Structure of the Protective Security Policy Framework
The Protective Security Policy Framework (PSPF) is organised in a tiered structure of principles, outcomes, policies and guidance.
There are 5 principles that underpin the PSPF and apply to every area of security.
They are the fundamental values that represent what is desirable for all entities and guide how an entity makes decisions.
- Security is everyone’s responsibility. Developing and fostering a positive security culture is critical to security outcomes.
- Security enables the business of government. It supports the efficient and effective delivery of services.
- Security measures applied proportionately protect entities’ people, information and assets in line with their assessed risks.
- Accountable authorities own the security risks of their entity and the entity’s impact on shared risks.
- A cycle of action, evaluation and learning is evident in response to security incidents.
The PSPF consists of 4 outcomes that outline the desired end-state that the government wants entities to achieve.
Each entity manages security risks and supports a positive security culture in an appropriately mature manner ensuring:
- clear lines of accountability
- sound planning
- investigation and response
- assurance and review processes
- proportionate reporting.
Each entity maintains confidentiality, integrity and availability of all official information.
Each entity ensures its employees and contractors are suitable to access Australian Government resources, and meet an appropriate standard of integrity and honesty.
Each entity provides a safe and secure physical environment for their people, information and assets.
Core requirements and guidance
Under the 4 outcomes are 16 policies, each of which has a core requirement.
The core requirements articulate what entities must do to achieve the government’s desired protective security outcomes.
Most core requirements also have supporting requirements. They help to create a standardised approach to implementing security across government.
Each policy includes guidance, which provides advice on how to effectively implement core and supporting requirements.
- Policy 1: Role of the accountable authority
- Policy 2: Management structures and responsibilities
- Policy 3: Security planning and risk management
- Policy 4: Security maturity monitoring
- Policy 5: Reporting on security
- Policy 6: Security governance for contracted goods and service providers
- Policy 7: Security governance for international sharing
- Policy 8: Sensitive and security classified information
- Policy 9: Access to information
- Policy 10: Safeguarding information from cyber threats
- Policy 11: Robust ICT systems
- Policy 12: Eligibility and suitability of personnel
- Policy 13: Ongoing assessment of personnel
- Policy 14: Separating personnel
Download a copy of the PSPF on a Page for a visual representation of the PSPF structure.