decision to
allow (or if already allowed, to continue) the clearance subject’s temporary access to security
classified information and resources on a documented risk assessment.
90 The sponsoring entity or company is to deny or withdraw temporary access to security classified
resources if concerns cannot be mitigated to a level acceptable by the entity or company or
other affected parties.
91 Sponsoring entities and companies are to advise AGSVA of any approved temporary access.
AGSVA is to record the access on the clearance subject’s personal security.
92 For information about providing temporary access to TOP SECRET classified resources see
section 7 of the Australian Government Personnel Security Protocol.
93 For further information on temporary access see section 10 of the Personnel security guidelines – Agency personnel security responsibilities.
6.3 Security classifications
94 Entities and companies are to apply security classification levels as set out in the GPO. Entities
and companies should develop their own classification guides to assist their personnel in
classifying their entity and company information.
95 Further guidance is available in the Australian Government Protective security governance
guidelines – Business impact levels and the Australian Government’s Protective security better
practice guide – Developing an agency classification guide.
6.3.1 Protective markings
96 Information that needs protection is to be assigned a protective marking showing the level of protection required. There are three types of protective markings:
• security classifications
• dissemination limiting markers (DLMs), and
• caveats.
97 Information is to be protectively marked if its compromise could damage the national interest, organisations or individuals, or if it requires protection under the Privacy Act 1988 (Cth), the Archives Act 1983 (Cth) or other legislation. Once information has been identified as requiring some form of protection and special handling, a protective marking is to be assigned to the information. The marking indicates:
• that the confidentiality of the information needs protection, and
• the level of protective procedures that are to be provided during the use, storage, transmission, transfer and disposal of the information.
98 A summary guide on identifying information requiring a protective marking is at Annexure C of
these Guidelines.
99 Further guidance is available in the Australian Government Information Security guidelines –
Australian Government security classification system and Australian Government Protective
security governance guidelines – Business impact levels.
6.3.2 Foreign government information
100 Where information is provided in accordance with a bilateral or multilateral security instrument
for the reciprocal protection of exchanged official or classified information, it is to be given the
equivalent Australian protective security marking or in accordance with the agreement. See
section 6 of the Australian Government Information Security guidelines – Australian Government
security classification system.
6.4 ICT systems and networks
101 Under clause 16 of the GPO, entities and companies must implement security measures for all stages of ICT system development, including when new ICT systems are implemented. The measures should be appropriate, having regard to the assessed security risk of the information holdings contained within, or passing across, ICT networks, infrastructure and applications. This clause aligns with mandatory requirement INFOSEC 6 of the PSPF, as applicable to entities and companies. For further guidance, see the Australian Government Information Security Management Protocol.
102 Entities and companies should use section 12 of the AS/NZS ISO/IEC 27002:2006 Information
technology—Security techniques—Code of practice for information security when developing
their operational security management procedures and measures. The Australian Government
Information Security Manual (ISM) prepared by Australian Signals Directorate should be
consulted for further information regarding operational security management procedures and
controls.
6.4.1 Operational information security management
103 Under clause 16 of the GPO, entities and companies must ensure that:
• ICT systems and network tasks are managed securely and consistently
• application whitelisting is used
• applications and operating systems are patched as soon as reasonably practicable, giving consideration to the criticality of the patch, and
• administrative privileges are minimised.
104 The requirement under clause 16 of the GPO aligns with mandatory requirement INFOSEC 4 of the PSPF, as applicable to entities and companies. Under INFOSEC 4, entities and companies must implement the mandatory Top 4 Strategies to Mitigate Targeted Cyber Intrusions as detailed in the Controls manual of the ISM. For further guidance, see the Information Security Management Protocol.
7 Physical security
105 Entities and companies must have policies and procedures in place to ensure the safety of
personnel, clients and Australian Government resources that are appropriate and meet their
business needs.
