Physical security management protocol

Approved July 2011

Amended April 2015

Version 1.5

© Commonwealth of Australia 2011

All material presented in this publication is provided under a Creative Commons Attribution 3.0 Australia licence.

For the avoidance of doubt, this means this licence only applies to material as set out in this document.

The details of the relevant licence conditions are available on the Creative Commons website (accessible using the links provided) as is the full legal code for the CC BY 3.0 AU licence.

Use of the Coat of Arms

The terms under which the Coat of Arms can be used are detailed on the It's an Honour website.

Contact us

Inquiries regarding the licence and any use of this document are welcome at:

Business Law Branch
Attorney-General’s Department
3-5 National Cct
BARTON ACT 2600

Telephone: (02) 6141 6666

Document details
Security classification / Unclassified
Dissemination limiting marking / Publicly available
Date of next review / July 2018
Authority / Attorney-General
Author / Protective Security Policy Section, Attorney-General’s Department
Document status / Approved 18 July 2011; amended April 2015

Contents

Amendments

1. Scope
1.1 Introduction and objectives
1.2 Status and applicability
1.2.1 Status
1.2.2 Specific terms used in this protocol
1.2.3 Applicability
1.3 Intended audience
1.4 Policy exceptions
1.4.1 Ongoing policy exceptions
1.4.2 Emergency policy exceptions
1.4.3 Deliberate non-compliance with physical security policies
1.5 Structure and design of this protocol
1.5.1 Structure and overview
1.5.2 Formatting and presentation
1.6 References and supporting documents
1.6.1 Documents given authority by this protocol
1.6.2 Standards and guidelines referenced
1.6.3 Access to SCEC and ASIO guides
1.7 Document change control
2. How this protocol fits into the PSPF structure
3. Agency physical security policies and procedures
3.1 Employee awareness of physical security measures
4. Agency physical security risk management and planning
4.1 Risk management
4.1.1 Applying risk management and assurance levels in physical security
4.1.2 Security risk management
4.1.3 Threat assessments
4.1.4 Physical security risk assessments
4.1.5 Review of risk assessments
4.1.6 Risks to people
4.1.7 Risks to cultural holdings
4.2 Assurance levels
4.3 Security-in-depth
4.4 Elements of physical security planning
4.4.1 Shared facilities
4.4.2 Security when working away from the office
5. Physical security treatments
5.1 Physical security systems
5.2 Site planning
5.2.1 Site selection
5.3 Security Zones
5.4 Accreditation of Security Zones
5.4.1 Minimum requirements for protecting security classified information
5.5 Measures to control access to facilities, information and physical assets
5.5.1 Use of SCEC approved products
6. Protection of people
6.1 Occupational health and safety considerations in physical security
6.1.1 Employees
6.1.2 Clients and the public
6.2 Emergency procedures
7. Physical security of information and ICT equipment
7.1 Single items or limited amounts of information
7.2 Aggregations of information
7.2.1 TOP SECRET information or an aggregation of information that could cause catastrophic damage to Australia’s national security
7.3 ICT systems
7.3.1 ICT facility security
7.3.2 ICT equipment security
7.3.3 Additional information
8. Physical security in emergency and increased threat situations
8.1 Physical security in disaster management plans
8.2 Scalable security to meet increases in threat levels
8.3 Involving ASAs and ITSAs in emergency response and recovery management
Annex A: Referenced Standards, Handbooks and Codes
Annex B: Protective security in an agency’s risk management and planning

Amendments

No. / Date / Location / Amendment
1. / September 2011 / Section 8 / Replace references to ISM for physical security of ICT equipment, systems and facilities with PHYSEC guidelines
2. / February 2012 / Throughout / Update all PSPF links
3. / September 2012 / Sections 1.2.2 and 2 and Annex B / Update Sections 1.2.2 and 2 to refer to PSPF—Glossary of Terms and remove Annex B – Glossary of Terms. Update Annex numbering.
4. / September 2012 / Sections 5.1.6 and 7 / Change reference from OHS Act 1991 to WHS Act 2011
5. / July 2013 / Throughout / Update references to Australian Signals Directorate (ASD) from Defence Signals Directorate (DSD)
6. / July 2013 / Section 6.4 / Replace DIO with Defence Intelligence Security (DIS) and clarify the need for DIS accreditation of SCIFs
7. / April 2015 / Throughout / Update links
8. / April 2015 / Throughout / Update references to ASIO technical notes
9. / April 2015 / Throughout / Replace reference to the Security Equipment Catalogue with the Security Evaluated Equipment List (SEEPL) and Security equipment guides (SEGs)
10. / April 2015 / Delete Section 2 / Delete Section 2 – Terms and definitions, covered in 1.2.2
11. / April 2015 / Add Section 1.6.3 / Added to provide advice on accessing Australian Security Intelligence Organisation (ASIO) and Security Construction and Equipment Committee (SCEC) guides and notes for Section 1.6
12. / April 2015 / Throughout / Insert paragraph numbering

