Protective Security Policy Framework

Securing Government business

·  Directive on the security of Government business

·  Governance arrangements, and

·  Core Personnel, Information and Physical Security Management policies

Approved June 2010

Amended July 2015

Version 1.10


© Commonwealth of Australia 2012

All material presented in this publication is provided under a Creative Commons Attribution 3.0 Australia licence (www.creativecommons.org/licenses).

For the avoidance of doubt, this means this licence only applies to material as set out in this document.

The details of the relevant licence conditions are available on the Creative Commons website as is the full legal code for the CC BY 3.0 AU licence (www.creativecommons.org/licenses).

Use of the Coat of Arms

The terms under which the Coat of Arms can be used are detailed on the It's an Honour website (www.itsanhonour.gov.au).

Contact us

Enquiries regarding the licence and any use of this document are welcome at:

Business Law Branch
Attorney-General’s Department
3–5 National Cct
BARTON ACT 2600

Telephone: 02 6141 6666

Document details

Security classification: Unclassified
Dissemination limiting marking: Publicly available
Date of next review: June 2018
Authority: Attorney-General
Author: Protective Security Policy Section, Attorney-General’s Department
Document status: Approved 6 June 2010; amended July 2015


Contents

Amendments

Directive on the Security of Government Business

Overarching Protective Security Policy Statement

Protective Security Principles

Governance

Mandatory requirements

Overall responsibility for protective security

Australian Government protective security roles and responsibilities

National Security Committee of Cabinet

Secretaries Committee on National Security

Protective Security Policy Committee

Inter-Agency Security Forum

Homeland and Border Security Policy Coordination Group

Security Construction and Equipment Committee

Intelligence, technical standards and protective security advice

Applicability of the PSPF

Protective security outside of Australia

Developing a security culture

Security risk management

Audit, reviews and reporting

Security investigations

Legislation

Crimes Act 1914 and the Criminal Code 1995

International security agreements

Business continuity management

Contracting

Fraud control

Core policies

Australian Government personnel security management core policy

Overview

Purpose

Risk management

Need-to-know

Australian Government Security Vetting Agency

Security vetting

Australian Government personnel security management protocol

Vetting decisions – assessment of whole person

Ongoing personnel security management (‘Aftercare’)

