2 Management structures and responsibilities
- Management structures
- Chief Security Officer - responsibilities
- Security governance committee
- Appointing security advisors
- Protective security planning
- Protective security practices and procedures
- Investigating, responding to and reporting on security incidents
- Foster a positive security culture
- Security awareness training
- Find out more
This policy describes the management structures and responsibilities that determine how security decisions are made in accordance with security practices. This provides a governance base for entities to protect their people, information and assets.
Effective management structures and responsibilities require people to be appropriately skilled, empowered and resourced. This is essential to achieving security outcomes.
The accountable authority must:
- appoint a Chief Security Officer (CSO) at the Senior Executive Service level to be responsible for security in the entity
- empower the CSO to make decisions about:
- appointing security advisors within the entity
- the entity's protective security planning
- the entity's protective security practices and procedures
- investigating, responding to, and reporting on security incidents
- ensure personnel and contractors are aware of their collective responsibility to foster a positive security culture, and are provided sufficient information and training to support this.
The CSO must be responsible for directing all areas of security to protect the entity's people, information (including ICT) and assets. This includes appointing security advisors to support them in the day-to-day delivery of protective security and to perform specialist services.
Entities must develop and use procedures that ensure:
Entities must provide all personnel, including contractors, with security awareness training at engagement and annually thereafter.
Entities must provide personnel in specialist and high-risk positions (including contractors and security incident investigators) with specific security awareness training targeted to the scope and nature of the position.
Entities must maintain a monitored email address as the central conduit for all security-related matters across governance, personnel, information (including ICT) and physical security.
The PSPF mandates that a CSO be appointed at the Senior Executive Service (SES) level and be empowered to oversee security across the entity and make security-related decisions. The CSO supports the accountable authority to protect the entity's people, information and assets and to achieve the requirements outlined in PSPF policy: Role of accountable authority. Refer to Chief Security Officer - responsibilities.
The Attorney‑General's Department recommends that the CSO:
- be at an appropriately senior SES level, commensurate with managing critical security-related incidents and emergencies in the entity
- chair or oversee any security governance committees within the entity (if established), refer to security governance committee
- oversee the preparation of the entity's PSPF annual security report for the approval of the accountable authority
- report to the accountable authority on security matters (see Figure 1)
- only perform functions that are consistent with overseeing security for the entity
- oversee any security advisors within the entity.
Figure 1 Suggested management structure hierarchy for protective security accountability within an entity
- Accountable authority: under section 12 of the Public Governance, Performance and Accountability Act 2013 (PGPA Act), the accountable authority is the person or group of persons responsible for, and with control over, each Commonwealth entity's operations, answerable to the portfolio minister for the security of their entity (see the PSPF policy: Role of accountable authority).
- Chief Security Officer: SES officer (with appropriate seniority) responsible for oversight of entity security arrangements across governance, information, personnel and physical security (refer Chief Security Officer - responsibilities).
- Security governance committee: senior committee to support the accountable authority and CSO in achieving protective security objectives and monitoring performance, particularly where the entity's arrangements are large or complex (refer Security governance committee).
- Security advisors: personnel appointed to perform security functions or specialist services (refer Appointing security advisors).
- Managers and supervisors: responsible for positively influencing the protective security behaviour of their personnel (including contractors). See the PSPF policy: Ongoing assessment of personnel.
- Entity personnel, including contractors: responsible for understanding and applying robust security practices to protect government people, information and assets. See the PSPF policy: Ongoing assessment of personnel.
Chief Security Officer - responsibilities
The CSO supports the accountable authority by providing strategic oversight of protective security across governance, information (including ICT), personnel and physical security to assist continuous delivery of business operations. The CSO is responsible for fostering a culture where personnel have a high degree of security awareness, reinforced through practices that embed security into entity operations.
Requirement 1 states that the CSO is responsible for directing all areas of security to protect people, information (including ICT) and assets. This includes tailoring security arrangements to the scale and complexity of the entity. The CSO role is the only mandated security title under the PSPF. The intention is that as a single senior officer with central oversight and responsibility for security arrangements in the entity, they have the flexibility to delegate the day-to-day activities of protective security where required.
Specific security advisor roles and titles are not mandated under this policy. This provides flexibility for the CSO to establish and scale security arrangements. The Attorney‑General's Department recommends the CSO ensure sufficient security advisor positions are in place to perform security management functions (particularly for specialist ICT security services) and to ensure continuous delivery of government business. Appointing security advisors sets out the recommended specific functions that security advisors be appointed to perform.
