Better practice guide—Developing agency protective security

Protective security better practice guide
Developing agency protective security policies, plans
and procedures
Approved March 2012
Amended April 2015
Version 1.1
© Commonwealth of Australia 2011
All material presented in this publication is provided under a Creative Commons Attribution 3.0 Australia (http://creativecommons.org/licenses/by/3.0/au/deed.en) licence.
For the avoidance of doubt, this means this licence only applies to material as set out in this document.
The details of the relevant licence conditions are available on the Creative Commons website (accessible using the links provided) as is the full legal code for the CC BY 3.0 AU licence (http://creativecommons.org/licenses/by/3.0/legalcode).
Use of the Coat of Arms
The terms under which the Coat of Arms can be used are detailed on the It's an Honour
(http://www.itsanhonour.gov.au/coat-arms/index.cfm) website.
Contact us
Inquiries regarding the licence and any use of this document are welcome at:
Business Law Branch
Attorney-General’s Department
3-5 National Cct
BARTON ACT 2600
Telephone: (02) 6141 6666
copyright@ag.gov.au
Document details
Security classification: Unclassified
Dissemination limiting marking: Publicly available
Date of security classification review: June 2018
Authority: Protective Security Policy Committee
Author: Protective Security Policy Section, Attorney-General’s Department
Document status: Approved 22 March 2012; Amended April 2015
Contents
1. Introduction
1.1 Purpose
1.2 Audience
1.3 Scope
1.3.1 Use of specific terms in these guidelines
2. Approach
2.1 Review of policies, plans and procedures
3. Asset identification and risk assessment
3.1 Asset identification
3.2 Risk assessment
3.2.1 Threat assessment
4. Protective security policy
4.1 Components of protective security policy
5. Protective security plans and procedures
5.1 Classification and control of the security plan
5.2 Components of a security plan
5.2.1 Governance arrangements
5.2.2 Personnel security
5.2.3 Information security
5.2.4 Physical security
5.3 Security plan format
5.3.1 Foreword
5.3.2 Statement of purpose and objectives
5.3.3 Security assessment
5.3.4 Actions/strategies, resources, responsibilities and outcomes/performance indicators
5.3.5 Procedures and other attachments
Annex A—Protective security in an agency’s risk management and planning
Amendments
No. | Location   | Amendment
1.  | Throughout | Update links
2.  | Throughout | Insert paragraph numbering
1. Introduction
1.1 Purpose
1. The Protective Security Policy Framework (PSPF) requires agencies to develop their own
protective security policies, plans and procedures. The Australian Government Protective
security better practice guide—Developing agency protective security policies, plans and
procedures provides guidance to agencies in developing their protective security policies, plans
and procedures. It also assists agencies to achieve a consistent approach to determining
personnel, information, physical and procedural controls used to manage security risks.
1.2 Audience
2. This document is primarily intended for:
• Australian Government security management staff, and
• any other body or person responsible for developing protective security policies, plans or procedures on behalf of Australian Government agencies.
1.3 Scope
3. This guide provides better practice advice to agency security management staff. Specific controls and risk mitigation measures used by agencies should be based on the requirements of legislation or the PSPF, and supporting protocols and guidelines, whichever is the higher.
1.3.1 Use of specific terms in these guidelines
4. In this guide the use of the term ‘should’ refers to better practice. Agencies are expected to apply better practice unless there is a reason based on their risk assessment to apply alternative controls.
2. Approach
Diagram 1—Components of agency protective security (diagram not reproduced in this text)
5. Agencies should take an integrated approach to preparing their protective security policies, plans and procedures. All components are interdependent and can be conducted concurrently.
6. After setting up a policy framework based on operational needs, the first stage in developing protective security policies, plans and procedures is asset identification and risk assessment, as presented in the order of the guide. The policy, plan and procedures then become intermeshed: the plan will include revision of the policy and procedures, and will set out specific agency risk mitigation strategies (plans) and measures (controls, including procedures) to be implemented over a prescribed time (plan).
7. Agency protective security policies, plans and procedures may be a single document, separate documents or incorporated into other agency operations documents. If agency protective security policies, plans and procedures are not a single document they should be developed in conjunction with each other, based on the agency risk assessment, as each document will influence the other.
8. The security policies, plans and procedures should consider the agency objectives and other agency operational policies and outcomes. See Annex A—Protective security in an agency’s risk management and planning.
2.1 Review of policies, plans and procedures
9. All protective security policies, plans and procedures should be reviewed as the risk environment changes or at least every two years.
10. These reviews should also identify any gaps in agency policy or mitigation measures and comply with Australian Government expectations as outlined in the PSPF.
3. Asset identification and risk assessment
11. All protective security policies, plans and procedures should:
• mitigate identified risks to agency assets—including personnel, information, physical assets and services (including third party dependencies); or
• apply controls to meet the Australian Government’s governance expectations, and
• in the case of asset sharing arrangements, apply controls to meet the other agencies’ expectations
whichever is the higher.
12. In addition to meeting general Government policies, agency protective security policies should
address any applicable legislative or policy requirements that are specific to the agency.
