Protective security governance guidelines

Security awareness training
Version 1.0
Approved
September 2010
Contents
- Introduction
- Who gets security awareness training/briefings?
- Security awareness training content
  - Identified agency specific risk and policies
  - Personal safety measures
  - Asset protection
  - Protection of official information
  - Reporting requirements
    - Internal reporting contacts
    - Changes of circumstances
    - Contact Reporting Scheme arrangements
  - Additional security briefings
Introduction
These guidelines support and should be read in conjunction with:
- Protective Security Policy Framework - Governance
- Australian Government Personnel Security Protocol
- Australian Government Information Security core policy, and
- Australian Government Physical Security core policy.
Security awareness training is an important element of protective security. Awareness
training supports physical, information and personnel security measures as well as informing
staff of their governance requirements.
To truly change behaviours, a security awareness campaign effectively communicates what is
enforced (your policies) and why, then follows up the campaign with strong, visible
enforcement and rewards.
See the Australian National Audit Office Audit Report No.25 2009-10 – Security Awareness
and Training.
Employees should undertake security awareness as soon as possible after starting with the
agency. It is recommended that agencies include security awareness in their induction
programs.
Agencies should hold regular refresher training sessions to confirm prior knowledge and
inform employees of any new measures. Agencies should give additional training if the
threat environment changes.
Agencies can develop security awareness through:
- campaigns that address the ongoing needs of the agency and the specific needs of
  sensitive areas, activities or periods of time
- security instructions and reminders via publications, electronic bulletins and visual
  displays such as posters
- protective security-related questions in staff selection interviews
- drills and exercises, and
- inclusion of security attitudes and performance in the agency performance
  management program.
It is recommended that any training program use a mixture of delivery methods and follow
the principles of adult education. The Adult education guide produced by the Australian
Government Financial Literacy Foundation provides an overview of these principles.
It is recommended that, if training is outsourced, agencies use a Registered Training
Organisation (RTO). RTOs are accredited training providers who offer courses through the
Australian Quality Training Framework. A list of RTOs is available from training.gov.au.
Who gets security awareness training/briefings?
Agencies are to provide security awareness training/briefings to:
- their employees and any contractors based in agency facilities. It is recommended
  that this training be provided initially as part of the employee induction process or
  as soon as possible after commencement, and
- holders of Negative and Positive Vetting clearances on granting of the clearances,
  and every five years as a condition of revalidation of the clearances. The briefings
  are to detail the clearance holders’ information security responsibilities. It is
  recommended that agencies also provide a briefing to Baseline Vetting clearance
  holders every five years.
It is recommended that security awareness training also be provided to employees,
contractors and other people to whom the agency gives access to unclassified official
information.
An agency should provide targeted security awareness training when the agency has an
increased or changed threat environment.
It is recommended that agencies undertake regular security awareness training.
Security awareness training content
Security awareness training should cover the following areas:
- Agency security procedures and policies
- Personal safety measures
- Asset protection
- Protection of official information from:
  - inappropriate use
  - loss, and
  - corruption
- Reporting requirements including:
  - changes of circumstances
  - incident reporting, and
  - the Contact Reporting Scheme
- Additional security briefings
Identified agency specific risk and policies
Agency specific risks, and countermeasures, will be identified as part of the agency risk
review and policies.
Agencies should make employees and contracted service providers aware of the protective
security programs operating in their area, the threats those programs are designed to counter,
and their own roles and responsibilities in relation to them.
Personal safety measures
Agencies have a responsibility to protect employees and visitors; see Australian Government
Comcare - OHS Act, Regulations and Code.
It is recommended that agencies develop an employee safety handbook that is provided to
all employees as well as being readily available on agency intranet sites. The handbook
should include emergency response guidelines and contacts as well as any agency specific
safety requirements and procedures.
Agencies with heightened risks from the public and/or clients should ensure that the
employees with whom the public interact are aware of all safety measures in place in the
agency. The agencies should also hold regular exercises and drills to confirm their staff’s
competencies.
Staff with specific emergency safety or security roles should receive regular training as well
as participate in exercises to confirm their ongoing competency. See:
- Standards Australia - AS3745-2002: Emergency control organisation and procedures
  for buildings, structures and workplaces, and
- Standards Australia - HB 328-2009: Mailroom security.
Asset protection
Agencies should provide advice to staff on:
- access control systems
- legal requirements to protect assets
- agency specific measures to protect assets
- what fraud is and how to report it
- how to report lost, damaged or stolen assets, and
- asset audit and stocktake requirements.
Agencies should provide the information required to allow employees to meet their
responsibilities prior to taking custody of any assets.
See:
- Commonwealth Fraud Control Guidelines
- Australasian Legal Information Institute - Financial Management and Accountability
  Act 1997 s 42
- SAI Global - AS 8001-2008 Fraud and corruption control
Protection of official information
Agencies should ensure that every program area is aware of the classification and handling
requirements for the resources it possesses or develops.
Agencies should provide employees with training on:
- agency ICT system(s) security classifications
- special arrangements for producing documents above the ICT systems’ capability,
  and
- audit and accountability requirements for highly classified, codeword or caveat
  material.
All employees, regardless of level or security clearance, need to be aware of the harm
caused by the compromise of security classified resources handled in their workplace and
the ways in which those resources might be vulnerable to compromise or misuse.
Reporting requirements
Internal reporting contacts
Agencies should provide employees with a list of key agency reporting contacts. See PSPF
Governance - Protective Security Investigations. It is recommended that the list of contacts
be included in the employee safety handbook.
The contacts list should cover, but is not limited to, how to report:
- suspicious behaviour
- threatening behaviour including letters, bomb threats and phone calls
- broken ICT and security equipment
- security infringements and breaches
- fraud or suspected fraud
- full secure waste bins, and
- lost credit cards.
Reporting guidelines should also include any agency specific “whistle blowing” provisions.
Changes of circumstances
See PSPF Australian Government Personnel Security - Reporting changes in personal
circumstances guidelines.
Contact Reporting Scheme arrangements
See PSPF Australian Government Personnel Security - Contact reporting guidelines.
Additional security briefings
Other types of briefings given to employees may include:
- personal safety briefings when travelling on official business or for personal
  purposes
- briefings and debriefings for accessing TOP SECRET material
- briefings and debriefings to allow access to specific caveat, compartmentalised or
  codeword security classified information or resources
- overseas travel briefings and debriefings
- specific location briefings for high-risk destinations
- briefings tailored for specific categories of employment, eg, the unique security
  issues for IT staff, scientists and others
- briefings tailored to an individual’s particular security needs, as part of a continuing
  management strategy, and
- risk management briefings in general and protective security in particular.