Australian Government information security management core policy

Sharing of information and other assets

Agency information security policy and planning

Information security framework and third party access

Information asset classification and control

Operational security management

Information access controls

Information system development and maintenance

Compliance

Australian Government physical security management core policy

Risk management

Security-in-depth

Agency physical security policy and planning

Protection of employees

Physical security

Work health and safety

Duty of care – third parties

Physical security of ICT equipment and information

Physical security in emergency and increased threat situations

Amendments

No. / Date / Section / Amendment
1 / December 2010 / Mandatory requirements / Update reference to mandatory requirements, now available in Securing Government Business – Protective Security Guidance for Executives.
2 / December 2010 / Overall responsibility for protective security / Update wording to more clearly indicate an agency head’s ability to delegate authority.
3 / December 2010 / Australian Government protective security roles and responsibilities / Update references to Australian Government Information Commissioner and Australian Government Crisis Coordination Centre.
4 / December 2010 / Australian Government personnel security core policy / PERSEC 2 – update wording of DSAP to reflect Crimes Act definition replace ‘assessed’ with ‘assessment’.
5 / December 2010 / Australian Government information security core policy / INFOSEC 1 – change wording to reflect INFOSEC arrangements as part of agency security plan.
6 / January 2011 / Australian Government information security core policy / Under INFOSEC 4 – update name of Australian Government Information Security Manual (ISM).
7 / January 2011 / Australian Government physical security core policy / PHYSEC 1 – change wording to reflect PHYSEC arrangements as part of agency security plan.
8 / January 2011 / What is the PSPF? / Update wording to reflect replacement of the PSM.
9 / August 2011 / Core policies / Remove references to PSM and include references to protocols and guidelines.
10 / September 2011 / Core policies / Remove repetition of version number, creating confusion with version of protocols.
11 / September 2011 / Governance arrangements / Include references to new guidelines.
12 / September 2011 / Introduction / Remove references to classified guidelines.
13 / September 2011 / Throughout / Embed hyperlinks to referenced websites.
14 / June 2012 / Directive on the security of Government business / Update Attorney-General’s details.
15 / November 2012 / Throughout / Update links.
16 / November 2012 / Australian Government protective security roles and responsibilities / Update SCEC and ASIO details, remove references to the Cyber Security Policy and Coordination Committee and update Attorney-General’s Department details.
17 / November 2012 / Australian Government information security core policy / Update wording under Information asset classification and control
18 / December 2012 / Throughout / Remove section numbering and include paragraph numbering
19 / April 2013 / INFOSEC 4 / Update to include mandatory strategies to mitigate targeted cyber intrusion
19 / June 2013 / Throughout / Update reference to Australian Signals Directorate (ASD) from Defence Signals Directorate (DSD)
20 / July 2014 / Applicability of the PSPF / Update to reflect change to PGPA Act
21 / September 2014 / Personnel Security core policy / Replace personnel security core policy with new version
22 / October 2014 / Directive on the security of Government Business / Replace directive with updated version consistent with the PGPA Act
23 / November 2014 / Fraud Control / Update to reflect change to Fraud Control Framework
24 / April 2015 / Throughout / Update links
25 / April 2015 / Applicability of the PSPF / Remove reference to AGS advice on applicability of the PSM.
26 / July 2015 / Sections 3.2 and 3.4 / Add definition of agency head to footnotes


1  Directive on the Security of Government Business

  1. The Australian Government is committed to effectively managing the protective security risks to Government business, and building increased trust, confidence and engagement with the Australian people and our international partners.
  2. The Government requires agency heads to have in place effective protective security arrangements to ensure:

•  their respective agency’s capacity to function

•  the safety of those employed to carry out the functions of government and those who are clients of government, and

•  official resources and information the agency holds in trust, both from and for the public, and those provided in confidence by other countries, agencies and organisations, are safeguarded.

  3. To achieve this, agency heads are to apply the Protective Security Policy Framework and promote protective security as part of their agency’s culture. A progressive protective security culture that engages with risk will foster innovation, leading to the increased productivity of Government business.
  4. The Australian Government, through my Department, will continue to develop and refine protective security policy that promotes the most efficient and effective ways to secure the continued delivery of Government business.

Senator the Hon George Brandis QC
Attorney-General

October 2014

2  Overarching Protective Security Policy Statement

  1. The appropriate application of protective security by Government agencies and bodies ensures the operational environment necessary for the confident and secure conduct of Government business. Managing security risks proportionately and effectively enables Government agencies and bodies to provide the necessary protection of the Government’s people, information and assets.

2.1  Protective Security Principles

  1. The Attorney-General is responsible for setting the Government’s protective security policy. Each Australian Government Minister is responsible for the protective security of the departments, agencies or bodies within his or her portfolio. Agency heads are responsible to their Minister for creating and maintaining an agency operating environment that:

•  safeguards its people and clients from foreseeable risks

•  facilitates the appropriate sharing of official information in order for Government to effectively do business

•  limits the potential for compromise of the confidentiality, integrity and availability of its official information and assets, recognising risks to Government such as those associated with aggregation

•  protects official assets from loss or misuse, and

•  supports the continued delivery of the agency’s essential business in the face of disruptions caused by all types of hazards.

  2. Agency heads need to understand, prioritise and manage security risks to prevent harm to official resources and disruption to business objectives. Security is not just a cost of doing business, but enables an agency to manage risks that could adversely affect achieving its objectives. Agencies can only achieve effective protective security if security is part of the agencies’ culture, practices and operational plans. Therefore agencies should build protective security into government processes rather than implementing it as an afterthought. Effective protective security and business continuity management underpin organisational resilience.
  3. Agency heads are to ensure that employees and contractors entrusted with their agency’s information and assets, or who enter their agency’s premises:

•  are eligible to have access

•  have had their identity established

•  are suitable to have access, and

•  are willing to comply with the Government’s policies, standards, protocols and guidelines that safeguard that agency’s resources (people, information and assets) from harm.