Key oversight responsibilities of the CSO include:
- supporting the accountable authority to ensure the safety of personnel (including contractors, visitors and clients), information and assets
- ensuring sufficient security advisors are appointed to perform specific security functions for the entity (see Appointing security advisors)
- embedding efficient and effective security management awareness and practices by setting the strategic direction for protective security planning and risk management (refer Protective security planning)
- establishing effective procedures to achieve security outcomes that are consistent with the PSPF and other Australian Government policies and legal requirements (refer Protective security practices and procedures)
- managing the entity's response to security-related crises, incidents and emergencies in accordance with the entity's security incident and investigation procedures, and establishing monitoring mechanisms across the entity (refer Investigating, responding to and reporting on security incidents)
- fostering a positive security culture where personnel understand their responsibilities to manage security risk (refer Foster a positive security culture)
- ensuring information and security awareness training programs are in place so personnel (including personnel and contractors located or travelling overseas) understand their security obligations (refer Security awareness training)
- establishing security performance measures to monitor procedures to achieve required protections, address risks, counter unacceptable security risks, and improve security maturity (see the PSPF policy: Security maturity monitoring)
- disseminating and managing intelligence and threat information to stakeholders across the entity
- overseeing preparation of the entity's PSPF annual security report to accurately reflect its security maturity position and detail how it is addressing areas of vulnerability (see the PSPF policy: Reporting on security).
The scope and complexity of the CSO role depends on the nature of the entity's business and its risk environment. For smaller entities, it may be that the accountable authority takes on the role of the CSO and delegates the day-to-day functions of protective security to appointed security advisors.
The Attorney‑General's Department recommends that the CSO have sufficient experience, or be trained, to perform the required security leadership and oversight functions.
Compatibility with other roles
Specific security advisor roles and titles (other than the CSO) are not mandated under this policy. Some entities may wish to maintain established roles of Agency Security Advisor, Information Technology Security Advisor and Chief Information Security Officer to support the CSO (refer Appointing security advisors).
The Attorney‑General's Department recommends that for entities that are large, complex or carry high risk, and that require multiple senior officers to manage security-related functions, the CSO be appointed at an appropriately senior level to manage these responsibilities.
Security governance committee
Under the Public Governance, Performance and Accountability Rule 2014, entities are required to have an audit committee to review systems of risk oversight and management. Audit committees perform an important role in oversight of risk management, including security risks.
In addition, entities may choose to establish a separate security governance committee to support the accountable authority and CSO by:
- providing a cohesive and coordinated approach to risk and security
- fostering a positive security culture
- establishing longer-term protective security goals and objectives
- monitoring security plans and identifying and managing risks
- considering outcomes of security incidents and investigations
- facilitating information sharing for security improvements.
While not mandatory, where an entity has a security governance oversight committee, the Attorney‑General's Department recommends that the CSO be appointed as the Chair of the committee.
Appointing security advisors
Under the core requirement and Requirement 1, the CSO is empowered to appoint security advisors. In making these decisions, the CSO is encouraged to:
- consider the scope and responsibilities delegated to each position within the context of the entity's risk environment, complexity of business, infrastructure, size and other relevant aspects
- establish appropriate arrangements for managing the responsibilities of advisors (where this results in security advisors not reporting directly to the CSO, the CSO maintains visibility of performance and outcomes)
- appoint advisors at a level that requires only broad direction in terms of delivering objectives, mission or functions
- ensure delegations allow security advisors to undertake specific action in line with the policy of the entity, or to review previous actions or decisions in the work area
- determine the appropriate competencies, experience and specialist skills or qualifications required to undertake the appointed security role/s, including comprehensive knowledge of the PSPF.
The suggested functions listed in Table 2 align with the four security outcomes (governance, information (including ICT), personnel and physical). CSOs may determine what they delegate to advisors and what functions advisor roles cover. This may mean that an advisor is appointed to perform functions spanning the categories suggested in Table 2. They may also perform other functions where appropriate.
CSOs are responsible for encouraging a collaborative approach between security advisors to enable governance, information, personnel and physical security measures that are complementary, promote robust security practices and achieve the entity's security objectives.
Table 2 Suggested security advisor functions (one column for each of the governance, information, personnel and physical security outcomes, each headed "Assist the CSO by:")
Given the range and complexity of security functions, it may be appropriate, depending on the entity's operations or size, to appoint separate advisors for information (including IT security), personnel and physical security matters.
Many functions of a security advisor involve specialised skills. The Attorney‑General's Department suggests such advisors demonstrate comprehensive knowledge or technical competencies in:
- the PSPF and supporting technical guidance, for example ASIO Technical Notes and the Australian Government Information Security Manual
- the application of security measures relevant to the advisor's functions (eg professional ICT certifications)
- managing security risk assessments.
The knowledge, competencies and skills can be attained through on-the-job training, prior experience in a related field or formal qualifications (eg tertiary qualifications such as the Certificate IV, Diploma in Government Security or equivalent qualification). Where entities provide training towards formal qualifications for security advisors, the Attorney‑General's Department recommends that this training be delivered by a Registered Training Organisation (RTO). RTOs are accredited training providers that offer nationally recognised training courses. A list of these organisations is available from www.training.gov.au.
Where the CSO contracts service providers for specific security functions, including where professional technical certification is required (eg SCEC security zone consultants for Type 1 and Type 1a alarm compliance and IRAP Assessors for ICT systems), the entity retains the security accountability. This does not transfer to the contractor. The Attorney‑General's Department recommends the CSO (or appointed security advisor) put in place arrangements to monitor any outsourced security service providers.