106 Entities and companies should inform their personnel of their physical security policies and procedures, covering:
• measures operating in the entity’s or company’s work environment and how they provide security
• functions and resources that the measures are designed to protect
• how their measures interact with and support governance, personnel and information security measures
• the security responsibilities of the personnel working in each work area and location
• the requirement to report security issues or incidents in work areas, and
• any consequences of failing to adhere to policies and procedures.
7.1 Security of facilities
107 Under clause 17(2) of the GPO, entities and companies must implement physical security
measures that minimise the risk of Commonwealth resources being accessed, used, removed or
made inoperable without appropriate authorisation. This sub clause aligns with the PHYSEC
mandatory requirements of the PSPF.
108 Entities and companies are to ensure that their facilities containing Commonwealth resources
provide a level of protection commensurate with the assessed business impact of the
compromise, loss of integrity, or unavailability of the resources, both during and outside working
hours. For further information see the Australian Government Physical security management
guidelines – Security zones and risk mitigation control measures.
109 An entity or company’s physical security policy should cover:
• entity or company and visitor access arrangements
• site specific policies where there are different roles/risks in facilities
• security and safety of people – in conjunction with other entity or company safety policies
• working outside of entity or company facilities (remotely), and
• physical security of information and ICT systems.
7.2 Physical security of information
110 Entities and companies are to provide physical protection of hardcopy and electronic
information in accordance with the business impact resulting from the compromise, loss of
integrity or unavailability of the information.
111 ‘Aggregation’ is a term used to describe the compilation of classified or unclassified
Commonwealth information that may require a higher level of protection than the individual
pieces of information in the compilation. This is because the compilation of information
generates a greater value, and the consequence of compromise, loss of integrity, or
unavailability creates an increase in the business impact level.
112 Entities and companies are to implement physical security measures to mitigate the risks
associated with the impact of loss, compromise or unavailability of aggregations of information.
Further information may be obtained from the Australian Government protective security
governance guidelines—Business impact levels.
7.3 Minimum requirements for protecting security classified information
113 Entities and companies are required to comply with the security requirements set out in the
Australian Government physical security management guidelines—Security zones and risk
mitigation control measures for protecting security classified information, valuable physical
assets, or the aggregation of information and physical assets, where the compromise, loss of
availability, or loss of integrity of that material would cause extreme or catastrophic impact to
the national interest.
114 Entities and companies holding TOP SECRET information are also required to comply with:
• ASIO Technical Note – Physical Security of Secure Areas/SR1 Rooms, and
• the supplement to the Technical Note – Physical Security of TOP SECRET Areas (accessible on a need to know basis by contacting pspf@ag.gov.au).
115 If, for any reason, an entity or company cannot meet these requirements, it is required to first obtain approval from ASIO-T4, as well as from the originator of the material, for each site used to hold any TOP SECRET information or aggregation of information the compromise, loss of integrity or unavailability of which would cause a catastrophic impact.
7.3.1 Use of SCEC approved products
116 The Security Construction and Equipment Committee (SCEC) tests and approves security products that primarily focus on protecting security classified information where the compromise, loss of integrity or unavailability of that information would result in a business impact level of high or above, products that prevent widespread loss of life, and other security products that require specialist testing. These approved items are listed in the SCEC Security Equipment Evaluated Products List.
117 Entities and companies are to use SCEC-approved equipment for the protection of official
information as identified in the Australian Government physical security management
guidelines—Security zones and risk mitigation control measures.
7.4 Integration of security measures during planning/modification of facilities
118 Under clause 17(3) of the GPO, entities and companies must ensure that they fully integrate
protective security measures early in the process of planning, selecting, designing or modifying
its facilities. This sub clause aligns with mandatory requirement PHYSEC 3 of the PSPF as
applicable to entities and companies.
119 Entities and companies are required to follow the detailed guidance in Australian Government
physical security management guidelines—Security zones and risk mitigation control measures
to determine how they should apply the security zones categories to treat their risks and
integrate their security control measures.
