Protective Security Policy Framework

Securing Government business

V1.0 – June 2010
Contents
1.      Directive on the Security of Government Business ............................................................... 1
2.      Foreword ............................................................................................................................ 2
3.      Overarching Protective Security Policy Statement ................................................................ 3
4.      Protective Security Principles .............................................................................................. 3
5.      Governance ........................................................................................................................ 4
     5.1.    Mandatory requirements ........................................................................................................ 5
     5.2.    Overall responsibility for protective security .......................................................................... 5
     5.3.    Australian Government protective security roles and responsibilities ................................... 6
             National Security Committee of Cabinet ................................................................................. 6
             Secretaries Committee on National Security ........................................................................... 6
             Protective Security Policy Committee ...................................................................................... 6
             Inter-Agency Security Forum ................................................................................................... 6
             Homeland and Border Security Policy Coordination Group..................................................... 6
             Security Construction and Equipment Committee................................................................... 7
             Intelligence, technical standards and protective security advice ............................................ 7
     5.4.    Applicability of the PSPF .......................................................................................................... 9
             Protective security outside of Australia ................................................................................... 9
     5.5.    Developing a security culture ................................................................................................ 10
     5.6.    Security risk management ..................................................................................................... 12
     5.7.    Audit, reviews and reporting ................................................................................................. 13
             Australian National Audit Office ........................................................................................... 14
     5.8.    Security investigations........................................................................................................... 15
     5.9.    Legislation.............................................................................................................................. 16
             Crimes Act 1914 and the Criminal Code 1995 ....................................................................... 16
     5.10.      International security agreements .................................................................................... 17
     5.11.      Business continuity management ..................................................................................... 18
     5.12.      Contracting ........................................................................................................................ 19
     5.13.      Fraud control ..................................................................................................................... 20
6.      Core policies ..................................................................................................................... 21
     6.1.    Australian Government Personnel Security Core Policy ....................................................... 21
             Overview ................................................................................................................................ 21
             Purpose .................................................................................................................................. 21
             Issue and review .................................................................................................................... 21
             Risk management .................................................................................................................. 22
             Need-to-know ........................................................................................................................ 22

            Security vetting ...................................................................................................................... 23
            Australian Government Personnel Security Protocol ............................................................ 23
            Vetting decisions – assessment of whole person .................................................................. 23
            Ongoing personnel security management (‘Aftercare’) ........................................................ 23
     6.2.   Australian Government Information Security Core Policy .................................................... 25
            Issue and review .................................................................................................................... 25
            Sharing of information and other assets ............................................................................... 25
            Agency information security policy and planning ................................................................. 26
            Information security framework and third party access ....................................................... 27
            Information asset classification and control ......................................................................... 27
            Operational security management........................................................................................ 28
            Information access controls................................................................................................... 28
            Information system development and maintenance ............................................................ 29
            Compliance ............................................................................................................................ 30
     6.3.   Australian Government Physical Security Core Policy .......................................................... 31
            Risk management .................................................................................................................. 31
            Security-in-depth ................................................................................................................... 31
            Issue and review .................................................................................................................... 31
            Agency physical security policy and planning ....................................................................... 32
            Protection of employees ........................................................................................................ 33
            Physical security .................................................................................................................... 33
            Occupational health and safety............................................................................................. 34
            Physical security of ICT equipment and information ............................................................. 35
            Physical security in emergency and increased threat situations ........................................... 35
7.      Understanding the Protective Security Policy Framework & Frequently Asked Questions .... 36
            What is the Protective Security Policy Framework? .............................................................. 36
            What areas does the PSPF cover? ......................................................................................... 37
            Who authorises the PSPF? ..................................................................................................... 37
            Who is the PSPF for? .............................................................................................................. 37
            How long is the transition to the PSPF expected to take? ..................................................... 37
            How do we know what is mandatory? .................................................................................. 38
            Why is the Australian Government putting its protective security measures in the public domain? ........... 38
            How is the PSPF updated? ..................................................................................................... 38
            How do I access the security classified protocols and guidelines? ........................................ 38




1. Directive on the Security of Government Business
The Australian Government takes appropriate measures to protect its people, information and
assets, at home and overseas. How the Government protects its people, information and assets is
critical to effective engagement with the Australian people. The Protective Security Policy
Framework is designed to help agencies:
•   identify their individual levels of security risk tolerance
•   achieve the mandatory requirements for protective security expected by Government, and
•   develop an appropriate security culture to securely meet their business goals.

The Government requires agency heads to have in place effective protective security programs that
ensure:
•   their respective agency’s capacity to function
•   the public’s confidence in the Government and its agencies
•   official resources and information the Government holds on trust, both from and for the public,
    and those provided in confidence by other countries, are safeguarded and
•   the safety of those employed to carry out the functions of government and those who are clients
    of government.

To achieve this, agency heads are to ensure that protective security is a part of their agency’s culture.
A successful culture will effectively balance the competing requirements of limiting access to those
that have a genuine ‘need to know’ with ensuring key business partners receive the information in an
appropriate timeframe (‘need-to-share’).

As the Government relies heavily on information and communication technology to deliver its
services, agencies must actively manage security risks associated with electronic data transmission,
aggregation and storage.

Agency heads are to apply the Protective Security Policy Framework with the understanding that it is
the path to successfully protecting our people, information and assets.

The Australian Government, through my Department, will continue to develop and refine protective
security policy that promotes the most effective and efficient ways to secure the continued delivery
of Government business.



The Hon Robert McClelland MP
Attorney-General
June 2010




2. Foreword


Coming soon




3. Overarching Protective Security Policy Statement
The appropriate application of protective security by Government agencies and bodies ensures the
operational environment necessary for the confident and secure conduct of Government business.
Managing security risks proportionately and effectively enables Government agencies and bodies to
provide the necessary protection of the Government’s people, information and assets.

4. Protective Security Principles
The Attorney-General is responsible for setting the Government’s protective security policy. Each
Australian Government minister is responsible for the protective security of their respective
departments, agencies or bodies within his or her portfolio. Agency heads are responsible to their
Minister for creating and maintaining an agency operating environment that:
•   safeguards its people and clients from foreseeable risks
•   limits the potential for compromise of the confidentiality, integrity and availability of its official
    information and assets, recognising risks to Government such as those associated with
    aggregation
•   protects official assets from loss or misuse
•   facilitates the appropriate sharing of official information in order for Government to effectively
    do business, and
•   supports the continued delivery of the agency’s essential business in the face of disruptions
    caused by all types of hazards.

Agency heads need to understand, prioritise and manage security risks to prevent harm to official
resources and disruption to business objectives. Security is not just a cost of doing business, but
enables an agency to manage risks that could adversely affect achieving its objectives. Agencies can
only achieve effective protective security if security is part of the agencies’ culture, practices and
operational plans. Therefore agencies should build protective security into government processes
rather than implementing it as an afterthought. Effective protective security and business continuity
management underpin organisational resilience.

Agency heads are to ensure that employees and contractors entrusted with their agency’s
information and assets, or who enter their agency’s premises:
•   are eligible to have access
•   have had their identity established
•   are suitable to have access, and
•   are willing to comply with the Government’s policies, standards, protocols and guidelines that
    safeguard that agency’s resources (people, information and assets) from harm.

