Physical Security Management Guidelines Physical security of ICT equipment, systems and facilities Approved 27 October 2011 Version 1.0 © Commonwealth of Australia 2011 All material presented in this publication is provided under a Creative Commons Attribution 3.0 Australia (http://creativecommons.org/licenses/by/3.0/au/deed.en ) licence. For the avoidance of doubt, this means this licence only applies to material as set out in this document. The details of the relevant licence conditions are available on the Creative Commons website (accessible using the links provided) as is the full legal code for the CC BY 3.0 AU licence (http://creativecommons.org/licenses/by/3.0/legalcode ). Use of the Coat of Arms The terms under which the Coat of Arms can be used are detailed on the It's an Honour (http://www.itsanhonour.gov.au/coat-arms/index.cfm) website. Contact us Inquiries regarding the licence and any use of this document are welcome at: Business Law Branch Attorney-General’s Department 3-5 National Cct BARTON ACT 2600 Telephone: (02) 6141 6666 copyright@ag.gov.au Document details Security classification Unclassified Dissemination limiting marking Publicly available Date of security classification review July 2013 Authority Protective Security Policy Committee Author Protective Security Policy Section Attorney-General’s Department Document status Approved by PSPC 27 October 2011 i Table of Contents 1. Introduction ............................................................................................................................... 1 1.1 Purpose ......................................................................................................................................... 1 1.2 Audience ....................................................................................................................................... 1 1.3 Scope............................................................................................................................................. 1 1.3.1 Use of specific terms in these guidelines .............................................................................. 1 2. 3. Background ................................................................................................................................ 3 2.1 Why were the guidelines developed? .......................................................................................... 3 2.2 Relationship to other documents ................................................................................................. 3 2.3 How are the guidelines structured? ............................................................................................. 4 Physical security of ICT equipment .............................................................................................. 5 3.1 Storage of ICT equipment when not in use .................................................................................. 5 3.2 Security of ICT equipment that cannot be kept in security containers or rooms when not in use ...................................................................................................................................................... 5 3.2.1 Equipment with solid state drives or hybrid hard drives ...................................................... 6 3.3 Auditing of ICT equipment ............................................................................................................ 6 3.3.1 Tamper evident seals ............................................................................................................ 6 4. 5. Physical security of ICT system equipment .................................................................................. 7 4.1 Physical security of servers and network devices......................................................................... 7 4.2 Network Infrastructure ................................................................................................................. 7 4.3 Deployable ICT systems ................................................................................................................ 8 4.4 ICT system gateway devices ......................................................................................................... 8 Physical security of ICT facilities .................................................................................................. 9 5.1 Accreditation of ICT facilities ........................................................................................................ 9 5.1.1 TOP SECRET or codeword information ICT facilities ............................................................. 9 5.2 Access control to ICT facilities and equipment within ICT facilities............................................ 11 5.2.1 Technical surveillance counter-measures ........................................................................... 11 5.3 Outsourced ICT facilities ............................................................................................................. 11 5.3.1 Gateway facilities ................................................................................................................ 11 5.3.2 Datacentres ......................................................................................................................... 12 6. Protection of information and ICT equipment against environmental or man-made threats ....... 13 6.1 Preservation of ICT equipment ................................................................................................... 13 6.1.1 Uninterruptable and auxiliary power supplies .................................................................... 13 6.2 Protection from environmental or man-made disasters ............................................................ 14 6.2.1 Flooding ............................................................................................................................... 