13. Asset identification and security risk management documents can form part of an agency security
plan or be standalone and inform the agency protective security policies and plan.
3.1 Asset identification
14. Agencies should identify all assets that are critical to the ongoing operations of the agency or to the
national interest.
15. The Australian Government protective security governance guidelines—Business impact levels
provide a consistent model for agencies to use when assigning a value to assets based on the
impact arising from the compromise of confidentiality, loss of integrity or unavailability of the
assets.
3.2 Risk assessment
16. After identifying an agency’s critical assets, the agency should determine the risks to these assets.
17. The PSPF requires that agencies apply the risk management methodology detailed in AS/NZS ISO
31000:2009 Risk management—Principles and guidelines and HB 167:2006 Security risk
management to assess their security risks. Diagram 2—Security risk management process provides
a summary of the security risk management process.
18. Security risk assessment is closely related to other agency risk assessment processes and should not
be considered in isolation from other areas of risk. See Annex A—Protective security in an agency’s
risk management and planning.
3.2.1 Threat assessment
19. Agencies should identify the threats to their assets to enable them to adequately assess their risks.
20. National security threat assessments may be sourced from the Australian Security Intelligence
Organisation National Threat Assessment Centre. Agencies may also seek threat advice from other
government agencies and local authorities.
21. Agencies may also develop their own threat assessments using the guidance provided in Standards
Australia handbook HB167:2006—Security Risk Management if they feel their personnel have the
requisite skills, or to address agency specific threats.
Diagram 2—Security risk management process (diagram not reproduced in this text)
(This diagram has been reproduced from Standards Australia HB167:2006 - Security Risk Management by permission of SAI Global Ltd.)
4. Protective security policy
22. Agency protective security policy gives authority to all protective security controls used in the
agency protective security plan and procedures. The controls mitigate the risks to agency assets or
where higher meet the Australian Government’s expectations in asset sharing arrangements.
23. The agency head, or his or her delegate, should approve protective security policy as agency policy.
This will ensure that the policy can be enforced.
24. The Australian Public Service Code of Conduct (Public Service Act 1999 (Cth) Section 13) states:
An APS employee must comply with any lawful and reasonable direction given by someone in the
employee’s Agency who has authority to give the direction.
25. Agencies operating outside of the Public Service Act will have similar provisions relating to the
requirement for employees to follow direction.
26. The agency security executive and agency security adviser should actively monitor agency security
policy to ensure that the policy continues to address the risks to the agency’s security.
4.1 Components of protective security policy
27. Protective security policies should cover:
• Governance arrangements—including how protective security relates to other components of an agency’s operational governance, including, but not limited to:
  - fraud control
  - security components of employee and public safety
  - security requirements in contracts
  - assigning security management roles
  - audit and compliance reporting
  - processes for policy exceptions, and
  - review and amendment.
• Personnel security policy—including, but not limited to, the reasons supporting and authority for:
  - agency specific checks
  - security clearance requirements
  - use of temporary access arrangements, that is emergency, limited higher and provisional access, and
  - security violation, breach and infringement investigation and management arrangements.
• Information security policy—including, but not limited to, the reasons supporting and authority for:
  - classification and business impact levels
  - ICT access
  - email and internet use, and
  - removal of information from agency premises.
• Physical security policy—including, but not limited to, the reasons supporting and authority for:
  - agency employee and visitor access—there may be site specific policies where there are different roles/risks in facilities
  - access by children
  - security and safety of people—in conjunction with other agency safety policies
  - tele-working and mobile computing, and
  - physical security of information.
5. Protective security plans and procedures
28. An agency’s protective security plan and procedures should mitigate an agency’s security risks, and
facilitate sharing arrangements. Protective security procedures supplement the security plan and,
while they may form part of the plan, can be used as standalone advices to employees.
29. Each agency’s security plan will be different. It will reflect an agency’s individual protective security requirements and mitigation strategies according to the levels of threat and risk to its assets. As such, a plan should be as comprehensive as possible and developed with attention to detail. This can be achieved by:
• developing the plan through consultation with representatives from every section within an agency, and
• having extensive liaison with other staff directly involved with providing agency security infrastructure (e.g. Information Technology Security Adviser, security guards and building maintenance staff) throughout the whole developmental process and during its ongoing review.
30. A security plan is also a means by which an agency can review the degree of security risk that exists in different areas of its operations and make plans to mitigate the risks. The objectives of a security plan are to:
• identify areas of security risk through appropriate security risk assessment, and
• outline practical steps that can be taken that will minimise these risks.
31. An agency needs to develop site security plans for each individual agency site. The agency should
assess each site separately so that the controls applied address the specific risks at each site.
32. Agency protective security plans and procedures will only be successful if senior management input
and support is gained.
5.1 Classification and control of the security plan
33. The classification and control of the complete security plan should be carefully considered against
the business impact of the compromise of the confidentiality of the plan. Individual elements of the
plan should be classified as appropriate to each element.
