Australian Government - Attorney-General's Department

Protective Security Policy Framework

5 Reporting on security

Purpose

This policy details the information entities are required to report annually under the Protective Security Policy Framework (PSPF), which is an assessment of the maturity of the entity's security capability. It includes considering the entity's:

  1. progress in achieving the PSPF governance, information, personnel and physical security outcomes
  2. level of implementation and management of the PSPF core and supporting requirements
  3. risk environment and tolerance for security risks
  4. strategies and timeframes to manage identified and unmitigated risks
  5. security risks to people, information and assets.

Reporting provides assurance that sound and responsible protective security practices are occurring. It also identifies security risks and vulnerabilities and the steps being taken to mitigate them.

Requirements

Core requirement

Each entity must report on security each financial year to:

  1. its portfolio minister and the Attorney-General's Department on:
    1. whether the entity achieved security outcomes through effectively implementing and managing requirements under the PSPF
    2. the maturity of the entity's security capability
    3. key risks to the entity's people, information and assets
    4. details of measures taken to mitigate or otherwise manage identified security risks
  2. affected entities whose interests or security arrangements could be affected by the outcome of unmitigated security risks, security incidents or vulnerabilities in PSPF implementation
  3. the Australian Signals Directorate in relation to cyber security matters.

Supporting requirements

The Attorney-General's Department provides a reporting template that sets out the PSPF Maturity Self-Assessment Model as well as the specific data to be provided under this policy.

There are no supporting requirements for reporting on security.

Guidance

Annual security report

The core requirement mandates that each entity must report on security. Under the Public Governance, Performance and Accountability Act 2013 this requirement applies to non-corporate Commonwealth entities. The Attorney-General's Department encourages corporate Commonwealth entities that implement the PSPF to also report on security.

An entity's annual security report summarises the maturity level of its security capability and performance. The report also compiles data on how effective the entity is in managing protective security within the entity.

The Attorney-General's Department consolidates entity data into an aggregated annual security report for the Attorney-General and provides the report together with benchmarking information to entities.

As detailed in the PSPF policy: Security maturity monitoring, entities are required to regularly monitor the security capability and internal procedures and mechanisms within their risk environments.

Reporting on security outcomes

As mandated in the core requirement, entities must report on whether security outcomes have been achieved through effectively implementing and managing requirements under the PSPF.

The four key security outcomes are:

  1. Governance – the entity manages security risks and promotes a positive security culture through clear lines of accountability, sound planning, security incident management, assurance and review processes and proportionate reporting.
  2. Information (including ICT) – the entity maintains the confidentiality, integrity and availability of official information.
  3. Personnel – the entity ensures its employees and contractors are suitable to access Australian Government resources and meet an appropriate standard of integrity.
  4. Physical – the entity provides a safe and secure physical environment for people, information and assets.

When reporting on the entity's effectiveness in implementing and managing requirements under the PSPF, entities are encouraged to evaluate the degree to which implementation successfully achieves the intent of the PSPF.

Reporting on maturity of security capability

Maturity provides a meaningful scale to assess an entity's overall security position within its specific risk environment and risk tolerances. Maturity acknowledges successes and progress towards implementation; and aids decision-making by highlighting areas for improvement.

Maturity of security capability considers how holistically and effectively each entity:

  1. implements and meets the intent of the PSPF core and supporting requirements
  2. minimises harm and damage to government people, information and assets
  3. fosters a positive security culture
  4. responds to, and learns from, security incidents
  5. understands and manages their security risks
  6. achieves security outcomes while delivering business objectives.

Figure 1 illustrates the possible path an entity might take in achieving security maturity.

Figure 1 Possible path to security maturity

This is a visual representation of a possible path to security maturity.

There are 5 main steps an entity can follow in developing security maturity. They are set out as headings: consider, plan, manage, monitor and report.

Under these headings are other factors to be taken into account. PSPF governance-related policies provide further guidance. For example:

Role of accountable authority recommends implementing and considering PSPF requirements.

Management structure and responsibilities recommends determining or reviewing security oversight arrangements and developing or reviewing robust security culture and awareness training.

Security planning and risk management recommends taking four factors into account:

  1. Develop/review security goals, objectives and procedures.
  2. Adopt/consider effectiveness of security risk management.
  3. Identify/monitor performance indicators.
  4. Approve/review security plan.