120 To achieve the consistent security zone standards, entities and companies are required to apply
the control measures, the control components and individual elements detailed in Tables 4 and
5 of Australian Government physical security management guidelines—Security zones and risk
mitigation control measures. Entities and companies are to certify the application of these
measures and accredit the security zones as detailed in these guidelines.
7.5 Developing agency alert levels and guides
121 Alert level guides provide advice to employees on the measures used by an entity or company to
mitigate emergencies and heightened threat levels. Alert levels should take an ‘all hazards’
approach as physical and environmental threats may have the same, or greater, impact on an
agency’s ability to function as the traditional security threats.
122 Protective security measures should provide assurance in information and asset sharing
arrangements, as well as mitigate the risks to entity or company personnel and resources. Alert
levels allow entities and companies to scale the controls used to mitigate risks as the risks
increase or decrease.
123 The source of an entity’s or company’s physical security risks can be categorised into three areas:
• Event – an event is an important happening or incident impacting on the entity’s or company’s ability to function, such as a weather event (e.g. storm) or an emergency event (e.g. fire).
• Threat – a threat is a declared intent to inflict harm on entity or company staff or property.
• Activity – an activity is an action by one or more people likely to have a negative impact on physical security (e.g. protest activity, filming in the vicinity of premises).
124 If an entity’s or company’s protective security or safety measures are damaged or breached by
an event or activity, or there is credible evidence to support a threat, then the response might
be an escalation in agency alert level.
125 Entity or company specific alert levels should be based on the possible sources of risk to the entity’s or company’s physical security identified in its security risk assessment. The number of alert levels an entity or company needs will be determined by its risk sources and operating environment.
126 For further information on developing alert levels see the Protective security better practice
guide: Developing agency alert levels.
Part 4 – Reporting
8 Reporting security incidents
127 Under clause 18 of the GPO, entities and companies must report security violations as soon as reasonably practicable, as follows:
• if the violation relates to information and communications technology—to the Director of the Australian Signals Directorate at asd.assist@defence.gov.au or 1300 292 371
• if the violation relates to national security—to the Director-General of Security on (02) 6249 6299, and
• if the violation impacts on Commonwealth resources originating from, or a person employed by, or subject to the direction of, another entity or company—to the accountable authority or directors of the other entity or company.
128 Entities and companies should report any suspected criminal activity to the Australian Federal Police or to their State or Territory Police. If entities or companies are in doubt about where they should report, they should contact the National Security Hotline on 1800 123 400 or hotline@nationalsecurity.gov.au.
129 If a security incident relates to a security clearance subject, entities and companies should report
it to AGSVA through the Change of Circumstance Notification Form.
130 Entities and companies should assess the harm from any security breach or violation to
determine the impact on the Australian Government of the actual or suspected loss,
compromise or disclosure. The Business Impact Levels Guidelines can assist entities in identifying
the business impacts arising from the compromise of confidentiality, integrity or availability of
Commonwealth resources or harm to individuals or organisations.
131 Entities and companies should report any security breaches that have a business impact level of
very high or above; or if multiple breaches occur.
132 Annexure D will assist entities and companies in differentiating between a violation and a
security breach.
8.1 Examples of security incidents
133 Examples of security incidents that Commonwealth personnel should report to entity or
company security staff are:
• criminal actions such as actual or attempted theft, break and enter, vandalism, fraud or assault
• natural occurrences such as fire or storm damage, which may compromise agency security
• incorrect handling of protectively marked information, such as failure to:
- provide the required protection during transfer or transmission, resulting in a data spill on an electronic information network or system
- store security classified information in an appropriate security container
- correctly secure security containers, or
- hold appropriate authorisation to access official information
• sharing official information with a person who is not authorised to access it
• sharing computer passwords or other access control mechanisms
• any unauthorised use of official resources, and
• any deliberate non-compliance with or circumvention of an entity’s or company’s security policies.