For information on ensuring contractors comply with security requirements, see the PSPF policy: Security governance for contracted service providers.
Protective security planning
Security planning establishes the strategic direction and sets out the expectations for efficient and effective security management practices in the entity. This includes ensuring security risks are managed effectively and consistently across the entity to adapt to change, minimise damage and disruption and build resilience.
To make sound decisions about protective security planning, the CSO defines the strategic direction and allocates the resources needed to deliver the strategy, strengthen operations and improve the entity's security maturity. For information on preparing the security plan to manage risks, see the PSPF policy: Security planning and risk management.
Protective security practices and procedures
Protective security practices reflect the entity's implementation of the PSPF core and supporting governance, information, personnel and physical security requirements.
Protective security practices are more likely to be effective in achieving the required protection when they are demonstrated by senior management, embedded into day-to-day operations, and are well understood by all personnel with clear links to why they're important and what they're designed to accomplish.
Requirement 2 mandates that entities must develop procedures to cover all elements of protective security consistent with relevant PSPF policy. The Attorney‑General's Department recommends that entities develop security procedures in conjunction with other security and risk planning and update these procedures when significant changes in the risk environment occur. The Attorney‑General's Department also recommends entities put in place measures to monitor the effectiveness of procedures and security performance and update annual security awareness training with relevant messaging.
Investigating, responding to and reporting on security incidents
Managing security incidents and investigations helps monitor security performance, identify inadequacies in security procedure, and detect security risks in order to implement appropriate treatments. Through effective reporting and investigation of security incidents, entities can identify vulnerabilities and reduce the risk of future occurrence.
In addition to the annual security reporting obligations, certain security incidents are reportable to other entities (see the PSPF policy: Reporting on security).
Security incident management is the process of identifying, managing, recording and analysing any irregular or adverse activities or events, threats and behaviours in a timely manner. Effective monitoring of security incidents is fundamental to good security management. In turn, good security management contains the effects of a security incident and enables recovery as quickly as possible.
Information gathered on security incidents assists the CSO to determine the adequacy of protective security practices, measure security culture, highlight vulnerabilities in security awareness training and inform security improvement activities.
A security incident might have wide-ranging and critical consequences for the entity and the Australian Government. A security incident is defined as an:
- action, whether deliberate, reckless, negligent or accidental, that fails to meet protective security requirements or entity-specific protective security practices and procedures and that results, or may result, in the loss, damage, corruption or disclosure of official information or resources (see Table 3)
- approach from anybody seeking unauthorised access to official resources
- observable occurrence or event (including natural disaster events, terrorist attacks etc) that can harm Australian Government people, information or assets.
A significant security incident is a deliberate, negligent or reckless action that leads, or could lead, to the loss, damage, compromise, corruption or disclosure of official resources. See Table 4 for examples of significant security incidents.
Definition of information compromise
Information compromise includes, but is not limited to:
Table 3 Examples of security incidents
- Criminal actions such as actual or attempted theft, break and enter, vandalism or assault.
- Loss of personal information that is likely to result in serious harm.
- Security classified material not properly secured or stored.
- Security classified material left in inappropriate waste bins or government assets to be sold or disposed of.
- Deliberate disregard of implementing a PSPF requirement.
- Access passes or identification documents lost or left unsecured.
- Incorrect handling of security or classified marked information, such as failure to provide the required protection during transfer or transmission resulting in a data spill on an electronic information network or system.
- Compromise of keys to security locks, or of combination settings.
- Sharing computer passwords.
- Actual or suspected hacking into any ICT system.
Table 4 Examples of significant security incidents
- Espionage or suspected espionage.
- Actual or suspected compromise of material at any level, including tampering with security containers or systems.
- Loss, compromise, suspected compromise, theft or attempted theft of classified equipment.
- Actual or attempted unauthorised access to an alarm system covering a secured area where security classified information is stored.
- Loss of material classified PROTECTED or above, or significant quantities of material of a lower classification.
- Recovery of previously unreported missing classified material or equipment.
- Unauthorised disclosure of official or classified information, significant loss or compromise of cryptographic keying material, or a significant breach of ICT systems as assessed by the Australian Signals Directorate (ASD).
- Continuous breaches involving the same person or work area where the combination of the incidents warrants an investigation.
- Loss, theft, attempted theft, recovery or suspicious incidents involving weapons, ammunitions, explosives or hazardous materials including nuclear, chemical, radiological or biological.
The PSPF policy: Reporting on security outlines an entity's obligation to report security incidents to external entities. Non-compliance with security incident reporting obligations is itself considered a security incident.
Where a suspected security incident involves the major compromise of official information or other resources that originate from, or are the responsibility of another entity, it is important to seek advice from the originating entity prior to instigating any investigation. The originating entity may have operational security requirements that need to be applied to the investigation. In some cases, it may be more appropriate that the originating or responsible entity carries out the investigation.