The security maturity monitoring policy makes three recommendations:

  1. Monitor security risks, emerging issues and changes in context.
  2. Monitor effectiveness of achieving security outcomes.
  3. Identify opportunities for improvement in capability, performance and management of security.

The reporting on security policy recommends delivering a self-assessed PSPF annual security report.

Table 1 sets out the four maturity level indicators and protections for reporting entities to assess their PSPF maturity. The maturity level indicators link to an entity's level of PSPF implementation and security performance within its risk environment.

Under the PSPF Maturity Self-Assessment Model (see Annex A) the maturity levels equate to:

  1. ad hoc: partial or basic implementation and management of PSPF core and supporting requirements
  2. developing: substantial, but not fully effective implementation and management of PSPF core and supporting requirements
  3. managing: complete and effective implementation and management of PSPF core and supporting requirements; this is the baseline maturity level for reporting entities
  4. embedded: comprehensive and effective implementation and proactive management of PSPF core and supporting requirements and excelling at implementation of better-practice guidance.

Table 1 PSPF Maturity Self-Assessment Model indicators and protection

Maturity level: Ad hoc
  Maturity level description – Partial: Some PSPF core and supporting requirements are implemented although are not well understood across the entity. Security outcomes are not being achieved in some areas.
  Maturity level indicators – Entity implementation and basic management of the PSPF core and supporting requirements is inconsistent and ad hoc.
  Maturity level protection – This category provides partial protection of the entity's people, information and assets, potentially exposing the government to unmitigated security risks.

Maturity level: Developing
  Maturity level description – Substantial: The majority of PSPF core and supporting requirements are implemented, broadly managed and understood across the entity. Entity is largely meeting security outcomes.
  Maturity level indicators – Entity has implemented and managed the majority of the PSPF core and supporting requirements but not effectively. There is an established and documented pathway for remaining requirements to be implemented.
  Maturity level protection – This category provides substantial protection of the entity's people, information and assets, potentially exposing the government to security risks.

Maturity level: Managing
  Maturity level description – Full: All PSPF core and supporting requirements are implemented, integrated into business practices and effectively disseminated across the entity. Entity meets security outcomes.
  Maturity level indicators – Entity has effectively implemented and is managing all PSPF core and supporting requirements. Security is considered part of the entity's business practices.
  Maturity level protection – This category provides the minimum required protection of the entity's people, information and assets, consistent with policy requirements.

Maturity level: Embedded
  Maturity level description – Excelled: All PSPF core and supporting requirements are implemented, effectively integrated and exceeding security outcomes. Entity's implementation of better-practice guidance drives high performance.
  Maturity level indicators – Entity has fully and effectively implemented all PSPF core and supporting requirements and integrated them into the entity's business. Security is proactively managed in response to the risk environment and better practice informs the entity's business and security decisions.
  Maturity level protection – This category provides comprehensive protection of the entity's people, information and assets.

Reporting on risks to people, information and assets

Identifying the security risks affecting an entity provides invaluable insight for entity and government decision-makers into risks that are:

  1. systemic or emerging
  2. not sufficiently mitigated
  3. that have insufficient protective security policy coverage.

This evidence informs strategies to mitigate security threats and vulnerabilities across government.

Table 2 Examples of threats, vulnerabilities and risks

Threats:
  1. Malicious action by trusted insider
  2. Malicious software attack (malware, ransomware, spyware)
  3. Cyber extortion (eg distributed denial of service attack)
  4. Abuse of privileged access control
  5. Exploited customer data through secondary targeting

Vulnerabilities:
  1. Unpatched or uncontrolled portable devices
  2. Ineffectual security training or awareness
  3. Low resilience to natural disasters
  4. Poorly secured personal information
  5. Lack of, or ineffectual, cyber security monitoring
  6. Ineffective service provider/third party contracts
  7. Aggregated data not managed
  8. Inadequate firewalls
  9. Poor security culture
  10. Weak security clearance management
  11. Incomplete application whitelisting

Risks:
  1. Data breaches and spills
  2. Compromise of official/protectively marked information
  3. Incorrectly granting security clearance waiver
  4. Low resilience to natural disasters
  5. Poorly secured personal information
  6. Exploited customer data through secondary targeting

Changes in an entity's security risks may be influenced by factors including the security risk environment, operational priorities and security incidents. Entities may not have the same key security risks for consecutive years.