Please note that this website contains the Australian Government Protective Security Policy
Framework, mandatory requirements and links to protocols and guidelines (where available).
Some procedural information is not publicly available. Please see ‘Understanding the PSPF’ for
more details or email <pspf@ag.gov.au>.



5. Governance
Good protective security governance is about both:
•   conformance - how an agency uses protective security arrangements to ensure it meets the
    obligations of policy and standards and Government’s expectations, and
•   performance - how an agency uses protective security arrangements to contribute to its overall
    performance through the secure delivery of goods, services or programmes as well as ensuring
    the confidentiality, integrity and availability of its people, information and assets.

The revised protective security policy framework is based on principles of public sector governance
including:
•   accountability - being answerable for decisions and having meaningful mechanisms in place to
    ensure the agency adheres to all applicable protective security standards
•   transparency/openness - having clear roles and responsibilities for protective security functions
    and clear procedures for making decisions and exercising authority
•   efficiency - ensuring the best use of limited protective security resources to further the aims of
    the agency, with a commitment to risk-based strategies for improvement, and
•   leadership - achieving an agency-wide commitment to good protective security performance
    through leadership from the top.

For further guidance see the Australian Standards:

•   AS 8000-2003: Corporate governance - Good governance principles
•   AS 8001-2008: Fraud and corruption control
•   AS 8002-2003: Corporate governance - Organizational codes of conduct
•   AS 8003-2003: Corporate governance - Corporate social responsibility
•   AS 8004-2003: Corporate governance - Whistleblower protection programs for entities

Available from SAI Global <http://www.saiglobal.com/online/>




5.1. Mandatory requirements
The protective security guidance for executives and core policy documents in this Framework
describe the higher level mandatory requirements applicable to all agencies. Detailed protocol
documents and guidelines support the Personnel Security, Information Security and Physical Security
core policies. The protocol documents set out procedural minimum requirements. Some agencies
have specific security risks that will require them to apply more than the minimum requirements.

A summary table of the Mandatory Requirements is available for download from the website.

5.2. Overall responsibility for protective security
The Government is responsible for the protective security of the Commonwealth. Individual
Ministers are responsible for securing the operation of their portfolios.

Within an agency, the agency head is responsible for the day-to-day management of the protection
of agency functions, official resources and employees (including contractors).

The Attorney-General's Department is responsible for the development and delivery of the
Protective Security Policy Framework.

All Australian Government employees, including contractors, have a collective responsibility to
ensure that government resources (people, information and assets) are protected.




5.3. Australian Government protective security roles and responsibilities
The following committees have protective security responsibilities:
•   National Security Committee of Cabinet
•   Secretaries Committee on National Security
•   Protective Security Policy Committee
•   Inter-Agency Security Forum
•   Cyber Security Policy and Coordination Committee
•   Homeland and Border Security Policy Coordination Group, and
•   Security Construction and Equipment Committee

National Security Committee of Cabinet
The Prime Minister chairs the National Security Committee of Cabinet (NSC) which is the
Government’s highest decision-making body on Australia’s national security. NSC considers strategic
developments and issues of long term relevance to Australia’s broad national security interests. NSC
also oversees federal intelligence and security agencies.

Secretaries Committee on National Security
The Secretaries Committee on National Security (SCNS) provides advice to the Government through
NSC on matters of national security. SCNS consists of secretaries of departments and heads of
agencies with responsibility for national security matters.

Protective Security Policy Committee
The Protective Security Policy Committee (PSPC) is made up of representatives from agencies with a
strong interest in protective security. The Australian Government Attorney-General's Department
chairs the PSPC.

Inter-Agency Security Forum
The Australian Government established the Inter-Agency Security Forum to achieve and maintain
best practice in security in the Australian Intelligence Community and policy related agencies.

Cyber Security Policy and Coordination Committee
The Cyber Security Policy and Coordination (CSPaC) Committee is made up of members from a
number of agencies with a strong interest in e-security issues. The Committee coordinates e-security
policy throughout Australian Government agencies. The Australian Government Attorney-General’s
Department chairs the CSPaC Committee.

Homeland and Border Security Policy Coordination Group
The Homeland and Border Security Policy Coordination Group (HPCG) draws its representatives from
agencies with a focus on homeland and border security issues.




Security Construction and Equipment Committee
The Security Construction and Equipment Committee (SCEC), an inter-agency committee that reports
to the PSPC, is responsible for:
•   evaluating security equipment for use by Australian Government agencies, and
•   preparing the Security Equipment Catalogue. To ascertain eligibility for the catalogue refer to
    <http://www.scec.gov.au/news/>.

Intelligence, technical standards and protective security advice
The following agencies provide specialist advice on intelligence, technical standards and protective
security:

•   the Australian Security Intelligence Organisation collects, analyses and advises on matters
    relating to espionage, foreign interference, politically motivated violence, communal violence,
    sabotage, and attacks on Australia’s defence system1
•   T4 Protective Security Group (ASIO):
    -   provides advice to Australian Government agencies on protective security, risk assessment,
        evaluation of physical security products and physical security reviews, and
    -   conducts security risk reviews, technical surveillance countermeasures and certification of
        all TOP SECRET sites within Australia.2
•   the Defence Signals Directorate (DSD) produces Australian Government ICT security policy and
    standards3




1 The functions of the Australian Security Intelligence Organisation (ASIO) are detailed within the Australian Security
Intelligence Organisation Act 1979. Refer to <http://www.asio.gov.au/>.

In carrying out these functions ASIO is responsible for the co-ordination and production of threat assessments for national
security matters and is the central counter-espionage authority for Australia. ASIO provides protective security advice and
assistance to the Government and its agencies, particularly in respect of risk management and physical, personnel and
procedural security.

2 ASIO-T4 contact: telephone 02 6234 1217, fax 6234 1218.

3 The Defence Signals Directorate (DSD), located within the Department of Defence, is Australia’s national authority for signals
intelligence and information and communications technology security.

The Intelligence Services Act 2001 requires DSD to provide material, advice and other assistance to Australian Government,
State and Territory authorities on matters relating to the security and integrity of information that is processed, stored and
communicated by electronic or similar means.

Contact: telephone 02 6250 0197, email assist@dsd.gov.au, web <http://www.dsd.gov.au/>

•   the Department of Foreign Affairs and Trade (DFAT) provides advice on overseas security
    standards in accordance with the Prime Minister’s Directive on Guidelines for Management of
    the Australian Government Presence Overseas (February 2007)4
•   the Australian Federal Police (AFP) enforces Commonwealth law5
    -   the Australian Federal Police Uniform Protection (AFP-UP) provides protective and custodial
        services in areas of special importance or sensitivity on a fee for service basis
•   the Australian National Audit Office (ANAO) reviews protective security arrangements within
    agencies6
•   the Federal Privacy Commissioner:
    -   oversees the operation of the Privacy Act 1988, and
    -   has the power to audit agencies’ compliance with the Information Privacy Principles (IPPs)7
•   the Attorney-General’s Department:
    -   provides policy advice on the following issues:
        -   protective security (queries to <pspf@ag.gov.au>)
        -   e-security (queries to <espac@ag.gov.au>), and
        -   firearms, drugs, crime prevention and general law enforcement
    -   in consultation with the AFP, coordinates fraud control policy. The Commonwealth Fraud
        Control Guidelines can be accessed at:
        <http://www.ag.gov.au/www/agd/agd.nsf/Page/Fraudcontrol_CommonwealthFraudControlGuidelines-May2002>


    -   provides an annual report to the Australian Government on the progress of fraud control
    -   runs training in protective security practices and procedures. Details are at:
        <http://www.ag.gov.au/www/agd/agd.nsf/Page/Securitytraining_PSCCTrainingCentre>, and
    -   runs the 24/7 Attorney-General's Department Coordination Centre (which includes the
        Watch Office and National Security Hotline). <http://www.nationalsecurity.gov.au/>

4 The Department of Foreign Affairs and Trade (DFAT):
•   manages all aspects of security policy affecting Australian missions and staff attached to DFAT-managed missions, and
•   advises Australians about the risks they might face overseas.
The managing agency of each mission/post is responsible for:
•   implementing appropriate physical, technical, information and personnel security procedures, measures and standards,
    and
•   coordinating business continuity and contingency planning at each mission/post.
The managing agency is normally DFAT, though other agencies (such as AUSTRADE) can assume this responsibility where
DFAT is not represented.

