5 Reporting on security

Purpose

This policy details the information entities are required to report annually under the Protective Security Policy Framework (PSPF), which is an assessment of the maturity of the entity's security capability. It includes considering the entity's:

  1. progress in achieving the PSPF governance, information, personnel and physical security outcomes
  2. level of implementation and management of the PSPF core and supporting requirements
  3. risk environment and tolerance for security risks
  4. strategies and timeframes to manage identified and unmitigated risks
  5. security risks to people, information and assets.

Reporting provides assurance that sound and responsible protective security practices are occurring. It also identifies security risks and vulnerabilities and the steps being taken to mitigate them.

Requirements

Core requirement

Each entity must report on security:

  1. each financial year to its portfolio minister and the Attorney-General’s Department addressing:
    1. whether the entity achieved security outcomes through effectively implementing and managing requirements under the PSPF
    2. the maturity of the entity's security capability
    3. key security risks to the entity's people, information and assets
    4. details of measures taken to mitigate or otherwise manage identified security risks
  2. to affected entities whose interests or security arrangements could be affected by the outcome of unmitigated security risks, security incidents or vulnerabilities in PSPF implementation
  3. to the Australian Signals Directorate in relation to cyber security matters.

Supporting requirements


Requirement 1.
PSPF reporting model and template

Each entity must submit a report on security each financial year:

  1. through the PSPF online reporting portal for information up to PROTECTED or
  2. by submitting an offline reporting template for information classified higher than PROTECTED.

Requirement 2.
Reporting security incidents

Each entity must report any significant or reportable security incidents at the time they occur to:

  1. the Attorney-General’s Department
  2. the relevant lead security authority
  3. other affected entities.

Table 3 provides detailed guidance on reporting security incidents.

Requirement 3.
ASD cyber security survey

Each entity must complete the Australian Signals Directorate’s annual cyber security survey.

Guidance

All non-corporate Commonwealth entities must meet the core and supporting requirements in this policy, consistent with the requirement in section 21 of the Public Governance, Performance and Accountability Act 2013 for the Accountable Authority of a non-corporate Commonwealth entity to govern the entity in a way that is ‘not inconsistent with’ the PSPF.

The Attorney-General’s Department encourages corporate Commonwealth entities and Commonwealth companies that implement the PSPF to also report on security.

Reporting to the portfolio minister and the Attorney-General’s Department

The core requirement mandates that an entity must report on security each financial year to its portfolio minister and to the Attorney-General’s Department. An entity’s annual security report summarises the maturity of its security capability and the level of implementation and management of the requirements under the PSPF.

The annual security report will show the extent to which an entity has:

  1. achieved the four protective security outcomes relating to security governance, information, personnel and physical security
  2. implemented the 16 core requirements and the supporting requirements that entities must meet to achieve the four protective security outcomes
  3. identified the key security risks relevant to the particular entity’s people, information and assets, and
  4. implemented strategies and timeframes to manage identified and unmitigated risks.

The Attorney-General’s Department provides an online reporting portal (for information classified up to PROTECTED) or a reporting template (for information classified higher than PROTECTED) to support entities to capture relevant information and meet all the elements of the core requirement. The portal and template are based on the PSPF Maturity Self-Assessment Model, which is provided at Annex A.

The Maturity Self-Assessment Model requires entities to assess their security capability against four levels of maturity—ad hoc, developing, managing and embedded—and provides a meaningful scale to support consideration of the entity's overall security position within its specific risk environment and risk tolerances. The Maturity Self-Assessment Model helps entities acknowledge successes and progress towards implementation; and aids decision-making by highlighting areas for improvement.

Under the Maturity Self-Assessment Model the maturity levels are:

  1. ad hoc: partial or basic implementation and management of PSPF core and supporting requirements
  2. developing: substantial, but not fully effective, implementation and management of PSPF core and supporting requirements
  3. managing: complete and effective implementation and management of PSPF core and supporting requirements; this is the baseline maturity level for reporting entities
  4. embedded: comprehensive and effective implementation and proactive management of PSPF core and supporting requirements, and excelling at implementation of better-practice guidance.