For guidance on security risk management, see the PSPF policy: Security planning and risk management.

Reporting on mitigating and managing security risks

The core requirement mandates entities provide details of measures taken to mitigate identified security risks. The PSPF annual security report template seeks information on implementation activities for each core requirement rated 'ad hoc' or 'developing' to achieve maturity level 'managing'.

Table 3 Example PSPF annual reporting against PSPF policy: Safeguarding information from cyber threats

Core requirement: Safeguarding information from cyber threats

Maturity rating: Developing

Maturity rating rationale: Maturity level reduced to 'developing' (from 'managing'). Machinery of government changes temporarily affecting maturity level as the entity recalibrates ICT systems and management arrangements under new department.

Strategies and timeframes to address unmitigated risks and residual PSPF implementation:
  1. Identification of security advisor positions within three months of finalising machinery of government changes.
  2. SES security governance committee to be established to ensure appropriate security arrangements are factored into new departmental procedures.
  3. ICT system and management arrangements expected to be resolved by next financial year.

For information on risk mitigation and security risk management strategies, see the PSPF policy: Security planning and risk management.

How to report – reporting template

The PSPF annual security report template guides entities through annual security reporting obligations. The template seeks:

  1. self-assessed maturity ratings for each core requirement and a rationale for the rating
  2. proposed future activities and timeframes to improve maturity and address identified risks (required for 'ad hoc' or 'developing' ratings)
  3. a summary of entity risk environments and security capability
  4. details of an entity's key security risks, including those identified for each security outcome (governance, information (including ICT), personnel and physical) as well as the mitigations used to address identified risks
  5. details of exceptional circumstances affecting implementation of the PSPF (see the PSPF policy: Role of accountable authority and remedial action taken to reduce the risk)
  6. security clearance level, type and number of each type of active security clearances waivers (see the PSPF policy: Eligibility and suitability of personnel)
  7. a summary of significant security incidents during the reporting period (see the PSPF policy: Management structure and responsibilities)
  8. confirmation that an entity has submitted the Australian Signals Directorate (ASD) annual survey.

An entity may identify a core requirement as not applicable to the entity's business. Where a core PSPF requirement is not applicable, the entity may maintain a managing maturity level for that requirement and their overall security maturity will not be penalised. For example the PSPF policy: Security governance for international sharing may not be applicable where the entity is confident it does not access any information or assets governed by international agreements or arrangements to which Australia is a party. In this case the entity is to report a managing maturity level.

An entity's overall maturity rating is automated, based on the average of all the individual self-assessed maturity levels selected for each core requirement. Separate to the overall maturity rating, a stand-alone entity maturity rating is calculated for each security outcome (ie governance, information, personnel and physical) based on the average of the applicable core requirements.

Guidance and information is provided in the template and is accessed by moving the cursor over any cell with a red triangle in the top right-hand corner. See examples below.

PSPF annual security report template (under development)

Figure 2 Example reporting on PSPF policy: Sensitive and classified information

This figure is an example of how to report on PSPF policy in the area of sensitive and classified information.

The details on how to do this reporting are set out in section C.2, paragraphs 22–25.

Figure 3 Example indicators for each of the four maturity levels – PSPF policy: Sensitive and classified information

This figure sets out an example of reporting the maturity level reached in each protective security policy. In this case it is assessing the maturity level reached regarding the PSPF policy: Sensitive and classified information.

The details of how to do such reporting are set out in section C.2, paragraphs 22–25.

Once the report is complete, the entity determines the appropriate classification of the report (see the PSPF policy: Sensitive and classified information) and lodges it with their portfolio minister and the Attorney-General's Department by 31 August annually and according to the requirements of Table 4.

Table 4 Lodgement requirements for annual security report

Report sensitivity or classification: OFFICIAL, OFFICIAL: Sensitive or PROTECTED
  Lodgement details – Email: PSPF@ag.gov.au; Phone: 02 6141 3600
  Lodgement contacts:
    1. Applicable portfolio minister
    2. Secretary, Attorney-General's Department, 3-5 National Circuit, Barton ACT 2600, PSPF@ag.gov.au
    3. Affected entities and reporting requirements – refer Reporting to affected entities
    4. Australian Signals Directorate – asd.assist@defence.gov.au
    5. Australian Security Intelligence Organisation – asa@asio.gov.au
    6. Other entities as required.