14 6.2.2 Fire....................................................................................................................................... 14 6.3 Backup ICT systems ..................................................................................................................... 14 ii Amendments No. Location Amendment iii 1. Introduction 1.1 Purpose The Australian Government physical security management guidelines–Physical security of ICT (information and communications technology) equipment, systems and facilities provide guidance to achieve a consistent approach to determining physical security controls for ICT equipment, systems and facilities holding Australian Government information. 1.2 Audience These guidelines are intended for: Australian Government security management staff Australian Government ICT security management staff contractors to the Australian Government providing physical security advice and services providers of facilities for Australian Government ICT services and functions, and any other body or person responsible for the security of Australian Government people, information or physical assets. 1.3 Scope These guidelines relate to physical security measures of ICT equipment, systems and facilities within: Australian Government agencies, or other entities handling Australian Government official information. In the absence of specific advice in these guidelines agencies should refer to SAI Global - AS/NZS ISO/IEC 27002:2006 Information Technology–Security techniques–Code of practice for information security management, Section 9 – Physical and environmental security. Note: Where legislative requirements prescribe higher controls than those identified in these guidelines the legislative controls take precedence and are to be applied. Agencies are to protect any information provided by another government in accordance with international agreements, see PSPF Governance Arrangements–4.10 International security agreements. These guidelines include advice on the Australian Government’s expectations for the protection of Australian information by foreign governments. 1.3.1 Use of specific terms in these guidelines In these guidelines the use of the terms: ‘need to’ refers to a legislative requirement that agencies must meet ‘are required to’ or ‘is required to’ refers to a control: - to which agencies cannot give a policy exception, or - used in other protective security documents that set controls. 1 ‘are to’ or ‘is to’ are directions required to support compliance with the mandatory requirements of the physical security core policy, and ‘should’ refers to better practice, agencies are expected to apply better practice unless there is a reason based on their risk assessment to apply alternative controls. For details on policy exceptions see the PSPF - Australian Government physical security management protocol (section 1.4). The following terms are also used in these guidelines: Aggregation—compilations of official information that may require a higher level of protection than their component parts. This is because the combination generates a greater value, and the consequence of compromise, loss of integrity, or unavailability creates an increase in the business impact level. Availability—the ability of an agency to make information available to conduct its normal business within a predetermined maximum acceptable outage based on the criticality of the information, see Australian Standard HB 292-2006 A practitioner’s guide to business continuity management section 4.7 for further information. ICT equipment—any device that can process, store or communicate electronic information—for example, computers, multifunction devices, landline and mobile phones, digital cameras, electronic storage media and other radio devices. - ICT system equipment—a subset of ICT equipment that is used to maintain an ICT system— for example, servers, communications network devices such as PABX, gateways and network infrastructure such as cabling and patch panels—this equipment is normally continuously operational. ICT facility—a building, a floor of a building or a designated space on the floor of a building used to house or process large quantities of data; for example, server and gateway rooms, datacentres, back up repositories, storage areas for ICT equipment, and communications and patch rooms. ICT system— a related set of hardware and software used for the processing, storage or communication of information and the governance framework in which it operates. Network infrastructure—the infrastructure used to carry information between workstations and servers or other network devices. For example: cabling, junction boxes, patch panels, fibre distribution panels and structured wiring enclosures. Security container or room—Security Construction and Equipment Committee (SCEC) approved A, B or C class container or room, see PSPF - Australian Government physical security management guidelines–Security zones and risk mitigation control measures Section 5.13 and 5.14. 2 2. Background 2.1 Why were the guidelines developed? The Australian Government physical security management guidelines–Physical security of ICT equipment, systems and facilities provide a consistent and structured approach to determining: the level of control required to: - meet the assessed risk - give suitable protection to information - provide assurance to other agencies for information sharing, and the types of controls that are suitable. The guidelines will: establish consistent terminology for physical security of ICT equipment, systems and facilities holding Australian Government official information, and give agencies a framework for the assurance needed to share information. These guidelines recognise that the predominant risks to electronic information (whether held in ICT equipment, systems or facilities) are from: external cyber attack—the minimum mandatory logical controls to counter cyber attacks are detailed in the ISM, and trusted insiders—including, but not limited to disgruntled or inexperienced users, contractors, and administrators. The theft or loss of ICT equipment is another risk to electronic information. The controls identified in the ISM are used to mitigate threats to confidentiality, integrity and availability of information held on ICT equipment. Physical security measures also mitigate these risks by restricting access to people with a genuine need to know. Agencies should develop procedures to minimise the risk of oversight of information on their ICT equipment. 