
Document Details

Security Classification Unclassified

Dissemination limiting marking For Official Use Only

Date of next review September 2020

Authority Attorney-General

Security & Emergency Management Committee of Cabinet

Author Security and Emergency Management Branch

Justice and Community Safety Directorate

Document Status Approved: 18 April 2017

Amendments

No. Date Section Amendment

(Rows 1 to 11 are blank; no amendments recorded.)

ACT Government Protective Security Policy Framework

CONTENTS

1. Foreword 4

2. Introduction 5

2.1 The ACT Government protective security structure 5

2.2 Directive on the Security of Government Business 5

2.3 Core policies and mandatory requirements 5

2.4 Protocols, standards and guidelines 6

2.6 Directorate specific policies and procedures 6

3. Applicability of the ACT Government Protective Security Policy Framework 6

4. Legislation 6

5. Protective Security Mandatory Conditions 7

5.1 Governance (GOVSEC) 7

5.2 Personnel Security (PERSEC) 9

5.3 Information Security (INFOSEC) 10

5.4 Physical Security (PHYSEC) 11

5.5 Cyber Security (CYBERSEC) 12


1. FOREWORD

The ACT Government Protective Security Policy Framework (PSPF) articulates the government’s expectation for protective security as a business enabler that allows directorates, agencies and the Commonwealth to work together securely in an environment of trust and confidence.

Since the initial release of the PSPF in 2014, aspects of our protective security risk have changed. New risks have emerged and we have gained a greater understanding of how security strategies and business function must work together. The knowledge gained through the implementation and reporting on the original PSPF has been used to improve and enhance this 2017 version of the ACT Government Protective Security Policy Framework.

The 2017 PSPF has been developed to provide clarity to directorates and agencies through its mandatory requirements. To manage the government's protective security risk, this new version adds cyber security to the suite of protective security pillars, being security governance, information, personnel and physical security.

This Framework, supported by the ACT Government Protective Security Operational Procedures Manual, is designed to help directorates and agencies:

a. identify vulnerabilities and their levels of security risk;

b. achieve the mandatory requirements for protective security expected by the government;

c. develop an appropriate security culture and proportionate measures to securely meet their business goals; and

d. meet the expectations for the secure conduct of government business.

The government, through the Justice and Community Safety Directorate, will continue to develop and refine protective security policies that promote the most effective and efficient ways to protect and secure the continued delivery of government business.

Gordon Ramsay

Attorney-General

18 April 2017


2. INTRODUCTION

2.1 The ACT Government protective security structure

The Protective Security Policy Framework (PSPF) is organised in a tiered, hierarchical structure.

Figure 1 - Protective Security Policy Framework

2.2 Directive on the Security of Government Business

The PSPF enables the ACT Government to develop a proactive security culture. It articulates the government's requirement for protective security to be a business enabler, thereby allowing directorates to work together securely in an environment of trust and confidence.

2.3 Core policies and mandatory requirements

The PSPF outlines the government's overarching protective security mandates. These protective security mandates cover security governance (GOVSEC), personnel security (PERSEC), information security (INFOSEC), physical security (PHYSEC) and cyber security (CYBERSEC).

The PSPF and its mandatory requirements use a risk based approach, where the internal policy, type of controls and the annual reporting against the mandatory requirements are based upon the individual risks facing a Directorate or Agency.

This flexibility allows for the diversity of the security risk faced by the ACT Government, and application of strategies commensurate to the risk and the individual Directorate capability or capacity.


2.4 Protocols, standards and guidelines

The ACT Government Protective Security Operational Procedures Manual contains key practice documents to be followed, which include:

• protocols for the conduct of Government specific protective security activities to meet the mandatory requirements;

• better practice guidelines; and

• references and assessment tools to other protective security and risk management documents.

These documents standardise protective security practices across ACT Government, and will facilitate information sharing, support interagency business, and help meet national security obligations.

2.6 Directorate specific policies and procedures

Directorates are to develop specific protective security policies, procedures and protocols that will support their compliance with mandatory requirements appropriate to the security risk, while meeting their business needs.