1. Scope

1.1 Introduction and objectives

  1. The physical security protocol and associated guidelines detail the standards required to comply with core policies and meet the seven mandatory physical security requirements of the Protective Security Policy Framework (PSPF).
  2. Physical security is a combination of physical and procedural measures designed to prevent or mitigate threats or attacks against people, information and physical assets. A physical security program aims to:
  • Deter—these are measures implemented that adversaries perceive as too difficult, or needing special tools and training to defeat.
  • Detect—these are measures implemented to determine if an unauthorised action is occurring or has occurred.
  • Delay—these are measures implemented to:

—impede an adversary during an attack, or

—slow the progress of a detrimental event to allow a response before agency information or physical assets are compromised.

  • Respond—these are measures taken once an agency is aware of an attack or event to prevent, resist or mitigate the attack or event.
  • Recover—these are measures taken to restore operations to normal (as possible) following an incident.
  3. Often a measure designed to meet one particular physical security goal may address others.
  4. Physical security is more than protection against national security threats. It should address all hazards an agency may face in the protection of people, information, functions and physical assets including:
  • civil disturbance: riots, insurrections, protests, etc.
  • crime: personal and property crimes, etc.
  • conflicts of interest: bribery, disaffection, kickbacks, etc.
  • workplace violence: assault, harassment, revenge attacks, etc.
  • terrorism: bombing, extortion, white power incidents, kidnapping, etc.
  • natural disasters: flood, bush fire, earthquake, pandemics, etc.
  • industrial disasters: explosions, building fires, structural collapse, other major accidents, etc, and
  • other risks: disturbed persons, traffic accidents, etc.
  5. Physical security measures complement personnel security, information handling, communications and computer security procedures.

1.2 Status and applicability

1.2.1 Status

  1. The Attorney-General approved the Physical Security Management Protocol on 18 July 2011.
  2. This protocol is part of the third tier of the Australian Government’s physical security policy hierarchy, as shown in Figure 1.

Figure 1: Physical security policy hierarchy

  3. This protocol draws its authority from the PSPF—Directive on the security of Government business, Governance arrangements, and the Physical security core policy. It should be read in conjunction with these higher level policy documents. It should also be read in conjunction with the subordinate supporting guidelines including:
  • the Australian Government Personnel Security Protocol
  • the Australian Government Information Security Management Protocol
  • the Commonwealth Fraud Control Framework
  • any agency specific legislation
  • the Australian Government physical security management guidelines—Security zones and risk mitigation control measures
  • the Australian Government physical security management guidelines—Physical security of ICT equipment systems and facilities
  • the Australian Government physical security management guidelines—Working away from the office
  • the Australian Government physical security management guidelines—Event security
  • the Australian Government protective security governance guidelines—Business impact levels
  • the Protective security better practice guide—Developing agency alert levels
  • other guidelines issued from time to time.

1.2.2 Specific terms used in this protocol

  1. In this protocol the terms:
  • ‘need to’—refers to a legislative requirement that agencies must meet
  • ‘are required to’ or ‘is required to’—refer to a control:

—to which agencies cannot give a policy exception, see Policy exceptions, or

—used in other protective security documents that set controls

  • ‘are to’ or ‘is to’—are directions required to support compliance with the mandatory requirements of the physical security core policy, and
  • ‘should’—refers to better practice; agencies are expected to apply better practice unless there is a reason based on their risk assessment to apply alternative controls.
  2. Additional terms used in this protocol are listed in the PSPF—Glossary of Terms.

1.2.3 Applicability

  1. This protocol applies to all agencies and bodies identified in PSPF—Applicability of the PSPF. It covers all facilities, people, information, functions and physical assets owned by the Australian Government, or those entrusted to it by third parties, within Australia.
  2. Agencies are required to liaise with the Department of Foreign Affairs and Trade when determining physical security arrangements for all overseas missions.