2.2 Relationship to other documents These guidelines support the implementation of the Protective Security Policy Framework (PSPF). They are part of a suite of documents that aid agencies to meet their physical security requirements. In particular, they support and should be read in conjunction with the: PSPF - Australian Government physical security management protocol, in particular Section 8 PSPF - Australian Government physical security management guidelines–Security zones and risk mitigation control measures PSPF - Australian Government protective Security governance guidelines–Business impact levels PSPF - Australian Government information management protocol, and Defence Signals Directorate (DSD) publication the Australian Government information security manual (ISM) 3 2.3 How are the guidelines structured? These guidelines are broadly divided into the following sections: physical security of: - ICT equipment - ICT systems - ICT facilities, and protection of information and ICT equipment from environmental or man-made threats. 4 3. Physical security of ICT equipment The primary purpose of ICT equipment is to facilitate the processing storage and communication of agency information electronically. ICT equipment that requires protection includes any device which can store information electronically, such as: computers—desktop, laptop or tablet photocopiers, multi function devices (MFDs) and printers fax machines mobile telephones digital cameras personal electronic devices, and storage media–for example, portable hard drives, USB sticks, CDs, DVDs, RFID tags and systems. The level of protection that should be given to ICT equipment is based on the higher of: business impact level that would result from the compromise, loss of integrity or unavailability of the aggregate of electronic information held on the equipment, or the loss/ unavailability of the ICT equipment itself. See the PSPF - Australian Government protective security governance guidelines–Business impact levels. 3.1 Storage of ICT equipment when not in use When ICT equipment is stored in dedicated Physical security of ICT facilities the physical security controls should meet those detailed in Table 1–Storage requirements for electronic information in ICT facilities. Where ICT equipment is not stored in dedicated ICT facilities agencies should apply the physical security controls detailed in the PSPF - Australian Government physical security management guidelines–Security zones and risk mitigation control measures. The physical security controls used are to meet either the requirements of Table 1 or the guidelines as appropriate, or exceed those required when justified by the agency security risk assessment. Where agencies cannot meet the above requirement they are to seek advice from DSD on additional logical or technological solutions that may be available to lower the risks to electronic information when the equipment is not in use. (See below.) 3.2 Security of ICT equipment that cannot be kept in security containers or rooms when not in use Agencies may not be able to secure some electronic equipment in security containers or rooms when not in use–for example, desktop computers, printers, MFDs. In some circumstances agencies may be able to fit removable non-volatile media (hard-drives) that can then be secured in an appropriate security container when not in use. 5 In cases where the non-volatile media cannot be removed agencies should determine the Zone where the equipment can be kept based on the risks of obtaining information, and the sensitivity of the information attainable, from the equipment. Agencies should seek further advice from DSD on additional logical or technological solutions that may be available to lower the risks to electronic information. Agencies should assess the risk when equipment cannot be secured when not in use, where its compromise could cause loss of integrity or availability of the information held by or accessible through that equipment. Where the business impact of the compromise, loss of integrity or unavailability of the information is very high or extreme, the equipment is to be stored in a Zone Three or above area unless additional logical controls are applied to lower the risks when not in use to a level acceptable to the agency. Where the business impact of the compromise, loss of integrity or unavailability of the information is catastrophic, the equipment is to be stored in a Zone Five area unless additional logical controls are applied to lower the risks when not in use to a level acceptable to the information originator. The logical controls described in the ISM do not constitute sanitisation and reclassification of ICT media. Therefore, the media retains its classification for the purposes of reuse, reclassification, declassification, sanitisation, destruction and disposal as specified in the ISM. 3.2.1 Equipment with solid state drives or hybrid hard drives Solid state drives and hybrid hard drives cannot be made safe through normal wiping processes when switched off. Agencies wishing to use equipment fitted with solid state drives or hybrid hard drives should seek advice from DSD on other methods of securing these types of equipment–for example, encryption. 