Directorate specific protective security policies and procedures must take into account the risks created by the Directorates for other areas of the ACT Government, as well as the risks inherited from business partners.

3. APPLICABILITY OF THE ACT GOVERNMENT PROTECTIVE SECURITY POLICY FRAMEWORK

As a policy of the ACT Government, Directorates must apply the ACT Government PSPF.

It is a requirement for all non-government organisations that access ACT Government and Commonwealth information to adhere to the PSPF, and comply with relevant jurisdictional regulations.

4. LEGISLATION

Although the PSPF is not legally prescribed, it supports legislation relevant to protective security, and reflects the aims and objectives of the ACT Government.

Some Directorates are responsible for collecting or processing official information for which there may already be legislated security requirements. These requirements take precedence over the ACT Government's PSPF. Where the legislation mandates lower standards than the ACT Government PSPF, Directorates are encouraged to meet the ACT Government PSPF's higher standards.

Information must only be released in accordance with the policies, legislative requirements and directives of ACT Government. The unauthorised disclosure of information held by the ACT Government is subject to the sanction of criminal law.

The legislative obligations applicable to all Directorates are outlined below. The laws applicable to Directorates may include, but are not limited to, Section 153 of the Crimes Act 1900 (ACT), the Territory Records Act 2002 (ACT), the Public Sector Management Act 1994 (ACT), the Freedom of Information Act 1989 (Cwlth), the Privacy Act 1988 (Cwlth), Information Privacy Act 2014 (ACT), Sections 70 and 79 of the Crimes Act 1914 (Cwlth) and section 91.1 of the Criminal Code 1995 (Cwlth).


5. PROTECTIVE SECURITY MANDATORY CONDITIONS

5.1 Security Governance (GOVSEC)

Protective security governance is based on conformance, compliance, capability and performance. The ACT Government aims to foster a professional culture ensuring accountability, transparency, efficiency and leadership. Directorates and agencies are to implement the ACT Government PSPF governance arrangements and:

• use Australian and International standards of risk management principles, and policies appropriate to Directorate functions and the security risks faced, when developing, implementing and maintaining:

– protective security measures;

– business continuity plans; and

– fraud control plans.

• monitor and review their security policies and protocols to ensure they are complying with mandatory requirements;

• report annually to the ACT Government Security and Emergency Management Senior Officials Group (SEMSOG) on their capability to comply with the PSPF;

• adequately train all employees and contractors, where relevant to ensure they fully understand their security responsibilities;

• remain accountable for the efficient and secure performance of outsourced functions; and

• have processes in place to investigate security incidents promptly and with sensitivity.

Security Governance mandatory requirements.

GOVSEC

1 Directorates and agencies must provide all staff, including contractors, with sufficient information and security awareness training to ensure they are aware of, and meet the requirements of the Protective Security Policy Framework, where relevant.

2 a) To fulfil their security obligations, Directorates and agencies must appoint:

• a member of the Senior Executive Service as the Agency Security Executive (ASE), responsible for the Directorate protective security policy and oversight of protective security practices; and

• an Agency Security Adviser (ASA) responsible for providing advice on security risk and helping managers, employers and others devise and implement appropriate physical, personnel and information security measures and plans.

Shared Services ICT must appoint:

• an Information Technology Security Advisor (ITSA) responsible for Information Communication Technology (ICT) security advice.

b) Directorates and agencies must ensure that the Agency Security Executive (ASE), Agency Security Adviser (ASA) and Agency Security Officer/s (ASO) have detailed knowledge of directorate-specific protective security policy, protocols and mandatory protective security requirements in order to fulfil their protective security responsibilities.


GOVSEC (cont.)

3 Directorates and agencies must:

• adopt a risk management approach to cover all areas of protective security across their organisation; and

• adopt whole of government, or develop their own, protective security policies, procedures and plans to manage their security risks.