For Australian Government officials and contractors not working within or attached to a mission/post, individual agencies will
retain the responsibilities referred to above, for the programs, projects or initiatives to which those officers or contractors are
assigned. Agencies may seek advice from DFAT on threats and security countermeasures and consult with DFAT on
appropriate guidelines and standards.

5 Under the Australian Federal Police Act 1979 the AFP holds responsibility to prevent, detect and investigate criminal offences
against Commonwealth laws, its revenue, expenditure and property. For more information refer to <http://www.afp.gov.au>.

6 The Australian National Audit Office (ANAO) provides independent audit advice to agencies and the Federal Parliament by
undertaking performance and financial statement audits. It operates under the Auditor-General Act 1997. For more information
refer to <http://www.anao.gov.au>.

7 The Commissioner has published a series of guidelines advising agencies about personal information handling practices,
including a detailed explanation of the IPPs. For more information, including access to the IPPs, refer to
<http://www.privacy.gov.au>.

5.4. Applicability of the PSPF
As a policy of the Australian Government, agencies8 must apply the Protective Security Policy
Framework as follows:
•     agencies subject to the Financial Management and Accountability Act 1997 (FMA Act)
•     bodies that are:
     -    subject to the Commonwealth Authorities and Companies Act 1997 (CAC Act) 9, and
     -    have received Ministerial direction to apply the general policies of the Australian
          Government
•     other bodies established for a public purpose under a law of the Commonwealth and other
      Australian Government agencies, where the body or agency has received a notice from the
      relevant Minister that the Framework applies to them
•     State and Territory agencies that hold or access Australian Government security classified
      information, and
•     organisations that have entered a Deed of Agreement with the Australian Government to have
      access to Australian Government security classified information.

For further guidance please refer to the Australian Government Solicitor’s advice on the Applicability
of the PSM available to agency security advisers from the Protective Security Policy GOVDEX page
<http://www.govdex.gov.au/>

Protective security outside of Australia
Some requirements of this policy may be difficult to apply in certain foreign environments. In such
situations, special protocols may be developed in consultation with the Department of Foreign
Affairs and Trade (DFAT).

Restrictions may be placed on personal activities at locations where the environment is particularly
dangerous. All employees, unless on diplomatic posting and covered by the Vienna Conventions, are
automatically subject to local laws and regulations. For travel information and specific security
arrangements and limitations, employees should contact DFAT or the nearest Australian embassy.



8 In this Framework, a reference to ‘agency’ (or ‘Australian Government agency’) means an agency or body in the first three
categories referenced above. Reference to an ‘agency head’ means the head or chief executive of an agency.

9 Sections 28 and 43 of the CAC Act provide that a responsible Minister may notify a body that is subject to the CAC Act that the
body must comply with general policies of the Australian Government, such as the Protective Security Policy Framework. The
responsible Minister must consult with the CAC Act body on the potential application of the policy. The Minister should then
consider any views expressed by the body prior to notifying them in writing that the policy is to apply. If notified, the body is
required to carry out the general policy.

5.5. Developing a security culture
To successfully deliver the Protective Security Policy Framework, agencies need to foster a
professional culture and a positive attitude towards protective security.

Mandatory Requirement

GOV-1: Agencies must provide all staff, including contractors, with sufficient information
and security awareness training to ensure they are aware of, and meet the requirements
of this Framework.

Agencies are to:
•   ensure that individuals who have specific security duties receive appropriate, up to date training
•   have an ongoing security awareness program to inform and regularly remind individuals of
    security responsibilities, issues and concerns
•   brief individuals on the access privileges and prohibitions attached to their security clearance
    level prior to being given access, or when required in the security clearance renewal cycle
•   brief all Australian Government employees and contracted service providers who hold a
    Negative Vetting Level 1 or higher level security clearance at least every five years as a condition
    of security clearance renewal, and
•   communicate and make available to all staff, including contractors, their protective security
    policies.

Mandatory Requirement

GOV-2: To fulfil their security obligations, agencies must appoint:
•   a member of the Senior Executive Service as the security executive, responsible for the
    agency protective security policy and oversight of protective security practices
•   an agency security adviser (ASA) responsible for the day-to-day performance of
    protective security functions, and
•   an information technology security adviser (ITSA) to advise senior management on the
    security of the agency’s Information Communications Technology (ICT) systems.

GOV-3: Agencies must ensure that the agency security adviser (ASA) and information
technology security adviser (ITSA) have detailed knowledge of agency-specific protective
security policy, protocols and mandatory protective security requirements in order to fulfil
their protective security responsibilities.

GOV-4: Agencies must prepare a security plan to manage their security risks. The security
plan must be updated or revised every two years or sooner when changes in risks and the
agency’s operating environment dictate.

GOV-5: Agencies must develop their own set of protective security policies and procedures
to meet their specific business needs.




The policy and procedures are to:
•   detail the objectives, scope and approach to the management of protective security issues and
    risks within the agency
•   be endorsed by the agency head
•   identify protective security roles and responsibilities
•   be reviewed and evaluated in line with changes to agency business and security risks
•   be consistent with the agency’s security risk assessment findings
•   explain the consequences for breaching the policy or circumventing any associated protective
    security measure, and
•   be communicated on an on-going basis and be accessible to all agency employees, and where
    reasonable and practical be publicly available.
For further guidance please refer to the existing PSM Part A (classified SECURITY-IN-CONFIDENCE)
available to agency security advisers from the Protective Security Policy GOVDEX page
<http://www.govdex.gov.au/>.




5.6. Security risk management
Agencies need to develop a security risk management process to:
•   identify specific risks to their people, information and assets
•   identify the agency’s level of risk tolerance
•   identify appropriate protections to reduce or remove risks, and
•   identify and accept responsibility for untreatable residual risks (such as doing business on the
    Internet).

What is appropriate will vary from agency to agency but the process should be transparent and
justifiable. Risk avoidance is not risk management.

Regardless of an agency’s functions or security concerns, the central messages for managing security
risks are:
•    security risk management is the business of each staff member including contractors in the
     agency
•    risk management, including security risk management, is part of day-to-day business
•    the process for managing security risk is logical and systematic, and should form part of the
     standard management process of the agency, and
•    changes in the threat environment are to be continuously monitored and necessary
     adjustments made to maintain an acceptable level of risk and a balance between operational
     needs and security.

