Risk management and organisational security are not only concerns for the corporate sector. Like any other business, government entities need to ensure that they are operating securely. In addition to ensuring the secure operation of government business, this is also a matter of national security.
The Protective Security Policy Framework (PSPF) “assists Australian government entities to protect their people, information and assets, both at home and overseas.”
The PSPF consists of five principles and four outcomes. Each outcome has associated core requirements, which outline what actions must be taken to achieve the outcomes. There are 16 core requirements in total.
Five principles
The Australian government outlines five principles – fundamental values that apply to every area of security:
- Security is everyone’s responsibility. Developing and fostering a positive security culture is critical to security outcomes.
- Security enables the business of government. It supports the efficient and effective delivery of services.
- Security measures protect entities’ people, information and assets in line with their assessed risks.
- Accountable authorities own the security risks of their entity and the entity’s impact on shared risks.
- A cycle of action, evaluation and learning is evident in response to security incidents.
Four outcomes
The four outcomes relate to the desired results the government aims to achieve across the areas of security governance, information security, personnel security and physical security.
Security governance
This outcome is stated by the Australian government as:
Each entity manages security risks and supports a positive security culture in an appropriately mature manner ensuring:
- Clear lines of accountability,
- Sound planning,
- Investigation and response,
- Assurance and review processes, and
- Proportionate reporting.
This outcome includes seven core requirements relating to:
- The role of the accountable authority. This role involves risk assessment and management, and supporting other entities.
- Management structures and responsibilities. This includes the accountable authority appointing a Chief Security Officer (CSO) with clearly defined responsibilities and powers.
- Security planning and risk management. Each entity must have in place a security plan approved by the accountable authority.
- Security maturity monitoring. Monitoring progress against the goals set out in the security plan.
- Reporting on security. Each entity reports annually to its portfolio minister, the Attorney-General’s Department, the Australian Signals Directorate and any other affected entities.
- Security governance for contracted service providers. Contracted providers must comply with relevant PSPF requirements.
- Security governance for international sharing. Relevant to all international agreements to which Australia is a party.
Information security
This outcome is stated by the Australian government as:
Each entity maintains the confidentiality, integrity and availability of all official information.
This outcome includes four core requirements which “apply to all information assets owned by the Australian government, or those entrusted to the Australian government by third parties, within Australia.”
These core requirements relate to:
- Sensitive and classified information. Relates to the identification and classification of sensitive information, and implementation of proportionate operational controls.
- Access to information. Sharing information as required while ensuring appropriate security clearance procedures.
- Safeguarding information from cyber threats. Implementing information security best practices to mitigate cyber security incidents.
- Robust ICT systems.
Personnel security
This outcome is stated by the Australian government as:
Each entity aims to ensure its employees and contractors are suitable to access Australian government resources, and meet an appropriate standard of integrity and honesty.
This mitigates the threat of misuse of government resources by trusted insiders.
This outcome includes three core requirements:
- Eligibility and suitability of personnel. Conducting the relevant checks before personnel gain access to resources.
- Ongoing assessment of personnel. Ensuring personnel remain suitable to access resources.
- Separating personnel. Ensuring continued protection of resources after someone leaves the entity.
Physical security
This outcome is stated by the Australian government as:
Each entity provides a safe and secure physical environment for their people, information and assets.
This outcome includes two core requirements:
- Physical security for entity resources. Minimising the risk of harm to people and the misuse or damage of information and assets.
- Entity facilities. Ensuring the safety of facilities.
Guidance
In addition to the five principles, four outcomes and 16 core requirements, a key element in the success of the Protective Security Policy Framework (PSPF) is appropriate guidance that advises entities on how the PSPF requirements can be delivered.
The Australian government offers a range of resources to support implementation of the PSPF.