Online reporting portal help
The PSPF reporting portal allows Commonwealth entities to:
- complete and submit your annual security maturity self-assessment online
- access benchmarking reports at the end of the submission period
- access assessments and reports from previous reporting periods (available from 2019-20).
Before accessing the portal, make sure you are familiar with the Protective Security Policy Framework (PSPF). It is designed to support you in meeting your reporting obligations under PSPF Policy 5: Reporting on security.
Accessing the portal
Registered users can access the portal through the link located under the about tab on the annual reporting page.
Account activation
New users will receive an email with a link to activate an account on the portal. Follow the link and complete the online registration.
You will be asked to accept the conditions for access and to create a password that meets the complexity requirements set out in the Australian Government Information Security Manual.
The link in your activation email will expire after 48 hours. If you need a new activation link, contact your Chief Security Officer (CSO) or entity user administrator.
Note! The Attorney-General's Department maintains a list of all CSOs. CSOs accessing the portal for the first time will automatically receive their account activation email at the start of the assessment period.
Logging in
Logging in to the portal uses two-factor authentication.
Factor 1—Username and password
- Your username is your registered email address. If you forget your password, click on the 'Forgot Password?' link.
Factor 2—One-time passcode
- When you enter your username and password, the portal will send you an email with a one-time passcode. You will need to enter the one-time passcode within 15 minutes.
Requesting access
Your CSO or delegated entity user administrator manages access to the portal. Contact them to:
- request access to the portal
- change your user role
- get a new activation link.
Note: If user changes are required and the CSO or entity user administrator is not available, contact the PSPF reporting team at PSPFreporting@ag.gov.au or on 02 6141 3600.
The assessment process
There are four processes to complete to submit your annual security maturity self-assessment online.
1. CSO: Commence assessment
2. Entity contributors: Complete assessment
3. Accountable Authority: Approve assessment (offline)
4. CSO: Submit assessment
The CSO must complete processes 1 and 4.
The CSO can assign responsibility for process 2 to other users. The Accountable Authority must approve the final assessment offline (process 3). The portal will generate a printable assessment (in Microsoft Word), which the Accountable Authority can approve through standard entity procedures.
Commencing the assessment—must be done by the CSO
At the start of the new assessment period, all CSOs will receive an email advising that the PSPF assessment for the entity is available for completion. The email will provide a link to log in and indicate the due date for submission. The CSO must complete the following four steps to start the assessment for the entity:
1. Reporting obligations—outlines the PSPF reporting obligations for non-corporate Commonwealth entities. PRESS 'next step' to acknowledge the reporting obligations.
2. Security classification—allows entities to select the security classification of the data to be entered into the portal. The portal is security classified to accept information up to PROTECTED.
   - Selecting PROTECTED/OFFICIAL: Sensitive will allow reporting through the portal.
   - Selecting SECRET/TOP SECRET will provide a fillable offline reporting template.

   PRESS 'next step' to continue.
3. Setup users—allows the CSO to delegate user administration and manage additional users.
   - (Optional) ENTER email address of the person who will administer user access in your entity
   - (Optional) PRESS '+add new user' to manage additional users – see 'user management' to complete this step

   PRESS 'next step' to continue.
4. Finalise creation—creates the assessment for the reporting period. PRESS 'Create Assessment' to allow your entity to input data for the reporting period.