Mandatory Requirement

GOV-6: Agencies must adopt a risk management approach to cover all areas of protective
security activity across their organisation, in accordance with the Australian Standard for
Risk Management AS/NZS ISO 31000:2009 and the Australian Standards HB 167:2006
Security risk management.

Agencies are to:
•    establish the scope of any security risk assessment and identify the people, information and
     assets to be safeguarded
•    determine the threats to people, information and assets in Australia and abroad, and assess the
     likelihood and impact of a threat occurring
•    assess the risk based on the adequacy of existing safeguards and vulnerabilities, and
•    implement any supplementary protective security measures that will reduce the risk to an
     acceptable level.

For further guidance please refer to:
•    Australian Standard for Risk Management AS/NZS ISO 31000:2009, and the
•    Australian Standards HB 167:2006 Security risk management
Available from SAI Global <http://www.saiglobal.com/online/>

5.7. Audit, reviews and reporting
The audit, review and reporting process aims to assess how well agencies are ensuring the
confidentiality, integrity and availability of essential resources. The audit process includes:
•    internal audit and reporting - self assessment with an annual report to portfolio ministers
•    the Australian National Audit Office (ANAO) audits of protective security, and
•    the Attorney-General's Department annual review of protective security.

Mandatory Requirement

GOV-7: For internal audit and reporting, agencies must:
•    undertake an annual security assessment against the mandatory requirements
     detailed within this Framework, and
•    report their compliance with the mandatory requirements to the relevant portfolio
     Minister.
The report must:
•    contain a declaration of compliance by the agency head, and
•    state any areas of non-compliance, including details on measures taken to lessen
     identified risks.
In addition to their portfolio Minister, agencies must send a copy of their annual report on
compliance with the mandatory requirements to:
•    the Secretary, Attorney-General’s Department, and
•    the Auditor-General.
Agencies must also advise any non-compliance with mandatory requirements to:
•    the Director, Defence Signals Directorate for matters relating to the Australian
     Government ICT Security Manual (ISM)
•    the Director-General, Australian Security Intelligence Organisation for matters relating
     to national security, and
•    the heads of any agencies whose people, information or assets may be affected by the
     non-compliance.




Australian National Audit Office
The Australian National Audit Office (ANAO) audits the protective security arrangements within
Australian government agencies. ANAO uses the mandatory protective security standards as a
benchmark of security standards when auditing security practices. ANAO operates under the
Auditor-General Act 1997. These audits aim to:
•   enhance the management of protective security within agencies
•   improve the overall performance of public administration, and
•   provide assurance that public sector organisations are meeting their security obligations.

Using the agencies’ compliance reports, and building upon current ANAO audits of protective
security, the Attorney-General’s Department will report annually on the protective security status
across Government.




5.8. Security investigations
Agencies need to identify and understand security risks in order to address security incidents and
protect people, information and assets. A security investigation will establish the cause and extent of
an incident that has, or could have, compromised the Australian Government. Through effective
reporting and investigation of security incidents, agencies can determine vulnerabilities and reduce
the risk of future occurrence.

A security investigation should protect both the interests of the Australian Government and the
rights of affected individuals. Agencies are to apply the principles of natural justice and procedural
fairness to all security investigations.

Agencies are to consult with the Australian Federal Police and/or the Australian Security Intelligence
Organisation (ASIO) in respect of investigations that may involve potentially serious issues.

Mandatory Requirement

GOV-8: Agencies must ensure investigators are appropriately trained and have in place
procedures for reporting and investigating security incidents and taking corrective action,
in accordance with the provisions of:
•   Australian Government Guidelines on Security incidents and Investigations, and/or
•   The Australian Government Investigations Standards.
Procedures are to give due regard to ensuring the security integrity of any current or future
investigation by the agency or that of another agency.

Agencies are to also report:
•    incidents suspected of constituting criminal offences to the appropriate law enforcement
     authority
•    incidents suspected of involving the compromise of information or assets classified at or above
     CONFIDENTIAL to ASIO
•   major ICT incidents to the Defence Signals Directorate, and
•   incidents involving the compromise of Cabinet material to the Cabinet Secretariat.

For further guidance please refer to the existing PSM Part G (classified SECURITY-IN-CONFIDENCE)
available to agency security advisers from the Protective Security Policy GOVDEX page
<http://www.govdex.gov.au/>.




5.9. Legislation
The protective security mandatory requirements are not legally set down, but are based on
legislation relating to protective security and reflect the aims and objectives of the Australian
Government.

Where legislation requires an agency to manage protective security in a manner contrary to this
Framework, that legislation is to take precedence over this Framework.

Crimes Act 1914 and the Criminal Code 1995
The combined effect of sections 70 and 79 of the Crimes Act 1914 and section 91.1 of the Criminal
Code 1995 is that the unauthorised disclosure of information held by the Australian Government is
subject to the sanction of criminal law. All staff, including contractors who handle official
government material, must be aware of this legislation and how it applies to their roles.

Mandatory Requirement

GOV-9: Agencies must give all employees, including contractors, guidance on Sections 70
and 79 of the Crimes Act 1914, section 91.1 of the Criminal Code 1995, the Freedom of
Information Act 1982 and the Information Privacy Principles contained in the Privacy Act
1988 including how this legislation relates to their role.

Laws applicable to agencies may include, but are not limited to:
•   Crimes Act 1914
•   Criminal Code Act 1995
•   Freedom of Information Act 1982 (the FOI Act)
•   Privacy Act 1988
•   Public Service Act 1999
•   Defence Act 1903
•   Australian Security Intelligence Organisation Act 1979 (the ASIO Act)
•   Intelligence Services Act 2001
•   Archives Act 1983
•   Income Tax Assessment Act 1936
•   Social Security Act 1991, and
•   National Security Information (Criminal and Civil Proceedings) Act 2004 (the NSI Act).

Agencies may have specific protective security obligations under their enabling legislation.




5.10. International security agreements
The Australian Government is party to a range of multilateral and bilateral international agreements
governing the use, handling and protection of security classified material. Agencies involved in
sensitive work with international organisations, or those that handle another country’s protectively
marked information on their behalf, are to ensure that their internal procedures comply with the
relevant international obligation.

Mandatory Requirement

GOV-10: Agencies must adhere to any provisions concerning the security of people,
information and assets contained in multilateral or bilateral agreements and
arrangements to which Australia is a party.

For further guidance please refer to the Australian Treaties Database, see:
<http://www.dfat.gov.au/treaties/>.




5.11. Business continuity management
Critical services and associated assets need to remain available in order to assure the health, safety,
security and economic well-being of Australians, and the effective functioning of government.
Business continuity management (BCM) is a part of an agency’s overall approach to effective risk
management. BCM is the process agencies are to follow in the event of a disruption to business. A
key risk for agencies is that they will be unable to remain operational in the event of a crisis and/or
disruption.

Mandatory Requirement

GOV-11: Agencies must establish a business continuity management (BCM) program to
provide for the continued availability of critical services and assets, and of other services
and assets when warranted by a threat and risk assessment.

Agencies are to:
•    develop a governance structure establishing authorities and responsibilities for a BCM program,
     and for the development and approval of business continuity plans
•    within the context of the identification of assets, undertake impact analysis to identify and
     prioritise the agency’s critical services and assets, including identifying and prioritising
     information exchanges provided by, or to other agencies or external parties
•    develop plans, measures and arrangements to ensure the continued availability of critical
     services and assets, and of any other service or asset when warranted by a threat and risk
     assessment
•    undertake activities to monitor the agency’s level of overall preparedness, and
•    make provision for the continuous review, testing and audit of business continuity plans.