Preparing for PSPF reporting

As detailed in PSPF policy: Security maturity monitoring, entities are required to regularly monitor and assess their security capability and risk culture by considering their progress against the goals and strategic objectives identified in the security plan. Information collected through security maturity monitoring can be used to inform the entity’s annual security report. Figure 1 illustrates the possible information collection points that can be documented as an entity goes through the process of planning, managing and monitoring its path to security maturity.

Figure 1 Pathway to collect information on security maturity (figure not reproduced in this text)

Reporting on security outcomes and implementing and managing the requirements under the PSPF

The core requirement mandates that entities report on whether security outcomes have been achieved through effectively implementing and managing requirements under the PSPF.

There are four security outcomes:

  1. Governance – each entity manages security risks and supports a positive security culture in an appropriately mature manner ensuring: clear lines of accountability, sound planning, investigation and response, assurance and review processes and proportionate reporting.
  2. Information (including ICT) – each entity maintains the confidentiality, integrity and availability of all official information.
  3. Personnel – each entity ensures its employees and contractors are suitable to access Australian Government resources, and meet an appropriate standard of integrity and honesty.
  4. Physical – each entity provides a safe and secure physical environment for their people, information and assets.

The outcomes are achieved by implementing the PSPF policies, each of which is comprised of core and supporting requirements. By considering the entity’s effectiveness in implementing and managing the core and supporting requirements, in the context of its specific risk environment and risk tolerances, the entity can assess the maturity of its implementation of each policy. The maturity levels (ad hoc, developing, managing and embedded) for each policy are defined in the PSPF Maturity Self-Assessment Model at Annex A.

When reporting on the entity’s effectiveness in implementing and managing requirements under the PSPF, entities are asked to evaluate the degree to which implementation achieves the minimum requirements set out in the PSPF. The degree of implementation can be described as:

  1. Partial – Requirement is not implemented, is partially progressed or is not well understood across the entity.
  2. Substantial – Requirement is largely implemented but may not be fully effective or integrated into business practices.
  3. Full – Requirement is fully implemented and effective and is integrated, as applicable, into business practices.
  4. Excelled – Requirement and relevant better-practice guidance are proactively implemented in accordance with the entity's risk environment, are effective in mitigating security risk and are systematically integrated into business practices.
  5. Yes or No – For a small number of requirements, it is not possible to evaluate the degree of implementation and entities can only state whether they have or have not implemented the requirement, for example, the requirement to submit the Australian Signals Directorate’s annual cyber security survey.

For an entity to assess its implementation and management of the PSPF requirements as fully effective (managing maturity), the entity is expected to implement all of the core and supporting requirements or implement alternative protective security measures that provide the same (or exceed the level of) protection as the PSPF requirement and/or supporting requirements.

Strategies to mitigate and manage security risks

The core requirement mandates that entities provide details of measures taken to mitigate identified security risks. For each core requirement rated ‘ad hoc’ or ‘developing’, the PSPF reporting portal and template require entities to provide information on planned strategies and implementation activities to achieve maturity level ‘managing’. Each strategy or activity requires an associated timeframe.

Table 1 Example PSPF annual reporting against PSPF policy: Safeguarding information from cyber threats

Core requirement: Safeguarding information from cyber threats

Maturity assessment: Developing

Maturity assessment rationale: Machinery of government changes temporarily affecting maturity level as the entity recalibrates ICT systems and management arrangements under the new department.

Strategies to address unmitigated risks and residual PSPF implementation, with timeframes to improve and achieve ‘managing’ maturity:

  1. Identification of security advisor positions within three months of finalising machinery of government changes. Timeframe: December 2020
  2. SES security governance committee to be established to ensure appropriate security arrangements are factored into new departmental procedures. Timeframe: June 2021
  3. ICT system and management arrangements currently under review for update. Timeframe: September 2021

For information on risk mitigation and security risk management strategies, see the PSPF policy: Security planning and risk management.

Reporting on maturity of security capability

The core requirement mandates that the annual security report address the maturity of the entity’s security capability. Assessing the maturity of the entity’s security capability involves considering how holistically and effectively each entity:

  1. implements and meets the intent of the PSPF core and supporting requirements
  2. minimises harm and damage to government people, information and assets
  3. fosters a positive security culture
  4. responds to, and learns from, security incidents
  5. understands and manages their security risks
  6. achieves security outcomes while delivering business objectives.

While this assessment will reflect the entity’s overall maturity level under the Maturity Self-Assessment Model, it allows entities to provide a more nuanced view of the entity’s strengths and weaknesses within that maturity level.