3.3 Auditing of ICT equipment For asset control of ICT equipment, agencies should: record the location and authorised custodian, and periodically audit. The period between audits should be based on the agency’s risk assessment with higher risk items audited on a more regular basis. Agencies should, based on their risk assessment, consider visually inspecting ICT equipment as part of their asset control audit to ensure that non-approved devices have not been installed. Agencies are to have procedures for employees to report the loss of ICT equipment. 3.3.1 Tamper evident seals Agencies may seal access to ICT equipment using Security Construction and Equipment Committee (SCEC) approved tamper evident wafer seals suitable for application to hard surfaces. The use of seals may give a visual indication of unauthorised access into the equipment if the seals are removed or broken. Agencies should refer to the SCEC Security Equipment Catalogue when selecting wafer seals. 6 4. Physical security of ICT system equipment In addition to the ICT equipment mentioned in Section 3, ICT system equipment that needs physical security includes: servers—including dedicated devices and laptops used as servers other communications network devices—for example, PABX the supporting network infrastructure—for example, cabling, patch panels, and gateway devices—for example routers, network access devices. 4.1 Physical security of servers and network devices Servers and network devices are to be located in security rooms/containers. The level of room/container used should be determined by the business impact of the compromise, loss of integrity or unavailability of the aggregated information accessible from the servers and network devices. Agencies should keep servers and communication network devices in dedicated Physical security of ICT facilities. Agencies are required to apply the controls identified in the PSPF - Australian Government physical security management guidelines–Security zones and risk mitigation control measures to protect the information on the servers and network devices not held in dedicated ICT facilities. 4.2 Network Infrastructure Agency information is communicated through network infrastructure. Where DSD approved encryption is applied the requirements for physical security of network infrastructure can be lowered. Agencies should protect network infrastructure using a mixture of physical security measures and encryption. Agencies are to use Security Zones suitable for the highest business impact of the compromise, loss of integrity or unavailability of information being communicated over the network infrastructure. As it may not be possible to secure all network infrastructure in security containers/rooms agencies are also to meet any system encryption requirements in the ISM. Agencies should determine the level of container required for patch panels, fibre distribution panels and structured wiring enclosures based on: the business impact of the information passing over the connections, and any other controls in place to protect the information. Panels should at a minimum be in locked containers/rooms to prevent tampering. Agencies lose control of their information when it is communicated over unsecured public network infrastructure or over infrastructure in unsecured areas as they can have no assurance of the physical security of the infrastructure or logical security of the information. Agencies are required to use the encryption standards identified in the ISM for information transmitted over public network infrastructure when the compromise, loss of integrity or 7 unavailability of the information would have a business impact of high or above. The encryption will sufficiently protect the information to allow it to be transmitted on an unclassified network. Encryption is normally applied at an agency gateway. Agencies are also required to apply the encryption standards identified in the ISM to protect information on their network infrastructure in unsecured areas. 4.3 Deployable ICT systems Agencies may have difficulty in applying suitable physical security measures when using deployable ICT systems, particularly if deployed into high risk environments. Agencies that use deployable systems are required to seek advice from DSD on suitable logical controls to help mitigate any risks they identify. 4.4 ICT system gateway devices In addition to the logical controls required in the ISM, agencies are to use physical security measures for their ICT system gateway devices to mitigate the higher business impact from: the loss of the devices, or the compromise of the aggregated information arising from physical access to the devices. Agencies using shared gateways are to apply controls to the gateway appropriate to the highest level of information passing through the gateway. Agencies are to prevent unauthorised access to gateway devices. It is recommended that these devices be located in dedicated Physical security of ICT facilities. 8 5. Physical security of ICT facilities Agencies may use dedicated ICT facilities to house ICT systems, components of their ICT Systems or ICT equipment. These facilities include, but are not limited to: server and gateway rooms datacentres backup repositories storage areas for ICT equipment that hold official information, and communications and patch rooms. Agencies should pay particular attention to the security of any access points to an ICT facility—for example, cabling and ducting. 5.1 Accreditation of ICT facilities ICT facilities are required to be within accredited Security Zones, as detailed in the PSPF - Australian Government physical security management guidelines–Security zones and risk mitigation control measures, appropriate for the aggregation of the information held. Also agencies should house ICT facilities in Security Zones dedicated to these ICT facilities, separate to other agency functions. Where an agency outsources its ICT facilities, or uses shared facilities, the agency is required to ensure their information is held in a Security Zone appropriate for the aggregation of information, see Outsourced ICT facilities. Containers used to house ICT equipment in an ICT facility may be at a lower level when the ICT facility is a separate Security Zone within an existing Security Zone that is suitable for the aggregation of the information held. See Table 1–Storage requirements for electronic information in ICT facilities. 