Australian Government - Attorney-General's Department

Protective Security Policy Framework


Developing a security culture

An effective security culture is fundamental to securely delivering Australian Government resources. In addition to keeping an entity and its personnel safe from threats, a healthy and strong security culture helps to increase internal and external trust, create consistent positive behaviour, and engage productively with risk. Through the development of an active security culture, the threat to an organisation and its assets can be significantly decreased, highlighting why it is the responsibility of every employee, from the top down, to make security a priority.

To successfully deliver the Protective Security Policy Framework (PSPF), non-corporate Commonwealth entities (agencies) need to foster a professional culture and a positive attitude towards protective security.

GOV-1: Agencies must provide all staff, including contractors, with sufficient information and security awareness training to ensure they are aware of, and meet, the requirements of the PSPF.

Agencies are to:

  • ensure that individuals who have specific security duties receive appropriate, up-to-date training
  • have an ongoing security awareness program to inform and regularly remind individuals of security responsibilities, issues and concerns
  • brief individuals on the access privileges and prohibitions attached to their security clearance level prior to being given access, or when required in the security clearance renewal cycle
  • brief all Australian Government employees and contracted service providers who hold a Negative Vetting Level 1 or higher level security clearance at least every five years as a condition of security clearance renewal
  • communicate and make available to all staff, including contractors, their protective security policies.

GOV-2: To fulfil their security obligations, agencies must appoint:

  • a member of the Senior Executive Service as the security executive, responsible for the agency protective security policy and oversight of protective security practices
  • an agency security adviser (ASA) responsible for the day-to-day performance of protective security functions, and
  • an information technology security adviser (ITSA) to advise senior management on the security of the agency's Information Communications Technology (ICT) systems.

GOV-3: Agencies must ensure that the ASA and ITSA have detailed knowledge of agency-specific protective security policy, protocols and mandatory protective security requirements in order to fulfil their protective security responsibilities.

GOV-4: Agencies must prepare a security plan to manage their security risks. The security plan must be updated or revised every two years or sooner when changes in risks and the agency's operating environment dictate.

GOV-5: Agencies must develop their own set of protective security policies and procedures to meet their specific business needs.

The policy and procedures are to:

  • detail the objectives, scope and approach to the management of protective security issues and risks within the entity
  • be endorsed by the agency head
  • identify protective security roles and responsibilities
  • be reviewed and evaluated in line with changes to entity business and security risks
  • be consistent with the entity's security risk assessment findings
  • explain the consequences for breaching the policy or circumventing any associated protective security measure
  • be communicated on an ongoing basis and be accessible to all entity employees, and where reasonable and practical be publicly available.

Supporting guidelines for developing a security culture

The following protective security governance guidelines support developing a security culture.

Security awareness training guidelines

The security awareness training guidelines have been incorporated into the Australian Government personnel security guidelines—Agency personnel security responsibilities, Section 8.2.

ASA and ITSA functions and competencies guidelines

The Protective security governance guidelines – Agency security adviser and IT security adviser functions and competencies identify better practice and provide advice to agencies to assist them in selecting and developing the skills of agency security advisers (ASAs) and IT security advisers (ITSAs).

Better practice guide—Developing agency protective security policies, plans and procedures

The PSPF requires non-corporate Commonwealth entities to develop their own protective security policies, plans and procedures. The Better practice guide—Developing agency protective security policies, plans and procedures provides guidance to entities in developing these documents. It also assists entities to achieve a consistent approach to determining the personnel, information, physical and procedural controls used to manage security risks.

Better practice guide—Developing an agency classification guide

The PSPF requires non-corporate Commonwealth entities to develop their own classification policies, plans and procedures. The Better practice guide—Developing an agency classification guide provides advice to assist entities with this process. For further information refer to INFOSEC 3 in the PSPF.

Better practice guide—Developing agency alert levels

The PSPF requires non-corporate Commonwealth entities to develop plans and procedures to address emergencies or heightened threat levels (PHYSEC 7). The Better practice guide—Developing agency alert levels provides advice to assist with this process.