4 Directorates and agencies must:

• undertake an annual security assessment against the mandatory requirements detailed within this Framework; and

• report their compliance or capability with implementing the mandatory requirements to the Chair of the Security and Emergency Management Senior Officials Group.

The report must contain:

• a declaration of compliance and/or capability by the Director-General or Chief Executive Officer;

• state any areas of non-compliance or no capability; and

• details on measures taken to lessen the risks arising from mandatory requirements identified as non-compliant or no capability.

5 Directorates and agencies must give all employees, including contractors, guidance on:

• section 153 of the Crimes Act 1900 (ACT) - Disclosure of information by a Territory Officer,

• the Territory Records Act 2002 (ACT),

• the Public Sector Management Act 1994 (ACT),

• the Freedom of Information Act 1989 (Cwlth) and the Australian Privacy Principles contained in the Privacy Act 1988 (Cwlth) and the Information Privacy Act 2014 (ACT), including how this legislation relates to their role.

Directorates and agencies must give all employees, including contractors using or accessing classified information or data management systems, guidance on:

• Section 70 of the Crimes Act 1914 (Cwlth) - Disclosure of information by Commonwealth Officers

• Section 79 of the Crimes Act 1914 (Cwlth) – Official Secrets; and

• Section 91.1 of the Criminal Code 1995 (Cwlth) – Espionage and similar activities

6 Directorates and agencies must adhere to any provisions concerning the security of people, information and assets contained in agreements with other states and territories or the Commonwealth.

7 All Directorates and agencies must comply with ACT Government and other appropriate fraud control and financial management standards.

8 Directorates and agencies must have in place policy and procedures for identifying, reporting and investigating security incidents and taking corrective action. They must also ensure any person engaged to investigate security incidents is trained to the appropriate standards.


5.2 Personnel Security (PERSEC)

The protection of classified resources across ACT Government includes limiting access to only those people whom the government assesses to be suitable and whose work responsibilities specifically require them to access these resources. The government determines suitability for such access through a series of robust assessment processes.

Directorates are to ensure the people they employ are suitable and meet high standards of integrity, honesty and tolerance. These standards and the ACT Government’s obligations under national security arrangements may require some persons to hold a security clearance to the appropriate level.

The definition of ‘employee’ or ‘staff’ in this protocol refers to:

• ongoing and non-ongoing employees of Directorates and agencies;

• government appointees;

• Ministerial staff;

• employees of service providers (contractors and consultants) requiring access to sensitive or classified information or resources; and

• employees of other organisations to which a Directorate provides security classified information or resources.

Personnel Security Mandatory Requirements

PERSEC

1 Directorates and agencies must ensure that ACT Government employees and temporary staff who require ongoing access to ACT Government information and resources:

• are eligible to have access;

• have had their identity established;

• are suitable to have access; and

• are willing to comply with the ACT Government's policies, standards, protocols and guidelines that safeguard that Directorate's resources (people, information and assets) from harm.

Access to higher levels of classified information and resources is dependent upon the granting of the requisite security clearance.

2 Directorates and agencies must have personnel security maintenance arrangements in place to manage:

• the identification of Designated Security Assessed Positions (DSAPs) and Positions of Trust (PoTs);

• an annual review on the suitability and ongoing requirement for Designated Security Assessed Positions (DSAPs) and Positions of Trust (PoTs); and

• the requirement for individuals holding security clearances to advise the Security and Emergency Management Branch of any significant change in personal circumstance that may impact on their continuing suitability to access classified information, systems or resources.


PERSEC (cont.)

3 Directorates and agencies must have in place policies and procedures to:

• identify, protect and support employees that may come under threat of violence, based on a threat and risk assessment of their specific situations. In certain cases, directorates may have to extend protection and support to family members and others;

• report threats or incidents to management, human resources, the Agency Security Executive and law enforcement authorities, as appropriate;

• provide appropriate information, training and counselling to employees; and

• maintain thorough records and statements on reported threats and security related incidents.