5.1.1 TOP SECRET or codeword information ICT facilities All TOP SECRET or codeword information ICT facilities are to be in a separate Zone Five within a Zone Five work area, both of which are to be certified by ASIO-T4. TOP SECRET ICT facilities are to have either a separate zone on the agency EACS and SCEC approved Type 1 SAS, or have their own SCEC approved Type 1 SAS. In addition agencies are required to have DSD to certify all TOP SECRET ICT systems. 9 Table 1–Storage requirements for electronic information in ICT facilities The physical security containers/rooms required for holding ICT equipment can sometimes be lowered according to the following table when ICT facilities are located in an additional Security Zone within the work area Security Zone. Zone One is not to be used for ICT facilities with an aggregation of information with a business impact level of high or above. The table below details the impact of applying the ‘Security-in-Depth’ principle and provides the revised physical security standard required. Business impact level of Security Zone of aggregations of electronic the agency’s work information area Security container Additional Security Security container or or room1 ordinarily Zone within work room1 required for ICT required area for ICT facility equipment Catastrophic business impact level Zone Five (Must be Class B certified by ASIOT4) Zone Five (Must be Class C certified by ASIOT4) Extreme business impact level Zone Four Zone Four or above Lockable commercial cabinets Class C Zone Two Zone Three Very high business impact Zone Four level Zone Three Zone Two High business impact level Zone Three or above Zone Two Medium business impact level or below Class B Class C Zone Four or above Lockable commercial cabinets Zone Three Class C Zone Two Class B Class C recommended Zone Two or above Lockable commercial cabinets Class C Zone Three or above Lockable commercial cabinets Zone Two Class C Class B Zone Four or above Lockable commercial cabinets Zone Three Class C Zone Two Class B Lockable commercial cabinets No additional zone Lockable commercial required cabinets Class C Zone Three or above Lockable commercial cabinets Zone Two Class C Zone Two Lockable commercial cabinets No additional zone Lockable commercial required cabinets Zone One Class C Zone Two or above Lockable commercial cabinets Note: 1. Lockable commercial cabinets should be used within security rooms to give additional access control to individual pieces of equipment. 10 5.2 Access control to ICT facilities and equipment within ICT facilities Agencies are to control access to ICT facilities in accordance with the PSPF - Australian Government physical security guidelines–Security Zones and risk mitigation measures, Section 5.5—Access control and Section 5.7—Visitor control. Access to agency ICT facilities holding information, the compromise, loss of integrity or unavailability of which has a lower than catastrophic business impact level should be controlled by: a dedicated section of the security alarm system (SAS), or electronic access control system (EACS) where used, or a person provided with a list of people with a ‘need to know’ or ‘need to go’ into the ICT facility. Agencies are to keep ICT facilities, and security containers within ICT facilities holding ICT equipment, secured when the facilities are not occupied. Agencies may, if warranted by their risk assessment, use ‘no-lone-zones’ or ‘dual authentification’ as an additional control for ICT facilities. 5.2.1 Technical surveillance counter-measures Agencies are to have a Technical Surveillance Counter Measures (TSCM) inspection undertaken for all TOP SECRET and Codeword ICT facilities where regular TS discussions are held within the facility. A TSCM inspection may also be required to provide a high level of assurance that hardware and cabling infrastructure within an ICT facility has not been compromised. Where an agency does not regularly require its ICT facilities to handle TOP SECRET information, the requirement for a TSCM inspection, and the interval between inspections, should be based on the agency’s risk assessment, see the PSPF - Australian Government physical security guidelines–Security Zones and risk mitigation measures, Section 5.15.4—Technical surveillance counter measures and audio security. Agency security advisers should seek further advice from ASIO-T4 - t4ps@t4.gov.au. 5.3 Outsourced ICT facilities Agencies are to ensure that outsourced ICT facilities meet any controls identified in these guidelines for the protection of the aggregation of information held in the facilities. Information on the inclusion of security requirements in contracts for outsourced functions is available in the PSPF Australian Government governance guidelines–Security in outsourced services and functions. 5.3.1 Gateway facilities ASIO-T4 will certify the physical security measures in DSD certified commercial gateway facilities intended for use by multiple Australian Government agencies as listed in the AGIMO Internet Gateway Reduction Program before being used operationally. Agencies are to seek ASIO-T4 advice on the certification requirements of the physical security measures of any other commercial gateway facilities holding Australian Government official information where the compromise of the confidentiality, loss of integrity or unavailability of the information will have a catastrophic business impact level before being used operationally. 11 Gateway devices are to be given protection commensurate with the business impact of the compromise of the aggregate of the information protected by the devices. 