Table 2 Maturity indicators for security capability and associated level of protection

Table 2 sets out the four maturity level indicators for security capability and the level of protection associated with each maturity level. The maturity indicators link to an entity’s level of PSPF implementation and security performance within its risk environment.

Reporting on security risk

Summary of security risk environment

An entity’s security risk environment is the environment in which the entity operates and is determined after considering the threats, risks and vulnerabilities affecting the protection of the entity’s people, information and assets including:

  1. what the entity needs to protect (via a risk assessment) being the people, information and assets assessed as critical to its ongoing operation and to the national interest
  2. what it needs to protect against (via the threat assessment and business model, for example face to face contact with the public, shared facilities)
  3. how the risk will be managed within the entity.

When determining their risk environment there are a number of security risk indicators an entity may consider, including:

  1. the sensitivity and security classification of information holdings, including consideration of aggregations of information and the classification of the entity’s IT networks, see PSPF policy: Sensitive and classified information
  2. the type of information held and the impact level of compromise, eg aggregations of personal information
  3. the type of personnel (employees and contractors, security clearance holders or uncleared personnel) within the entity, see PSPF policy: Ongoing assessment of personnel
  4. categories of assets held by the entity, see PSPF policy: Physical security for entity resources
  5. the physical security zone levels defined in the entity’s facilities, see PSPF policy: Entity facilities.

Examples of threats, vulnerabilities and risks

Threats:
  • Malicious action by trusted insider
  • Malicious software attack (malware, ransomware, spyware)
  • Cyber extortion (eg distributed denial of service attack)
  • Abuse of privileged access control
  • Exploited customer data through secondary targeting

Vulnerabilities:
  • Unpatched or uncontrolled portable devices
  • Ineffectual security training or awareness
  • Low resilience to natural disasters
  • Poorly secured personal information
  • Lack of, or ineffectual, cyber security monitoring
  • Ineffective service provider/third party contracts
  • Aggregated data not managed
  • Inadequate firewalls
  • Poor security culture
  • Weak security clearance management
  • Incomplete application control

Risks:
  • Data breaches and spills
  • Compromise of official/protectively marked information
  • Incorrectly granting security clearance waiver
  • Low resilience to natural disasters
  • Poorly secured personal information
  • Exploited customer data through secondary targeting

Key risks to people, information and assets

Identifying the key security risks affecting an entity provides an invaluable insight for entity and government decision-makers. Analysing this information may highlight:

  1. risks identified under any of the 16 PSPF policies
  2. systemic or emerging risks
  3. significant risks not sufficiently mitigated, or
  4. significant risks that have insufficient protective security policy coverage.

The Attorney-General’s Department, as well as other lead security entities, uses information collected about key security risks to inform policy and develop strategies to mitigate security threats and vulnerabilities across government.

Changes in an entity’s security risks may be influenced by factors including the security risk environment, operational priorities and security incidents. Entities may not have the same key security risks for consecutive years.

For guidance on security risk management, see PSPF policy: Security planning and risk management.

How to report

The core requirement mandates that entities submit their annual security report to the Attorney-General’s Department and to the entity’s portfolio minister. In accordance with supporting requirement 1 (PSPF reporting model and template), entities must use:

  1. the PSPF online reporting portal to complete and submit reports containing information classified as PROTECTED and below
  2. the PSPF offline reporting template to complete reports containing information classified higher than PROTECTED, which can be submitted by secure means appropriate for the security classification of the report.

PSPF online reporting portal

The PSPF reporting portal allows Commonwealth entities to complete and submit their annual security assessment online, access benchmarking reports at the conclusion of the submission period and access reports from previous reporting periods.

The PSPF reporting portal is accredited to process, store and communicate information up to PROTECTED.

At the start of the new assessment period, all Chief Security Officers (CSOs) will receive an email advising that the PSPF assessment for the entity is available for completion. The email will provide a link to log in and indicate the due date for submission.

All CSOs must commence the assessment in the portal. For entities reporting information classified higher than PROTECTED, the PSPF online reporting portal will generate a downloadable offline reporting template. The offline reporting template is not saved in the PSPF reporting portal and can be transferred to an ICT system appropriate for the security classification of the report.

