Protective Security Policy Framework
Glossary of security terms
Amended December 2014
Version 1.3

© Commonwealth of Australia 2011
All material presented in this publication is provided under a Creative Commons Attribution 3.0 Australia (http://creativecommons.org/licenses/by/3.0/au/deed.en) licence. For the avoidance of doubt, this means this licence only applies to material as set out in this document. The details of the relevant licence conditions are available on the Creative Commons website (accessible using the links provided), as is the full legal code for the CC BY 3.0 AU licence (http://creativecommons.org/licenses/by/3.0/legalcode).

Use of the Coat of Arms
The terms under which the Coat of Arms can be used are detailed on the It’s an Honour (http://www.itsanhonour.gov.au/coat-arms/index.cfm) website.

Contact us
Inquiries regarding the licence and any use of this document are welcome at:
Commercial and Administrative Law Branch
Attorney-General’s Department
3-5 National Cct
BARTON ACT 2600
Telephone: (02) 6141 6666
copyright@ag.gov.au

Document details
Security classification: Unclassified
Dissemination limiting marking: Nil—Publicly available
Date of next review: July 2017
Authority: Protective Security Policy Committee
Author: Protective Security Policy Section, Attorney-General’s Department
Document status: Approved 1 June 2012; Amended November 2014

Amendments (No. Date, Location: Amendment)
1. July 2012, Attorney-General’s certificate: Amendments to wording of definition
2. July 2012, Adverse security assessment: Amendments to wording of definition
3. July 2012, Prescribed administrative action: Definition added
4. July 2012, Qualified security assessment: Amendments to wording of definition
5. July 2012, For Official Use Only: Definition added
6. June 2014, Sponsoring agency: Definition added
7. June 2014, Whole person: Definition added
8. June 2014, Manager: Definition added
9. December 2014, National interest: Definition updated to include national economic wellbeing
10. December 2014, Throughout: Update definitions relating to personnel security
11. December 2014, PROTECTED, CONFIDENTIAL and SECRET: Update to reflect impact on the national interest, organisations and individuals
12. December 2014, TOP SECRET: Update to reflect impact on the national interest

1. Purpose
The purpose of this document is to define the terms, abbreviations and acronyms used in the Protective Security Policy Framework.

2. Terms and definitions
Term: Definition
Access: Obtaining knowledge or possession of information (including verbal, electronic and hard-copy information) or other resources, or obtaining admittance to an area.
Access control system: A system designed to limit access to facilities to authorised people whose identity has been verified.
Accreditation: A procedure by which an authoritative body gives formal recognition and approval of the operation of a system, and accepts the residual security risk associated with that operation.
Accountable material: Particularly sensitive information requiring strict access and movement control – there are many types of information that could constitute accountable material, but Cabinet documents are always to be treated as accountable material.
Active (in reference to security clearances): A maintained security clearance that is sponsored by an Australian Government agency, and is being maintained by the clearance holder and the sponsoring agency.
Adverse security assessment: An assessment from ASIO, in writing, that contains a recommendation about a prescribed administrative action that would be prejudicial to the interests of the person. For example, a recommendation that a person should not be given access to security classified material.
Agency (also Australian Government agency): Includes all Australian Government non-corporate Commonwealth entities, corporate Commonwealth entities or companies under the Public Governance, Performance and Accountability Act 2013, or other bodies established in relation to public purposes.
Agency head: The head of any Australian Government department, authority, agency or body.
Agency security adviser (ASA): The officer responsible for day-to-day management and operation of the agency’s protective security.
Agency security management: Employees who are responsible for the day-to-day protective personnel security functions within that agency, e.g. they may undertake duties such as security risk reviews and audits and security awareness programs for agency staff, they may be involved in the preparation of agency security plans, and they may provide advice on security risk management.
Agency security plan: The plan of action that articulates how an agency will manage its security risks.
Agency specific character checks: Employment screening and ongoing suitability assessments undertaken by an agency as part of its personnel security management to address specific agency risks.
Agreement: An instrument, agreement or treaty between the Australian Government and another government; or an arrangement or MOU between an Australian Government agency and a foreign agency for the exchange and protection of information. Also see bilateral agreement, government sponsored instrument and multilateral agreement.
Aggregation: A term used to describe a compilation of classified or unclassified official information or assets.
Annual health check (also Annual confirmation of suitability) (in reference to personnel security): The annual confirmation by a manager about each employee they are responsible for, including information regarding:
- whether the relevant employee has reported any changes in circumstances
- whether the relevant employee is suitable to have continued access to official resources
- any previously un-actioned security concerns.
Assessing officer: A competent person who conducts personnel security clearances in accordance with the procedures outlined in the PSPF.
Asset: An item that has a value to an agency—including personnel, information and physical assets. Also see official resources.
Attached staff: APS employees from any agency, and ADF personnel, who are posted overseas and who work mainly from the chancery premises (building or office of a diplomatic or consular mission managed by DFAT).
Attorney-General’s certificate: A certificate from the Attorney-General that prohibits or limits the disclosure of the grounds contained in a security assessment, or of the fact that there is an assessment, because disclosure would be prejudicial to the interests of security.
Audit: An examination and verification of an agency’s systems and procedures, measured against a predetermined standard.
Australian Government agency: See agency.
Australian Government Information Security Manual (ISM): The Australian Signals Directorate’s document suite that details controls, principles and rationale for information security on ICT systems.
Australian Government Protective Security Manual (PSM): Australia’s protective security policy until it was replaced by the PSPF.
Australian Government resources: The collective term used for Australian Government people, information and assets.
Australian New Zealand Counter Terrorism Committee (ANZCTC): An inter-governmental committee that coordinates a cooperative framework to counter terrorism. The committee meets biannually and comprises representatives from the Australian (Commonwealth, state and territory) and New Zealand Governments.
Australian Privacy Principles (APPs): Contained in Schedule 1 of the Privacy Act 1988 (Cth), the APPs regulate the handling of personal information by Australian Government agencies and some private sector organisations.
Authorised agency (in reference to security vetting): A Commonwealth agency authorised to undertake security vetting and grant security clearances to meet the agency’s business needs.
Authorised persons (also Specified persons) (in reference to contracting): Persons employed by a contractor to an agency, who are authorised by the agency to carry out work or perform duties under the contract with the agency.
Authorised Commonwealth Officer (also person authorised): Section 89 of the Crimes Act 1914 (Cth) allows for the appointment of Authorised Commonwealth Officers by a Minister to direct a person to leave Commonwealth premises. A person authorised in writing by a Minister, or by the public authority under the Commonwealth occupying a premises, may also direct a person to leave premises occupied or in use by the public authority under the Commonwealth, under the Public Order (Protection of Persons and Property) Act 1971 (Cth).
Availability (in reference to information): The desired state that allows authorised users to access defined information for authorised purposes at the time they need to do so.
Baseline security clearance: Security clearance required for ongoing access to security classified information at the PROTECTED level, or where a level of assurance is required of a person’s suitability to perform a role.
Bilateral agreement: An agreement between the Australian Government, or an Australian Government agency, and the government, or agency, of another country that provides for the reciprocal exchange of usually security classified information. The agreement also sets out the agreed handling requirements. Also see multilateral agreement and government sponsored security instrument.
Breach: See security breach.
Briefings: Additional specific training required prior to a person being given access to certain Codeword or compartmented information or sensitive sites.
Business continuity planning (BCP): The development, implementation and maintenance of policies, frameworks and programs to assist agencies to manage a business disruption, as well as to build agency resilience. It is the capability that assists in preventing, preparing for, responding to, managing and recovering from the impacts of a disruptive event.
Business impact level: The level of impact on an agency’s ability to operate, or on the national interest, organisations or individuals, resulting from the compromise of confidentiality, loss of integrity or loss of availability of people, information or assets.
Business information: See Official information.
Cabinet documents: Material agencies prepare that is intended for submission to the Cabinet (generally Cabinet submissions and attached material, including audio visual presentations); and documents dealing with Cabinet meetings (business lists, Cabinet minutes and notes taken by Cabinet note takers). For further information refer to the Cabinet Handbook.
Cabinet-in-Confidence: A legacy protective marking replaced by Sensitive: Cabinet.
Cancel (in reference to vetting decisions): Circumstances where a security clearance is initiated, but not completed by the vetting agency, because:
- the sponsorship of the clearance was removed at the request of the sponsoring agency
- the sponsorship or clearance requirement could not be confirmed, or
- the clearance subject was non-compliant with the clearance process.
Caveat: See security caveat.
Ceased (in reference to security clearances): Circumstances where a security clearance:
- has been denied or revoked
- may have time-based conditions on when a clearance subject or holder can reapply for a security clearance, or
- where the clearance subject or holder is ineligible to hold or maintain a security clearance.
Certification: Formal procedure by which an accredited or authorized person or agency assesses and verifies (and attests in writing by issuing a certificate) the attributes, characteristics, quality, qualification, or status of individuals or organizations, goods or services, procedures or processes, or events or situations, in accordance with established requirements or standards. See Audit.
Change of circumstance: A change to an employee’s personal circumstances (e.g. change of address, marriage/divorce, overseas travel) that may influence how a person behaves or may make them vulnerable to coercion by an external party.
Class A secure room: A room constructed and secured in accordance with ASIO specifications – doors are fitted with two endorsed combination locks; for further information refer to ASIO Technical Note 7-06 – Class A Secure Room, available to agency security advisers from the Protective Security Policy community on GovDex.
Class A security container: A steel-lined, concrete-strengthened container secured with an endorsed combination lock, manufactured to ASIO-approved specifications; for further information refer to the SEC or SEEPL.
Class B secure room: A room constructed and secured in accordance with ASIO specifications – doors are fitted with one endorsed combination lock; for further information refer to ASIO Technical Note 8-06 – Class B Secure Room, available to agency security advisers from the Protective Security Policy community on GovDex.
Class B security container: A security container manufactured to ASIO-approved specifications; for further information refer to the SEC or SEEPL.
Class C secure room: A room constructed and secured in accordance with ASIO specifications and locked using one lock endorsed for the protection of security classified information; for further information refer to ASIO Technical Note 9-06 – Class C Secure Room, available to agency security advisers from the Protective Security Policy community on GovDex.
Class C security container: A security container manufactured to ASIO-approved specifications; for further information refer to the SEC or SEEPL.
Classification system: See security classification system.
Classified document register (CDR): A register that includes details of all accountable material produced, received or sent, including TOP SECRET security classified documents and other security classified documents as required by agencies’ information security policies.
Clear desk policy: A policy requiring a person to ensure that official information and other valuable resources are secured appropriately when the person is absent from their workstation or work place.
Clear screen policy: A supplementary policy to the clear desk policy that requires a person to ensure that information on ICT equipment is secured appropriately when the person is absent from the workstation, e.g. by locking the ICT equipment.
Clearance: See security clearance.
Clearance process (in reference to personnel security): The process of assessing a person’s suitability for access to security classified information.
Codeword: A type of security caveat – a codeword is a word that indicates that the information it covers is in a special ‘need-to-know’ category. Those with a need to access the information will be cleared and briefed about the significance of this type of information. See also security caveat and source codeword.
Compromise or misuse: The means by which harm could be caused to resources, especially loss, damage, corruption or disclosure of information, whether deliberate or accidental.
Communications security (COMSEC): All measures (including the use of cryptographic security, transmission security, emission security and physical security measures) applied to protect government telecommunications from unauthorised interception and exploitation and to ensure the authenticity of such telecommunications.
COMSEC officer: The person in an agency who is responsible for authorising and controlling cryptographic access.
CONFIDENTIAL: A security classification that shows that compromise of the confidentiality of official information could cause significant damage to the national interest, organisations or individuals.
Confidential information: Information provided with an expectation of confidentiality and that it will only be used by and made available to people with a genuine need-to-know. The meaning is broader than, and is not to be confused with, CONFIDENTIAL security classified information.
Confidentiality (in reference to information): The limiting of official information to authorised users for approved purposes – the confidentiality requirement is determined by reference to the likely consequences of unauthorised disclosure of official information. The Australian Government’s security classification system has been developed to help agencies identify information that has confidentiality requirements.
Conflict of interest: An interest or obligation, either inside or outside Australia, that could interfere with, or hinder, a person’s performance of their duties; or be perceived to interfere with or hinder a person’s performance of their duties.
Contact: See Security contact.
Contact Reporting Scheme: A scheme administered by ASIO that assists in identifying intelligence or hostile activity directed against Australia and its interests, government employees and contractors, and people who hold an Australian Government security clearance. See the Australian Government personnel security guidelines—Agency personnel security responsibilities.
Contract: A legally enforceable agreement in which the parties to the contract set out the terms and conditions of the agreement, the rights and obligations or responsibilities of each party and the agreed outcomes of the relationship.
Contracted service provider (also contractor): A person or business entity that has contracted with an agency for the performance of services for, or supply of goods to, that agency.
Control (also counter-measures): A measure used to protect official information from compromise of confidentiality, or to mitigate an identified threat to an agency’s people, information or assets.
Crime prevention through environmental design (CPTED): A multi-disciplinary approach to deterring opportunistic criminal behaviour through environmental design, using features including natural surveillance (which includes direct and indirect presence), access control and territorial reinforcement—that is, the design of clear boundaries and the use of landscaping features to define desired movement areas and delineate borders.
Cryptographic information (CRYPTO): Information relating to keying material and cryptosystems used for the protection of information. See the ISM for further details on cryptographic requirements.
Competitive tendering and contracting (CTC): A process of selecting the preferred provider of goods and services from a range of bidders by seeking offers and evaluating these against pre-determined selection criteria.
Culture of security: See security culture.
Cyber espionage: Espionage using ICT equipment.
Data: See electronic information.
Day extenders: See tele-worker.
Deed of Confidentiality: A commitment not to disclose confidential information that is the property of the Australian Government to any other party without authorisation.
Denial of service: Deliberate compromise of the availability of IT systems.
Delegate: A person authorised by another person to act on their behalf.
Deny (in reference to vetting decisions): A determination by a vetting agency that a clearance subject is not eligible to hold an Australian Government security clearance at one or more clearance levels.
Designated security assessment position (DSAP): A legacy term that refers to the definition of ‘designated position’ in section 85ZL of the Crimes Act 1914 (Cth).
Disaster recovery plan (DRP): Planning and implementation of procedures for the recovery of essential systems that have a significant impact on an agency’s ability to deliver its key outcomes.
Dissemination limiting marker (DLM): A protective marker that indicates access to official information should be limited. It is applied to official information that has a low to medium business impact from compromise of confidentiality—that is, the level of harm does not require security classification—and that should not be made public without review, or where there may be a legislative reason for limiting access.
Disposal Authority: A legal document issued by the National Archives of Australia to authorise the disposal of Australian Government records – it specifies classes of records and the minimum length of time they should be kept.
Document: Anything on which information is recorded by any means, including words, symbols, images or electro-magnetic impressions.
Double enveloping: The use of two new opaque envelopes (an inner and an outer envelope) to help protect security classified information in transit from unauthorised access and, in the event of unauthorised access, to provide evidence of this to the recipient.
Duress alarm: An alarm that enables people to call for a security or police presence in response to a threatening incident.
Electronic access control system (EACS): An electronic system to control access to agency facilities, which includes access control devices, a control panel, a monitoring station and the policies and procedures to limit access to personnel with verified identities.
Electronic information: Data or information stored or generated electronically, including metadata.
Eligibility waiver: An agency head’s decision to waive a security clearance eligibility requirement based on a thorough analysis of the risks to the Australian Government and the possible impact on the national interest, organisations and individuals. This decision to waive the eligibility requirement is not a guarantee that the person will be found suitable for a security clearance.
Emergency access: See Short term access.
Emergency management: A range of measures designed to manage risks to agencies from disasters and emergencies. Emergency management involves developing and maintaining arrangements to prevent or mitigate, prepare for, respond to, and recover from emergencies and disasters.
Employment screening: Screening undertaken by an agency prior to employment of staff or engagement of contractors to meet agency suitability criteria.
Employee: See personnel.
Employee Undertaking: See Deed of Confidentiality.
Encryption: The process of transforming data into an unintelligible form to enable secure transmission.
Espionage: A government or individual obtaining information that is considered secret or confidential without the permission of the holder of the information. Espionage is illegal.
Evaluated product list (EPL): A list of ICT security products, certified against the internationally recognised Common Criteria, for use by Australian and New Zealand government agencies.
Event: Includes both planned and unplanned activities run by, or on behalf of, an Australian Government agency.
Event attendees: All people attending an event, including delegates, speakers, visitors and support staff.
Event manager: The person in overall control of an event—this may be an agency employee or an outsourced provider.
Event security officer (ESO): The agency officer or contractor responsible for the security of people (attendees, staff and the public), information and assets at an event.
Exceptional circumstances: Where the exception is critical to the agency meeting its outcomes and the risks to the agency can be mitigated or managed in another way.
Expired (in reference to security clearances): A security clearance that:
- is outside the revalidation period and is not sponsored by an Australian Government agency
- is a PV clearance and did not have an annual security appraisal completed within a two year period
- cannot be reactivated and reinstated, and reverts to an initial security clearance assessment process if an Australian Government agency provides sponsorship after the end of the revalidation period.
Exposure: The degree to which a resource is open to, or attracts, harm.
External integrated system (EIS): A system that may be integrated or interoperable with a Security Alarm System, e.g. CCTV, building management systems, EACS.
Facility: A building, part of a building, or complex of buildings, in which an agency, or a particular agency function, is located. This can include contractors’ premises.
Facility security inspection: An inspection of a contractor’s premises addressing the criteria established in the contract between the contractor and the Australian Government, to ensure that a secure environment appropriate to the performance of the contracted function can be provided by the contractor.
Firewall: A program or device designed to prevent unauthorised access to or from a network or system.
Fit and proper person checks: See agency specific character checks.
For Official Use Only: A DLM used to identify information whose compromise may cause limited damage to the national interest, organisations or individuals. Such information should be given some protection from unauthorised access, but it does not require a security classification. This DLM is not used with a Sensitive DLM.
Foreign government: Any government external to Australia. This also includes multinational or supra-national government and non-government organisations, e.g. the North Atlantic Treaty Organisation, the European Union and Interpol.
Foreign government information (FGI): Information received and identified under the terms of a bilateral or multilateral agreement as FGI, or information provided to the Australian Government by a foreign government or governments, with the expectation that the information, the source of the information, or both, will be held in confidence.
Fraud: Dishonestly obtaining a benefit or causing a loss by deception or other means.
Full exclusion: An exclusion granted under the Spent Convictions Scheme that requires all criminal offences to be declared. Also see Partial exclusion and No exclusion.
Government information: See official information.
Government sponsored security instrument: An agreement between the Australian Government and another country’s government that provides for the reciprocal protection of exchanged security classified information. See bilateral agreement and multilateral agreement.
Grant (in reference to vetting decisions): A determination by a vetting agency that a clearance subject is eligible and suitable to hold an Australian Government security clearance.
Grant - conditional (in reference to vetting decisions): A determination by a vetting agency that the clearance subject is eligible and suitable to hold an Australian Government security clearance with conditions and/or maintenance requirements attached to the clearance.
Harm: Any negative consequence, such as compromise of, damage to, or loss of an asset.
Hazard: A source of potential harm, including threats.
Holders of high office: Includes current and former Governors-General and Prime Ministers, Australian Government Ministers, and those Senators and Members assessed as being under threat.
Home-based work: The ability for an employee to carry out his or her duties while based at his or her place of residence, subject to agency approval.
HIGHLY PROTECTED (HP): A legacy non-national security protective marking that is no longer in use.
ICT equipment: Any device that can process, store or transmit electronic information—e.g. computers, multifunction devices and copiers, landline and mobile phones, digital cameras, electronic storage media and other radio devices.
ICT system equipment: A subset of ICT equipment that is used to maintain an ICT system—for example, servers, communications network devices such as PABX, gateways and network infrastructure such as cabling and patch panels—this equipment is normally continuously operational.
ICT facility: A building, a floor of a building or a designated space on the floor of a building used to house or process large quantities of data, e.g. server and gateway rooms, datacentres, back up repositories, storage areas for ICT equipment, and communications and patch rooms.
ICT system: A related set of hardware and software used for the processing, storage or transmission of information and the governance framework in which it operates.
In confidence (in reference to FGI): An exchange of foreign government information that was explicitly or implicitly understood by the provider and the receiver to be not for distribution, except where mutually agreed or understood. See Freedom of Information Act 1982 (Cth)—section 33(b).
Inactive (in reference to security clearances): A security clearance that is within the revalidation period; however, the clearance:
- is not sponsored by an Australian Government agency
- is not being maintained by the clearance holder for a period greater than six months due to long term absence from their role
- for the positive vetting level, is within the re-evaluation period but is unsponsored; however, an annual security check was completed within the last two years
- can be reactivated or reinstated provided the clearance is sponsored by an Australian Government agency before the end of the revalidation period, and
- cannot be reactivated until all change of circumstances notifications covering the period of inactivity have been assessed by a vetting agency.
Incident reporting: A scheme whereby security incidents (which can include security infringements, breaches, violations, contacts or approaches) are reported to a central point in the agency, usually the ASA – this enables the agency to undertake investigations, advise other affected agencies and collect statistics on its security vulnerabilities.
Ineligible (in reference to vetting decisions): A determination by a vetting agency that a clearance subject is not eligible for an Australian Government security clearance as they do not hold Australian citizenship and/or do not have a checkable background.
Information (also information assets or information resources): Documents and papers; electronic data; the software or systems and networks on which the information is stored, processed or communicated; intellectual information acquired by individuals; and physical items from which information regarding design, components or use could be derived.
Information security (INFOSEC): All measures used to protect official information from compromise, loss of integrity or unavailability. See also communications security.
Information Security Manual (ISM): See Australian Government Information Security Manual.
Information technology security adviser (ITSA): The officer responsible for information technology security management across an Australian Government agency.
Infringement: See security infringement.
Integrity (in reference to information): The assurance that information has been created, amended or deleted only by the intended authorised means – integrity relates to information and communications technology (ICT) systems.
Intruder resistant area: A legacy term for an area secured so that it is suitable for handling, storing and processing security classified material up to and including SECRET. This term has been replaced by Security Zone Two.
Jurisdictional: Relating to Australian state or territory governments.
Limited higher access (in reference to personnel security): A legacy term for a type of temporary access that allowed a person to access security classified information one level higher than allowed by his or her existing clearance, on a temporary basis only. Now covered in Short term access.
Logical access controls: ICT measures used to control access to ICT systems and their information—this could involve using user identifications and authenticators such as passwords.
Malware: Malicious software designed to disrupt computer operation, gather sensitive information, or gain unauthorised access to computer systems.
Metadata: Descriptive information about the content and context used to identify information – for more information see the AGLS Metadata Standard available from the National Archives of Australia.
Mobile computing and communications: Work from a non-fixed location using portable computing/communications devices.
Mobile employees: Employees who work at multiple locations using their mobile computing device as their primary ICT device.
Multilateral agreement: An agreement between the Australian Government, or an Australian Government agency, and the governments, or agencies, of multiple countries that provides for the reciprocal exchange of usually security classified information. The agreement also sets out the agreed handling requirements. Also see bilateral agreement and government sponsored security instrument.
National interest: A matter which has or could have impact on Australia, including:
- national security
- international relations
- law and governance, including:
  - interstate/territory relations
  - law enforcement operations where compromise could hamper or prevent national crime prevention strategies or investigations, or endanger personal safety
- economic wellbeing
- heritage
- culture.
National security: A term used to describe the safety of Australia from espionage, sabotage, politically motivated violence, promotion of communal violence, attacks on Australia’s defence system, acts of foreign interference or serious organised crime, as well as the protection of Australia’s borders.
National security information: A legacy term used to identify official information whose compromise could affect the security of the nation, including information about security from espionage, sabotage, politically motivated violence, promotion of communal violence, attacks on Australia’s defence system, acts of foreign interference or serious organised crime, as well as the protection of Australia’s borders.
Natural justice (also procedural fairness): The right of a person to expect that any decision being made about them is made by an unbiased decision maker and based on open and fair decision-making processes, which allow the person the opportunity to respond.
National Threat Assessment Centre (NTAC): A section of ASIO that provides assessments of threats to Australia’s national security.
Negative vetting (in reference to security clearances)
  An evaluation process that relies on the absence of information to the contrary in order to assess the subject's suitability for a security clearance. See also Positive vetting.

Need-to-go
  Access to an area should be limited to those who require access to do their work. For example, cleaners do not have a need-to-know, but they do have a need to go into the area to do their work.

Need-to-know
  A need to access information based on an operational requirement.

Need-to-share
  Making information available to government personnel, organisations and individuals who need it to do their jobs or support government programs.

Network infrastructure
  The infrastructure used to carry information between workstations and servers or other network devices, e.g. cabling, junction boxes, patch panels, fibre distribution panels and structured wiring enclosures.

No exclusion
  No exclusion applies under the Spent Convictions Scheme. The scheme applies to all criminal offences and a person only needs to provide details of applicable offences. Also see full exclusion and partial exclusion.

Non-national security information
  A legacy term used to identify official information whose compromise does not threaten national security but could otherwise threaten the national interest, or the interests of individuals, groups or commercial entities.

Non-prejudicial security assessment
  An assessment from ASIO in respect of a negative or positive vetting security clearance that results in a notification in writing to the agency from the Director-General of Security stating that ASIO is not making a recommendation against the proposed granting of a security clearance.

Official information
  Any information generated by an Australian Government agency for an official purpose, including unclassified information, sensitive information and security classified information.

Official resources
  See Australian Government resources.
Originator (in reference to information)
  The person, or agency, responsible for preparing or creating official information, or for actioning information generated outside the Australian Government. This person, or agency, is also responsible for deciding whether, and at what level, to protectively mark that information.

Outsourcing
  Contracting out a service or function performed by an agency.

Overwriting (in reference to electronic information)
  Low-level reformatting, followed by multiple overwriting passes with zeros (0) and ones (1) in random patterns, to make the information difficult to recover from electronic media.

Paragraph grading indicators
  Markings used to indicate the security classification of individual paragraphs.

Partial exclusion
  An exclusion granted under the Spent Convictions Scheme that requires all specified types of offences to be declared. Also see Full exclusion and No exclusion.

Partially secure area
  A legacy term for an area secured so that it is suitable for processing and handling security classified information up to and including SECRET level. This term has been replaced by Security Zones.

Perimeter intrusion detection system (PIDS)
  A security alarm system, or part thereof, that covers areas external to a building envelope.

Personal information
  Information or an opinion (including information forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion. For further details, see the Privacy Act 1988 (Cth). Also see Sensitive personal information.

Personal identity verification (PIV)
  The method(s) used to verify a person's identity before they are given access to facilities, information or assets. Normally identity is verified using something a person:
  - has: something in the person's possession (e.g. an identity pass)
  - knows: the person's knowledge (e.g. a password), or
  - is: the person's physical attributes (e.g. biometrics).

Personal security file (PSF)
  A file containing Sensitive: Personal information and other personal information used to make a decision on a person's suitability to hold, and continue to hold, a security clearance. This includes details of any security infringements, breaches or violations by the person.

Personnel (also employee or staff)
  Any member of an agency's staff or of a contracted service provider's staff used to service agency contracts, or other people who provide services to the agency or access agency information or assets as part of agency sharing initiatives.

Personnel security
  The management of personnel to assist in the protection of an agency's people, information and assets. It includes initial and ongoing screening, and ongoing education and evaluation of personnel.

Personnel security clearance
  See security clearance.

Physical asset
  An item of economic, commercial or exchange value that has a tangible or material existence. It does not include personnel, official information, or assets that contain official information.

Physical security
  The part of protective security concerned with the provision and maintenance of a safe and secure environment for the protection of agency employees and clients, as well as physical measures designed to prevent unauthorised access to official resources and to detect and respond to intruders.

Planned event
  An event that allows relevant agencies sufficient lead time to consider, discuss and implement security arrangements. Also see event.

Politically motivated violence
  Includes acts or threats of violence or unlawful harm that are intended or likely to achieve a political objective, whether in Australia or elsewhere, including acts or threats carried on for the purpose of influencing the policy or acts of government, whether in Australia or elsewhere. Refer to the Australian Security Intelligence Organisation Act 1979 (Cth).
Portable storage device (in reference to electronic information)
  See removable electronic and optical media.

Positive vetting
  A system of security checking that attempts to examine and independently verify all relevant aspects of a subject's suitability for a security clearance. Positive vetting is more intensive than negative vetting.

Position of Trust (PoT)
  A position which involves duties that require a higher level of assurance than that provided by normal agency employment screening, and for which additional screening is specified.

Prescribed administrative action
  Action that relates to or affects an individual's access to information or a place or a thing which is controlled or limited on security grounds. See section 35(1) of the Australian Security Intelligence Organisation Act 1979 (Cth).

Privacy (in reference to personal information)
  People have a right to expect that:
  - personal information held about them is accurate and available for their inspection
  - if their personal information is not accurate, it will be subject to amendment
  - their personal information is properly safeguarded and protected.
  They must also be kept fully informed of the uses to which their personal information may be put. For further details, see the Privacy Act 1988 (Cth) and the Australian Privacy Principles.

Private client facilities
  Facilities belonging to private industry clients which can be used by agency personnel to undertake agency work.

Procedural fairness
  See natural justice.

PROTECTED
  A security classification that shows that compromise of the confidentiality of official information could cause damage to the national interest, organisations or individuals.
Protective marking
  An administrative label assigned to official information that not only shows the value of the information but also defines the level of protection to be provided during use, storage, transmission, transfer and disposal of the official information. Protective markings include security classifications, dissemination limiting markers and caveats.

Protective security
  A combination of procedural, physical, personnel and information security measures designed to protect people, information and assets from security threats.

Protective security audit
  An audit (or system of checking for compliance with predetermined standards) of the protective security arrangements in place in an agency.

Protective security plan
  See agency security plan.

Protective Security Policy Committee (PSPC)
  The Australian Government interdepartmental committee that advises the Attorney-General on protective security.

Protective Security Policy Framework (PSPF)
  The Australian Government's protective security requirements for the protection of its people, information and assets (replaced the PSM).

Protective Security Manual (PSM)
  See Australian Government Protective Security Manual. The precursor to the PSPF.

Provisional access
  A form of temporary access that can be approved after a person submits all information required for a security clearance, but before the clearance is finalised, to allow that person to access security classified information on a limited basis only. See temporary access.

Public domain information
  Information that is authorised for unlimited public access and circulation (for example, agency publications or websites).

Qualified locksmith
  A practising locksmith possessing a Certificate III Engineering (Locksmithing) or Certificate III (Locksmithing), or a higher tertiary qualification. Practising locksmiths also need to be licensed in the jurisdictions in which they operate.
Qualified security assessment
  An assessment from ASIO, in writing, that contains information that is or could be prejudicial to a person, but does not recommend that prescribed administrative action be taken or not taken.

Reactivation (in reference to security clearances)
  The administrative process used to reinstate a security clearance that has not expired when it is sponsored by a new agency. Reactivation may include a change of circumstances assessment or a full clearance revalidation.

Reasonable (in law)
  Just, rational, appropriate, ordinary or usual in the circumstances. It may refer to care, cause, compensation, doubt (in a criminal or civil trial), and a host of other actions or activities. Similarly, a reasonable act is that which might fairly and properly be required of an individual.

Reasonably practicable (in reference to WHS law)
  A judgement as to what is reasonably practicable is based on a consideration of the following general issues:
  - severity of the hazard
  - probability of the risk
  - current knowledge regarding the hazard and the risk
  - availability of suitable hazard control/elimination methods, and
  - cost of such control/elimination methods.

Regional location
  Any location away from an agency's central office or major operational centres.

Releasability indicator
  A type of security caveat. A releasability indicator can indicate that access to the information is restricted to certain nationalities (e.g. AUSTEO means 'Australian Eyes Only'); it can also indicate which other countries the originator will allow to have access (e.g. 'REL GBR, NZL' means the information may be passed to the United Kingdom (Great Britain) and New Zealand, but not to other countries). See also Security caveat.

Removable electronic and optical media
  Storage media that is easily removed from a system, is designed for removal, and is not an integral part of the infrastructure, for example magnetic tapes, CDs/DVDs, microfilm and removable hard drives.
Residual risk
  The remaining level of risk after any risk treatments have been implemented.

Resources
  See official resources.

RESTRICTED
  A legacy national security classification that is no longer in use.

Request for tender
  A request to suppliers for information and a quote to perform clearly defined works or supply certain goods.

Revalidation (in reference to security clearances)
  Periodic reassessment of a security clearance subject's continued suitability to access security classified information, by assessing any relevant change of circumstances and determining whether any security concerns have arisen.

Right of access (in reference to contracting)
  The right of the agency (or its agent, nominee, employee or auditor) to have access, for purposes associated with the contract (including security reviews and audit requirements, security performance monitoring and any additional reviews referred to in the contract), to any premises of the contractor, to any site used in connection with the contract, and to equipment, software, data, documentation and records maintained by the contractor and relevant to the performance of the contract.

Risk
  The chance of something happening that will affect objectives. It is measured in terms of event likelihood and consequence.

Risk acceptance
  An informed decision to accept a risk.

Risk analysis
  The systematic process to understand the nature and level of risk.

Risk appetite
  Statements that communicate the expectations of an agency's senior management about the agency's risk tolerance. These criteria help an agency identify risk and prepare appropriate treatments, and provide a benchmark against which the success of mitigations can be measured.

Risk avoidance
  A decision not to become involved in a risk situation.

Risk management
  The culture, processes and structures that are directed towards realising potential opportunities whilst managing potential adverse effects.
Risk mitigation (also risk minimisation, risk reduction, risk treatment)
  Actions taken to lessen the likelihood, the negative consequences, or both, associated with a risk.

Risk rating
  A rating that indicates how significant each identified potential risk is to an agency. The risk rating may be expressed qualitatively or quantitatively.

Risk transfer
  Shifting the responsibility or burden for loss to another party through legislation, contract, insurance or other means.

Safe hand
  A method of transferring an article in such a way that the article is in the care of an authorised officer, or a succession of authorised officers, who are responsible for its carriage and safekeeping. The purpose of sending an article via safe hand is to establish an audit trail that allows the sender to receive confirmation that the addressee received the information.

Sanitisation
  The process of removing certain elements of information so that the protective marking indicating the level of protection required for security classified information can be removed or reduced. This can refer to both electronic media and hard copy information. Information that is not destroyed needs the originator's approval to be released at a lower level. Also see overwriting.

SCEC Endorsed Type 1 security alarm system
  An alarm system endorsed by SCEC to protect SECRET or TOP SECRET information, or aggregations of information where compromise would have an extreme or catastrophic impact on national security.

SECRET
  A security classification that shows that compromise of the confidentiality of official information could cause serious damage to the national interest, organisations or individuals.

Secretaries Committee on National Security (SCNS)
  The committee provides advice to the National Security Committee of Cabinet on matters of national security. Membership includes the Secretaries of the Departments of the Prime Minister and Cabinet, Defence, Foreign Affairs and Trade, and the Attorney-General's Department, the Chief of the Australian Defence Force and the Director-General of the Office of National Assessments.

Secure Area
  A superseded term for an area secured so that it is suitable for processing and handling security classified information up to and including TOP SECRET level. This term has been replaced by Security Zone Four and Security Zones.

Security alarm system (SAS)
  The combination of intrusion detection devices, control panel, monitoring station and the policies and procedures needed to ensure an appropriate response to any alarms.

Security assessment (in reference to security clearances)
  An assessment sought from ASIO for a person undergoing a negative or positive vetting security clearance. A Commonwealth agency must formally request any assessments from ASIO.

Security approach (also security contact)
  A situation where a person is approached on an unsolicited basis by another person or organisation with the intent of obtaining information, which may affect the national interest, organisations or individuals, for which they do not have a need-to-know.

Security audit
  An examination and assessment of the agency's security procedures undertaken by a competent authority or the ANAO.

Security breach
  An accidental or unintentional failure to observe the protective security mandatory requirements. See also security infringement and violation. Additional detail is available in the Australian Government protective security governance guidelines: Reporting incidents and conducting security investigations.

Security caveat
  An additional marking (i.e. additional to the protective marking) warning the user that the information has special handling requirements in addition to those indicated by the protective marking. Caveats are not classifications in their own right and must not appear without a protective marking. There are four kinds of caveats: codewords, source codewords, releasability indicators and special-handling caveats.

Security classification system
  A set of procedures for identifying official information whose compromise could have a business impact level of high or above for the Australian Government. It is the Government's mechanism for protecting the confidentiality of information generated by it or provided to it by other governments and private entities. The security classification system is implemented by assigning protective markings (such as TOP SECRET, PROTECTED, etc.); the protective marking not only shows the value of the information but also indicates the minimum level of protection it must be afforded to safeguard it from compromise.

Security classified document register
  See classified document register.

Security classified information / resources
  Official information, or resources, that if compromised could have a high, or above, impact on the national interest, organisations or individuals. See the Information security management guidelines: Australian Government security classification system.

Security clearance
  A documented determination by an authorised vetting agency that an employee is suitable to access security classified information (on a need-to-know basis) up to the level of clearance granted.

Security Construction and Equipment Committee (SCEC)
  The Australian Government interdepartmental committee that approves protective security products and endorses protective security services. The SCEC reports to the PSPC.

Security culture
  The characteristics and attitudes of an agency and its individuals that establish security as a high priority, so that security risks receive the attention warranted by their impact on operational capability.
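The rules stated in the Security caveat, Security classification system and Security clearance entries above, together with the Releasability indicator entry and the Sensitive: Cabinet entry below, are the kind of thing a document-handling system should check mechanically rather than leave to the reader. The following Python is an added example written for this page; it is not part of the PSPF glossary and not code from any government tool. It parses a textual marking, records the combinations the glossary rules out (a caveat with no security classification, Cabinet information below PROTECTED) plus one consistency check of the example's own (AUSTEO alongside a REL list), and then decides release against a subject's clearance level, need-to-know, nationality and codeword briefings. The '//' separator between segments, the three-letter country codes, the assumption that the originator is Australian (so AUS is always in the releasable set), and the treatment of any unrecognised segment as a codeword are all assumptions of the example, not definitions from the glossary.

```python
# Added example (not from the PSPF glossary): protective marking validator and
# release check. Assumptions: marking segments are separated by '//', countries
# are three-letter codes, the originator is Australian, and any unrecognised
# segment is a codeword caveat.
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Security classifications, lowest to highest damage on compromise (glossary order).
CLASSIFICATIONS = ("PROTECTED", "CONFIDENTIAL", "SECRET", "TOP SECRET")
# Dissemination limiting markers named in the glossary; spelling is matched exactly.
DLMS = {"For Official Use Only", "Sensitive", "Sensitive: Personal",
        "Sensitive: Legal", "Sensitive: Cabinet"}
ORIGINATOR = "AUS"  # assumption: the originator is an Australian Government agency


@dataclass
class Marking:
    classification: Optional[str] = None          # None: no security classification
    dlms: Set[str] = field(default_factory=set)
    releasable_to: Optional[Set[str]] = None      # None: no releasability caveat
    codewords: Set[str] = field(default_factory=set)
    errors: List[str] = field(default_factory=list)


def parse_marking(text: str) -> Marking:
    """Parse e.g. 'SECRET//Sensitive: Cabinet//REL GBR, NZL' and record rule violations."""
    m = Marking()
    segments = [s.strip() for s in text.split("//") if s.strip()]
    if not segments:
        m.errors.append("empty marking")
        return m
    for seg in segments:
        upper = seg.upper()
        if upper == "UNCLASSIFIED":
            continue                              # 'Unclassified' carries no classification
        if upper in CLASSIFICATIONS:
            if m.classification is not None:
                m.errors.append("more than one security classification")
            m.classification = upper
        elif seg in DLMS:
            m.dlms.add(seg)
        elif upper == "AUSTEO" or upper.startswith("REL "):
            if m.releasable_to is not None:       # example's own check: AUSTEO vs REL
                m.errors.append("conflicting releasability indicators")
            allowed = {ORIGINATOR}                # Australian eyes at a minimum
            if upper.startswith("REL "):
                allowed |= {c.strip().upper() for c in seg[4:].split(",") if c.strip()}
            m.releasable_to = allowed
        else:
            m.codewords.add(upper)                # assumption: anything else is a codeword
    # Glossary rule: caveats are not classifications and must not appear alone.
    if (m.releasable_to is not None or m.codewords) and m.classification is None:
        m.errors.append("caveat without a security classification")
    # Glossary rule: Cabinet information is security classified at least PROTECTED.
    if "Sensitive: Cabinet" in m.dlms and m.classification is None:
        m.errors.append("Sensitive: Cabinet requires at least PROTECTED")
    return m


@dataclass
class Subject:
    clearance: Optional[str]                      # highest classification the clearance covers
    nationality: str
    need_to_know: bool = False
    briefed_codewords: Set[str] = field(default_factory=set)


def _level(c: Optional[str]) -> int:
    return -1 if c is None else CLASSIFICATIONS.index(c)


def may_access(m: Marking, s: Subject) -> Tuple[bool, List[str]]:
    """Apply clearance level, need-to-know, releasability and codeword briefing.

    Returns (allowed, reasons_for_refusal); an empty reasons list means allowed.
    """
    reasons: List[str] = []
    if m.errors:
        reasons.append("invalid marking: " + "; ".join(m.errors))
    if not s.need_to_know:                        # a clearance grants access on a need-to-know basis only
        reasons.append("no need-to-know")
    if _level(s.clearance) < _level(m.classification):
        reasons.append("clearance does not cover %s" % m.classification)
    if m.releasable_to is not None and s.nationality.upper() not in m.releasable_to:
        reasons.append("not releasable to %s" % s.nationality)
    missing = m.codewords - {c.upper() for c in s.briefed_codewords}
    if missing:                                   # source codewords need a cleared, briefed reader
        reasons.append("not briefed for " + ", ".join(sorted(missing)))
    return (not reasons, reasons)


if __name__ == "__main__":
    marking = parse_marking("SECRET//REL GBR, NZL")   # constructed sample marking
    for subj in (Subject("SECRET", "NZL", need_to_know=True),
                 Subject("TOP SECRET", "USA", need_to_know=True)):
        print(subj.nationality, may_access(marking, subj))
```

The release check reports every failed condition rather than stopping at the first, which is what an audit log needs: a refusal caused by a missing codeword briefing and one caused by nationality look identical if only a boolean is recorded.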
Security equipment catalogue (SEC)
  The catalogue of SCEC-approved security products (to be progressively replaced by the Security equipment evaluated product list (SEEPL)).

Security equipment evaluated product list (SEEPL)
  The list of SCEC-approved security products for the protection of valuable information and assets, and the prevention of widespread loss of life.

Security executive (in reference to protective security)
  The agency Senior Executive Service officer (or equivalent) responsible for protective security functions in that agency.

Security-in-depth (also defence-in-depth)
  A multi-layered system in which security countermeasures are combined to support and complement each other. This makes unauthorised access difficult; for example, physical barriers should complement and support procedural security measures, and vice versa.

Security incident
  A security infringement, breach, violation, contact or approach from those seeking unauthorised access to official resources, or any other occurrence that results in negative consequences for the Australian Government.

Security infringement
  Any incident that contravenes an agency's internal protective security procedures, other than those that can be categorised as a security breach or security violation. Additional detail is available in the Australian Government protective security governance guidelines: Reporting incidents and conducting security investigations.

Security investigation
  An investigation carried out to establish the cause and extent of a security incident that has, or could have, compromised the Australian Government. The overall purpose of a security investigation is to prevent the incident from happening again by making improvements to the agency's systems or procedures. Additional detail is available in the Australian Government protective security governance guidelines: Reporting incidents and conducting security investigations.
Security plan
  See agency security plan.

Security review
  See security risk review.

Security risk
  Any event that could result in the compromise, loss of integrity or unavailability of official information or resources, or deliberate harm to people, measured in terms of its likelihood and consequences.

Security risk criteria
  Statements that communicate the expectations of an agency's senior management about the agency's security environment. These criteria help an agency identify security risk and prepare appropriate security treatments, and provide a benchmark against which the success of the security plan can be measured. See also Risk appetite.

Security risk review
  The process used to determine risk management priorities by evaluating risk against predetermined criteria, in the context of an agency's protective security arrangements.

Security violation
  A deliberate, negligent or reckless action that leads, or could lead, to the loss, damage, corruption or disclosure of official information or resources. Additional detail is available in the Australian Government protective security governance guidelines: Reporting incidents and conducting security investigations.

Security Zones
  A method of assessing the security of areas used for protecting people, or for handling and storing information and physical assets, based on security controls.

Security Zone One
  Unsecured areas, including out-of-office working arrangements.

Security Zone Two
  Low security area with some controls and access control for visitors.

Security Zone Three
  Security area with higher level security controls than Security Zone Two, strict control of visitors on a needs basis, and controlled access for employees.

Security Zone Four
  Security area with a higher level of controls than Security Zone Three, and strict visitor and employee access controls on a needs basis.
Security Zone Five
  Security area with the highest level of controls, and strict visitor and employee access controls on a needs basis.

Sensitive information
  Information that may be exempt from disclosure under Part IV of the Freedom of Information Act 1982 (Cth).

Sensitive
  Dissemination limiting marker applied to information that is covered by a specific secrecy provision of an Act and may be exempt from the Freedom of Information Act 1982 (Cth).

Sensitive: Personal
  Dissemination limiting marker applied to all sensitive personal information as defined in the Privacy Act 1988 (Cth).

Sensitive: Legal
  Dissemination limiting marker applied to information where legal privilege applies, as defined in the Evidence Act 1995 (Cth).

Sensitive: Cabinet
  Dissemination limiting marker assigned to all documents prepared for consideration by Cabinet, including documents in preparation. Cabinet information must also be security classified at a minimum of PROTECTED.

Sensitive personal information
  Personal information defined as 'sensitive information' in the Privacy Act 1988 (Cth).

Short term access (in reference to personnel security)
  A form of temporary access used where access to security classified information is required by a person who does not have the appropriate security clearance.

Site
  The discrete, separate physical location of an agency's facility or facilities.

Site planning (in reference to physical security)
  A determination as to which physical control measures are to be applied at a site to mitigate agency and site specific risks.

Site security plan
  A plan that documents measures to reduce, to an accepted level, the identified risks to the agency's functions and resources at a designated site.

Source codeword
  A type of security caveat: a word or set of letters used to identify the source of certain information without revealing it to those who do not have a need-to-know. People who need to access this information must be cleared and briefed about the significance of this type of information. See also codeword and security caveat.

Special-handling caveat
  A type of security caveat: a collection of various indicators such as operation codewords, instructions to use particular communications channels, and 'EXCLUSIVE FOR (named person)'. See also security caveat.

Special event
  A planned event of such a nature that the national interest is served by the Australian Government's involvement in whole-of-government coordination of security, normally through Emergency Management Australia (EMA) in the Attorney-General's Department. Also see event and planned event.

Specified persons
  See Authorised persons.

Spent conviction
  A conviction for a Commonwealth, state, territory or foreign offence which satisfies all of the following conditions:
  - a statutory or regulatory exclusion does not apply
  - it is 10 years since the date of the conviction (or 5 years for child offenders)
  - the individual has not re-offended during the 10-year (5-year for child offenders) waiting period, and
  - the individual was not sentenced to imprisonment, or was not sentenced to imprisonment for more than 30 months.

Spent Convictions Scheme
  A scheme that aims to prevent discrimination on the basis of old convictions; see Part VIIC of the Crimes Act 1914 (Cth).

Sponsoring agency (in reference to personnel security)
  The agency that sponsors a security clearance and is responsible for the ongoing maintenance of the clearance.

Spying
  See espionage.

Statement of Requirements (SOR)
  A description of the activity or function to be contracted out, in terms of required outputs and outcomes.

Sub-contractor
  A contractor who contracts to provide goods or services to another contractor.
Suitability indicators (in reference to personnel security)
  Suitability indicators for a security clearance include maturity, responsibility, tolerance, honesty and loyalty. Also see the Australian Government personnel security guidelines: Vetting Practices.

T4 Protective Security (T4 or ASIO-T4)
  The section within ASIO responsible for providing protective security advice and services, including testing of physical security equipment for SCEC.

Technical surveillance counter-measures (TSCM)
  Measures taken to detect the presence of technical surveillance devices and hazards, and to identify technical security weaknesses that could aid in the conduct of a technical penetration of the surveyed facility.

Tele-centre
  A location separate from the employee's home and remote from the agency's normal business premises that provides access to an office environment and may provide remote access to agency ICT systems. These facilities may be provided on an agency-specific or shared basis.

Tele-worker
  An employee who undertakes tele-work, including:
  - Casual tele-workers take advantage of tele-working to meet a short-term or intermittent requirement. Unless there is a formal tele-work agreement, they should be considered mobile employees.
  - Full-time tele-workers operate primarily from a remote, fixed location. This could be either the tele-worker's own home or a remote office/tele-centre.
  - Part-time tele-workers may spend part of their time working in a fixed remote location and part of their time in the office.
  - Day extenders may work a regular day in the office and then log in from a fixed remote location, normally from home, to continue to work or to meet a short-term or intermittent requirement.

Tele-work (also telework, telecommuting)
  Paid work conducted away from an agency's offices in a fixed location, which requires at least periodic connection to the employer's ICT network. Tele-work is distinguished from mobile computing by having a controlled environment and little need for portability of equipment. Tele-work is subject to a formal agreement between the agency and the employee.

TEMPEST
  The investigation of compromising emanations from electronic equipment such as computers; also the term used for such compromising emanations.

Temporary access (in reference to personnel security)
  A temporary arrangement that, in exceptional circumstances, provides limited access to security classified information to people who are yet to be issued with an appropriate security clearance. There are two types of temporary access: Provisional access and Short term access.

Tendering
  The act of a potential contractor offering to perform services or supply goods for a specified cost.

Thin client technology
  Technology which allows remote access to information without storing any of that information on the user's local (client) device.

Third party interest (in reference to competitive tendering and contracting)
  Any legal or equitable right, interest, power or remedy (no matter the degree) in favour of any person other than the agency or the contractor in connection with the contract, including any right of repossession, receivership, control or power of sale, and any mortgage, charge, security or other interest.

Threat
  A source of harm that is deliberate or has intent to do harm.

Threat assessment
  Evaluation and assessment of the intentions of people who could pose a hazard to a resource or function, how they might cause harm, and their ability to carry out their intentions. Threats need to be assessed to determine what potential exists for them to actually cause harm.

TOP SECRET
  A security classification that shows that compromise of the confidentiality of official information could cause exceptionally grave damage to the national interest.
Unclassified (in reference to information)
  Official information that is not expected to cause harm and does not require a security classification; it may be unlabelled or it may be marked 'Unclassified'. This type of information represents the bulk of official information.

Unauthorised access (in reference to information)
  Access to official information that is not based on a legitimate need-to-know, sanctioned by government policy or agency direction, or an entitlement under legislation.

Unauthorised access (in reference to facilities or assets)
  Access to official facilities or assets that is not sanctioned by government policy or agency direction, or an entitlement under legislation.

Unauthorised disclosure (in reference to official information)
  The communication or publication of official information where it is not based on a legitimate need-to-know, sanctioned by government policy or agency direction, or an entitlement under legislation.

Unplanned event
  An event that occurs at short notice, is routine, or otherwise does not allow, or require, detailed planning, including security planning. Also see event.

Unsecured area
  A legacy term for an area that does not meet the physical security measures required to be classified as an intruder resistant, partially secure or secure area. Replaced by Security Zones.

Vetting
  Checking and assessment action to develop a realistic and informed evaluation of a person's suitability to hold a security clearance.

Vetting agency
  The Australian Government Security Vetting Agency (AGSVA), authorised agencies, and state and territory vetting agencies.

Violation
  See security violation.

Virus (in reference to ICT systems)
  See malware.

Vulnerability (in reference to risk management)
  The degree of susceptibility and resilience of an agency to hazards.

Vulnerability (in reference to ICT systems and information)
  A flaw, bug or misconfiguration that can be exploited to gain unauthorised access to a network or information.
Waiver (in reference to personnel security): See eligibility waiver.

Whole person: Using all available information about the factors that affect a person’s character, from their past and present, to make an assessment of the person.

X-IN-CONFIDENCE: A legacy non-national security classification that is no longer in use.

3. Abbreviations

AAT: Administrative Appeals Tribunal
ABDC: Australian Bomb Data Centre
AFP: Australian Federal Police
AGSVA: Australian Government Security Vetting Agency, located within the Department of Defence
ANAO: Australian National Audit Office
ANZCTC: Australian New Zealand Counter Terrorism Committee
APPs: Australian Privacy Principles
ASA: Agency security adviser
ASD: Australian Signals Directorate
ASIO: Australian Security Intelligence Organisation
ASIO-T4 or T4: ASIO-T4 Protective Security
APSC: Australian Public Service Commission
Archives Act: The Archives Act 1983 (Cth)
BCP: Business continuity plan
CCTV: Closed circuit television
CDR: Classified Document Register
COMSEC: Communications security
CPNI: Centre for the Protection of National Infrastructure (UK Government)
CPTED: Crime prevention through environmental design
Crimes Act: The Crimes Act 1914 (Cth)
CRYPTO: Cryptographic information
CTC: Competitive tendering and contracting
DFAT: Department of Foreign Affairs and Trade
DIO: Defence Intelligence Organisation
DRP: Disaster recovery plan
DSAP: Designated security assessment position
DSB: Diplomatic Security Branch (part of the Department of Foreign Affairs and Trade)
EACS: Electronic access control system
EIS: External integrated system
EPL: Evaluated product list
FOI Act: The Freedom of Information Act 1982 (Cth)
FGI: Foreign government information
Finance (Alt DoFD): Department of Finance and Deregulation
ICT: Information and communications technology
INFOSEC: Information security
ISM: Australian Government Information Security Manual (previously known as ASCI 33)
ITSA: Information technology security adviser
Malware: Malicious software
NTAC: National Threat Assessment Centre (in ASIO)
OH&S Act: The Occupational Health and Safety Act 1991 (Cth), replaced by the Work Health and Safety Act 2011 (Cth)
PERSEC: Personnel security
PGPA Act: Public Governance, Performance and Accountability Act 2013 (Cth)
PHYSEC: Physical security
PIDS: Perimeter intrusion detection system
PIV: Personal identity verification
PoT: Position of Trust
PSF: Personal Security File
PSM: Australian Government Protective Security Manual (precursor to the PSPF)
PSPC: Protective Security Policy Committee
PSPF: Protective Security Policy Framework
RFT: Request for Tender
SAS: Security alarm system
SCEC: Security Construction Equipment Committee
SCNS: Secretaries Committee on National Security
SEC: Security equipment catalogue
SEEPL: Security equipment evaluated product list
SIGINT: Signals intelligence
SOR: Statement of requirements
T4 or ASIO-T4: ASIO-T4 Protective Security
TSCM: Technical surveillance counter-measures
WHS Act: The Work Health and Safety Act 2011 (Cth)
