Protective Security Policy Framework

Securing Government business
• Directive on the security of Government business
• Governance arrangements, and
• Core Personnel, Information and Physical Security
Management policies
Approved June 2010
Amended July 2015
Version 1.10
© Commonwealth of Australia 2012
All material presented in this publication is provided under a Creative Commons Attribution 3.0
Australia licence (www.creativecommons.org/licenses).
For the avoidance of doubt, this means this licence only applies to material as set out in this
document.
The details of the relevant licence conditions are available on the Creative Commons website as is
the full legal code for the CC BY 3.0 AU licence (www.creativecommons.org/licenses).
Use of the Coat of Arms
The terms under which the Coat of Arms can be used are detailed on the It's an Honour website
(www.itsanhonour.gov.au).
Contact us
Enquiries regarding the licence and any use of this document are welcome at:
Business Law Branch
Attorney-General’s Department
3–5 National Cct
BARTON ACT 2600
Telephone: 02 6141 6666
copyright@ag.gov.au
Document details
Security classification: Unclassified
Dissemination limiting marking: Publicly available
Date of next review: June 2018
Authority: Attorney-General
Author: Protective Security Policy Section, Attorney-General’s Department
Document status: Approved 6 June 2010; Amended July 2015
Contents
Amendments
Directive on the Security of Government Business
Overarching Protective Security Policy Statement
    Protective Security Principles
Governance
    Mandatory requirements
    Overall responsibility for protective security
    Australian Government protective security roles and responsibilities
        National Security Committee of Cabinet
        Secretaries Committee on National Security
        Protective Security Policy Committee
        Inter-Agency Security Forum
        Homeland and Border Security Policy Coordination Group
        Security Construction and Equipment Committee
        Intelligence, technical standards and protective security advice
    Applicability of the PSPF
        Protective security outside of Australia
    Developing a security culture
    Security risk management
    Audit, reviews and reporting
    Security investigations
    Legislation
        Crimes Act 1914 and the Criminal Code 1995
    International security agreements
    Business continuity management
    Contracting
    Fraud control
Core policies
    Australian Government personnel security management core policy
        Overview
        Purpose
        Risk management
        Need-to-know
        Australian Government Security Vetting Agency
        Security vetting
        Australian Government personnel security management protocol
        Vetting decisions – assessment of whole person
        Ongoing personnel security management (‘Aftercare’)
    Australian Government information security management core policy
        Sharing of information and other assets
        Agency information security policy and planning
        Information security framework and third party access
        Information asset classification and control
        Operational security management
        Information access controls
        Information system development and maintenance
        Compliance
    Australian Government physical security management core policy
        Risk management
        Security-in-depth
        Agency physical security policy and planning
        Protection of employees
        Physical security
        Work health and safety
        Duty of care – third parties
        Physical security of ICT equipment and information
        Physical security in emergency and increased threat situations
Amendments
No. | Date | Section | Amendment
1 | December 2010 | Mandatory requirements | Update reference to mandatory requirements, now available in Securing Government Business – Protective Security Guidance for Executives.
2 | December 2010 | Overall responsibility for protective security | Update wording to more clearly indicate an agency head’s ability to delegate authority.
3 | December 2010 | Australian Government protective security roles and responsibilities | Update references to Australian Government Information Commissioner and Australian Government Crisis Coordination Centre.
4 | December 2010 | Australian Government personnel security core policy | PERSEC 2 – update wording of DSAP to reflect Crimes Act definition; replace ‘assessed’ with ‘assessment’.
5 | December 2010 | Australian Government information security core policy | INFOSEC 1 – change wording to reflect INFOSEC arrangements as part of agency security plan.
6 | January 2011 | Australian Government information security core policy | Under INFOSEC 4 – update name of Australian Government Information Security Manual (ISM).
7 | January 2011 | Australian Government physical security core policy | PHYSEC 1 – change wording to reflect PHYSEC arrangements as part of agency security plan.
8 | January 2011 | What is the PSPF? | Update wording to reflect replacement of the PSM.
9 | August 2011 | Core policies | Remove references to PSM and include references to protocols and guidelines.
10 | September 2011 | Core policies | Remove repetition of version number, creating confusion with version of protocols.
11 | September 2011 | Governance arrangements | Include references to new guidelines.
12 | September 2011 | Introduction | Remove references to classified guidelines.
13 | September 2011 | Throughout | Embed hyperlinks to referenced websites.
14 | June 2012 | Directive on the security of Government business | Update Attorney-General’s details.
15 | November 2012 | Throughout | Update links.
16 | November 2012 | Australian Government protective security roles and responsibilities | Update SCEC and ASIO details, remove references to the Cyber Security Policy and Coordination Committee and update Attorney-General’s Department details.
17 | November 2012 | Australian Government information security core policy | Update wording under Information asset classification and control.
18 | December 2012 | Throughout | Remove section numbering and include paragraph numbering.
19 | April 2013 | INFOSEC 4 | Update to include mandatory strategies to mitigate targeted cyber intrusion.
19 | June 2013 | Throughout | Update reference to Australian Signals Directorate (ASD) from Defence Signals Directorate (DSD).
20 | July 2014 | Applicability of the PSPF | Update to reflect change to PGPA Act.
21 | September 2014 | Personnel Security core policy | Replace personnel security core policy with new version.
22 | October 2014 | Directive on the security of Government Business | Replace directive with updated version consistent with the PGPA Act.
23 | November 2014 | Fraud Control | Update to reflect change to Fraud Control Framework.
24 | April 2015 | Throughout | Update links.
25 | April 2015 | Applicability of the PSPF | Remove reference to AGS advice on applicability of the PSM.
26 | July 2015 | Sections 3.2 and 3.4 | Add definition of agency head to footnotes.
Directive on the Security of Government Business
1. The Australian Government is committed to effectively managing the protective security risks to Government business, and building increased trust, confidence and engagement with the Australian people and our international partners.
2. The Government requires agency heads to have in place effective protective security arrangements to ensure:
• their respective agency’s capacity to function
• the safety of those employed to carry out the functions of government and those who are clients of government, and
• official resources and information the agency holds in trust, both from and for the public, and those provided in confidence by other countries, agencies and organisations, are safeguarded.
3. To achieve this, agency heads are to apply the Protective Security Policy Framework and promote protective security as part of their agency’s culture. A progressive protective security culture that engages with risk will foster innovation, leading to the increased productivity of Government business.
4. The Australian Government, through my Department, will continue to develop and refine protective security policy that promotes the most efficient and effective ways to secure the continued delivery of Government business.
Senator the Hon George Brandis QC
Attorney-General
October 2014
Overarching Protective Security Policy Statement
5. The appropriate application of protective security by Government agencies and bodies ensures the operational environment necessary for the confident and secure conduct of Government business. Managing security risks proportionately and effectively enables Government agencies and bodies to provide the necessary protection of the Government’s people, information and assets.
2.1 Protective Security Principles
6. The Attorney-General is responsible for setting the Government’s protective security policy. Each Australian Government Minister is responsible for the protective security of the departments, agencies or bodies within his or her portfolio. Agency heads are responsible to their Minister for creating and maintaining an agency operating environment that:
• safeguards its people and clients from foreseeable risks
• facilitates the appropriate sharing of official information in order for Government to effectively do business
• limits the potential for compromise of the confidentiality, integrity and availability of its official information and assets, recognising risks to Government such as those associated with aggregation
• protects official assets from loss or misuse, and
• supports the continued delivery of the agency’s essential business in the face of disruptions caused by all types of hazards.
7. Agency heads need to understand, prioritise and manage security risks to prevent harm to official resources and disruption to business objectives. Security is not just a cost of doing business, but enables an agency to manage risks that could adversely affect achieving its objectives. Agencies can only achieve effective protective security if security is part of the agencies’ culture, practices and operational plans. Therefore agencies should build protective security into government processes rather than implementing it as an afterthought. Effective protective security and business continuity management underpin organisational resilience.
8. Agency heads are to ensure that employees and contractors entrusted with their agency’s information and assets, or who enter their agency’s premises:
• are eligible to have access
• have had their identity established
• are suitable to have access, and
• are willing to comply with the Government’s policies, standards, protocols and guidelines that safeguard that agency’s resources (people, information and assets) from harm.
Governance
9. Good protective security governance is about both:
• conformance - how an agency uses protective security arrangements to ensure it meets the obligations of policy and standards and Government’s expectations, and
• performance - how an agency uses protective security arrangements to contribute to its overall performance through the secure delivery of goods, services or programmes as well as ensuring the confidentiality, integrity and availability of its people, information and assets.
10. The PSPF is based on principles of public sector governance including:
• accountability - being answerable for decisions and having meaningful mechanisms in place to ensure the agency adheres to all applicable protective security standards
• transparency/openness - having clear roles and responsibilities for protective security functions and clear procedures for making decisions and exercising authority
• efficiency - ensuring the best use of limited protective security resources to further the aims of the agency, with a commitment to risk-based strategies for improvement, and
• leadership - achieving an agency-wide commitment to good protective security performance through leadership from the top.
For further guidance see the Australian Standards:
• AS 8000-2003: Corporate governance - Good governance principles
• AS 8001-2008: Fraud and corruption control
• AS 8002-2003: Corporate governance - Organizational codes of conduct
• AS 8003-2003: Corporate governance - Corporate social responsibility
• AS 8004-2003: Corporate governance - Whistleblower protection programs for entities
3.1 Mandatory requirements
11. Securing Government Business – Protective Security Guidance for Executives, as well as the governance arrangements and core policy documents in the PSPF, describe the higher level mandatory requirements applicable to all agencies. Detailed protocol documents and guidelines support the personnel security, information security and physical security core policies. The protocol documents set out procedural minimum requirements. Some agencies have specific security risks that will require them to apply more than the minimum requirements.
3.2 Overall responsibility for protective security
12. The Government is responsible for the protective security of the Commonwealth. Individual Ministers are responsible for securing the operation of their portfolios.
13. Within an agency, the Agency Head[1] is responsible for the protection of agency functions, official resources and employees (including contractors). An Agency Head may, in writing, delegate to another person any of the Agency Head’s powers or functions prescribed in the PSPF.
14. The Attorney-General's Department (AGD) is responsible for the development and delivery of the PSPF.
15. All Australian Government employees, including contractors, have a collective responsibility to ensure that government resources (people, information and assets) are protected.
[1] Reference to an 'agency head' means the accountable authority of an entity or company. If the accountable authority is a board or body corporate, the accountable authority can delegate the function to the chief executive or equivalent.
3.3 Australian Government protective security roles and responsibilities
16. The following committees have protective security responsibilities:
• National Security Committee of Cabinet
• Secretaries Committee on National Security
• Protective Security Policy Committee
• Inter-Agency Security Forum
• Homeland and Border Security Policy Coordination Group, and
• Security Construction and Equipment Committee
National Security Committee of Cabinet
17. The Prime Minister chairs the National Security Committee of Cabinet (NSC) which is the Government’s highest decision-making body on Australia’s national security. NSC considers strategic developments and issues of long term relevance to Australia’s broad national security interests. NSC also oversees federal intelligence and security agencies.
Secretaries Committee on National Security
18. The Secretaries Committee on National Security (SCNS) provides advice to the Government through NSC on matters of national security. SCNS consists of secretaries of departments and heads of agencies with responsibility for national security matters.
Protective Security Policy Committee
19. The Protective Security Policy Committee (PSPC) is made up of representatives from agencies with a strong interest in protective security. AGD chairs the PSPC.
Inter-Agency Security Forum
20. The Australian Government established the Inter-Agency Security Forum to achieve and maintain best practice in security in the Australian Intelligence Community and policy related agencies.
Homeland and Border Security Policy Coordination Group
21. The Homeland and Border Security Policy Coordination Group (HPCG) draws its representatives from agencies with a focus on homeland and border security issues. The Department of the Prime Minister and Cabinet chairs the HPCG.
Security Construction and Equipment Committee
22. The Security Construction and Equipment Committee (SCEC), an inter-agency committee that reports to the PSPC, is responsible for:
• evaluating security equipment for use by Australian Government agencies, and
• preparing the Security Equipment Evaluated Products List. To ascertain eligibility for the list refer to SCEC.
Intelligence, technical standards and protective security advice
23. The following agencies provide specialist advice on intelligence, technical standards and protective security:
• the Australian Security Intelligence Organisation (ASIO) collects, analyses and advises on matters relating to espionage, foreign interference, politically motivated violence, communal violence, sabotage, attacks on Australia’s defence system, and serious threats to Australia’s territorial and border integrity[2]
• T4 Protective Security (a unit within ASIO):
  - provides advice to Australian Government agencies on protective security, risk assessment, evaluation of physical security products and physical security reviews, and
  - conducts security risk reviews, technical surveillance countermeasures and certification of all sites storing TOP SECRET information within Australia.
• the Australian Signals Directorate (ASD) produces Australian Government ICT security policy and standards[3]
• the Department of Foreign Affairs and Trade (DFAT) provides advice on overseas security standards in accordance with the Prime Minister’s Directive on Guidelines for Management of the Australian Government Presence Overseas (February 2007)[4]
• the Australian Federal Police (AFP) enforces Commonwealth law[5]
  - the Australian Federal Police Uniform Protection (AFP-UP) provides protective and custodial services in areas of special importance or sensitivity on a fee for service basis
• the Australian National Audit Office (ANAO) reviews protective security arrangements within agencies[6]
• Office of the Australian Information Commissioner:
  - the Office of the Australian Information Commissioner unites, in a single statutory agency, the Australian Information Commissioner with the Privacy Commissioner and the Freedom of Information Commissioner, and
  - together the Commissioners oversee freedom of information (FOI) and privacy matters, including the development of sound policy and best practice standards in these areas
• the Attorney-General’s Department:
  - provides policy advice on the following issues:
      - protective security
      - identity security, and
      - firearms, drugs, crime prevention and general law enforcement
  - in consultation with the AFP, coordinates fraud control policy. See the Fraud Control Framework
  - provides an annual report to the Australian Government on the progress of fraud control
  - delivers training in protective security practices and procedures at the Protective Security Training College
  - provides whole-of-government coordination of dignitary protection and special events through the Security Coordination Branch, and
  - operates the 24/7 Australian Government Crisis Coordination Centre (which includes the Watch Office and National Security Hotline).
[2] The functions of the Australian Security Intelligence Organisation (ASIO) are detailed within the Australian Security Intelligence Organisation Act 1979 (Cth). In carrying out these functions ASIO is responsible for the co-ordination and production of threat assessments for national security matters and is the central counter-espionage authority for Australia. ASIO provides protective security advice and assistance to the Government and its agencies, particularly in respect of risk management and physical, personnel and procedural security.
[3] The Australian Signals Directorate (ASD), located within the Department of Defence, is Australia’s national authority for signals intelligence and information and communications technology security. The Intelligence Services Act 2001 (Cth) requires ASD to provide material, advice and other assistance to Australian Government, State and Territory authorities on matters relating to the security and integrity of information that is processed, stored and communicated by electronic or similar means.
[4] The Department of Foreign Affairs and Trade (DFAT):
• manages all aspects of security policy affecting Australian missions and staff attached to DFAT-managed missions, and
• advises Australians about the risks they might face overseas.
The managing agency of each mission/post is responsible for:
• implementing appropriate physical, technical, information and personnel security procedures, measures and standards, and
• coordinating business continuity and contingency planning at each mission/post.
The managing agency is normally DFAT, though other agencies (such as AUSTRADE) can assume this responsibility where DFAT is not represented. For Australian Government officials and contractors not working within or attached to a mission/post, individual agencies will retain the responsibilities referred to above, for the programs, projects or initiatives to which those officers or contractors are assigned. Agencies may seek advice from DFAT on threats and security countermeasures and consult with DFAT on appropriate guidelines and standards.
[5] Under the Australian Federal Police Act 1979 (Cth) the AFP holds responsibility to prevent, detect and investigate criminal offences against Commonwealth laws, its revenue, expenditure and property.
[6] The Australian National Audit Office (ANAO) provides independent audit advice to agencies and the Federal Parliament by undertaking performance and financial statement audits. It operates under the Auditor-General Act 1997 (Cth).
3.4 Applicability of the PSPF
24. As a policy of the Australian Government, the following agencies[7] must apply the PSPF to the extent that their enabling legislation allows:
• non-corporate Commonwealth entities subject to the Public Governance, Performance and Accountability Act 2013 (Cth) (PGPA Act)
• corporate Commonwealth entities and companies subject to the PGPA Act that have received Ministerial direction to apply the protective security policies of the Australian Government, and
• other bodies established for a public purpose under a law of the Commonwealth and other Australian Government agencies, where the body or agency has received a notice from the relevant Minister that the PSPF applies to them.
25. The Australian Government requires non-government organisations that access security classified information to enter into a Deed of Agreement to apply the PSPF to that information.
26. The Commonwealth expects state and territory government agencies that hold or access Commonwealth security classified information at CONFIDENTIAL and above to apply the PSPF to that information.
3.4.1 Protective security outside of Australia
27. Some requirements of this policy may be difficult for Australian Government agencies to apply when operating in certain foreign environments. In such situations, special protocols may be developed in consultation with DFAT.
28. Restrictions may be placed on personal activities at locations where the environment is particularly dangerous. All employees, unless on diplomatic posting and covered by the Vienna Conventions, are automatically subject to local laws and regulations.
29. For travel information and specific security arrangements and limitations, employees should contact DFAT or the nearest Australian embassy.
[7] In the PSPF, a reference to 'agency' (or 'Australian Government agency') means an entity or company in the first three categories referenced above. Reference to an 'agency head' means the accountable authority of an entity or company. If the accountable authority is a board or body corporate, the accountable authority can delegate the function to the chief executive or equivalent.
3.5 Developing a security culture
30. To successfully deliver the PSPF, agencies need to foster a professional culture and a positive attitude towards protective security.
Mandatory Requirement
GOV-1: Agencies must provide all staff, including contractors, with sufficient information and security awareness training to ensure they are aware of, and meet, the requirements of the PSPF.
31. Agencies are to:
• ensure that individuals who have specific security duties receive appropriate, up to date training
• have an ongoing security awareness program to inform and regularly remind individuals of security responsibilities, issues and concerns
• brief individuals on the access privileges and prohibitions attached to their security clearance level prior to being given access, or when required in the security clearance renewal cycle
• brief all Australian Government employees and contracted service providers who hold a Negative Vetting Level 1 or higher level security clearance at least every five years as a condition of security clearance renewal, and
• communicate and make available to all staff, including contractors, their protective security policies.
For further guidance please refer to the Australian Government personnel security guidelines—Agency personnel security responsibilities section 8.2.
Mandatory Requirements
GOV-2: To fulfil their security obligations, agencies must appoint:
• a member of the Senior Executive Service as the security executive, responsible for the agency protective security policy and oversight of protective security practices
• an agency security adviser (ASA) responsible for the day-to-day performance of protective security functions, and
• an information technology security adviser (ITSA) to advise senior management on the security of the agency’s Information Communications Technology (ICT) systems.
GOV-3: Agencies must ensure that the ASA and ITSA have detailed knowledge of agency-specific protective security policy, protocols and mandatory protective security requirements in order to fulfil their protective security responsibilities.
For further details on the functions of ASAs and ITSAs, and the competencies needed to perform these functions, see the Australian Government protective security governance guidelines—Agency security adviser and IT security adviser functions and competencies.
Mandatory Requirements
GOV-4: Agencies must prepare a security plan to manage their security risks. The security plan must
be updated or revised every two years or sooner when changes in risks and the agency’s operating
environment dictate.
GOV-5: Agencies must develop their own set of protective security policies and procedures to meet
their specific business needs.
32.
The policy and procedures are to:
•
detail the objectives, scope and approach to the management of protective security
issues and risks within the agency
•
be endorsed by the agency head
•
identify protective security roles and responsibilities
•
be reviewed and evaluated in line with changes to agency business and security risks
•
be consistent with the agency’s security risk assessment findings
•
explain the consequences for breaching the policy or circumventing any associated
protective security measure, and
•
be communicated on an on-going basis and be accessible to all agency employees, and
where reasonable and practical be publicly available.
For further advice see the Protective security better practice guides:
• Developing agency protective security policies, plans and procedures
• Developing an agency classification guide, and
• Developing agency alert levels.
3.6 Security risk management
33. Agencies need to develop a security risk management process to:
• identify specific risks to their people, information and assets
• identify the agency’s level of risk tolerance
• identify appropriate protections to reduce or remove risks, and
• identify and accept responsibility for untreatable residual risks (such as doing business on the Internet).
34. What is appropriate will vary from agency to agency, but the process should be transparent and justifiable. Risk avoidance is not risk management.
35. Agencies are to apply business impact levels when determining the consequences of compromise or loss of agency information or assets, or harm to their people.
For further information see the Australian Government protective security governance guidelines—
Business impact levels.
36. Regardless of an agency’s functions or security concerns, the central messages for managing security risks are:
• security risk management is the business of each staff member, including contractors, in the agency
• risk management, including security risk management, is part of day-to-day business
• the process for managing security risk is logical and systematic, and should form part of the standard management process of the agency, and
• changes in the threat environment are to be continuously monitored and necessary adjustments made to maintain an acceptable level of risk and a balance between operational needs and security.
Mandatory Requirement
GOV-6: Agencies must adopt a risk management approach to cover all areas of protective security
activity across their organisation, in accordance with the Australian Standards AS/NZS ISO
31000:2009 Risk management—Principles and guidelines and HB 167:2006 Security risk
management.
37. Agencies are to:
• establish the scope of any security risk assessment and identify the people, information and assets to be safeguarded
• determine the threats to people, information and assets in Australia and abroad, and assess the likelihood and impact of a threat occurring
• assess the risk based on the adequacy of existing safeguards and vulnerabilities, and
• implement any supplementary protective security measures that will reduce the risk to an acceptable level.
For further guidance please refer to Australian Standards:
• AS/NZS ISO 31000:2009 Risk management—Principles and guidelines
• HB 167:2006 Security risk management, and
• HB 327:2010 Communicating and consulting about risk.
3.7 Audit, reviews and reporting
38. The audit, review and reporting process aims to assess how well agencies are ensuring the confidentiality, integrity and availability of essential resources. The audit process includes:
• internal audit and reporting - self-assessment with an annual report to portfolio ministers
• the Australian National Audit Office (ANAO) audits of protective security, and
• the Attorney-General's Department (AGD) annual review of protective security.
Mandatory Requirement
GOV-7: For internal audit and reporting, agencies must:
• undertake an annual security assessment against the mandatory requirements detailed within the PSPF, and
• report their compliance with the mandatory requirements to the relevant portfolio Minister.
The report must:
• contain a declaration of compliance by the agency head, and
• state any areas of non-compliance, including details on measures taken to lessen identified risks.
In addition to their portfolio Minister, agencies must send a copy of their annual report on compliance with the mandatory requirements to:
• the Secretary, Attorney-General’s Department, and
• the Auditor-General.
Agencies must also advise any non-compliance with mandatory requirements to:
• the Director, Australian Signals Directorate for matters relating to the Australian Government Information Security Manual (ISM)
• the Director-General, Australian Security Intelligence Organisation for matters relating to national security, and
• the heads of any agencies whose people, information or assets may be affected by the non-compliance.
39. Using the agencies’ compliance reports, and building upon current ANAO audits of protective security, AGD will report annually on the protective security status across Government.
For further information see the Australian Government protective security governance guidelines—
Compliance reporting.
3.8 Security investigations
40. Agencies need to identify and understand security risks in order to address security incidents and protect people, information and assets. A security investigation will establish the cause and extent of an incident that has, or could have, compromised the Australian Government. Through effective reporting and investigation of security incidents, agencies can determine vulnerabilities and reduce the risk of future occurrence.
41. A security investigation should protect both the interests of the Australian Government and the rights of affected individuals. Agencies are to apply the principles of natural justice and procedural fairness to all security investigations.
42. Agencies are to consult with the AFP, ASIO and/or ASD if the security incident is potentially serious.
Mandatory Requirement
GOV-8: Agencies must ensure investigators are appropriately trained and have in place procedures for reporting and investigating security incidents and taking corrective action, in accordance with the provisions of:
• Australian Government protective security governance guidelines—Reporting incidents and conducting security investigations, and/or
• the Australian Government Investigations Standards.
43. Procedures are to give due regard to ensuring the security integrity of any current or future investigation by the agency or that of another agency.
44. Agencies are also to report:
• incidents suspected of constituting criminal offences to the appropriate law enforcement authority
• incidents suspected of involving the compromise of information or assets classified at or above CONFIDENTIAL to ASIO
• major ICT incidents to ASD, and
• incidents involving the compromise of Cabinet material to the Cabinet Secretariat.
For further information see:
• the Australian Government protective security governance guidelines—Reporting incidents and conducting security investigations, and
• the Australian Government Investigations Standards.
3.9 Legislation
45. The protective security mandatory requirements are not legally set down, but are based on legislation relating to protective security and reflect the aims and objectives of the Australian Government.
46. Where legislation requires an agency to manage protective security in a manner contrary to the PSPF, that legislation is to take precedence over the PSPF.
3.9.1 Crimes Act 1914 (Cth) and the Criminal Code 1995 (Cth)
47. The combined effect of sections 70 and 79 of the Crimes Act 1914 (Cth) and section 91.1 of the Criminal Code Act 1995 (Cth) is that the unauthorised disclosure of information held by the Australian Government is subject to the sanction of criminal law. All staff, including contractors who handle official government material, need to be aware of this legislation and how it applies to their roles.
Mandatory Requirement
GOV-9: Agencies must give all employees, including contractors, guidance on Sections 70 and 79 of the Crimes Act 1914 (Cth), Section 91.1 of the Criminal Code Act 1995 (Cth), the Freedom of Information Act 1982 (Cth) and the Australian Privacy Principles contained in the Privacy Act 1988 (Cth), including how this legislation relates to their role.
48.
49. Laws applicable to agencies may include, but are not limited to:
• Crimes Act 1914 (Cth)
• Criminal Code Act 1995 (Cth)
• Freedom of Information Act 1982 (Cth) (the FOI Act)
• Privacy Act 1988 (Cth)
• Public Service Act 1999 (Cth)
• Defence Act 1903 (Cth)
• Australian Security Intelligence Organisation Act 1979 (Cth) (the ASIO Act)
• Intelligence Services Act 2001 (Cth)
• Archives Act 1983 (Cth)
• Income Tax Assessment Act 1936 (Cth)
• Social Security Act 1991 (Cth), and
• National Security Information (Criminal and Civil Proceedings) Act 2004 (Cth) (the NSI Act).
Agencies may have additional specific protective security obligations under their enabling
legislation.
3.10 International security agreements
50. The Australian Government is party to a range of multilateral and bilateral international agreements governing the use, handling and protection of security classified material. Agencies involved in sensitive work with international organisations, or those that handle another country’s protectively marked information on their behalf, are to ensure that their internal procedures comply with the relevant international obligation.
Mandatory Requirement
GOV-10: Agencies must adhere to any provisions concerning the security of people, information and
assets contained in multilateral or bilateral agreements and arrangements to which Australia is a
party.
For further information see the Australian Government protective security governance guidelines—
Safeguarding foreign government information.
For details of current agreements refer to the Australian Treaties Database.
3.11 Business continuity management
51. Critical services and associated assets need to remain available in order to assure the health, safety, security and economic well-being of Australians, and the effective functioning of government. Business continuity management (BCM) is a part of an agency’s overall approach to effective risk management. BCM is the process agencies are to follow in the event of a disruption to business. A key risk for agencies is that they will be unable to remain operational in the event of a crisis and/or disruption.
Mandatory Requirement
GOV-11: Agencies must establish a business continuity management program to provide for the
continued availability of critical services and assets, and of other services and assets when warranted
by a threat and risk assessment.
52. Agencies are to:
• develop a governance structure establishing authorities and responsibilities for a BCM program, and for the development and approval of business continuity plans
• within the context of the identification of assets, undertake impact analysis to identify and prioritise the agency’s critical services and assets, including identifying and prioritising information exchanges provided by, or to, other agencies or external parties
• develop plans, measures and arrangements to ensure the continued availability of critical services and assets, and of any other service or asset when warranted by a threat and risk assessment
• undertake activities to monitor the agency’s level of overall preparedness, and
• make provision for the continuous review, testing and audit of business continuity plans.
For further guidance please refer to:
• ANAO – better practice guide: Business Continuity Management – Building resilience in public sector entities, and
• Australian Standards handbooks:
- HB 221-2004: Business Continuity Management Handbook
- HB 292-2006: A Practitioner’s Guide to Business Continuity Management, and
- HB 293-2006: Executive Guide to Business Continuity Management.
3.12 Contracting
53. The Protective Security Policy Framework applies equally to the contracting process as it does to internal government operations.
Mandatory Requirement
GOV-12: Agencies must ensure the contracted service provider complies with the requirements of
this policy and any protective security protocols.
54. Agencies are to:
• apply necessary personnel security procedures to private sector organisations and individuals who have ongoing access to Australian Government assets, as specified in the Australian Government personnel security protocol, and
• ensure the safeguarding of government assets, including ICT systems, by:
- specifying the necessary protective security requirements in the terms and conditions of any contractual documentation, and
- undertaking assessment visits to verify that the contracted service provider complies with the terms and conditions of any contract.
For further information see:
• the Australian Government protective security governance guidelines—Security in outsourced services and functions
• the Australian Government information security management guidelines—Risk management of outsourced ICT arrangements (including Cloud), and
• ANAO better practice guide: Developing and Managing Contracts.
3.13 Fraud control
55. Fraud control measures are part of the risk management process. The Commonwealth Fraud Control Framework outlines the principles of fraud control within the Commonwealth. It sets the minimum standards to help agencies combat fraud.
56. The Commonwealth Fraud Control Framework consists of:
• section 10 of the Public Governance, Performance and Accountability Rule 2014 (Fraud Rule)
• the Commonwealth Fraud Control Policy (Fraud Policy), and
• Resource Management Guide No. 201, Preventing, detecting and dealing with fraud (Fraud Guidance).
57. The Framework outlines:
• agency responsibilities for fraud prevention
• reporting of fraud information
• fraud investigation case handling, and
• training of agency fraud investigators and fraud prevention officers.
Mandatory Requirement
GOV-13: Agencies must comply with section 10 of the Public Governance, Performance and
Accountability Rule 2014 and the Commonwealth Fraud Control Policy.
For further advice see:
• the Commonwealth Fraud Control Framework
• ANAO better practice guide Fraud control in Australian Government entities, and
• Australian Standard AS 8001-2008: Fraud and Corruption Control.
4 Core policies
58. All applicable agencies and bodies are to comply with the mandatory requirements contained within the three protective security core policies in the PSPF. The core protective security management policies are:
• personnel security
• information security, and
• physical security.
4.1 Australian Government personnel security core policy
4.1.1 Purpose of personnel security
59. The purpose of personnel security is to provide a level of assurance as to the honesty, trustworthiness, maturity, tolerance and loyalty of individuals who access Australian Government resources8.
60. Personnel security aims to:
• reduce the risk of loss, damage or compromise of Australian Government resources by providing assurance about the suitability of personnel9 authorised to access those resources
• create an environment where those accessing Australian Government resources are aware of the responsibilities that come with that access and abide by their obligations under the PSPF
• minimise potential for misuse of Australian Government resources through inadvertent or deliberate unauthorised disclosure, and
• support a culture of protective security.
61. One aspect of personnel security is security vetting. All Australian Government personnel may be subject to security vetting. All vetting decisions are to be based on an assessment of the whole person10. Any doubt about the suitability of a clearance subject is to be resolved in favour of the national interest.
8 Australian Government resources is the collective term used for Australian Government people, information and assets.
9 Personnel refers to employees, contractors and service providers as well as anybody else who is given access to agency assets as part of
agency sharing initiatives.
10 A ‘whole person’ assessment is a ‘complete assessment’ by assessing officers that evaluates all available and reliable information, both
favourable and unfavourable, about the clearance subject to assess if on balance, they are suitable to access Australian Government
resources.
4.1.2 Role of the personnel security core policy
62. The personnel security core policy is a set of measures that manages the risk to people, information and assets when applied in conjunction with governance, information and physical security controls.
63. These measures include:
• employment checking – including employment screening, agency specific checks and security vetting
• ongoing suitability assessment and management – including agency employment conditions, security clearance maintenance and review, security training and education, and promotion of a protective security culture, and
• separation activity – the agency’s responsibilities in relation to departing personnel, including those who no longer require access to resources.
64. This Personnel Security Core Policy establishes mandatory requirements for personnel security which apply to:
• all agencies with access to Australian Government resources, including security classified resources
• personnel as defined in this policy, and
• vetting agencies – the Australian Government Security Vetting Agency (AGSVA) and authorised Commonwealth vetting agencies11.
4.1.3 Employment Screening
Mandatory Requirement
PERSEC 1: Agencies must ensure that their personnel who access Australian Government resources (people, information and assets):
• are eligible12 to have access
• have had their identity established
• are suitable13 to have access, and
• agree to comply with the Government’s policies, standards, protocols and guidelines that safeguard the agency’s resources from harm.
11 Authorised Commonwealth vetting agencies are the Australian Federal Police, the Department of Foreign Affairs and Trade and those Australian Intelligence Community agencies not in the Department of Defence.
12 For agencies enabled by the Public Service Act 1999 eligibility refers to the requirements for engagement of APS employees listed in section 22 of the Public Service Act 1999. Agencies not enabled by the Public Service Act 1999 should refer to the requirements of engagement of personnel contained within their own enabling legislation.
13 To be suitable personnel need to demonstrate qualifications and/or experience required of the position including satisfaction of any agency specific requirements. Agency specific requirements may include demonstration of and compliance with relevant codes of conduct (e.g. APS Code of Conduct), behaviours and/or values.
65. This mandatory requirement applies to all agency personnel. Agencies may apply additional agency specific suitability requirements for personnel; however, at a minimum, agencies are to assess that personnel are of good character14.
66. All agencies should undertake employment screening to Australian Standard AS 4811:2006 – Employment Screening.
67. Agencies need to confirm that the person is an Australian Citizen or has a valid visa with work rights, by sighting the documents in support of citizenship or visa. For further information see the Department of Immigration and Border Protection.
68. Agency heads can waive citizenship requirements under the Australian Public Service Requirements15; however, agency heads cannot waive the requirement for an individual to have work rights16.
4.1.4 Ongoing suitability for employment
Mandatory Requirement
PERSEC 2: Agencies must have policies and procedures to assess and manage the ongoing suitability
for employment of their personnel.
69. Agency specific policies and processes allow an agency to shape the culture of its workforce by articulating the behaviours and expectations of personnel regarding their ongoing suitability to access Australian Government resources.
70. Effective employee management will assist in identifying and mitigating the risk posed by a trusted insider, who could use their position within the agency maliciously or cause harm, including by:
• disclosing or altering information
• using resources without authorisation
• engaging in corruption, theft or fraud
• committing sabotage
• facilitating unauthorised third party access to agency resources, or
• any other action that is not in the national interest.
14 Some considerations may include demonstrating leadership, being trustworthy and acting with integrity in all that they do.
15 Waiving the citizenship requirement for employment in the Australian Public Service is not the same as that discussed at PERSEC 5.
16 To work, you must have a valid Australian visa with work rights. A range of temporary and permanent skilled visas are available. Australian laws provide all employees with basic rights and protection in the workplace.
4.1.5 Agency security clearance requirements
4.1.5.1
Identifying positions that require security clearances
Mandatory Requirements
PERSEC 3: Agencies must identify, record and review positions that require a security clearance and
the level of clearance required.
PERSEC 4: Agencies must ensure their personnel with ongoing access to Australian Government
security classified resources hold a security clearance at the appropriate level, sponsored by an
Australian Government agency.
71. Agencies are to have in place controls that:
• limit access to those with an appropriate business need
• limit ongoing access to security classified resources to those who hold the appropriate level of security clearance, and
• require a risk assessment17 be undertaken before allowing temporary access to security classified resources by personnel who do not hold a security clearance at the appropriate level.
72. Suitability requirements for personnel requiring security clearances will depend on the level of access required, and the sponsoring agency’s needs and risks.
4.1.5.2 Identifying other positions that require higher levels of assurance
73. Agencies may use security clearances (in addition to their agency specific controls) to provide greater assurance for positions with a business impact of ‘High’ or above where the agency risk assessment deems the security clearance process is to apply. Positions that have a business impact of high or above may include:
• those whose occupants have access to aggregations of information or assets, and
• positions where the nature of the position requires greater assurance about a person’s integrity; for example, to support fraud mitigation or as an anti-corruption measure.
74. Vetting does not replace the requirement for agency-specific controls relevant to the agency’s business needs.
4.1.6 Eligibility waivers (citizenship and checkable background)
75. To be eligible for a security clearance, an applicant is to:
• have Australian Citizenship
• have a checkable background, and
• agree to comply with the Australian Government’s policies, standards, protocols and guidelines that safeguard that agency’s resources from harm.
17 Risk assessments are to be documented and approved.
Mandatory Requirement
PERSEC 5: Before issuing an eligibility waiver (citizenship or checkable background) and prior to
requesting an Australian Government security clearance an agency must:
• justify an exceptional business requirement
• conduct and document a risk assessment
• define the period covered by the waiver (which cannot be open-ended)
• gain agreement from the clearance applicant to meet the conditions of the waiver, and
• consult with the vetting agency.
76. Agency heads may, in exceptional circumstances18 and after conducting a risk assessment, waive the citizenship or checkable background requirements for the issue of a security clearance.
77. Clearances issued with citizenship or checkable background waivers are:
• role specific
• time-limited
• subject to review, and
• not portable.
4.1.7 Security clearance process
4.1.7.1
Authorised vetting agencies
Mandatory Requirement
PERSEC 6: Agencies, other than authorised vetting agencies, must use the Australian Government
Security Vetting Agency (AGSVA) to conduct initial vetting and reviews.
78. AGSVA is responsible for the processing, assessing and granting of security clearances for the Commonwealth Government, while authorised vetting agencies are responsible for clearances to meet their own agency business needs only.
79. Only AGSVA and authorised vetting agencies can make vetting decisions.
80. All vetting decisions are to be based on an assessment of the whole person. Any doubt about the suitability of a clearance subject is to be resolved in favour of the National Interest.
81. Vetting agencies are to conduct scheduled reviews of clearance holders’ suitability to continue to hold a clearance in accordance with the minimum revalidation requirements contained in the Personnel Security Protocol. Vetting agencies can also conduct unscheduled reviews in accordance with changing risk factors.
82. The Department of Foreign Affairs and Trade is responsible for vetting locally engaged staff in Australian missions overseas in accordance with the Prime Minister's Directive on Guidelines for Management of the Australian Government Presence Overseas. ‘Diplomatic mission clearances’ are recognised as clearances within the mission they are granted; they are not portable.19
18 For example, where the exception is critical to the agency meeting its outcomes and the risks to the agency and the Australian Government can be mitigated or managed in another way.
4.1.8 Recognition of clearances
83. Vetting agencies are to recognise the security clearances granted by another vetting agency, unless:
• the clearance has exceeded its revalidation period
• the clearance was granted with an eligibility waiver, or
• the vetting agency has grounds that the incoming clearance subject is no longer suitable to access Australian Government security classified resources at that clearance level.
4.1.8.1 Recognition of State and Territory clearances
84. Vetting agencies will recognise clearances up to Negative Vetting 2 undertaken by Australian States and Territories, if the clearance is undertaken for their own personnel and has been processed in accordance with the Australian Government personnel security protocol and supporting guidelines. State and Territory clearances may be transferred between other State and Territory agencies and the Commonwealth.
4.1.9 Agency security clearance maintenance
Mandatory Requirement
PERSEC 7: Agencies must establish, implement and maintain security clearance policies and
procedures for clearance maintenance in their agencies.
85. Agencies are to provide support, security awareness and education as part of the agency’s ongoing maintenance of clearance holders within the agency.
86. Clearance maintenance requires agencies to have in place arrangements for clearance holders to report changes of circumstances; suspicious, ongoing, unusual or persistent contact; and any other significant incidents which may impact on the clearance holder’s suitability to hold a clearance.
Mandatory Requirement
PERSEC 8: Agencies and vetting agencies must share information that may impact on an individual’s
ongoing suitability to hold an Australian Government security clearance.
87. Agencies and vetting agencies have a mutual responsibility to keep each other advised of any information that may affect a clearance holder’s suitability or continuing need for the clearance holder to hold a security clearance. This includes advice on:
• a change of employment to a position requiring a different level of clearance
• transfer to another sponsoring agency
• changes of personal circumstances, and
• other events or incidents that may impact on the clearance holder’s suitability to continue to hold a clearance.
19 In addition, the Australian Trade Commission (Austrade) is a managing agency under the PM Directive for 17 Consulates in its own right. Accordingly, Austrade conducts security screening for its locally engaged staff and for those of attached agencies where applicable.
4.1.10 Separation activity
Mandatory Requirement
PERSEC 9: Agencies must have separation policies and procedures for departing clearance holders, which include a requirement to:
• inform vetting agencies when a clearance holder leaves agency employment or contract engagement, and
• advise vetting agencies of any security concerns.
88. Agencies are to advise vetting agencies when a clearance holder separates from the agency. At the same time, vetting agencies are to be advised of any relevant circumstances behind the clearance holder’s separation, including any security concerns or code of conduct investigations, whether completed or not.
89. Agencies are to have separation policies and procedures for departing clearance holders, including procedures for when a clearance holder departs suddenly and without notice. Agencies are to inform separating employees of any ongoing legislative or personnel security obligations as part of their separation processes.
90. If separation is as a result of an incident, or if an incident is uncovered during the separation process, other affected agencies should be advised of potential or actual compromise of Australian Government resources—for example, ASIO for National Security matters.
4.1.11 Additional personnel security policy and guidance
91. This core policy gives authority to the Australian Government personnel security protocol and supporting guidelines.
92. The Australian Government Sensitive Material Security Management Protocol (SMSMP) is a controlled document compiled under the auspices of the Inter-Agency Security Forum. It provides personnel security policy direction for Positive Vetting. The SMSMP supplements the PSPF protocols and guidelines. The SMSMP is only available to agency security advisers with a need to know.
4.1.12 Further guidance
93. For further guidance on specific controls to assist agencies with meeting the mandatory requirements and principles, refer to the Australian Government personnel security protocol.
94. For better practice advice on how to achieve controls, see the Australian Government personnel security guidelines:
• Agency personnel security responsibilities
• Vetting practices.
95. Additional guidance is also available from:
• the Protective security better practice guide – Identifying and managing people of concern
• Managing the insider threat to your business—A personnel security handbook
• Australian Standards
- AS 4811:2006 – Employment screening
- HB 323:2004 – Employment Screening Handbook
4.2 Australian Government information security management core policy
96. The Australian Government collects and receives information to fulfil its functions and expects all those who access or hold this information to protect it. Agencies are to develop, document, implement and review appropriate security measures to protect this information from unauthorised use or accidental modification, loss or release by:
• establishing an appropriate information security culture within the agency
• implementing security measures that match the information’s value, classification and sensitivity, and
• adhering to all legal requirements.
97. The mandatory requirements of this core policy are based on the three elements of information security:
• Confidentiality: ensuring that information is accessible only to those authorised to have access
• Integrity: safeguarding the accuracy and completeness of information and processing methods, and
• Availability: ensuring that authorised users have access to information and associated assets when required.
98. The term ‘information assets’ within this policy refers to any form of information, including:
• electronic data
• the software or information and communication technology (ICT) systems and networks on which the information is stored, processed or communicated
• printed documents and papers
• the intellectual information (knowledge) acquired by individuals, and
• physical items from which information regarding design, components or use could be derived.
4.2.1 Sharing of information and other assets
99. Agencies are to implement this policy when sharing Australian Government information and other assets with other governments (including foreign, state, territory and municipal), international, educational and private sector organisations. In these cases, agencies are to develop arrangements that outline security responsibilities, safeguards to be applied, and terms and conditions for continued participation.
100. Agencies are to treat information and other assets received from other governments (including
foreign, state, territory and municipal), international (e.g. EU), educational and private sector
organisations, in accordance with agreements or arrangements between the parties
concerned.
101. Agencies may share limited amounts of PROTECTED level information with non-government
organisations that screen to the level of Australian Standard AS 4811:2006 Employment
screening.
4.2.2 Agency information security policy and planning
Mandatory Requirement
INFOSEC 1: Agency heads must provide clear direction on information security through the
development and implementation of an agency information security policy, and address agency
information security requirements as part of the agency security plan.
102. The policy and plan are to:
•
detail the objectives, scope and approach to the management of information security
issues and risks within the agency
•
be endorsed by the agency head
•
identify information security roles and responsibilities
•
detail the types of information that an employee:
- can lawfully disclose in the performance of his or her duties, or
- needs to obtain authority to disclose
•
be reviewed and evaluated in line with changes to agency business and information
security risks
•
be consistent with the requirements of the agency’s protective security plan and
information security risk assessment findings
•
address the issue of data aggregation
•
include details of the agency’s declassification program
•
explain the consequences for breaching the policy or circumventing any associated
protective security measure, and
•
be communicated on an on-going basis and be accessible to all agency employees, and
where reasonable and practical be publicly available.
For specific control measures and further guidance see the Australian Government information
security management protocol and guidelines, and the Australian Government Information Security
Manual available from the Australian Signals Directorate.
4.2.3 Information security framework and third party access
Mandatory Requirement
INFOSEC 2: Each agency must establish a framework to provide direction and coordinated
management of information security. Frameworks must be appropriate to the level of security risks
to the agency’s information environment.
103. Agencies are to:
•
document requirements for information security when entering into outsourcing
contracts and arrangements with contractors and consultants
•
enter into memorandums of understanding (MOU) with other agencies when regularly
sharing information, and where reasonable and practical make the MOU publicly
available
•
ensure that prior to providing third parties access to Australian Government information
and ICT systems, security measures that match the security classification or
dissemination limiting marker of the information or ICT system are in place, or clearly
defined, in appropriate agreements or contracts, and
•
ensure that appropriate permissions are received before providing third parties access
to information not originating within the agency.
4.2.4 Information asset classification and control
Mandatory Requirement
INFOSEC 3: Agencies must implement policies and procedures for the security classification and
protective control of information assets (in electronic and paper-based formats) which match their
value, importance and sensitivity.
104. When addressing security classification and control policies and procedures, agencies are to:
•
identify, document and assign owners for the maintenance of security measures for all
major information assets including hardware, software and services used in agency
operations (including physical information assets used to process, store or transmit
information)
•
require all agency information be protectively marked/ security classified in accordance
with the Australian Government information security management guidelines—
Australian Government security classification system
•
implement controls for all security classified information (including handling, storage,
transmission, transportation and disposal) in accordance with the Australian
Government information security management protocol
•
require staff, including contractors, to mark, store and handle information in accordance
with the Australian Government information security management protocol, and
•
develop and maintain a classification guide specific to the agency which is accessible to
all agency employees.
105. Additionally agencies are to ensure that:
•
the agency’s classification guide does not limit the provisions of relevant legislative
requirements or international obligations under which the agency operates, and
•
disposal of public records is in accordance with legislative and regulatory requirements.
4.2.5 Operational security management
Mandatory Requirement
INFOSEC 4: Agencies must document and implement operational procedures and measures to
ensure information, ICT systems and network tasks are managed securely and consistently, in
accordance with the level of required security. This includes implementing the mandatory ‘Strategies
to Mitigate Targeted Cyber Intrusions’ as detailed in the Australian Government Information Security
Manual.
106. Agencies are to:
•
put in place incident management procedures and mechanisms to review violations and
to ensure appropriate responses in the event of security incidents, breaches or failures
•
put in place adequate controls to prevent, detect, remove and report attacks of
malicious and mobile code on ICT systems and networks
•
put in place comprehensive systems maintenance processes and procedures including
operator and audit/fault logs and information backup procedures
•
implement operational change control procedures to ensure that they appropriately
approve and manage changes to information processing facilities or ICT systems
•
comply with legal requirements when exchanging information in all forms, between
agencies and/or third parties
•
apply the classification schemes and measures defined in the Australian Government
information security management protocol and the Australian Government Information
Security Manual (ISM) when exchanging information in all forms, between agencies
and/or third parties, and
•
apply the requirements of the National e-Authentication Framework to on-line
transactions and services.
4.2.6 Information access controls
Mandatory Requirement
INFOSEC 5: Agencies must have in place control measures based on business owner requirements
and assessed/accepted risks for controlling access to all information, ICT systems, networks
(including remote access), infrastructures and applications. Agency access control rules must be
consistent with agency business requirements and information classification as well as legal
obligations.
107. Agencies are to:
•
assess access requirements against the National e-Authentication Framework
•
require specific authorisation to access agency ICT systems
•
assign each user a unique personal identification code and secure means of
authentication
•
define, document and implement policies and procedures to manage operating systems
security, including user registration, authentication management, access rights and
privileges to ICT systems or application utilities
•
display restricted access and authorised use only (or equivalent) warnings upon access to
all agency ICT systems
•
where wireless communications are used, appropriately configure the security features
of the product to at least the equivalent level of security of wired communications
•
implement control measures to detect and regularly log, monitor and review ICT
systems and network access and use, including all significant security relevant events
•
conduct risk assessments and define policies and processes for mobile technologies and
teleworking facilities, and
•
assess security risks and implement appropriate controls associated with use of ICT
facilities and devices (including non-governmental equipment) within the agency such as
mobile telephony, personal storage devices and internet and email prior to connection.
4.2.7 Information system development and maintenance
Mandatory Requirement
INFOSEC 6: Agencies must have in place security measures during all stages of ICT system
development, as well as when new ICT systems are implemented into the operational environment.
Such measures must match the assessed security risk of the information holdings contained within,
or passing across, ICT networks, infrastructures and applications.
108. When establishing new ICT systems or implementing improvements to current ICT systems
including off-the-shelf or outsourced software development, agencies are to:
•
address security in the early phases of the system’s development life cycle, including the
system concept development and planning phases and then in the requirements
analysis and design phases
•
consult internal and/or external audit when implementing new or significant changes to
financial and critical business ICT systems
•
incorporate processes including data validity checks, audit trails and activity logging in
applications to ensure the accuracy and integrity of data captured or held in applications
•
apply the National e-Authentication Framework requirements to authentication
techniques and policies
•
carry out appropriate change control, acceptance and ICT system testing, planning and
migration control measures when upgrading or installing software in the operational
environment
•
control access to ICT system files to ensure integrity of the business systems,
applications and data, and
•
identify and implement access controls including access restrictions and
segregation/isolation of ICT systems into all infrastructures, business and user
developed applications.
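The access-control and logging requirements of INFOSEC 3, 5 and 6 above (protective markings on all information, a unique identifier per user, access rules consistent with classification, and audit trails that are regularly reviewed) are easier to see as a working decision function than as policy text. The following is an added example and is not part of the PSPF or of any agency system. The classification ladder is an assumed, simplified subset of the Australian scheme (the page itself names only PROTECTED), the caveat set stands in for need-to-know compartments, and the audit record fields, user identifiers and review threshold are illustrative.

```python
"""Classification-aware access decisions with per-user identities and a
reviewable audit log.

Added example for INFOSEC 3/5/6; not part of the PSPF text or any agency
system. Assumptions (not from the page): LEVELS is a simplified subset of
the Australian classification ladder, caveats stand in for need-to-know
compartments, and the audit record fields and review threshold are
illustrative.
"""
from __future__ import annotations

import json
import time
from dataclasses import dataclass

# Least to most sensitive. Assumed subset; the page names only PROTECTED.
LEVELS = ["UNCLASSIFIED", "PROTECTED", "SECRET"]
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass(frozen=True)
class Asset:
    asset_id: str
    classification: str                     # protective marking (INFOSEC 3)
    caveats: frozenset = frozenset()        # need-to-know compartments (assumed)


@dataclass(frozen=True)
class User:
    user_id: str                            # unique personal identification code
    clearance: str
    caveats: frozenset = frozenset()
    authorised: bool = True                 # specific authorisation for the system


def authorise(user: User, asset: Asset, action: str, log: list,
              now: float | None = None) -> bool:
    """Decide access by classification and need-to-know; log every decision.

    Deny by default: an unmarked asset or an unknown clearance is refused,
    because INFOSEC 3 requires all information to be protectively marked.
    """
    if not user.authorised:
        allowed, reason = False, "no_system_authorisation"
    elif asset.classification not in RANK:
        allowed, reason = False, "unmarked_asset"
    elif user.clearance not in RANK:
        allowed, reason = False, "unknown_clearance"
    elif RANK[user.clearance] < RANK[asset.classification]:
        allowed, reason = False, "clearance_below_classification"   # no read-up
    elif not asset.caveats <= user.caveats:
        allowed, reason = False, "missing_caveat"                   # no need-to-know
    else:
        allowed, reason = True, "ok"
    # Every decision, allowed or not, is a security-relevant event (INFOSEC 5).
    log.append({
        "ts": time.time() if now is None else now,
        "user": user.user_id,
        "asset": asset.asset_id,
        "classification": asset.classification or "UNMARKED",
        "action": action,
        "allowed": allowed,
        "reason": reason,
    })
    return allowed


def review_denials(log: list, threshold: int = 3) -> dict:
    """The 'regularly review' step: users with >= threshold denied attempts."""
    counts: dict = {}
    for rec in log:
        if not rec["allowed"]:
            counts[rec["user"]] = counts.get(rec["user"], 0) + 1
    return {u: n for u, n in counts.items() if n >= threshold}


def run_demo() -> dict:
    """Constructed users and assets (not real data); returns flagged users."""
    log: list = []
    analyst = User("u0001", "PROTECTED")
    contractor = User("c0042", "PROTECTED", authorised=False)
    docs = [
        Asset("doc-1", "PROTECTED"),
        Asset("doc-2", "SECRET"),
        Asset("doc-3", "PROTECTED", frozenset({"CABINET"})),
        Asset("doc-4", ""),                 # never marked: must be refused
    ]
    for who in (analyst, contractor):
        for doc in docs:
            authorise(who, doc, "read", log, now=0.0)
    return review_denials(log)


if __name__ == "__main__":
    flagged = run_demo()
    print(json.dumps(flagged))              # {"u0001": 3, "c0042": 4}
```

The decision is deny-by-default: an asset with no marking, a user with no system authorisation, a clearance below the marking, or a missing caveat all refuse access and write a record with the reason, so that the review step in `review_denials` has something to work from. In a real deployment the log list would be an append-only, centrally collected store rather than an in-memory list.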
4.2.8 Compliance
Mandatory Requirement
INFOSEC 7: Agencies must ensure that agency information security measures for all information
processes, ICT systems and infrastructure adhere to any legislative or regulatory obligations under
which the agency operates.
109. To ensure all legal, statutory, regulatory, contract or privacy obligations relating to information
security are managed appropriately, agencies are to:
•
take all reasonable steps to monitor, review and audit agency information security
effectiveness, including assigning appropriate security roles and engaging internal
and/or external auditors and specialist organisations where required, and
•
regularly review all agency information security policies, processes and requirements
including contracts with third parties, for compliance and report to appropriate agency
management.
For specific control measures and further guidance see the Australian Government information
security management protocol and guidelines, and the Australian Government Information Security
Manual available from the Australian Signals Directorate.
4.3 Australian Government physical security management core policy
110. The Australian Government requires a variety of resources (people, information and assets)
to make and implement its decisions. Australian Government agencies hold significant
resources on behalf of the Government and the Australian people to fulfil government
functions (for example, to develop policy, establish or implement programs, or provide services
to the public). The Government expects each of its agencies to create and maintain an
appropriate physical security environment for the protection of these functions and associated
resources. The appropriate physical security environment should support the efficient and
effective performance of agency outputs, without compromising the application of protective
security measures.
4.3.1 Risk management
111. Agencies are to employ a risk management approach to physical security that conforms to the
protective security principles. Agencies are to determine the appropriate level of physical
protection for their functions and resources, including their employees, information, assets
and clients. These decisions require a rigorous analysis of security risk.
For further guidance please refer to:
•
the Commonwealth Risk Management Policy
•
Australian Standards:
−
AS/NZS ISO 31000:2009 Risk Management—Principles and guidelines
−
HB 167:2006 Security risk management, and
−
HB 327:2010 Communicating and consulting about risk.
4.3.2 Security-in-depth
112. Sensible management of security risk will involve finding the most appropriate and cost-effective way of minimising risk through a combination of procedural, personnel and physical
measures. This mix establishes a series of barriers that prevent or restrict unauthorised access
or harm to resources. This is known as ‘security-in-depth’. It also puts in place mechanisms to
detect and respond to security breaches within an acceptable timeframe.
4.3.3 Agency physical security policy and planning
Mandatory Requirement
PHYSEC 1: Agency heads must provide clear direction on physical security through the development
and implementation of an agency physical security policy, and address agency physical security
requirements as part of the agency security plan.
113. The policy and plan are to:
•
detail the objectives, scope and approach to the management of physical security issues
and risks within the agency
•
be endorsed by the agency head
•
identify physical security roles and responsibilities
•
continuously review physical security measures to reflect changes in the threat
environment and take advantage of new cost-effective technologies
•
be consistent with the requirements of the agency’s protective security plan and
physical security risk assessment findings
•
explain the consequences for breaching the policy or circumventing any associated
protective security measure, and
•
be communicated on an on-going basis and be accessible to all agency employees.
For specific control measures and further guidance see the Australian Government physical security
management protocol and guidelines.
4.3.4 Protection of employees
114. Agencies are responsible for the health and safety of employees at work. This responsibility
extends to situations where employees are under threat of violence because of their duties or
because of situations to which they are exposed. Such situations include, but are not limited
to, terrorism, threat letters or calls, the receipt of potentially dangerous substances (e.g. ‘white
powder’), stalking and assault.
Mandatory Requirement
PHYSEC 2: Agencies must have in place policies and procedures to:
•
identify, protect and support employees under threat of violence, based on a threat and risk
assessment of specific situations. In certain cases, agencies may have to extend protection
and support to family members and others
•
report incidents to management, human resources, security and law enforcement authorities,
as appropriate
•
provide information, training and counselling to employees, and
•
maintain thorough records and statements on reported incidents.
4.3.5 Physical security
115. Physical security involves the proper layout and design of facilities and the use of measures to
delay and prevent unauthorised access to government assets. It includes measures to detect
attempted or actual unauthorised access, and activate an appropriate response. Physical
security also provides measures to safeguard employees from violence.
Mandatory Requirement
PHYSEC 3: Agencies must ensure they fully integrate protective security early in the process of
planning, selecting, designing and modifying their facilities.
116. Agencies are to:
•
select, design and modify their facilities in order to facilitate the control of access
•
demarcate restricted access areas, and have the necessary entry barriers, security
systems and equipment based on threat and risk assessments
•
include the necessary security specifications in planning, request for proposals and
tender documentation, and
•
incorporate related costs in funding requirements.
4.3.6 Work health and safety
Mandatory Requirement
PHYSEC 4: Agencies must ensure that any proposed physical security measure or activity does not
breach relevant employer work health and safety obligations.
117. Agencies are to:
•
conduct a risk assessment of any proposed physical security measure or activity and
develop effective risk controls in line with a reasonably practicable approach, and
•
take into account the likelihood and consequence of an accident or injury arising as a
result of a physical security measure or activity and put in place appropriate control
measures.
4.3.7 Duty of care – third parties
Mandatory Requirement
PHYSEC 5: Agencies must show a duty of care for the physical safety of those members of the public
interacting directly with the Australian Government. Where an agency’s function involves providing
services, the agency must ensure that clients can transact with the Australian Government with
confidence about their physical wellbeing.
118. Agencies are to:
•
take all reasonable precautions which could avoid or reduce the risk of harm to clients
•
choose the option which is least restrictive to the client where there are a number of
effective physical security measures which would reduce the risk of harm
•
ensure the agency physical security plan addresses the risk of harm to clients, and
•
develop relevant guidelines and procedures identifying the precautions to be taken to
cover the identified risk factors.
For further advice see the Work Health and Safety Act 2011, WHS Regulations and WHS Code of
practice available from Comcare.
4.3.8 Physical security of ICT equipment and information
Mandatory Requirement
PHYSEC 6: Agencies must implement a level of physical security measures that minimises or removes
the risk of information and ICT equipment being made inoperable or inaccessible, or being accessed,
used or removed without appropriate authorisation.
119. Agencies are to:
•
put in place appropriate building and entry control measures for areas used in the
processing and storage of security classified information
•
put in place physical security protection (which matches the assessed security risk of the
aggregated information holdings) for all agency premises, storage facilities and cabling
infrastructure
•
locate ICT equipment, where practical, in areas with access control measures in place to
restrict use to authorised personnel only, and put in place other control methods where
physical control measures are not possible
•
implement policies and processes to monitor and protect the use and/or maintenance
of information, equipment, storage devices and media away from agency premises, and
in situations where a risk assessment determines, put in place additional control
measures
•
implement policies and processes for the secure disposal and/or reuse of ICT
equipment, storage devices and media (including delegation, approval, supervision,
removal methods and training of employees) which match the assessed security risk of
the information holdings stored on the asset, and
•
implement general control policies including a clear desk and clear screen policy.
For further advice see the Australian Government physical security management guidelines—Physical
security of ICT equipment, systems and facilities.
4.3.9 Physical security in emergency and increased threat situations
Mandatory Requirement
PHYSEC 7: Agencies must develop plans and procedures to move up to heightened security levels in
case of emergency and increased threat. The Australian Government may direct its agencies to
implement heightened security levels.
120. Agencies are to co-ordinate physical security plans and procedures with other emergency
prevention and response plans (e.g. fire, bomb threats, hazardous materials, power failures,
evacuations, civil emergencies).
For specific control measures and further guidance see the Australian Government physical security
management protocol and guidelines.