8.2 Procedures for ensuring staff report and record security incidents
8.2.1 Entity or company protective security policy
134 The entity’s or company’s protective security policy and procedures should make provisions for
reporting and recording security incidents by:
• requiring Commonwealth personnel to report security violations or breaches
• including formal procedures and mechanisms to make it easy to report security violations or breaches
• requiring the entity or company to maintain records of any reported violation or breach and any other security incidents, and
• including procedures for dealing with security violations or breaches.
8.3 Reporting security incidents to ASIO
135 Entities and companies are required to report to ASIO any security violations and security
breaches that involve suspected:
• espionage
• sabotage
• acts of foreign interference
• attacks on Australia’s defence system
• politically motivated violence
• promotion of communal violence, or
• serious threats to Australia’s territorial and border integrity.
136 Dependent upon the assessment, ASIO will either:
• recommend the entity continue with its own investigation and advise ASIO of the outcome, or
• conduct the investigation, in close consultation with the agency, and possibly in conjunction with the Australian Federal Police (AFP).
137 The agency should strictly observe the need to know principle in relation to the details of a
security violation or major security breach and the fact that it has occurred until ASIO advises
otherwise.
8.4 Reporting cyber security incidents to ASD
138 Entities and companies are required to report suspected cyber security incidents to ASD
including:
• suspicious or seemingly targeted emails with attachments or links
• any compromise or corruption of information
• unauthorised hacking
• any viruses
• any disruption or damage to services or equipment, and
• data spills.
139 Entity or company ICT security policies and plans should require early contact with ASD to avoid
inadvertently compromising any investigation into a cyber security incident.
140 Further information on security incidents and reporting can be obtained from the Australian
Government Protective Security Governance Guide – Reporting Incidents and Conducting Security
Investigations.
9 Annual reporting on compliance
141 Under clause 19 of the GPO, entities and companies are to submit a self-assessment of their compliance with the GPO for the year ending 30 June to their relevant portfolio Minister. Reports are to be submitted no later than 31 August of each year. Reports received after this date will be recorded as non-compliant.
142 The first annual report is due 31 August 2017, and thereafter annually.
143 Based on the sensitivity of the report, compliance with the GPO can be incorporated into other
reporting to the relevant Minister.
144 The annual report must identify:
• any provisions of the GPO that the entity or company has not complied with during the period covered by the report
• the circumstances in which the non-compliance occurred
• the reasons for the non-compliance, and
• details of the risk based measures taken or to be taken to address the non-compliance, including, where relevant, measures taken to ensure that such failures do not recur and timeframes for implementing measures.
145 The annual report must also state the numbers and levels of security clearances granted subject
to:
• citizenship waivers, and
• uncheckable background waivers.
146 Entities and companies must report to:
• their portfolio Minister, and
• the Secretary, Attorney-General’s Department, via email to pspf@ag.gov.au.
147 Entities and companies must also report any cyber security incidents to the Director of ASD and national security issues to the Director-General of Security, as detailed in section 8.
148 For further information on reporting see the Australian Government – Protective security
governance guidelines – Compliance reporting.
Annexure A – Template deed of confidentiality for execution by an employee¹
DEED OF CONFIDENTIALITY
THIS DEED IS MADE ON THE          DAY OF          201[ ]
This Deed is made by:
[insert full name of person or company] [insert ABN] (the Confidant)
RECITALS
i. In the course of the Confidant’s employment by the Commonwealth, a Confidant may become aware of Confidential Information belonging to or in the possession of the Commonwealth, or which is made available to the Confidant by the Commonwealth.
ii. Improper use or disclosure of confidential information would severely damage the Commonwealth's ability to perform its governmental or statutory functions and the rights of other parties.
iii. The Confidant agrees that it is necessary to take all reasonable steps (including the execution of this Deed) to ensure that the Confidential Information is kept confidential.