Detecting security incidents
Early detection of a security incident and timely reporting to the CSO or security advisor is critical to expedite protection, containment and recovery. Establishing simple channels for personnel, contractors and personnel travelling or working remotely to report security incidents, or suspected incidents, is an effective approach to ensuring timely reporting.
Many potential security incidents are observed by personnel. It is important that all personnel, including contractors, understand how and when to report potential incidents or concerns. The Attorney‑General's Department recommends that security incident reporting and consequences, with practical examples, be included in security awareness training.
While reporting of security incidents by personnel is a common means of detection, the Attorney‑General's Department recommends that the CSO consider other identification and monitoring methods to supplement reporting of incidents.
For details on security incident reporting involving contracted goods and service providers, see the PSPF policy: Security governance for contracted goods and service providers.
Managing security incidents
Requirement 2 mandates the entity must establish procedures for managing security incidents.
The Attorney‑General's Department recommends that procedures are consistent, appropriate and fair and ensure the entity is ready to respond to any security incidents that may arise. They may include:
- personnel, including contractors, immediately reporting security incidents to a centralised point in the entity (CSO or security advisors) and include arrangements for personnel travelling or working remotely
- formal procedures and mechanisms to make it easy to report security incidents (including responding to and investigating incidents that occur outside of the entity's premises)
- security advisors maintaining records of reported incidents and any other security incidents
- handling procedures once a security incident has been reported, including:
- clearly defined roles and responsibilities (of personnel involved in the administration of security incidents and the conduct of investigations)
- escalation points, relationships and connection points (internal or external) and communication channels
- timeframes for incident response and recovery
- assessment and categorisation of the level of harm or compromise
- technical requirements and continuity
- prioritisation where multiple incidents or events occur simultaneously
- addressing entity-specific issues or incident types
- linkages to other entity procedures such as business continuity or disaster recovery plans
- reporting to the CSO and security governance committee
- testing and review cycles
- suitable feedback processes to ensure that personnel reporting information security events are notified of results after the issue has been dealt with and closed.
Where security investigation functions are shared across entity work areas or with an outsourced service provider, the Attorney‑General's Department recommends that the CSO (or another delegated SES officer) maintain oversight of the investigation and establish mechanisms to monitor the investigation and ensure communication of issues, findings and decisions to all relevant parties.
Refer to Annex B for further guidance on security incident management.
Recording security incidents
Recording security incidents provides a valuable source of data to obtain insight into an entity's security environment and performance. For example, multiple minor security incidents could indicate poor security awareness and could alert the entity to the need for increased security training and education.
The Attorney‑General's Department recommends that the CSO maintains oversight of these records and regularly analyses security incidents to identify trends and systemic issues. Entities can develop mechanisms for recording incidents that best suit their security environment and operational requirements.
Not all security incidents warrant investigation. The CSO determines when a security incident is serious or significant enough to commence an investigation. Investigating security incidents (actual or suspected) may be necessary to resolve an existing breach or vulnerability and remediate the impact. An investigation may provide valuable information for future risk reviews and assessments and will help entities to evaluate current security plans and procedures.
The audit found that entities can encounter a wide range of security incidents including the theft or loss of assets, the inappropriate handling or suspected compromise of classified information, instances of unauthorised access to information or restricted work areas and the physical or threatened assault of staff. The number and type of security incidents generally reflects the nature of each entity's work, including the level of classified or sensitive information. It may also be influenced by factors such as the conduct of regular security inspections, the strength of security awareness among staff, and the ease of reporting security incidents.
The audit also found that the majority of security incidents (recorded by the audited entities) related to matters that did not warrant a formal investigation. For example, many security incidents were of a minor or procedural nature and were dealt with by local managers or supervisors taking remedial action or were addressed through the conduct of routine inquiries.
Minor security incidents were generally addressed by less formal mechanisms, such as procedural inquiries, and more serious incidents were the subject of formal investigation. In some cases, preliminary investigations were conducted if, for example, all the details or the extent of the impact of a security incident were not known before deciding whether or not to conduct a formal investigation.
A security investigation:
- is a formal process of examining the cause and extent of a security incident that has, or could have, caused harm to individuals, the entity, another entity or the national interest
- gathers evidence that may be admissible for any subsequent action whether under criminal, civil penalty, civil, disciplinary or administrative sanctions
- prevents re-occurrence of the incident by implementing improvements to entity systems or procedures
- protects both the interests of the Australian Government and the rights of affected individuals.
Once the CSO or appointed security advisor has established the need for an investigation, they are encouraged to assess:
- the seriousness or complexity of the incident
- the nature of the possible outcome of the investigation (administrative, disciplinary, civil or criminal)
- if the incident is criminal in nature and needs to be referred to an external entity
- the resources needed to conduct the investigation
- who is the best placed or qualified person to complete the investigation and what support they need
- an agreed investigation process including timeframes
- the authorisation needed to undertake the investigation
- decision-makers and reporting obligations.
