Australian Government - Attorney-General's Department

Security Policy

Achieving a Just and Secure Society


Overarching protective security policy statement

The appropriate application of protective security by government entities ensures the operational environment necessary for the confident and secure conduct of government business. Managing protective security risks proportionately and effectively enables government entities to provide the necessary protection of the Government’s people, information and assets.

Overall responsibility for protective security

The Protective Security Policy Framework (PSPF) articulates the Government’s expectation for protective security as a business enabler that allows entities to work together securely in an environment of trust and confidence.

The Attorney-General's Department is responsible for the development and delivery of the PSPF, with all applicable entities required to comply with the mandatory requirements in accordance with their risk environment.

All Commonwealth employees, including contractors, have a collective responsibility to ensure that government resources (people, information and assets) are protected.

Applicability of the Protective Security Policy Framework

The Protective Security Policy Framework (PSPF) applies to non-corporate Commonwealth entities subject to the Public Governance, Performance and Accountability Act 2013 (PGPA Act) to the extent consistent with legislation. The PSPF represents better practice for corporate Commonwealth entities and wholly-owned Commonwealth companies under the PGPA Act.

Non-government organisations that access security classified information may be required to enter into a Deed of Agreement to apply relevant parts of the PSPF for that information.

State and territory government agencies that hold or access Commonwealth security classified information apply the PSPF to that information consistent with arrangements agreed between the Commonwealth, States and Territories.

Protective security roles and responsibilities

The accountable authority of a non-corporate Commonwealth entity (Agency Head) is accountable to the responsible Minister for the protection of their organisation’s people, information and assets.

An Agency Head may, in writing, delegate the operational responsibility of meeting the mandatory requirements of the PSPF to another appropriate person. However, the Agency Head remains ultimately responsible for the management of protective security risk within their organisation.

The following entities provide specialist advice on intelligence, protective security risk and technical standards:

Attorney-General's Department (AGD):

  • administrative responsibility for protective security policy and coordination for the Commonwealth.

Australian Security Intelligence Organisation (ASIO):

  • provides threat information to agencies to inform their protective security settings
  • collects, analyses and advises on matters relating to espionage, foreign interference, politically motivated violence, communal violence, sabotage, attacks on Australia's defence system, and serious threats to Australia's territorial and border integrity.

ASIO—T4 Protective Security (ASIO-T4):

  • provides advice to Australian Government agencies on protective security, risk assessment, evaluation of physical security products and physical security reviews
  • conducts security risk reviews, technical surveillance countermeasures and certification of all sites storing TOP SECRET information.

Australian Signals Directorate (ASD):

  • develops and maintains the Information Security Manual (ISM - the Australian Government ICT security policy)
  • provides advice on cyber security and threats to the Australian Government.

Australian Federal Police (AFP):

  • investigates and enforces Commonwealth criminal law (including national security and fraud related issues)
  • provides protective and custodial services in areas of special importance or sensitivity on a fee-for-service basis.

Australian Government Security Vetting Agency (AGSVA):

  • processes, assesses and grants security clearances for the Australian Government
  • manages reports of changes in circumstances
  • reviews existing clearances to assess a clearance subject's ongoing need and suitability to hold a security clearance.

Authorised vetting agencies:

  • authorised to make clearance decisions to meet their own agency business needs only
  • conduct scheduled reviews of clearance holders’ suitability
  • conduct unscheduled reviews in accordance with changing risk factors.

Only AGSVA and authorised vetting agencies can make security vetting decisions.

Department of Foreign Affairs and Trade (DFAT):  

  • provides advice on overseas security standards.