1.3 Intended audience

  1. This protocol is intended for use by:
  • security employees such as Agency Security Advisers (ASAs), security consultants and security practitioners within agencies responsible for:

—assessing risks to agency people, information or physical assets

—everyday physical security in the agency

—specifying, designing, and building technical physical security controls at Australian Government locations, and

—developing agency-specific physical security policies and procedures used by agency employees

  • managers to meet their governance responsibilities
  • staff responsible for promoting and assessing compliance with physical security in corporate functions such as internal audit, human resources, risk management, compliance, legal, and occupational health and safety, and
  • external parties such as business partners, external auditors and industry regulators to understand the Australian Government’s overall physical security position and, where fitting, to evaluate or direct the operation of specific physical security controls to meet their contractual obligations.

1.4 Policy exceptions

  1. Exceptional situations or emergencies may arise that prevent agencies from applying this policy. These may be either of an ongoing or an emergency nature.
  2. There is no policy exception if agencies use alternative physical security measures that provide the same functionality as, or better than, specified controls.
  3. Before agreeing to the use of alternative physical security measures an agency head, or delegate, should seek expert advice to confirm that the technical performance requirements of the proposed measures meet or exceed those of the specified control.

1.4.1 Ongoing policy exceptions

  1. When an agency identifies a situation where the policies in this protocol and supporting guidelines cannot apply, the agency head, or delegate, is to take a clear, risk-based decision on whether to allow the policy exception. Before making such a decision, advice is to be sought from the ASA, Information Technology Security Adviser (ITSA), relevant information originator(s) or physical asset owner(s), and other stakeholders.
  2. If a policy exception is allowed the individual authorising the exception will reasonably assume accountability for any security incident that arises as a direct result.
  3. The ASA is responsible for establishing a system for documenting and managing policy exceptions. The agency should review any exceptions before finalising annual compliance reporting to its Portfolio Minister.
  4. Documenting policy exceptions provides a record that an agency can use to assess its level of compliance with the PSPF mandatory requirements. Therefore, exceptions granted are to inform the reporting of an agency’s compliance to its Portfolio Minister. For further information see PSPF—Governance arrangements—Audit, reviews and reporting.

1.4.2 Emergency policy exceptions

  1. Where justified and necessary under exceptional circumstances, limited policy exceptions may be made without prior management approval. Where prior advice and acceptance of policy exceptions are not possible (for example in an emergency), exceptions are to be reported to the ASA or ITSA within two working days for retrospective processing under the ongoing policy exceptions process noted above.
  2. By definition, emergency exceptions are not expected to be routine in nature.

1.4.3 Deliberate non-compliance with physical security policies

  1. Agencies are to treat deliberate non-compliance with these physical security policies that have not been granted an exception under 1.4.1 or 1.4.2 as a security incident and a breach of the APS Code of Conduct or equivalent for non-APS agencies.

1.5 Structure and design of this protocol

1.5.1 Structure and overview

  1. This protocol is organised into nine sections numbered 1 through 9. The six substantive sections cover different aspects of physical security management encompassing:

Section 3—Agency physical security policies and procedures

Section 4—Agency physical security risk management and planning

Section 5—Physical security treatments

Section 6—Protection of people

Section 7—Physical security of information and ICT equipment

Section 8—Physical security in emergency and increased threat situations.

1.5.2 Formatting and presentation

  1. The sections of this protocol restate relevant mandatory requirements from the PSPF governance arrangements and physical security core policies. Each is followed by policy statements describing the supporting controls and some extra guidance.
  2. Any examples used in this protocol are not intended to be exhaustive, merely illustrative.

1.6 References and supporting documents

  1. This protocol incorporates internal cross-references since certain controls are relevant to more than one section. The on-line version contains fully functional hyperlinks.