The Attorney-General's Department recommends that, where possible, entities apply the Australian Government Investigations Standards (AGIS) to maintain a minimum quality standard within investigations.
The principles of procedural fairness apply to all investigations. These principles require that individuals whose rights, interests or expectations are adversely affected be informed of the case against them and be given an opportunity to be heard by an unbiased decision-maker. Procedural fairness also applies to actions taken as the result of an investigation. Procedural fairness is applied with regard to preserving the security integrity of any current or future investigation of the entity or of another entity.
Requirement 2 mandates that the CSO must establish procedures to investigate, respond to, and report on security incidents. The Attorney‑General's Department recommends investigation procedures cover:
- terms of reference and the investigation plan, authorised by the CSO or other SES officer
- responsibilities, including the investigator, approving officer and other relevant parties
- qualifications and training (as mandated in Requirement 4) required for investigators
- procedural fairness and standards of ethical behaviour to ensure the investigator is impartial, without actual or apparent conflict of interest in the matter being investigated
- actions on receiving a complaint or allegation, including anonymous allegations or reports from whistleblowers
- case management procedures to ensure any case records, activities, recommendations and decisions adhere to the agreed process (AGIS is the recommended standard)
- procedures for operational practices such as interviewing anyone whose interests could be adversely affected by the outcome of a security investigation, or anyone who may be able to assist with a security investigation
- referral points to ASIO, the relevant law enforcement service and ASD
- decision points and agreed escalation and approval phases, including keeping the CSO or delegated officer informed of the investigation's progress
- major findings and recommendations
- final report requirements.
Refer to Annex B for guidance on conducting security investigations.
Foster a positive security culture
Fostering a positive protective security culture is critical to achieving security outcomes. Through a robust security culture, the threat to an entity and its assets can be significantly decreased.
As mandated in the core requirement, the accountable authority must ensure personnel, including contractors, are aware of their collective responsibility to foster a positive security culture and are provided sufficient information and training. The CSO, supported by any appointed security advisors, is responsible for providing security leadership and promoting a culture where personnel value, protect and use entity information and assets appropriately.
In addition to keeping an entity and its personnel safe, a strong and healthy security culture helps to increase internal and external trust, embed consistent positive behaviour and support personnel to engage productively with risk.
A positive security culture is one where:
- security is prioritised and promoted across the entity by the accountable authority and senior leadership
- security is built into an entity's business operations
- security is an enabler of business, supporting accessibility of services
- security risks are identified and managed and personnel understand those risks and their responsibilities in relation to them
- security awareness training is effective in ensuring personnel, including contractors, are:
- aware that security is everyone's business
- able to understand and comply with security-related obligations and entity-specific practices and procedures
- equipped and supported to engage with risk and make risk-based decisions
- aware of the consequences of non-compliance with security practices and procedures
- comfortable to challenge others on non-compliance with entity security practices and procedures
- confident in making decisions on applying protective markings, storing and sharing government information
- security incidents and breaches are reported, recorded and investigated appropriately according to clear entity procedures
- implementation of protective security policies is mature and well-managed
- entity security procedures are easy to understand, current and visible to all personnel
- sensitive and classified information is protected from unauthorised disclosure or compromise and personnel apply the need-to-know principles
- security improvements are encouraged and promoted within the entity.
The Attorney-General's Department recommends the CSO establishes appropriate metrics to measure the maturity of the entity's security culture. See the PSPF policy: Security maturity monitoring.
Security awareness training
The core requirement mandates that entities ensure personnel and contractors are provided with sufficient information on their responsibilities under the PSPF, and their entity-specific security responsibilities.
The core requirement is supported by:
- Requirement 3 that mandates all personnel, including contractors, are provided with security awareness training upon engagement and annual refresher training
- Requirement 4 that mandates all personnel in specialist and high-risk positions, including contractors and security incident investigators, must be provided with specific security awareness training targeted to the scope and nature of the position.
Security awareness training is an important element of protective security and supports implementation of physical, information and personnel security policies, practices and procedures. The Attorney-General's Department recommends that entities use their security plan to identify areas to include in their security awareness training program.
Security awareness training is most effective when it:
- delivers an ongoing security awareness program to inform and regularly remind individuals of security responsibilities, issues and concerns
- briefs personnel on the access privileges and prohibitions attached to their security clearance level prior to being given access, or when required in the security clearance renewal cycle
- ensures that personnel who have specific security duties receive appropriate and up-to-date training
- fulfils security clearance renewal briefing requirements for all personnel and contracted service providers who hold a security clearance of Negative Vetting Level 1 or higher
- clearly communicates to all personnel, including contractors, the entity's protective security practices and procedures.
Entities are encouraged to strengthen security awareness through:
- campaigns that address the ongoing needs of the entity and the specific needs of sensitive areas, activities or periods of time
- security instructions and reminders via publications, electronic bulletins and visual displays such as posters
- protective security-related questions in personnel selection interviews
- drills and exercises
- inclusion of security awareness and attitudes in the entity performance management program.