Note: If you are a Chief Security Officer (CSO) accessing the portal for the first time, see the account activation information.
Security classification
Some entities may need to report a small amount of information security classified at SECRET and above (eg detail about a particular security incident). In this circumstance, entities can use the portal to enter all data security classified at PROTECTED or below and contact the PSPF reporting team to arrange alternative means to submit additional information at a higher security classification.
Completing assessment—can be done by all entity contributors
The annual security maturity self-assessment comprises 17 modules—one for each of the 16 PSPF policies and a summary module. Contributors complete the modules they have access to, noting each module can have multiple contributors.
The portal displays the most recent data input and will override any previous input. Contributors can use the Notes function (at the bottom of each screen) to indicate to other contributors if they have changed input or want to query previous input. Contributors can email notes within the portal to the applicable registered user. The Notes function is only visible to the entity and does not form part of the assessment submission.
Modules 1-16
The assessment contains a module for each of the 16 PSPF policies. Each of these modules has two parts:
- Maturity questions—Each module consists of a set of questions drawn from the core and supporting requirements in the PSPF.
- Rationale, strategies & timeframes—
  - Based on the entity’s answers to the maturity questions, the portal will suggest a maturity level for the module. This will be displayed on a chart that shows the distribution of the entity’s answers for the module.
  - The entity can confirm the suggested maturity level or select a higher or lower maturity level to reflect the entity’s self-assessment.
  - There is a text box to enter a rationale for the final selected maturity level. If the entity changes the suggested maturity level, the rationale must include a justification for the change.
  - If the maturity level for the module is ‘ad hoc’ or ‘developing’, there will be a text box to enter the proposed strategies and a separate box for the corresponding timeframes to improve the entity’s maturity level.
After completing a module, the contributor can continue to the next incomplete module they have access to or proceed to the summary module to add key risks that are relevant to the module just completed.
Summary module
The summary module provides the final assessment of the entity's overall maturity level and maturity levels for each of the PSPF outcomes. These are calculated from the entity's self-assessment at each module.
The summary module also includes three sections with text boxes that must be completed:
- Summary of risk environment and security capability
  - Summary of risk environment
  - Maturity of security capability
- Key risks to the entity's people, information and assets
  - Entity’s top 3-5 security risks
  - Significant security incidents – prefilled from ongoing reporting of significant security incidents in the PSPF reporting portal
  - Summary of significant security incidents during the reporting period – free text for significant security incidents not recorded in the reporting period
  - Exceptional circumstances (if applicable) – prefilled from Module 1 Role of the accountable authority
- Personnel security clearances
  - Active clearances sponsored by the entity.
  - Personnel security clearance waivers—prefilled from Module 12 Eligibility and suitability of personnel and Module 13 Ongoing assessment of personnel.
Contributors can enter summary module information at any time while the assessment is open.
Acknowledgement of reporting obligations
Before providing the assessment report to the entity’s Accountable Authority for approval, the reporting obligations must be acknowledged, consistent with PSPF Policy 5: Reporting on security. Where applicable, explanatory comments should be provided in the text boxes.
Acknowledgements include:
- This entity has reported all unmitigated security risks, security incidents or vulnerabilities in PSPF implementation to other entities whose interests or security arrangements could be affected or has assessed its maturity as developing or below for Policy 5 (reporting to affected entities).
- This entity completed the ACSC Cyber Security Survey for Commonwealth Entities or has assessed its maturity as developing or below for Policy 5 (reporting to ASD).
- This entity has reported to ASIO any significant security incidents or vulnerabilities relating to national security or has assessed its maturity as developing or below for Policy 5 (reporting to ASIO).
Approving the assessment—must be completed offline
When all modules are complete, the entity's Accountable Authority must approve the final assessment. To generate a printable (Word) version of the assessment, press 'Download completed assessment (DOCX)' at the top of any module screen. The printed report provides a place for the Accountable Authority to sign to indicate approval.
Submitting the assessment—must be completed by the CSO
Once the Accountable Authority has approved the assessment report, a copy must be sent to the entity's portfolio minister. The entity is able to acknowledge an expected future date this will be done. Once the CSO completes the acknowledgement of reporting obligations, they can press submit to send the assessment report to the Attorney-General's Department.
Benchmark reports – available immediately after the reporting period closes
At the official close of the reporting period, benchmarking reports are immediately available to the entity’s CSO and any user with the role of full contributor and user administrator.
Offline Reporting Assessment – 2019/20 reporting period
2019/20 PSPF offline reporting assessment
The offline reporting assessment must be used by entities reporting at security classification SECRET and above. Entities reporting up to security classification PROTECTED can use this template as a reference document only and must complete their assessment using the online reporting portal in line with Policy 5 – Reporting on security – Requirement 1. PSPF reporting model and template.
User management
The portal has four different user roles to control access and permissions, allowing entities to establish reporting processes that are appropriate to their entity's size, organisation structure and governance arrangements.
| Role | Access and permissions | What this means |
| --- | --- | --- |
| Submitter | | You are the key contact for the assessment and you have been assigned the submitter role. Depending on the size of your entity and your entity's reporting governance arrangements, you will manage users' access to the portal or assign this function to an entity administrator. Even if you delegate this function, you can continue to manage users. As soon as entity users are assigned roles, the users can access the assessment and complete or review their nominated modules. As CSO, you can also contribute to and review the modules. Once the 16 modules have been completed, you will finalise the submission information, obtain approval for the assessment from the accountable authority, provide the assessment to the relevant portfolio minister and submit the assessment to the Attorney-General's Department. |
| Entity Administrator | | The CSO has delegated the user administration of the portal to you. You will only see information on the users and be able to edit their details, add new users or deactivate existing users. If you are required to see assessment information, the CSO can assign you an entity viewer role. |
| Contributor | | As a contributor you will be assigned modules to complete. You may also be assigned entity viewer access to other modules. You can see details of all the portal users and can change your own contact details. |
| Entity Viewer | | As an entity viewer you can access all the portal reports, see all the users and see draft and completed modules to which you have been given access. Any feedback to the CSO or module contributor(s) you wish to provide is actioned outside the reporting portal. |

The role of Submitter is assigned by the Attorney-General's Department and can only be undertaken by the entity CSO. Other user roles can be assigned by the CSO, including delegation of user management by assigning the role of Entity Administrator.

| Small | Medium | Large |
| --- | --- | --- |
| CSO commences assessment | CSO commences assessment | CSO commences assessment |
| CSO manages users | Separate user administrator | Separate user administrator(s) |
| CSO and one or two contributors input data for all modules | A number of contributors for each module and outcomes | Lead contributors for some outcomes/modules |
| CSO reviews all modules | A number of reviewers | Several reviewers |
| Viewers are limited | Viewers are limited | Many viewers |
| CSO obtains accountable authority approval | CSO obtains accountable authority approval | CSO obtains accountable authority approval |
| CSO submits | CSO submits | CSO submits |