For further guidance please refer to:
•    ANAO – better practice guide on Business Continuity Management – Building resilience in public
     sector entities, see
     <http://www.anao.gov.au/director/publications/betterpracguides/currentguides.cfm>, and
•    Australian Standards handbooks:
     -     HB 221-2004: Business Continuity Management Handbook
     -     292-2006: A Practitioner’s Guide to Business Continuity Management, and
     -     293-2006: Executive guide to Business Continuity Management
     Available from SAI Global <http://www.saiglobal.com/online/>




5.12. Contracting
The Protective Security Policy Framework applies equally to the contracting process as it does to
internal government operations.

Mandatory Requirement

GOV-12: Agencies must ensure the contracted service provider complies with the
requirements of this policy and any protective security protocols.

Agencies are to:
•   apply necessary personnel security procedures to private sector organisations and individuals
    who have ongoing access to Australian Government assets, as specified in the Australian
    Government Personnel Security Protocol, and
•   ensure the safeguarding of government assets, including ICT systems by:
    -     specifying the necessary protective security requirements in the terms and conditions of
          any contractual documentation, and
    -     undertaking assessment visits to verify that the contracted service provider complies with
          the terms and conditions of any contractual documentation.

For further guidance please refer to the existing PSM Part F (classified SECURITY-IN-CONFIDENCE)
available to agency security advisers from the Protective Security Policy GOVDEX page
<http://www.govdex.gov.au/>.




5.13. Fraud control
Fraud control measures are part of the risk management process. The Commonwealth Fraud Control
Guidelines – May 2002 outline the principles of fraud control within the Commonwealth and set
national minimum standards to help agencies carry out their responsibilities to combat fraud against
their programs. The Guidelines outline:
•   agency responsibilities for fraud prevention
•   reporting of fraud information
•   fraud investigation case handling, and
•   training of agency fraud investigators and fraud prevention officers.

Mandatory Requirement

GOV-13: The following agencies must comply with the Commonwealth Fraud Control
Guidelines – May 2002:
•   all agencies that are subject to the Financial Management and Accountability Act
    1997, and
•   Commonwealth Authorities and Companies Act 1997 agencies that are at least 50%
    budget funded for their operating costs.
Other Government agencies are encouraged to comply with the Guidelines.

The Commonwealth Fraud Control Guidelines can be accessed at:
<http://www.ag.gov.au/www/agd/agd.nsf/Page/Fraudcontrol_CommonwealthFraudControlGuidelines-May2002>

For further advice see the Australian Standard:
•    AS8001-2008: Fraud and Corruption Control
Available from SAI Global <http://www.saiglobal.com/online/>




6. Core policies
All applicable agencies and bodies are to comply with the mandatory requirements contained within
the three protective security core policies in the Australian Government’s Protective Security Policy
Framework. The core protective security policies are:
•   Personnel security
•   Information security, and
•   Physical security.

6.1. Australian Government Personnel Security Core Policy

Overview

The protection of classified resources across Government includes limiting access to those people
whom the Australian Government assesses to be suitable and whose work responsibilities specifically
require them to access these resources. The Government determines suitability for such access
through a robust assessment process. More detailed information is provided in the associated
protocols and guidelines, some of which are security classified and therefore not publicly available.

Purpose

The purpose of personnel security is to provide a level of assurance as to the honesty,
trustworthiness, maturity, tolerance and loyalty of individuals who access Government resources. All
staff employed by the Australian Government may be subject to security vetting.

Issue and review

The Attorney-General issued this policy in June 2010. The Protective Security Policy Committee will
review this core policy regularly.

Current Version: V1.00 (Reviewed June 2010)

Mandatory Requirement

PERSEC 1: Agencies must ensure that Australian Government employees, contractors and
temporary staff who require ongoing access to Australian Government information and
resources:
•   are eligible to have access
•   have had their identity established
•   are suitable to have access, and
•   are willing to comply with the Government’s policies, standards, protocols and
    guidelines that safeguard that agency’s resources (people, information and assets)
    from harm.
Access to higher levels of classified resources is dependent upon the granting of the
requisite security clearance.

For further advice on employment screening see Australian Standards:
•    AS4811-2006: Employment Screening
•    HB323-2007: Employment Screening Handbook
Available from SAI Global <http://www.saiglobal.com/online/>

Risk management

Agencies are to employ a risk management approach to personnel security consistent with protective
security principles. The aim is to reduce the risk of loss, damage or compromise of Australian
Government security classified resources by application of personnel security measures before and
during employment. These measures in isolation do not provide a guarantee of reliability and must
be supported by effective line management. They are not an alternative to the correct application of
the ‘need to know’ principle, access controls and information security measures.

For further guidance please refer to:
•    Australian Standard for Risk Management AS/NZS ISO 31000:2009, and the
•    Australian Standards HB 167:2006 Security risk management
Available from SAI Global <http://www.saiglobal.com/online/>

Mandatory Requirements

PERSEC 2: Agencies must, as part of their risk management approach to protective
security, identify designated security assessed positions (DSAPs) within their organisation
that require access to CONFIDENTIAL, SECRET and TOP SECRET assets and information.
Agencies must ensure that security vetting is only applied where it is necessary.

PERSEC 3: Agencies must maintain a DSAP register.

Need-to-know

The fundamental rule of personnel security is that agencies base all access decisions on the
‘need-to-know’ principle. Agencies are to establish the existence of a legitimate need to access the
security classified resources to carry out official duties before granting access. Other justifications,
such as position of authority, or the desire to enter controlled areas for the sake of convenience, are
not valid.

Mandatory Requirement

PERSEC 4: Security clearances must be sponsored by an Australian government agency.
Security clearances are not available on demand or on a speculative basis.

Australian Government Security Vetting Agency

With the exception of specified exempt agencies, the Australian Government Security Vetting Agency
(AGSVA) is the only agency that conducts security vetting for the Australian Government.



The security vetting process is intrusive by its very nature and agencies are to conduct the process
with care and sensitivity and in accordance with Australian Government policy.

AGSVA and exempt agencies are to resolve any doubts about the suitability of a clearance subject to
access security classified resources in favour of the Commonwealth.

Security vetting

There are four levels of security vetting, each involving more rigorous checking:
•    Baseline Vetting – entails screening to permit ongoing access to Australian Government
     resources security classified at the PROTECTED level. This screening meets the requirements
     detailed in Australian Standard AS4811:2006 – Employment screening.
•    Level 1 - Negative Vetting – a suitability assessment that permits ongoing access to PROTECTED,
     CONFIDENTIAL and SECRET resources. The suitability assessment includes Baseline Vetting plus
     additional suitability checks.
•    Level 2 - Negative Vetting – a background investigation that permits ongoing access to
     PROTECTED, CONFIDENTIAL, SECRET and TOP SECRET resources. The investigation includes
     Baseline Vetting plus additional suitability checks as well as background interviews, and
•    Positive Vetting – permits access to resources at all classification levels, including certain types
     of caveated and codeword information, and usually relates to employment in an Australian
     Intelligence Community agency.