Delivery of security awareness training
The Attorney-General's Department recommends that the CSO decide on the most appropriate delivery method to ensure consistent delivery of training within their entity or those entities they provide training to as part of a lead security arrangement.
The Attorney-General's Department recommends that in meeting Requirement 3 to provide security awareness training upon engagement and annually thereafter, entities also provide:
- advice to personnel on entity-specific asset management and loss reporting procedures prior to them taking custody of assets, including entity fraud measures
- a safety handbook for all personnel that includes emergency response guidelines and contacts, as well as entity-specific safety requirements and procedures
- regular safety exercises and drills for personnel
- personnel with specific emergency safety or security roles with regular training, as well as assessment of their ongoing competency
- specialist training to meet entity-specific risks
- targeted security awareness training where the entity has identified a need based on their risk profile, or when the entity has an increased or changed threat environment.
If an entity elects to use an outsourced training provider to deliver the security awareness training, the Attorney-General's Department recommends they have sufficient knowledge of the PSPF and expertise in delivering adult education.
Content of security awareness training
Content for all personnel
The Attorney-General's Department recommends that security awareness training programs or briefings include:
Previously reported or investigated security incidents can be used in security awareness training as examples demonstrating what could happen, how to respond to incidents, and how to minimise them in the future. The Attorney-General's Department recommends that information be redacted to maintain appropriate confidentiality.
Additional content for security-cleared personnel
The Attorney-General's Department recommends that, as a minimum, security awareness training programs or briefings for security-cleared personnel:
Requirement 4 mandates that entities must provide personnel in specialist and high-risk positions (including contractors and security incident investigators) with specific security awareness training to address the risks related to the nature and scope of their work or specialisations. Specialist or high-risk positions could include:
Security awareness refresher training
Under Requirement 3, entities are required to provide personnel with security awareness training annually. The CSO determines the form (eg in person, online), scope of coverage and content required for the annual training requirement to maintain sufficient awareness of security requirements and obligations to protect the entity's people, information and assets.
The Attorney-General's Department recommends that the CSO consider:
- the entity's risk and current threat environment
- goals and objectives of the entity's security plan
- any identified inadequacies in previous methods of training or consistent failure to understand content, particularly when systemic or recurring security incidents indicate potential vulnerabilities in awareness training.
Security email address
The siloing of security information in an entity can inhibit effective security management. Silos may be the result of a number of behavioural or system problems, including something as simple as email management. To address this, Requirement 5 mandates a monitored email address for security-related matters to protect against changes in security personnel and facilitate the flow of security-related information.
The Attorney-General's Department recommends that the email address:
- be generic in nature
- take the form of security@[entityname].gov.au or cso@[entityname].gov.au
- be monitored to ensure the flow of security-related information to the CSO, security advisors, committees and other areas in the entity as appropriate
- be provided to the Attorney-General's Department (at PSPF@ag.gov.au) and other relevant entities to maintain contact with the entity and keep them informed of changes in security personnel.
Where the entity is unable to provide a generic email address for security-related matters and relies on an individual's email address, entities are encouraged to ensure the flow of security information is maintained during periods of absence, or if the person leaves the position. For example, the individual's email nominated for security-related matters is monitored by another officer, or is accessible to other officers who perform security functions.
This requirement does not preclude entities from maintaining other security-related mailboxes (eg to limit information based on the need-to-know or for sensitive matters). However, the main monitored email address will be used for all PSPF related correspondence unless otherwise advised.
Find out more
Other legislation and policies include:
- Commonwealth Fraud Control Framework
- Australian Government Investigations Standards
- Public Governance, Performance and Accountability Rule 2014
- Information Security Manual – Guidelines for cyber security incidents
- ISO/IEC 27035:2016 Information technology – Security techniques – Information security incident management
- ISO/IEC 27002:2015 Information technology – Security techniques – Code of practice for information security controls information security incident management section
- Office of the Australian Information Commissioner for the Privacy Act, Guides and APP guidelines.
Annex A. Managing security incidents
Managing security incidents process
Annex A Figure 1 Managing security incidents process
Step 1: Report and record
Establishing simple channels for personnel to report security incidents or suspected incidents is an effective way to ensure timely reporting. The Attorney-General's Department recommends that entity security procedures:
- require personnel, including contractors, to report security incidents to a centralised point in the entity (for example, to the CSO or a security advisor)
- specify the roles and responsibilities of personnel involved in the administration of security incidents and the conduct of investigations
- establish formal procedures and mechanisms to make it easy to report security incidents
- require the security advisors to maintain records of any reported incidents and any other security incidents
- have suitable feedback processes to ensure that personnel reporting information security events are notified of results after the issue has been dealt with and closed.
The Attorney-General's Department recommends entities record the details of each reported security incident, including:
- time, date and location of security incident, including how the incident was detected
- type of official resources involved
- description of the circumstances of the incident, including any personnel or locations involved
- nature or intent of the incident, eg deliberate or accidental
- assessment of the degree of compromise or harm
- whether it is an isolated incident or part of a broader recurring issue
- summary of immediate action (including containment or eradication) and any long-term action taken (including post-incident activities).