5.3 Information Security (INFOSEC)

The ACT Government collects and receives information to fulfil its functions and expects all persons who access or hold this information to protect it. Directorates are to develop, document, implement and review appropriate security measures to protect this information from unauthorised use or accidental modification, loss or release. Directorates are to ensure they appropriately safeguard all official information to ensure its confidentiality, integrity, and availability by applying safeguards so that:

• only authorised people, using approved processes, have access to the information;

• information is only used for its official purpose, retains its content integrity, and is available to satisfy operational requirements;

• information is classified and labelled as required; and

• information created, stored, processed, or transmitted in or over government information and communication technology (ICT) systems is properly managed and protected in accordance with the ACT Government ICT Security Policy and the Acceptable Use of ICT Resources Policy.

Information Security Mandatory Requirements

INFOSEC

1 Directorates and agencies must adopt whole of government or develop their own protective security policies and procedures to provide direction and coordinated management of information security.

These policies and procedures must be appropriate to the level of security risk to the directorate's or agency's information environment.

2 Directorates and agencies must adhere to the Protective Security Policy Framework and related documentation for the classification, protective marking, transfer, handling and storage of information (in electronic and paper-based formats) relative to its value, importance and sensitivity.

3 Directorates and agencies must ensure that their information security measures for all information processes comply with any legislative or regulatory obligations under which the directorate or agency operates.


5.4 Physical Security (PHYSEC)

Physical security is a combination of physical and procedural measures designed to prevent or mitigate threats or attacks against people, information and physical assets. A physical security program aims to deter, detect, delay, respond and recover from security threats.

The ACT Government requires a variety of resources (people, information and assets) to make and implement its decisions. Directorates and agencies hold significant resources on behalf of the ACT Government and the Commonwealth Government to fulfil government functions. The ACT Government requires each of its directorates and agencies to create and maintain an appropriate physical security environment for the protection of these functions and associated resources. The appropriate physical security environment should support the efficient and effective performance of directorate and agency outputs, without compromising the application of protective security measures.

Directorates and agencies are to provide and maintain:

• a safe working environment for their employees, contractors, clients and the public; and

• a secure physical environment for their assets, information and resources.

Physical Security Mandatory Requirements

PHYSEC

1 Directors-General and Chief Executive Officers must provide clear direction on physical security through adopting whole of government guidelines or the development and implementation of internal policy and procedures.

These policies and procedures must be appropriate to the directorate's or agency's level of security risk or business requirements.

2 Directorates and agencies must ensure they fully integrate protective physical security early in the process of planning, selecting, designing and modifying their facilities to fulfil their protective security responsibilities.

3 Directorates and agencies must ensure that any proposed physical security measure or activity does not breach relevant employer workplace, health and safety obligations.

4 Directorates and agencies must show a duty of care for the physical safety of those members of the public interacting directly with the ACT Government. Where a directorate or agency function involves providing services, the directorate or agency must ensure that clients can conduct business with the ACT Government with confidence about their physical wellbeing.


5.5 Cyber Security (CYBERSEC)

The threat to ICT systems has grown exponentially as easy access to sophisticated software and increasingly interconnected global networks provide the capability and opportunity for attacks against ACT Government ICT infrastructure. As the ACT Government operates on a single network, any successful compromise of ICT security has the potential to degrade the integrity of our information and ability to conduct business.

To support the ACT Government PSPF information security mandatory conditions, SS-ICT provides an ICT Security Policy which directorates and agencies across the ACT Government must implement to achieve their business goals. SS-ICT provides detailed guidance and can help directorates and agencies develop their ICT security strategies and protection processes.

Cyber Security Mandatory Requirements

CYBERSEC

1 Shared Services ICT must document and implement operational procedures and measures to ensure ICT systems and network tasks are managed securely. These measures must be cognizant of cyber security risks.

2 Directorates must consult Shared Services ICT when establishing new business units, workgroups, ICT systems or network connections to ensure they include protective security measures or controls. These measures or controls must minimise or remove the risk of information and ICT equipment being made inoperable or inaccessible, or being accessed, used or removed without appropriate authorisation.