Report sensitivity or classification: SECRET
  Lodgement details – Email: nationalsecuritypolicy@ag.gov.au. For safe hand procedures refer to PSPF policy: Sensitive and classified information.

Reporting to the minister

The core requirement mandates that an entity must report on security each financial year to their portfolio minister. To fulfil this requirement, entities provide Section 1: Entity details and Section 2: Entity self-assessed security maturity of the PSPF annual security report to their portfolio minister.

Reporting to the Secretary, Attorney-General's Department

The core requirement mandates entities must report on security each financial year to the Secretary, Attorney-General's Department. To fulfil this requirement entities complete all sections of the PSPF annual security report to the Secretary, Attorney-General's Department.

Reporting to affected entities

The core requirement mandates entities must report on security to affected entities whose interests or security arrangements may be affected by the outcome of unmitigated security risks, security incidents or vulnerabilities in any entity's PSPF implementation. To fulfil this requirement, entities must report details of core and supporting requirements assessed with ad hoc and developing maturity that affect and expose other entities to unmitigated security risks. This includes security risks that affect national security and cyber security. Affected entities may include:

  1. lead security entities as set out in PSPF policy: Role of accountable authority, in particular:
    1. the Australian Security Intelligence Organisation (ASIO) – national security risks
    2. the Australian Signals Directorate (ASD) – cyber security risks
    3. other entities in shared-services arrangements
  2. entities such as co-tenants of premises or users of ICT infrastructure.

Table 5 provides examples of reportable issues and the affected entity for reporting purposes.

Table 5 Specific reportable issues

Reportable issue: Significant issues with implementing the Information Security Manual strategies to mitigate cyber incidents, or suspected cyber security incidents relating to:
  1. suspicious or seemingly targeted emails with attachments or links
  2. any compromise or corruption of information
  3. unauthorised hacking
  4. any viruses
  5. any disruption or damage to services or equipment
  6. data spills.
Affected entity: Director, Australian Signals Directorate (see note i) – asd.assist@defence.gov.au

Reportable issue: Security incidents or situations that:
  1. involve suspected:
    1. espionage
    2. sabotage
    3. acts of foreign interference
    4. attacks on Australia's defence system
    5. politically motivated violence
    6. promotion of communal violence
    7. serious threats to Australia's territorial and border integrity
  2. may compromise security classified information:
    1. contact reporting
    2. malicious insider activity.
Affected entity: Director-General, Australian Security Intelligence Organisation – asa@asio.gov.au

Reportable issue: Security incidents or unmitigated security risks that affect another entity's people, information or assets, particularly where entities are co-located or providing services to another entity.
Affected entity: Accountable authority of the entity whose people, information or assets may be affected (refer to the Australian Government Directory).

Table 5 notes:

i. To avoid inadvertently compromising an investigation into a cyber security incident, entities are encouraged to contact ASD as early as possible.

For information on security incident reporting, see the PSPF policy: Management structure and responsibilities.

Reporting to the Australian Signals Directorate on cyber security matters

The core requirement mandates entities must report on cyber security matters to ASD each financial year. To meet this requirement, entities complete the annual survey distributed by ASD to all government entities to ascertain their cyber security posture.

The PSPF annual security report template requests entities confirm submission of the annual survey to ASD.

Find out more

Additional information that may assist with reporting on security:

  1. ASIO T4 protective security guidance material (available for Australian Government entities on Govdex)
  2. Australian Standard AS/NZS ISO 31000: Risk Management – Principles and guidelines
  3. Australian Standards HB 167: Security risk management
  4. Commonwealth Risk Management Policy
  5. Australian Government Information Security Manual
  6. National Archives of Australia Information Management Standard
  7. National Archives of Australia Digital Continuity 2020 policy
  8. Essential Eight Maturity Model
  9. Office of the Australian Information Commissioner Guide to Securing Personal Information
  10. Office of the Australian Information Commissioner Data breach preparation and response – A guide to managing data breaches in accordance with the Privacy Act 1988 (Cth)
  11. Office of the Australian Information Commissioner Privacy (Australian Government Agencies-Governance) APP Code 2017

Annex A. PSPF Maturity Self-Assessment Model