Australian Government Personnel Security Protocol

Mandatory Requirement

PERSEC 5: All Government agencies must follow the Australian Government Personnel
Security Protocol for personnel security as contained in supplementary material within the
Protective Security Policy Framework. Only the Australian Government Security Vetting
Agency and exempt agencies can grant, continue, deny, revoke or vary a security
clearance. Exempt agencies can only issue clearances for their own agency.

Vetting decisions – assessment of whole person

All vetting decisions are based on an assessment of the whole person and at all stages are to be
made in accordance with the principles of natural justice and procedural fairness.

Ongoing personnel security management (‘Aftercare’)

Personnel security is an important element of an agency’s effective protective security regime as well
as sound overall management practice. The initial security vetting process only provides a snapshot
of an individual at a particular time. Aside from formal periodic and AGSVA initiated reviews of the
security clearance, agencies’ senior and line managers are responsible for providing support,
awareness and education as part of agencies’ aftercare regime.

Agencies are to have in place processes that provide for the timely identification and assessment of
issues impacting on an individual’s continued suitability to hold a security clearance (security
aftercare). These processes are to complement, but not substitute for, the clearance review and security
education processes. These processes are to:
•    include tailored agency-specific security aftercare management programs
•    provide clear instructions and guidelines in agency aftercare policy and procedures, and
•    regularly reinforce through security education and training the requirement for staff to report
     significant changes in personal circumstances and contacts.

Mandatory Requirement

PERSEC 6: Agencies must have in place personnel security aftercare arrangements,
including the requirement for individuals holding security clearances to advise the AGSVA
or the relevant exempt agency of any significant change in personal circumstance that may
impact on their continuing suitability to access security classified resources.

The personnel security protocol is currently under development. For further guidance please refer to
the existing PSM Part D (classified SECURITY-IN-CONFIDENCE) available to agency security advisers
from the Protective Security Policy GOVDEX page <http://www.govdex.gov.au/>.




6.2. Australian Government Information Security Core Policy
The Australian Government collects and receives information to fulfil its functions and expects all
those who access or hold this information to protect it. Agencies are to develop, document,
implement and review appropriate security measures to protect this information from unauthorised
use or accidental modification, loss or release by:
•    establishing an appropriate information security culture within the agency
•    implementing security measures that match the information’s value, classification and
     sensitivity, and
•    adhering to all legal requirements.

The mandatory requirements of this core policy are based on the three elements of information
security:
•    Confidentiality: ensuring that information is accessible only to those authorised to have access
•    Integrity: safeguarding the accuracy and completeness of information and processing methods,
     and
•    Availability: ensuring that authorised users have access to information and associated assets
     when required.

The term ‘information assets’ within this policy refers to any form of information, including:
•    electronic data
•    the software or information and communication technology (ICT) systems and networks on
     which the information is stored, processed or communicated
•    printed documents and papers
•    the intellectual information (knowledge) acquired by individuals, and
•    physical items from which information regarding design, components or use could be derived.

Issue and review

The Attorney-General issued this policy in June 2010. The Protective Security Policy Committee will
review this core policy regularly.

Current Version: V1.00 (Reviewed June 2010)

Sharing of information and other assets

Agencies are to implement this policy when sharing Australian Government information and other
assets with other governments (including foreign, state, territory and municipal), international,
educational and private sector organisations. In these cases, agencies are to develop arrangements
that outline security responsibilities, safeguards to be applied, and terms and conditions for
continued participation.

Agencies are to treat information and other assets received from other governments (including
foreign, state, territory and municipal), international (e.g. EU), educational and private sector
organisations, in accordance with agreements or arrangements between the parties concerned.
Agencies may share up to PROTECTED level information with non-government organisations that
screen to the level of Australian Standard AS4811:2006 – Employment screening.

Agency information security policy and planning

Mandatory Requirement

INFOSEC 1: Agency heads must provide clear direction on information security through the
development and implementation of an agency information security policy and an agency
information security plan.

The policy and plan are to:

•   detail the objectives, scope and approach to the management of information security issues and
    risks within the agency
•   be endorsed by the agency head
•   identify information security roles and responsibilities
•   detail the types of information that an employee:
    -     can lawfully disclose in the performance of his or her duties, or
    -     must obtain authority to disclose
•   be reviewed and evaluated in line with changes to agency business and information security
    risks
•   be consistent with the requirements of the agency’s protective security plan and information
    security risk assessment findings
•   address the issue of data aggregation
•   include details of the agency’s declassification program
•   explain the consequences for breaching the policy or circumventing any associated protective
    security measure, and
•   be communicated on an on-going basis and be accessible to all agency employees, and where
    reasonable and practical be publicly available.

The information security protocol is currently under development. For further guidance please refer
to the existing PSM Part A (classified SECURITY-IN-CONFIDENCE) available to agency security advisers
from the Protective Security Policy GOVDEX page <http://www.govdex.gov.au/>.




Information security framework and third party access

Mandatory Requirement

INFOSEC 2: Each agency must establish a framework to provide direction and coordinated
management of information security. Frameworks must be appropriate to the level of
security risks to the agency’s information environment.

Agencies are to:
•   document requirements for information security when entering into outsourcing contracts and
    arrangements with contractors and consultants
•   enter into memorandums of understanding (MOU) with other agencies when regularly sharing
    information and where reasonable and practical, make the MOU publicly available
•   ensure that prior to providing third parties access to Australian Government information and ICT
    systems, security measures that match the security classification or dissemination limiting
    marker of the information or ICT system are in place, or clearly defined, in appropriate
    agreements or contracts, and
•   ensure that appropriate permissions are received before providing third parties access to
    information not originating within the agency.

Information asset classification and control

Mandatory Requirement

INFOSEC 3: Agencies must implement policies and procedures for the security classification
and protective control of information assets (in electronic and paper-based formats) which
match their value, importance and sensitivity.

When addressing security classification and control policies and procedures, agencies are to ensure
that:
•   all major information assets including hardware, software and services used in agency
    operations (including physical information assets used to process, store or transmit information)
    are identified, documented and assigned owners for the maintenance of security measures
•   the classification of all agency information is in accordance with the Australian Government
    Security Classification System
•   the control of all security classified information (including handling, storage, transmission,
    transportation and disposal) is in accordance with the Australian Government Information
    Security Protocol
•   information is appropriately marked, stored and handled in accordance with the Australian
    Government Information Security Protocol
•   a classification guide specific to the agency is developed, maintained and accessible to all agency
    employees
•   the agency’s classification guide does not limit the provisions of relevant legislative
    requirements or international obligations under which the agency operates, and
•   disposal of public records is in accordance with legislative and regulatory requirements.

Operational security management

Mandatory Requirement

INFOSEC 4: Agencies must document and implement operational procedures and
measures to ensure information, ICT systems and network tasks are managed securely and
consistently, in accordance with the level of required security.

Agencies are to ensure that they:

•   put in place incident management procedures and mechanisms to review violations and to
    ensure appropriate responses in the event of security incidents, breaches or failures
•   put in place adequate controls to prevent, detect, remove and report attacks of malicious and
    mobile code on ICT systems and networks
•   put in place comprehensive systems maintenance processes and procedures including operator
    and audit/fault logs and information backup procedures
•   implement operational change control procedures to ensure that they appropriately approve
    and manage changes to information processing facilities or ICT systems
•   comply with legal requirements when exchanging information in all forms, between agencies
    and/or third parties
•   apply the classification schemes and measures defined in the Australian Government
    Information Security Protocol and the Australian Government Information and Communication
    Security Technology Manual when exchanging information in all forms, between agencies
    and/or third parties, and
•   apply the requirements of the National e-Authentication Framework to on-line transactions and
    services.