AGREED COVENANTS
1. INTERPRETATION
1.1. In the interpretation of this Deed unless the contrary intention appears or the
context otherwise requires or admits, the following expressions shall have their respective
meanings:
‘Confidential Information’ means information that:
1.1.1. is by its nature confidential;
1.1.2. is designated by the Commonwealth as confidential;
1.1.3. the Confidant knows or ought to know is confidential; or
1.1.4. is provided to the Confidant in support of the Activity after this Deed has been signed. This includes, but is not limited to, any information which the Confidant knows or ought to know is not to be made public,
but does not include information which:
1.1.5. is or becomes public knowledge other than by breach of any obligation of confidentiality owed to the Commonwealth; or
1.1.6. is required to be disclosed by law.
[1] Entities and companies should seek independent legal advice prior to utilising this template.
‘the Confidant’ means the person which receives Confidential Information and executes this Deed.
‘the Commonwealth’ means the Commonwealth Government of Australia, as represented by the
[insert name of entity or company].
1.2. Unless the contrary intention appears:
1.2.1. the clause and clause headings are for reference only and have no effect in limiting or extending the language of the provisions to which they refer
1.2.2. words in the singular include the plural and vice versa
1.2.3. words importing a gender include any other gender
1.2.4. a reference to a person includes a partnership and a body whether corporate or otherwise
1.2.5. a reference to a clause or a clause heading is a reference to a clause or clauses in this Deed, and
1.2.6. whether a word or phrase is given a particular meaning, other parts of speech and grammatical forms of that word or phrase have corresponding meanings.
2. DISCLOSURE
2.1. Disclosure can be made by the Confidant to any person within the Commonwealth
as represented by the corporate Commonwealth entity or wholly-owned Commonwealth
company set out in clause 1.1 but only if it is necessary and essential for Confidant to carry
out his duties as an employee of the Commonwealth.
3. NON-DISCLOSURE
3.1. In circumstances other than those outlined in clause 2, the Confidant must not
disclose Confidential Information to any person or party without the prior written consent
of the Commonwealth.
3.2. The Commonwealth may grant or withhold its consent in its absolute and unfettered
discretion.
3.3. If the Commonwealth grants its consent, it may impose conditions on that consent.
3.4. If the Commonwealth grants consent subject to conditions, the Confidant must
comply with those conditions.
3.5. The obligations of the Confidant under this Deed shall not be taken to have been
breached where the Confidential Information is legally required to be disclosed.
4. COMMONWEALTH MAY ENFORCE DEED
4.1. The Confidant agrees that the obligations in this Deed are for the benefit of the
Commonwealth, and that the Commonwealth may enforce the obligations herein.
5. NO EXCLUSION OF LAW OR EQUITY
5.1. This Deed must not be construed to exclude the operation of any principle of law or
equity intended to protect and preserve the confidentiality of the Confidential Information.
6. WAIVER
6.1. No waiver by the Commonwealth of one breach of any obligation or provision herein
contained or implied shall operate as a waiver of another breach of the same or of any
other obligation or provision herein contained or implied.
6.2. None of the provisions hereof shall be taken either at law or in equity to have been varied, waived, discharged or released by the Commonwealth unless by the Commonwealth’s express consent in writing.
7. GOVERNING LAW
7.1. The law applying in the Australian Capital Territory applies to this Deed. [2]
7.2. The courts of the Australian Capital Territory have exclusive jurisdiction to decide
any matter.
Executed as a Deed
SIGNED, SEALED AND DELIVERED by:
Name of Signatory
Signature
Name of Witness
Signature
[2] This template deed has been prepared to meet the requirements of the Australian Capital Territory jurisdiction. This template deed can be used in other jurisdictions without modifying the template. If entities or companies choose to change the jurisdiction to their own State and Territory, there may be different legal requirements and legal advice should be sought.