Step 2: Assess and decide
Once a security incident is recorded, the Attorney-General's Department recommends it is assessed by the CSO or appointed security advisor to:
- confirm it is a genuine security incident rather than a false alarm or vexatious complaint
- determine the type of incident and scale of harm resulting from the incident
- decide what action is required to address the incident (by whom and when), for example:
- no further action
- amendments to entity procedures, systems or training
- containment, recovery or eradication action required
- training or performance management activities with the individual/s involved in the incident
- security investigation
- escalation to CSO, accountable authority or responsible minister
- external reporting or referral to the appropriate authority (refer to Table 5).
Step 3: Respond and recover
It is appropriate that procedures for responding to serious security violations are formal. This reflects the significant impact these deliberate or reckless actions may have on security.
After an incident has been contained, it may be necessary for eradication or recovery action to be taken to restore information or systems, particularly in ICT. For details on managing cyber security incidents, refer to the Information Security Management – Managing Cyber Security Incidents.
Step 4: Learn
Embedding post-incident learning into incident reports or updated procedures can provide useful insights into opportunities for improvements and emerging issues, vulnerabilities in processes and training, or personnel's understanding of how to apply security obligations. The Attorney-General's Department recommends that a process of continual improvement be applied to monitoring, evaluating, responding to and managing security incidents.
The Attorney-General's Department recommends that entities identify, document and share learnings internally (ie with and between the accountable authority, security advisors and security governance committee) and externally, where appropriate (ie with co-located entities, entities with similar risk profiles or through whole-of-Government arrangements).
Possible questions to consider once the incident is resolved:
- Were the procedures adequate to deal with the incident and were all stages of incident management followed?
- Were the right people involved and were escalation points and timeframes sufficient and useful?
- Did the incident highlight areas of vulnerability and if so, what action is being taken to address these vulnerabilities?
- Could the incident have been prevented? If so, how?
- Could the incident have been detected earlier, or damage reduced if detected earlier?
- What were the triggers and is there a way to prevent future occurrences?
- Is it a recurring incident, or is it becoming systemic? If so, what additional protection or action is required to prevent further incidents?
Annex B. Conducting security investigations
Although not mandatory for security investigations, the Australian Government Investigations Standards provides an investigations practice framework that entities are encouraged to adopt.
Determining the nature of an investigation
Once the CSO or appointed security advisor has established the need for an investigation, they are encouraged to assess from the outset:
- the seriousness or complexity of the incident
- the type of investigation based on likely outcome (administrative, administrative security, civil or criminal)
- if the incident is criminal in nature and needs to be referred to an external entity
- the resources needed to conduct the investigation
- who is the best placed or qualified person to complete the investigation and what support do they need
- timeframes for the investigation
- the authorisation needed to undertake the investigation
- the nature of the possible outcome of the investigation.
The purpose of a criminal investigation is gathering admissible evidence which may lead to placing the offender/s before the court.
As outlined in the Australian Government Investigations Standards, if a security matter is considered by the entity to be a serious crime or complex criminal investigation, it must be referred to the AFP in accordance with the AFP referral process (see www.afp.gov.au), except where:
- the entity has the capacity and appropriate skills and resources needed to investigate serious crime or conduct complex criminal investigations and meet the requirements of the Commonwealth Director of Public Prosecutions in gathering evidence and preparing briefs of evidence
- the issue involves alleged breaches of the Commonwealth Electoral Act 1918.
Where another entity has legislative investigative powers (eg Comcare and ASIO), that entity may have primacy in determining which type of investigation takes precedence.
Where a suspected Commonwealth criminal offence is not or cannot be referred to the AFP for investigation (see AFP website), or requires initial investigation prior to establishing a need to refer to the AFP, entities may need to conduct an investigation for matters such as suspected fraud, theft and unauthorised disclosure of official information. To the extent possible when investigating a suspected Commonwealth criminal offence, or a matter that may result in a criminal investigation, entities are encouraged to consider the rules of evidence.
The rules of evidence cover:
- admissibility of evidence: whether or not the evidence can be used in court
- weight of evidence: the quality and completeness of the evidence.
For guidance on obtaining, recording and storing evidence in accordance with the rules of evidence, refer to the Australian Government Investigations Standards.
The Commonwealth Fraud Control Framework sets out procedures for investigating actual or suspected fraud against the Commonwealth.
Security investigation process
Annex B Figure 1 Security investigation process
A security investigation establishes the facts:
- who, what, why, when, where and how
- the nature of the incident and how it occurred
- the circumstances that led to the incident occurring
- the person/s involved
- the degree of damage to security interests, government people, information or assets
- procedural or system improvements needed to prevent or reduce the likelihood of recurrence.
Step 1: Appoint investigator
In the interests of procedural fairness, it is important that the investigator be impartial and not have an actual or apparent conflict of interest in the matter being investigated.