3  Governance

  1. Good protective security governance is about both:

•  conformance - how an agency uses protective security arrangements to ensure it meets the obligations of policy and standards and Government’s expectations, and

•  performance - how an agency uses protective security arrangements to contribute to its overall performance through the secure delivery of goods, services or programmes as well as ensuring the confidentiality, integrity and availability of its people, information and assets.

  2. The PSPF is based on principles of public sector governance including:

•  accountability - being answerable for decisions and having meaningful mechanisms in place to ensure the agency adheres to all applicable protective security standards

•  transparency/openness - having clear roles and responsibilities for protective security functions and clear procedures for making decisions and exercising authority

•  efficiency - ensuring the best use of limited protective security resources to further the aims of the agency, with a commitment to risk-based strategies for improvement, and

•  leadership - achieving an agency-wide commitment to good protective security performance through leadership from the top.

For further guidance see the Australian Standards:

·  AS 8000-2003: Corporate governance - Good governance principles

·  AS 8001-2008: Fraud and corruption control

·  AS 8002-2003: Corporate governance - Organizational codes of conduct

·  AS 8003-2003: Corporate governance - Corporate social responsibility

·  AS 8004-2003: Corporate governance - Whistleblower protection programs for entities

3.1  Mandatory requirements

  1. Securing Government Business – Protective Security Guidance for Executives as well as the governance arrangements and core policy documents in the PSPF describe the higher level mandatory requirements applicable to all agencies. Detailed protocol documents and guidelines support the personnel security, information security and physical security core policies. The protocol documents set out procedural minimum requirements. Some agencies have specific security risks that will require them to apply more than the minimum requirements.

3.2  Overall responsibility for protective security

  1. The Government is responsible for the protective security of the Commonwealth. Individual Ministers are responsible for securing the operation of their portfolios.
  2. Within an agency, the Agency Head[1] is responsible for the protection of agency functions, official resources and employees (including contractors). An Agency Head may, in writing, delegate to another person any of the Agency Head’s powers or functions prescribed in the PSPF.
  3. The Attorney-General's Department (AGD) is responsible for the development and delivery of the PSPF.
  4. All Australian Government employees, including contractors, have a collective responsibility to ensure that government resources (people, information and assets) are protected.

3.3  Australian Government protective security roles and responsibilities

  1. The following committees have protective security responsibilities:

•  National Security Committee of Cabinet

•  Secretaries Committee on National Security

•  Protective Security Policy Committee

•  Inter-Agency Security Forum

•  Homeland and Border Security Policy Coordination Group, and

•  Security Construction and Equipment Committee

National Security Committee of Cabinet

  1. The Prime Minister chairs the National Security Committee of Cabinet (NSC) which is the Government’s highest decision-making body on Australia’s national security. NSC considers strategic developments and issues of long term relevance to Australia’s broad national security interests. NSC also oversees federal intelligence and security agencies.

Secretaries Committee on National Security

  1. The Secretaries Committee on National Security (SCNS) provides advice to the Government through NSC on matters of national security. SCNS consists of secretaries of departments and heads of agencies with responsibility for national security matters.

Protective Security Policy Committee

  1. The Protective Security Policy Committee (PSPC) is made up of representatives from agencies with a strong interest in protective security. AGD chairs the PSPC.

Inter-Agency Security Forum

  1. The Australian Government established the Inter-Agency Security Forum to achieve and maintain best practice in security in the Australian Intelligence Community and policy related agencies.

Homeland and Border Security Policy Coordination Group

  1. The Homeland and Border Security Policy Coordination Group (HPCG) draws its representatives from agencies with a focus on homeland and border security issues. The Department of the Prime Minister and Cabinet chairs the HPCG.

Security Construction and Equipment Committee

  1. The Security Construction and Equipment Committee (SCEC), an interagency committee that reports to the PSPC, is responsible for:

•  evaluating security equipment for use by Australian Government agencies, and