Annexure B – Template deed of confidentiality for execution by a contractor [3]
DEED OF CONFIDENTIALITY
THIS DEED IS MADE ON THE        DAY OF                    201[ ]
This Deed is made by:
[insert full name of person or company] [insert ABN] (the Confidant)
RECITALS
i. In the course of the Activity, a Confidant may become aware of Confidential Information belonging to or in the possession of the Commonwealth, or which is made available to the Confidant by the Commonwealth.
ii. Improper use or disclosure of Confidential Information would severely damage the Commonwealth's ability to perform its governmental or statutory functions and the rights of other parties.
iii. The Confidant agrees that it is necessary to take all reasonable steps (including the execution of this Deed) to ensure that the Confidential Information is kept confidential.
AGREED COVENANTS
1. INTERPRETATION
1.1. The Confidant agrees that the obligations and restrictions contained in this Deed
apply to the employees, agents and contractors (personnel) of the Confidant and that the
Confidant must ensure that its personnel do not breach any part of this Deed.
Definitions
1.2. In the interpretation of this Deed unless the contrary intention appears or the
context otherwise requires or admits, the following expressions shall have their respective
meanings:
‘Activity’ means [insert for example – the Confidant and the Commonwealth have agreed that
the Confidant will provide services to the Commonwealth in accordance with the contract for
[insert] dated [insert]].
‘Confidential Information’ means information that:
1.2.1. is by its nature confidential;
1.2.2. is designated by the Commonwealth as confidential;
1.2.3. the Confidant knows or ought to know is confidential; or
1.2.4. is provided to the Confidant in support of the Activity after this Deed has been signed. This includes, but is not limited to, any information which the Confidant knows or ought to know is not to be made public,
but does not include information which:
1.2.5. is or becomes public knowledge other than by breach of any obligation of confidentiality owed to the Commonwealth; or
1.2.6. is required to be disclosed by law.
[3] Entities and companies should seek independent legal advice prior to utilising this template.
‘the Confidant’ means the person or entity which receives Confidential Information and executes this
Deed.
‘the Commonwealth’ means the Commonwealth Government of Australia, as represented by the
[insert name of entity or company].
1.3. Unless the contrary intention appears:
1.3.1. the clause and clause headings are for reference only and have no effect in limiting or extending the language of the provisions to which they refer
1.3.2. words in the singular include the plural and vice versa
1.3.3. words importing a gender include any other gender
1.3.4. a reference to a person includes a partnership and a body whether corporate or otherwise
1.3.5. a reference to a clause or a clause heading is a reference to a clause or clauses in this Deed, and
1.3.6. whether a word or phrase is given a particular meaning, other parts of speech and grammatical forms of that word or phrase have corresponding meanings.
2. DISCLOSURE
2.1. Disclosure can be made by the Confidant to any person within the Confidant’s
organisation (as applicable) but only if it is necessary and essential for the Activity.
2.2. By disclosing any Confidential Information to the aforementioned persons, it is the
Confidant’s responsibility to ensure they have been briefed on the content of this Deed.
3. NON-DISCLOSURE
3.1. In circumstances other than those outlined in clause 2, the Confidant must not
disclose Confidential Information to any person or party without the prior written consent
of the Commonwealth.
3.2. The Commonwealth may grant or withhold its consent in its absolute and unfettered
discretion.
3.3. If the Commonwealth grants its consent, it may impose conditions on that consent.
In particular, but without limiting the generality of the preceding sentence, the
Commonwealth may require that the Confidant procure the execution of a Deed in these
terms, or such other terms as it may see fit, by the person to whom the Confidant proposes
to disclose the Confidential Information.
3.4. If the Commonwealth grants consent subject to conditions, the Confidant must
comply with those conditions.
3.5. The obligations of the Confidant under this Deed shall not be taken to have been
breached where the Confidential Information is legally required to be disclosed, or where
disclosure by the Confidant is permitted for the purposes of the Activity as outlined in
clause 2.
4. COMMONWEALTH MAY ENFORCE DEED
4.1. The Confidant agrees that the obligations in this Deed are for the benefit of the
Commonwealth, and that the Commonwealth may enforce the obligations herein.
