The Protective Security Policy Framework (PSPF) requires entities to report significant or reportable security incidents to the relevant authority or affected entity. This includes reporting to the Department of Home Affairs as significant security incidents arise.
The PSPF defines a significant security incident as an:
- action, whether deliberate, reckless, negligent or accidental, that fails to meet protective security requirements or entity-specific protective security practices and procedures that results in, or may result in, the loss, damage, corruption or disclosure of official information or resources
- attempt to gain unauthorised access to official information or resources
- approach from anybody seeking unauthorised access to official resources, or
- event that harms, or may harm, the security of Australian Government people, information or resources.
The Chief Security Officer (CSO) is responsible for investigating, responding to and reporting on security incidents. This happens with support from the Chief Information Security Officer (CISO) for cyber security incidents. The CSO develops, implements and maintains procedures to ensure they respond to and, where required, appropriately investigate security incidents. The CSO also undertakes regular exercises of these arrangements.
The CSO and CISO are accountable to the Accountable Authority for the management of security incidents, exercises and investigations. This is in accordance with the PSPF and any other regulatory requirements. For more details, refer to the PSPF Release section 3.6.1 – Security Incident Management and Exercises.
A significant security incident is generally serious or complex and is likely to have wide-ranging and critical consequences for the entity or the Australian Government.
A security incident becomes reportable where it is:
- a specified significant security incident that is significant due to its nature, or that meets external incident reporting or referral obligations, or
- a significant business impact level security incident. It is assessed as significant due to the severity of the potential or actual consequences or damage to:
  - Australian Government security classified people
  - information or resources
  - the national interest
  - an organisation or individuals.