1.6.1 Documents given authority by this protocol

  1. This protocol gives policy authority to the following documents:
  • the Australian Government physical security management guidelines—Security zones and risk mitigation control measures
  • the Australian Security Intelligence Organisation (ASIO) Technical Note 1/15—Physical Security of Zones and supplement to the Technical Note 5/12—Physical Security of Zone 5 (TOP SECRET) Areas (for TOP SECRET information and for areas with aggregations of information where the compromise, loss of integrity or unavailability thereof would result in a catastrophic business impact level)
  • the Security Construction and Equipment Committee (SCEC) Security equipment evaluated product list
  • ASIO—Security Equipment Guides (SEGs)
  • the SCEC guides for Type 1 security alarm systems:

—Type 1 Security Alarm System for Australian Government: Product Specification

—Type 1 Security Alarm Systems for Australian Government: Product Integration Specification [Addendum to the Type 1 SAS Product Specification 2010/1], and

—Type 1 Security Alarm System for Australian Government: Implementation and Operation Guide

  • sections of the Australian Signals Directorate (ASD) publication the Australian Government Information Security Manual (ISM) relating to the physical security of ICT systems and equipment, and
  • other physical security guidelines, technical notes, etc. approved by the Protective Security Policy Committee and issued from time to time.

1.6.2 Standards and guidelines referenced

This protocol and supporting physical security guidelines reference Australian and International Standards, Handbooks and Codes listed at Annex A: Referenced Standards, Handbooks and Codes. They also reference:

  • the ASIO Technical Note 1/15 – Physical Security Zones
  • ASIO Protective Security Circulars (PSCs):

—PSC No.53 External Destruction of National Security Classified Matter

—PSC No.73 Classified Waste Destruction

only available to ASAs from ASIO-T4, and

  • other guidelines that give more advice on specific topics.

1.6.3 Access to SCEC and ASIO guides

  1. ASIO Technical Notes, PSCs and SCEC SEGs are available to agency security advisers (ASAs) from the Protective Security Policy Community on GovDex. Requests for access to the community should be emailed to .
  2. SCEC Type One SAS guides may be requested by ASAs from ASIO-T4 by email to .

1.7 Document change control

  1. This protocol is approved by the Attorney-General on advice from the Protective Security Policy Committee.
  2. This protocol is subject to a strict change control process. Feedback, comments, corrections and improvement suggestions (including on areas that are not sufficiently well-covered) are welcome from any part of the Australian Government. Please send feedback to .
  3. Formal reviews will be undertaken periodically, and the version number updated.
  4. The amendments summary will record any corrections or minor amendments to improve understanding. The Attorney-General’s Department will notify ASAs of any updates.

2. How this protocol fits into the PSPF structure

  1. This protocol specifies physical security controls that are used to satisfy the mandatory requirements.
  2. The Standards and supporting guidelines to this protocol amplify the protocol. They detail how the controls should be implemented. Guidelines are developed where no suitable Standards exist. They include a mixture of mandatory and optional physical security controls, and provide advice and supporting information.
  3. These Standards and guidelines will evolve to reflect changes in technologies and the physical security risks. They are likely to change more often than the protocol. The PSPC will authorise amendments to guidelines and the use of any Standards.
  4. The policy hierarchy is supported by various protective security management activities such as reporting and audit procedures, security awareness training and several compliance measures.
  5. The protocol needs to be applied in conjunction with an agency’s other governance activities, strategies and business plans.
  6. The protocol, Standards and guidelines will inform the agency-specific physical security policy and procedures.

3. Agency physical security policies and procedures

Mandatory requirements

PHYSEC 1: Agency heads must provide clear direction on physical security through the development and implementation of an agency physical security policy and address agency physical security requirements as part of the agency security plan.

GOV 1: Agencies must provide all staff, including contractors, with sufficient information and security awareness training to ensure they are aware of, and meet the requirements of the PSPF.

  1. Agencies are to develop specific physical security policies and procedures to meet their business needs that:
  • are consistent with any controls in the protocol and guidelines, and
  • complement and support other agency operational procedures.
  2. Policies and procedures are to take into account the risks created by the agency for others, as well as the risks inherited from business partners.

3.1 Employee awareness of physical security measures

  1. The best agency protection comes from employees maintaining a high level of security awareness. Agencies are to inform their employees on agency physical security policies and procedures covering:
  • measures operating in the agency’s work environment and how they provide security-in-depth
  • what functions and resources the measures are designed to protect
  • how the measures interact and support governance, personnel and information security measures
  • the security responsibilities of the people working in each work area and location
  • the requirement to report security issues or incidents in work areas, and
  • any consequences of failing to adhere to policies and procedures.
  2. Agencies are also to inform employees of any changes to physical security arrangements following changes to the roles, risks or threat levels of agencies. Agencies should, where possible, advise employees of the reasons for the changes.
  3. See the Australian Government personnel security guidelines—Agency personnel security responsibilities for further details on implementing awareness measures.

4. Agency physical security risk management and planning

Mandatory requirements