Completing the assessment

The annual security assessment comprises 17 modules: one for each of the 16 PSPF policies and a summary module.

Modules 1-16

The assessment contains a module for each of the 16 PSPF policies. Each of these modules has two parts:

Maturity questions

Each module consists of a set of questions drawn from the core and supporting requirements in the PSPF.

Rationale, strategies & timeframes

Based on the entity’s answers to the maturity questions, the portal will suggest a maturity level for the module. This will be displayed on a chart that shows the distribution of the entity’s answers for the module.

The entity can confirm the suggested maturity level or select a higher or lower maturity level to reflect the entity’s self-assessment.

There is a text box to enter a rationale for the selected maturity level. If the entity changed the suggested maturity level, the rationale should explain why the change is justified.

If the maturity level for the module is ad hoc or developing, there will be a set of text boxes to enter the proposed strategies and timeframes to improve the entity’s maturity level.

An entity may identify a core requirement as not applicable to the entity’s business. Where there is an option to assess a core or supporting PSPF requirement as not applicable, the entity’s security maturity will not be penalised. For example, the PSPF policy: Security governance for international sharing may not be applicable where the entity is confident it does not access any information or assets governed by international agreements or arrangements to which Australia is a party. In this case marking not applicable will not affect the entity’s maturity.

Summary Module

The summary module provides the entity’s overall maturity rating, which is calculated based on the average of all the individual self-assessed maturity levels selected for each core requirement.

Separate to the overall maturity rating, a stand-alone entity maturity rating is calculated for each security outcome (ie governance, information, personnel and physical) based on the average of the applicable core requirements. Entities have the option of providing additional information to describe their maturity level for each outcome.

The summary module provides text boxes that must be completed:

  • Summary of risk environment
  • Maturity of security capability
  • Key risks to the entity’s people, information and assets

Within the summary module, the following information will be prefilled from answers provided in earlier modules or from elsewhere in the portal:

  • Summary of significant security incidents during the reporting period (if applicable)—prefilled from the significant security incidents reported through the online reporting portal during the financial year. Where an entity identifies that a significant security incident has not been reported through the portal, the entity is required to add the incident to the summary module
  • Exceptional circumstances (if applicable)—prefilled from Module 1 Role of the accountable authority
  • Personnel security clearances and waivers—prefilled from Module 12 Eligibility and suitability of personnel and Module 13 Ongoing assessment of personnel

Approving the assessment

The entity’s Accountable Authority is responsible for approving the report before it is submitted to the Attorney-General’s Department and portfolio minister. This responsibility cannot be delegated.

The report cannot be approved in the portal. A copy of the final report can be downloaded for the Accountable Authority to approve offline. For entities using the offline template, instructions are included in the template.

Submitting the assessment

To meet the requirement to report to the entity’s portfolio minister, the entity must provide the minister with the content of the summary module from the online PSPF reporting portal or offline reporting template. This content can be provided in the format of the report downloaded directly from the PSPF reporting portal or by copying and pasting the content into a format that meets the entity’s standard procedures for communicating with their minister.

To meet the requirement to report to the Attorney-General’s Department, the entity’s CSO must finalise the assessment by completing the acknowledgement of reporting obligations to confirm that:

  1. the entity has reported to affected entities whose interests or security arrangements could be affected by the outcomes of unmitigated security risks, security incidents or vulnerabilities in PSPF implementation. If not, the entity has provided explanatory comments.
  2. the entity has submitted the ACSC Cyber Security Survey for Commonwealth entities. If not, the entity has provided explanatory comments.
  3. the entity has reported to ASIO any significant security incidents or vulnerabilities relating to national security. If not, the entity has provided explanatory comments.
  4. the assessment has been approved by the accountable authority: confirmation and date approved
  5. the assessment has been provided to the relevant portfolio minister: confirmation and date provided

The entity can provide additional comments at this stage, for example to advise if supplementary information needs to be provided separately because it is classified above PROTECTED.

The CSO is responsible for submitting the report to the Attorney-General’s Department in the online portal or by secure means appropriate for the security classification of the report. This responsibility cannot be delegated.

Reporting to affected entities

The core requirement mandates entities report on security to all affected entities whose interests or security arrangements could be affected by the outcome of unmitigated security risks, security incidents or vulnerabilities in the entity’s PSPF implementation.