5. NO EXCLUSION OF LAW OR EQUITY
5.1. This Deed must not be construed to exclude the operation of any principle of law or
equity intended to protect and preserve the confidentiality of the Confidential Information.
6. WAIVER
6.1. No waiver by the Commonwealth of one breach of any obligation or provision herein
contained or implied shall operate as a waiver of another breach of the same or of any
other obligation or provision herein contained or implied.
6.2. None of the provisions hereof shall be taken either at law or in equity to have been varied, waived, discharged or released by the Commonwealth unless by the Commonwealth’s express consent in writing.
7. GOVERNING LAW
7.1. The law applying in the Australian Capital Territory applies to this Deed. [4]
7.2. The courts of the Australian Capital Territory have exclusive jurisdiction to decide
any matter.
Executed as a Deed
SIGNED, SEALED AND DELIVERED for and on
behalf of [INSERT] (ABN [INSERT]) in accordance
with the requirements of section 127 of the
Corporations Act 2001 (Cth) by:
[4] This template deed has been prepared to meet the requirements of the Australian Capital Territory jurisdiction. This template deed can be used in other jurisdictions without modifying the template. If entities or companies choose to change the jurisdiction to their own State and Territory, there may be different legal requirements and legal advice should be sought.
Name of Director
Signature
Name of Director/Secretary
Signature
Dated
[or if by an individual]
SIGNED, SEALED AND DELIVERED by:
Name of Signatory
Signature
Name of Witness
Signature
Dated
[or if by a partnership]
SIGNED, SEALED AND DELIVERED by:
Name of Partner
Signature
Name of Partner
Signature
In the presence of:
Name of Witness
Signature of Witness
Dated
Annexure C – How to select an appropriate protective marking
Annexure D – Security violations and breaches
Type of incident: Security Violation
Definition: A deliberate, negligent or reckless action that leads, or could lead, to the loss, damage, corruption or disclosure of official resources.
Examples are:
• espionage or suspected espionage
• loss of material classified CONFIDENTIAL or above, or significant quantities of material of a lower classification
• actual or suspected compromise of material at any level including tampering with security containers or systems
• actual or suspected hacking into any information and communications technology (ICT) system
• loss, compromise, suspected compromise, theft or attempted theft of classified equipment
• compromise of keys to security locks or of combination settings
• recovery of previously unreported missing classified material or equipment
• unauthorised disclosure of official or classified information, significant loss or compromise of cryptographic keying material or a significant breach of ICT systems as assessed by ASD
• actual or attempted unauthorised access to an alarm system covering a secured area where security classified information is stored
• loss, theft, attempted theft, recovery or suspicious incidents involving weapons, munitions, explosives, or hazardous materials whether nuclear, chemical, radiological or biological, or
• continuous breaches involving the same person or work area where the combination of the incidents warrants an investigation.

Type of incident: Security Breach
Definition: An accidental or unintentional failure to observe the protective security mandatory requirements.
Examples are:
• access passes or identification documents lost or left insecure
• failure to swipe access card (tailgating)
• leaving sensitive information on an unattended desk
• failing to lock computers before leaving a desk
• leaving entrance doors unlocked after hours
• security classified material left in UNCLASSIFIED waste bins, or
• security classified material not properly secured or stored.
Annexure E – Abbreviations and acronyms
AGD – Attorney-General’s Department
AGSCS – Australian Government Security Classification System
AGSVA – Australian Government Security Vetting Agency
ASD – Australian Signals Directorate
ASIO – Australian Security Intelligence Organisation
ASIO-T4 – ASIO – T4 Protective Security
DLM – Dissemination Limiting Marker
GPO – Government Policy Order, namely the Public Governance, Performance and Accountability (Protective Security Policy) Order 2015
ISM – Australian Government Information Security Manual
PGPA Act – Public Governance, Performance and Accountability Act 2013 (Cth)
PSPF – Protective Security Policy Framework