Information access controls

Mandatory Requirement

INFOSEC 5: Agencies must have in place control measures based on business owner
requirements and assessed/accepted risks for controlling access to all information, ICT
systems, networks (including remote access), infrastructures and applications. Agency
access control rules must be consistent with agency business requirements and
information classification as well as legal obligations.

Agencies are to ensure that they:
•   assess access requirements against the National e-Authentication Framework
•   require specific authorisation to access agency ICT systems
•   assign each user a unique personal identification code and secure means of authentication

•   define, document and implement policies and procedures to manage operating systems
    security, including user registration, authentication management, access rights and privileges to
    ICT systems or application utilities
•   display restricted access and authorised use only (or equivalent) warnings upon access to all
    agency ICT systems
•   where wireless communications are used, appropriately configure the security features of the
    product to at least the equivalent level of security of wired communications
•   implement control measures to detect and regularly log, monitor and review ICT systems and
    network access and use, including all significant security relevant events
•   conduct risk assessments and define policies and processes for mobile technologies and
    teleworking facilities, and
•   assess security risks and implement appropriate controls associated with use of ICT facilities and
    devices (including non-governmental equipment) within the agency such as mobile telephony,
    personal storage devices and internet and email prior to connection.

Information system development and maintenance

Mandatory Requirement

INFOSEC 6: Agencies must have in place security measures during all stages of ICT system
development, as well as when new ICT systems are implemented into the operational
environment. Such measures must match the assessed security risk of the information
holdings contained within, or passing across, ICT networks infrastructures and
applications.

When establishing new ICT systems or implementing improvements to current ICT systems including
off-the-shelf or outsourced software development, agencies are to ensure that they:
•   address security in the early phases of the systems development life cycle, including the system
    concept development and planning phases and then in the requirements analysis and design
    phases
•   consult internal and/or external audit when implementing new or significant changes to
    financial and critical business ICT systems
•   incorporate processes including data validity checks, audit trails and activity logging in
    applications to ensure the accuracy and integrity of data captured or held in applications
•   apply the National e-Authentication Framework requirements to authentication techniques and
    policies
•   carry out appropriate change control, acceptance and ICT system testing, planning and
    migration control measures when upgrading or installing software in the operational
    environment
•   control access to ICT system files to ensure integrity of the business systems, applications and
    data, and
•   identify and implement access controls including access restrictions and segregation/isolation of
    ICT systems into all infrastructures, business and user developed applications.

Compliance

Mandatory Requirement

INFOSEC 7: Agencies must ensure that agency information security measures for all
information processes, ICT systems and infrastructure adhere to any legislative or
regulatory obligations under which the agency operates.

To ensure all legal, statutory, regulatory, contract or privacy obligations relating to information
security are managed appropriately, agencies are to:
•    take all reasonable steps to monitor, review and audit agency information security
     effectiveness, including assigning appropriate security roles and engaging internal and/or
     external auditors and specialist organisations where required, and
•    regularly review all agency information security policies, processes and requirements including
     contracts with third parties, for compliance and report to appropriate agency management.

The information security protocol is currently under development. For further guidance please refer
to the existing PSM Parts C and H (classified SECURITY-IN-CONFIDENCE) available to agency security
advisers from the Protective Security Policy GOVDEX page <http://www.govdex.gov.au/>, and the
Australian Government Information Security Manual available from the Defence Signals Directorate
<http://www.dsd.gov.au/>.

6.3. Australian Government Physical Security Core Policy
The Australian Government requires a variety of resources i.e., people, information and assets to
make and implement its decisions. Australian Government agencies hold significant resources on
behalf of the Government and the Australian people to fulfil government functions (for example, to
develop policy, establish or implement programs, or provide services to the public). The Government
expects each of its agencies to create and maintain an appropriate physical security environment for
the protection of these functions and associated resources. The appropriate physical security
environment should support the efficient and effective performance of agency outputs, without
compromising the application of protective security measures.

Risk management

Agencies are to employ a risk management approach to physical security that conforms to the
protective security principles. Agencies are to determine the appropriate level of physical protection
for their functions and resources, including their employees, information and assets. These decisions
require a rigorous analysis of security risk.

For further guidance please refer to:
•   Australian Standard for Risk Management AS/NZS ISO 31000:2009, and
•   Australian Standards HB 167:2006 Security risk management
available from SAI Global <http://www.saiglobal.com/online/>.

Security-in-depth

Sensible management of security risk will involve finding the most appropriate and cost-effective way
of minimising risk through a combination of procedural, personnel and physical measures. This mix
establishes a series of barriers that prevent or restrict unauthorised access or harm to resources.
This is known as ‘security-in-depth’. It also puts in place mechanisms to detect and respond to
security breaches within an acceptable timeframe.

Issue and review

The Attorney-General issued this core policy in June 2010. Review of this core policy will occur on a
regular basis.

Current Version: V1.00 (Reviewed June 2010)

Agency physical security policy and planning

Mandatory Requirement

PHYSEC 1: Agency heads must provide clear direction on physical security through the
development and implementation of an agency physical security policy and an agency
physical security plan.

The policy and plan are to:
•   detail the objectives, scope and approach to the management of physical security issues and
    risks within the agency
•   be endorsed by the agency head
•   identify physical security roles and responsibilities
•   continuously review physical security measures to reflect changes in the threat environment
    and take advantage of new cost-effective technologies
•   be consistent with the requirements of the agency’s protective security plan and physical
    security risk assessment findings
•   explain the consequences for breaching the policy or circumventing any associated protective
    security measure, and
•   be communicated on an on-going basis and be accessible to all agency employees.

For further guidance please refer to the existing PSM Part A (classified SECURITY-IN-CONFIDENCE)
available to agency security advisers from the Protective Security Policy GOVDEX page
<http://www.govdex.gov.au/>.

Protection of employees

Agencies are responsible for the health and safety of employees at work. This responsibility extends
to situations where employees are under threat of violence because of their duties or because of
situations to which they are exposed. Such situations include, but are not limited to, terrorism, threat
letters or calls, the receipt of potentially dangerous substances (e.g. ‘white powder’), stalking and
assault.

Mandatory Requirement

PHYSEC 2: Agencies must have in place policies and procedures to:

•   identify, protect and support employees under threat of violence, based on a threat
    and risk assessment of specific situations. In certain cases, agencies may have to
    extend protection and support to family members and others
•   report incidents to management, human resources, security and law enforcement
    authorities, as appropriate
•   provide information, training and counselling to employees, and
•   maintain thorough records and statements on reported incidents.

Physical security

Physical security involves the proper layout and design of facilities and the use of measures to delay
and prevent unauthorised access to government assets. It includes measures to detect attempted or
actual unauthorised access, and activate an appropriate response. Physical security also provides
measures to safeguard employees from violence.

Mandatory Requirement

PHYSEC 3: Agencies must ensure they fully integrate protective security early in the
process of planning, selecting, designing and modifying their facilities.