To fulfil this requirement, entities must report details of core and supporting requirements assessed as ad hoc or developing maturity that affect and expose other entities to unmitigated security risks. This includes security risks that affect national security, cyber security and shared service arrangements. Affected entities may include:

  1. lead security entities as set out in PSPF policy: Role of accountable authority, in particular:
    1. Australian Security Intelligence Organisation (ASIO) for national security risks
    2. Australian Signals Directorate (ASD) for cyber security risks
  2. entities in shared service arrangements, for example entities such as co-tenants of premises or users of ICT infrastructure.

Reporting significant and reportable security incidents

Supporting requirement 2 mandates that entities report significant and reportable security incidents at the time they occur to:

  1. the Attorney-General’s Department
  2. the relevant lead security authority
  3. other affected entities.

A significant security incident is a deliberate, negligent or reckless action that leads, or could lead to, the loss, damage, compromise, corruption or disclosure of official resources. A significant security incident can have wide ranging and critical consequences for the entity and the Australian Government.

Reporting significant security incidents to the Attorney-General’s Department

The Attorney-General’s Department encourages entities to report significant security incidents to it via the PSPF online reporting portal.

Information gathered on significant security incidents assists the Attorney-General’s Department to:

  1. determine the adequacy of protective security policies
  2. provide an insight into entity security culture
  3. identify potential vulnerabilities in government security awareness training to inform whole-of-government security outreach activities.

Reporting security incidents to lead security authorities and other entities

Details of significant and reportable security incidents and the relevant authority to which entities report are provided in Table 3 and summarised below:

  1. Significant national security-related incidents — Australian Security Intelligence Organisation
  2. Significant cyber security incidents — Australian Signals Directorate
  3. Security incidents involving Cabinet material — Department of Prime Minister and Cabinet
  4. Security incidents involving personnel with a security clearance — Australian Government Security Vetting Agency (or entity CSO if the entity is an authorised vetting agency)
  5. Contact reporting — Australian Security Intelligence Organisation — Australian Government Contact Reporting Scheme
  6. Correspondence of security concern — Australian Security Intelligence Organisation
  7. Security incidents or unmitigated security risk that affects the protection of another entity's people, information or assets — accountable authority (or CSO) of the affected entity
  8. Security incidents involving sensitive or classified equipment and services — Security Construction and Equipment Committee
  9. Security incidents involving foreign entity assets or information — entity CSO. The incident may also need to be externally reported in line with other reportable incident categories.

In addition, some security incidents may be subject to other legislative or policy reporting requirements, for example:

  1. Eligible data breaches must be reported to the Office of the Australian Information Commissioner under the Notifiable Data Breaches Scheme
  2. Potential criminal/serious incidents must be reported to the Australian Federal Police (Commonwealth crimes) or local police (state and territory crimes)
  3. Critical incidents involving public safety must be reported to the Australian Government Crisis Coordination Centre.

Note: There may be other legislative requirements for reporting security incidents.

Table 3 – External security incident reporting or referral obligations (mandated under requirement 2)

To avoid inadvertently compromising an open security investigation, entities are encouraged to contact the relevant lead security authority or affected entity as early as possible about the incident.

For further information on the CSO’s responsibilities in making decisions on investigating, responding to and reporting on security incidents, see PSPF policy: Management structures and responsibilities.

Reporting to the Australian Signals Directorate on cyber security matters

The core requirement mandates that entities report on cyber security matters to the Australian Signals Directorate each financial year. To meet this requirement, entities are required to complete the annual ACSC Cyber Security Survey, distributed by the Australian Signals Directorate to all government entities, to assess their cyber security posture.

The PSPF assessment report summary module requests entities confirm submission of the annual cyber security survey to the Australian Signals Directorate. Where an entity has not completed the survey they are required to provide commentary.

Use of PSPF reporting data

The Attorney-General’s Department consolidates all reporting entities’ data into an aggregated annual security report for the Attorney-General and provides the report to reporting entities via the PSPF reporting portal.

At the conclusion of the annual PSPF reporting period the Attorney-General’s Department will provide access to reporting data to the:

  1. Australian Signals Directorate
  2. Australian Security Intelligence Organisation
  3. Australian National Audit Office—in line with its responsibilities under the Auditor-General Act 1997.

Annex A. PSPF Maturity Self-Assessment Model