Entities are strongly encouraged to provide relevant and appropriate training for investigators, as determined by the entity. The AGIS provides guidance on recommended training or qualifications for investigators. Where insufficient power to collect available or required evidence is identified, or if a conflict of interest is identified, the investigator is encouraged to refer the investigation to another person or entity with the necessary powers.
An investigator's key responsibilities include:
- understanding the incident being investigated and the terms of reference
- identifying the relevant law, policy or procedures that apply
- making sufficient inquiries to ascertain all relevant facts
- ascertaining whether an offence or incident has occurred based on the relevant facts
- reporting the findings, identifying the reasons for the findings
- making relevant recommendations.
- applicable legislation that may determine the nature of and set the framework for the investigation
- the nature of the incident
- how serious the incident is and therefore the possible level of harm it has for the entity, or more widely, for government
- whether the incident indicates the existence of a systemic problem
- whether it is part of a pattern of conduct
- whether it may breach any Australian law, especially any criminal provision.
Step 2: Develop an investigation plan
The investigation plan identifies:
- the issues to be investigated
- any relevant legislation, particular provisions of a code of conduct, entity policy and procedures, particular standards and guidelines
- required evidence
- methods and avenues to collect the evidence
- legal requirements and procedures to be followed in collecting evidence
- the allocation of tasks, resources and timings
- arrangements in case the terms of reference or investigation plan need to be modified during the investigation.
Terms of reference for security investigations
The Attorney-General's Department recommends that the CSO approve the terms of reference, objectives and limits for all security investigations, and is encouraged to seek regular reports on investigation progress. The terms of reference could include:
- the background
- resources allocated (people, finances etc.)
- types of inquiries to be conducted
- extent and limit of powers of the investigating officer (consistent with relevant Commonwealth and jurisdictional legislation) during the investigation to collect evidence by:
- obtaining information from people about policies, procedures and practices
- accessing relevant records and other material
- interviewing witnesses and suspects
- search and surveillance
- the format of progress reporting and the final report
- any special requirements or factors specific to the investigation.
Step 3: Gather evidence
The investigator identifies, collects and presents information or evidence that goes to proving or disproving any matters of fact relating to an incident. In an investigation, the types of evidence are:
- documentary (records)
- verbal (recollections)
- expert (technical advice).
Evidence gathered in a security investigation may not comply with the rules of evidence and therefore may not be satisfactory in a criminal investigation, or where legal proceedings might arise in relation to the incident. For guidance on obtaining, recording and storing evidence, refer to the AGIS.
Step 4: Record and store evidence
The Attorney-General's Department recommends investigators maintain a separate file for each investigation. This is a complete record of the investigation, documenting every step, including dates and times, all discussions, phone calls, interviews, decisions and conclusions made during the course of the investigation. Investigators are encouraged to store this file and any physical evidence securely to prevent unauthorised access, damage or alteration. This is to maintain confidentiality and ensure continuity of evidence. It is important that the record includes the handling of physical evidence and any tampering with the file or physical evidence.
Step 5: Prepare the investigation report
At the conclusion of the investigation, the investigator produces a findings report to the CSO, commissioning body (eg security governance committee) or the decision-maker. The report includes reasons for the findings according to the terms of reference using supporting material, and recommendations that could include:
- disciplinary action
- dismissal of a disciplinary charge following a constituted hearing
- referral of a matter to an external entity for further investigation or prosecution
- changes to administrative or security policies, procedures or practices.
Standard of proof
In drawing conclusions regarding administrative investigations, whether conducted for security or other reasons such as disciplinary purposes, the decision-maker needs to be satisfied that the allegations are proved 'on the balance of probabilities'.
Step 6: Close the investigation
The investigation is considered closed when all reports are completed and evidence is documented and filed. It is better practice for an independent person, preferably more experienced than the investigator, to review the closed investigation. This allows an impartial assessment of the investigation that may identify improvements to investigation practices.
1 Where an entity has fewer than 100 employees the accountable authority may appoint their Chief Security Officer at the Executive Level 2 (EL2), providing the EL2:
- reports directly to the accountable authority on security matters, and
- has sufficient authority and capability to perform the responsibilities of the CSO role.
2 Where another legislative obligation or structural arrangement requires a security advisor to report to another position in the entity (eg the Chief Information Officer), the CSO is recommended to retain oversight of the advisor's security-related functions.
3 Some entities may wish to maintain established roles of Agency Security Advisor, Information Technology Security Advisor and Chief Information Security Officer to support the CSO.
4 Entities are encouraged to consider where other legislative obligations overlap with security advisor roles. For example, the Privacy (Australian Government Agencies – Governance) APP Code 2017 requires entities to appoint a dedicated privacy officer(s) to maintain a record of the entity's personal information holdings and a register of privacy impact assessments.
6 Noting that under the Notifiable Data Breach scheme a data breach likely to result in serious harm to any of the individuals to whom the information relates requires an objective assessment. Refer to guidance material on identifying eligible data breaches.