Agencies are to:
•   select, design and modify their facilities in order to facilitate the control of access
•   demarcate restricted access areas, and have the necessary entry barriers, security systems and
    equipment based on threat and risk assessments
•   include the necessary security specifications in planning, request for proposals and tender
    documentation, and
•   incorporate related costs in funding requirements.

Occupational health and safety

Mandatory Requirement

PHYSEC 4: Agencies must ensure that any proposed physical security measure or activity
does not breach relevant employer occupational health and safety obligations.

Agencies are to ensure that they:
•   conduct a risk assessment of any proposed physical security measure or activity and develop
    effective risk controls in line with a reasonably practicable approach, and

•   take into account the likelihood and consequence of an accident or injury arising as a result of a
    physical security measure or activity and put in place appropriate control measures.

Duty of care – third parties

Mandatory Requirement

PHYSEC 5: Agencies must show a duty of care for the physical safety of those members of
the public interacting directly with the Australian Government. Where an agency’s
function involves providing services, the agency must ensure that clients can transact with
the Australian Government with confidence about their physical wellbeing.

Agencies are to:
•   take all reasonable precautions which could avoid or reduce the risk of harm to clients
•   choose the option which is least restrictive to the client where there are a number of effective
    physical security measures which would reduce the risk of harm
•   ensure the agency physical security plan addresses the risk of harm to clients, and
•   develop relevant guidelines and procedures identifying the precautions to be taken to cover the
    identified risk factors.

For further advice see the Occupational Health and Safety Act 1991, OHS Regulations and OHS
Code of practice available from Comcare at:
<http://www.comcare.gov.au/laws__and__regulations/ohs_act,_regulations__and__code>

Physical security of ICT equipment and information

Mandatory Requirement

PHYSEC 6: Agencies must implement a level of physical security measures that minimises
or removes the risk of ICT equipment and information being made inoperable or
inaccessible, or being accessed, used or removed without appropriate authorisation.

Agencies are to ensure that they:
•   put in place appropriate building and entry control measures for areas used in the processing
    and storage of security classified information
•   put in place physical security protection (which matches the assessed security risk of the
    aggregated information holdings) for all agency premises, storage facilities and cabling
    infrastructure
•   locate ICT equipment, where practical, in areas with access control measures in place to restrict
    use to authorised personnel only, and put in place other control methods where physical control
    measures are not possible
•   implement policies and processes to monitor and protect the use and/or maintenance of
    information, equipment, storage devices and media away from agency premises, and in
    situations where a risk assessment determines, put in place additional control measures
•   implement policies and processes for the secure disposal and/or reuse of ICT equipment,
    storage devices and media (including delegation, approval, supervision, removal methods and
    training of employees) which match the assessed security risk of the information holdings
    stored on the asset, and
•   implement general control policies including a clear desk and clear screen policy.

Physical security in emergency and increased threat situations

Mandatory Requirement

PHYSEC 7: Agencies must develop plans and procedures to move up to heightened
security levels in case of emergency and increased threat. The Australian Government
may direct its agencies to implement heightened security levels.

Agencies are to co-ordinate physical security plans and procedures with other emergency prevention
and response plans (e.g. fire, bomb threats, hazardous materials, power failures, evacuations, civil
emergencies).

The physical security protocol is currently under development. For further guidance please refer to
the existing PSM Parts E and H (classified SECURITY-IN-CONFIDENCE) available to agency security
advisers from the Protective Security Policy GOVDEX page <http://www.govdex.gov.au/>.

7. Understanding the Protective Security Policy Framework & Frequently Asked Questions
•   What is the Protective Security Policy Framework (PSPF)?
•   What areas does the PSPF cover?
•   Who authorises the PSPF?
•   Who is the PSPF for?
•   How long is the transition to the PSPF expected to take?
•   How do we know what is mandatory?
•   Why is the Australian Government putting its protective security measures in the public
    domain?
•   How is the PSPF updated?
•   How do I access the security classified protocols and guidelines?

What is the Protective Security Policy Framework?

The Protective Security Policy Framework (PSPF) sets out the Australian Government policy and
guidance on protective security. All agency protective security policies are to be based on this
Framework. The Framework supersedes the Protective Security Manual (PSM), and is publicly
available. It is necessary to limit access to some protocol and guideline material for security reasons.
Protective security policies will differ according to the range of business and security risks faced by
each agency. However, the minimum security requirements are mandatory for all agencies.
Compliance with mandatory requirements provides assurance needed for the secure sharing of
information across Government. The Framework supports agencies in implementing the
Government’s protective security policy.

Protective security is a combination of procedural, physical, personnel, and information security
measures designed to provide Government information, functions, resources, employees and clients
with protection against security threats.

The Protective Security Manual (PSM) was the primary source of protective security policy, minimum
standards, procedures and guidelines for government. It set out the Government’s policy on its own
internal security. Because it contained some specific protective security controls and procedures it
was classified at SECURITY-IN-CONFIDENCE. Therefore it was not publicly available. The PSM has
been superseded by the Protective Security Policy Framework, and much of the Framework is
publicly available.

What areas does the PSPF cover?

The PSPF covers Australian Government protective security and security risk management policy,
procedures and guidelines. It includes:
•   an overarching policy statement
•   principles
•   governance arrangements
•   core policies
•   mandatory requirements
•   the Government Directive on the security of government business, and
•   protocols and guidelines.

Who authorises the PSPF?

The PSPF is endorsed by the National Security Committee of Cabinet (NSC) and approved by the
Commonwealth Attorney-General.

The Attorney-General’s Department is responsible for developing and amending the Framework
assisted by the Protective Security Policy Committee comprising:
•   Department of the Prime Minister and Cabinet
•   Department of Foreign Affairs and Trade
•   Department of Defence
•   Australian Taxation Office
•   CentreLink
•   Australian Security Intelligence Organisation
•   Defence Signals Directorate
•   Australian Federal Police, and
•   Australian National Audit Office.

Who is the PSPF for?

The PSPF applies to Government agencies and any organisations working on behalf of, or handling
Australian Government information and assets. This may include other governments, and contract
service or goods providers. Agencies are to stipulate:
•   where and what level of compliance they require of their delivery partners, and
•   where equivalent protective security policies are acceptable.

How long is the transition to the PSPF expected to take?

Introducing the new Framework requires the review of all current protective security policies,
procedures and guidelines. We expect the redrafting, approval, dissemination and incorporation of
this work to be completed by the end of 2011. All Parts of the current PSM will remain in force until
they are replaced by new policies, protocols and guidelines under the Framework.

How do we know what is mandatory?

The mandatory requirements are labelled and highlighted. These requirements are supplemented by
further policy, protocols and/or guidelines which can be accessed by following the link entitled
“Further Guidance”. Please note that the publicly available version of the Framework does not
include any security classified material.

Why is the Australian Government putting its protective security measures in the public
domain?

Publicly publishing the PSPF reflects the Government’s commitment to greater transparency and
accountability. It allows organisations who do business with the Government access to the security
policy and procedures they may need to apply.

How is the PSPF updated?

The Protective Security Policy Committee (PSPC):
•   reviews the Framework regularly
•   issues updated protective security policies, and
•   produces a refreshed edition of the Framework as required.

The Framework documents are dated and carry version control numbers to identify current versions.

How do I access the security classified protocols and guidelines?

If you require access to security classified protocols and guidelines or have any queries about the
PSPF please email the Protective Security Policy team at pspf@ag.gov.au.