5.3.2 Datacentres Agencies are to seek ASIO-T4 advice on the certification requirements of the physical security measures of commercial datacentres holding Australian Government official information where the compromise of the confidentiality, loss of integrity or unavailability of the information will have a catastrophic business impact level before being used operationally. Agencies using datacentres are to assess the aggregation of all official information that is held in the datacentre. Agencies employing a shared datacentre arrangement are to liaise with all other agencies using the same datacentre to assess the business impact of the loss of integrity or unavailability of the aggregate of the combined information before being used operationally. Data storage devices are to be given protection commensurate with the business impact of the compromise of the aggregate of the information stored on the devices. Datacentres are selected not only for their ability to provide security of information, but also for their ability to provide continuous availability to information. ANSI/TIA-942 Telecommunications Infrastructure Standard for Data Centers provides four tiers of availability in datacentres. Datacentres that comply with the Standard are available more than 99% of the time. 12 6. Protection of information and ICT equipment against environmental or man-made threats Some information held on ICT systems will be required by agencies to enable a return to normal service after an incident. Agencies should determine the availability requirements for their information as part of their disaster recovery and business continuity plans. The impact of the information not being available will influence the measures taken to protect ICT equipment against environmental and man-made threats. For further information see: PSPF – Governance – Business continuity management, and SAI Global - HB 292-2006 A practitioner’s guide to business continuity management, section 4.7. 6.1 Preservation of ICT equipment ICT equipment may require a controlled atmosphere to ensure the integrity of the information held on the equipment. ICT equipment holding information may also require a controlled environment to prevent failure of the equipment and potential loss of information. This may include, but not limited to, controlling: temperature humidity air quality—for example smoke and dust water, or light. Agencies should apply controls to meet any ICT equipment manufacturer’s identified requirements. Advice on preserving electronic information for the future is available from the National Archives of Australia. 6.1.1 Uninterruptable and auxiliary power supplies Agencies may lose information if ICT systems are unexpectedly shutdown. An uninterruptable power supply (UPS) will allow the agency to turn off systems in a controlled manner or provide power until power to the ICT system is restored. Any UPS used by an agency should provide at least enough power to allow: the controlled shutdown of ICT systems, or the startup of an auxiliary power supply. ICT equipment also needs protection from power surges (relatively lengthy increases in voltage), power sags and spikes (short very large increases in voltage). Most UPS also give some protection from surges and sags. As most environmental systems rely on mains electricity an auxiliary power supply may assist in maintaining environmental controls. Auxiliary power supplies should be maintained in accordance with the manufacturer’s directions. 13 6.2 Protection from environmental or man-made disasters Agencies should identify any threats from environmental or man-made disasters to their ICT equipment in their security risk assessment. As ICT systems may be more sensitive to environmental factors additional risk mitigation measures, over and above those used to protect people and physical assets from harm, may be needed. 6.2.1 Flooding Water is one of the major threats to any system that uses electricity, including ICT systems. Agencies should site server rooms so that they are protected from flooding. Flooding may be from external sources—for example swollen rivers, or internal sources—for example burst pipes. Agencies considering locating server rooms in basements should assess the risk of flooding from external or internal sources. 6.2.2 Fire Agencies should also protect ICT equipment from fire. ICT equipment can be damaged either through direct exposure to flames, or the effects of smoke (poor air quality) and increases in temperature in the general environment. An additional concern to ICT equipment during building fires is the potential for flooding during fire fighting operations. An agency may be able to use alternatives to water-based sprinkler systems, such as CO2 or other gaseous agents, in critical ICT facilities. An agency’s decision to use alternatives should be based on the agency’s own risk assessment. 6.3 Backup ICT systems Backup ICT systems can provide an agency with a recover point if their primary ICT systems fail, which can form part of an agency’s business continuity and disaster recovery plans. Any backup systems should be, as far as possible, fully independent of the supporting infrastructure used for the primary system so that in case of a failure of the primary ICT system the secondary ICT system does not also fail. Backup ICT systems should be regularly tested to ensure their continued operation. Agencies may use off-site or commercial backup facilities. Agencies should consider dual redundancy—that is using two backup facilities, for business critical information and ICT systems. Agencies are required to ensure any commercial ICT facilities they use meet all the security requirements of the PSPF and ISM to protect Australian Government information. An agency that uses a commercial back up facility should consider the aggregation of information held in the facility, not just the agency’s information, when determining the levels of physical and logical security needed at the facility. Information on the inclusion of security requirements in contracts for outsourced functions is available in the PSPF - Australian Government governance guidelines–Security in outsourced functions. 14