5.2 Components of a security plan
34. The protective security plan covers controls to address all elements of protective security.
5.2.1 Governance arrangements
35. Governance arrangements should include, but not be limited to:
• contract service provider and third party security
• fraud control
• disaster recovery and business continuity planning
• reporting incidents and conducting security investigations
• audit and compliance reporting
• review and amendment, and
• roles and responsibilities.
(Governance arrangements may be standalone plans managed by other sections of the agency; if so agency security management personnel should be consulted in the development of the individual plans.)
5.2.2 Personnel security
36. Personnel security arrangements should include, but not be limited to:
• personnel security provisions in the recruitment process—in conjunction with agency human resource management
• designated security assessment position list
• contact reporting
• security clearance aftercare, and
• ongoing security awareness training.
5.2.3 Information security
37. Information security arrangements should include, but not be limited to:
• ICT access
• classified and sensitive information archival—in conjunction with agency records management
• cyber security, and
• information handling—within the agency as well as when in transit or out of the office.
5.2.4 Physical security
38. Physical security arrangements should include but not be limited to:
• site security plans
• physical security of employees, visitors and the public on agency sites—in conjunction with the agency safety plans
• physical security of information
• protection of physical assets—in conjunction with the fraud control plans
• access control systems
• security alarm systems
• measures to increase security if the National Alert Level or agency specific threats increase
• security of disaster recovery or alternate agency sites—in conjunction with business continuity plans, and
• physical security for tele-working.
5.3 Security plan format
39. The following is a suggested format for security plans.
5.3.1 Foreword
40. The foreword to the security plan allows the agency head to state the importance of, and endorse
the plan as well as outline the need for effective security risk management.
5.3.2 Statement of purpose and objectives
41. The statement of purpose and objectives links the security plan to the security policy. It sets out
the role and responsibility of the agency or department and links this to the security practices
required to ensure minimal disruption to its operation and resources. In other words, what the
agency considers its vital tasks and how security relates to its ability to perform these tasks. It also
takes into consideration the strategies reflected in an agency’s corporate plan. The objectives of
the security plan should be set out clearly.
5.3.3 Assessment of existing security measures
42. The assessment evaluates the agency’s current protective security arrangements and details
current exposure as well as any potential threats. This may be in the form of a formal threat
assessment undertaken by competent agency personnel or a contracted service provider.
5.3.4 Actions/strategies, resources, responsibilities and outcomes/performance indicators
43. The actions/strategies, resources needed, responsibilities and outcomes/performance indicators of the plan can be separate documents or incorporated into a single spreadsheet.
Actions/strategies
44. The actions/strategies are an outline of what needs to be done to meet the objectives and treat the
security risks identified in the threat assessments, or meet the controls needed to give assurance in
asset sharing agreements. This section includes a timetable for these actions to occur.
Resources and responsibilities
45. The resources and responsibilities describe what resources are needed and who is responsible for
implementing the strategies. In addition, this section details what ongoing resources are needed to
maintain the required level of protective security and identifies resources that may be needed to
implement additional precautions if the threat level increases. (Note: such an event may happen at
short notice.)
Outcomes/performance indicators
46. The desired outcomes and performance indicators are detailed to allow an assessment of whether the objectives have been met. Indicators need to be measurable both in scope and time. Examples of a performance indicator could be:
• reduction in risk levels to the agency’s physical premises (possibly achieved by using crime prevention through environmental design concepts) to a level acceptable to the agency; or
• reduction in fraud, theft or losses to agency resources or assets (possibly achieved by implementing a fraud control plan) to a level acceptable to the agency.
47. Outcomes/performance indicators can also be used to inform an agency’s compliance report to its Minister.
5.3.5 Procedures and other attachments
48. Any procedures developed to support the plan should be included as attachments. These
procedures may also be released as standalone documents to help inform employees.
49. Other attachments may include, but are not limited to:
• the security risk assessment
• site plans
• policy documents
• an agency specific PSPF compliance tracking/mapping spreadsheet, and
• links to other agency operational and compliance plans.
Annex A—Protective security in an agency’s risk management and planning
(The original annex is a diagram; its layout is not reproduced here. The elements shown in the diagram, in the order they appear, are listed below.)

Agency risk management
• Operational risk management
• Financial risk management, including fraud risk
• Security risk management
  - Personnel risk review elements incorporating: agency requirements; program requirements; sub-program requirements; key individual requirements
  - Physical risk review elements incorporating: agency requirements; site requirements; area requirements
  - Information risk review elements incorporating: agency requirements; site requirements; compartmental requirements

Agency business plan
• Operational plan
• Security plan
  - Personnel security policy and procedures elements: eligibility policy; employment conditions policy; security clearance policy; ongoing suitability maintenance policy
  - Physical security policy and plan elements including: site security plans; personal safety and security measures; physical asset protection measures; information protection measures
  - ICT and information security policy and plan elements including: ICT plan; information classification policy; access and availability policies
  - Security and fraud governance policies and procedures elements including: contractor security/fraud management policy; security/fraud awareness training, investigations and review policy; audit and reporting policy
• Business continuity plan
• Financial plan including fraud control plan
• International obligations