Australian Government - Attorney-General's Department

Protective Security Policy Framework

Achieving a Just and Secure Society

Australian Government Physical Security Core Policy

Non-corporate Commonwealth entities (agencies) are required to provide and maintain:

  • A safe working environment for their employees, contractors, clients and the public.
  • A secure physical environment for their official resources.

There are seven mandatory requirements covering physical security, underpinned by the high-level controls set out below.

Physical security

PHYSEC 1

Agency heads must provide clear direction on physical security through the development and implementation of an agency physical security policy, and address agency physical security requirements as part of the agency security plan.

PHYSEC 2

Agencies must have in place policies and procedures to:

  • identify, protect and support employees under threat of violence, based on a threat and risk assessment of specific situations. In certain cases, agencies may have to extend protection and support to family members and others
  • report incidents to management, human resources, security and law enforcement authorities, as appropriate
  • provide information, training and counselling to employees
  • maintain thorough records and statements on reported incidents

PHYSEC 3

Agencies must ensure they fully integrate protective security early in the process of planning, selecting, designing and modifying their facilities.

PHYSEC 4

Agencies must ensure that any proposed physical security measure or activity does not breach relevant employer occupational health and safety obligations.

PHYSEC 5

Agencies must show a duty of care for the physical safety of those members of the public interacting directly with the Australian Government. Where an agency's function involves providing services, the agency must ensure that clients can transact with the Australian Government with confidence about their physical wellbeing.

PHYSEC 6

Agencies must implement a level of physical security measures that minimises or removes the risk of information and ICT equipment being made inoperable or inaccessible, or being accessed, used or removed without appropriate authorisation.

PHYSEC 7

Agencies must develop plans and procedures to move up to heightened security levels in case of emergency and increased threat. The Australian Government may direct its agencies to implement heightened security levels.

Agency physical security policy and planning

PHYSEC 1: Agency heads must provide clear direction on physical security through the development and implementation of an agency physical security policy, and address agency physical security requirements as part of the agency security plan.

The policy and plan are to:

  • detail the objectives, scope and approach to the management of physical security issues and risks within the agency
  • be endorsed by the agency head
  • identify physical security roles and responsibilities
  • continuously review physical security measures to reflect changes in the threat environment and take advantage of new cost-effective technologies
  • be consistent with the requirements of the agency's protective security plan and physical security risk assessment findings
  • explain the consequences for breaching the policy or circumventing any associated protective security measure, and
  • be communicated on an on-going basis and be accessible to all agency employees.

Protection of employees

Agencies are responsible for the health and safety of employees at work. This responsibility extends to situations where employees are under threat of violence because of their duties or because of situations to which they are exposed. Such situations include, but are not limited to, terrorism, threat letters or calls, the receipt of potentially dangerous substances (e.g. 'white powder'), stalking and assault.

PHYSEC 2: Agencies must have in place policies and procedures to:

  • identify, protect and support employees under threat of violence, based on a threat and risk assessment of specific situations. In certain cases, agencies may have to extend protection and support to family members and others
  • report incidents to management, human resources, security and law enforcement authorities, as appropriate
  • provide information, training and counselling to employees, and
  • maintain thorough records and statements on reported incidents.

Physical security

Physical security involves the proper layout and design of facilities and the use of measures to delay and prevent unauthorised access to government assets. It includes measures to detect attempted or actual unauthorised access, and activate an appropriate response. Physical security also provides measures to safeguard employees from violence.

PHYSEC 3: Agencies must ensure they fully integrate protective security early in the process of planning, selecting, designing and modifying their facilities.

Agencies are to:

  • select, design and modify their facilities in order to facilitate the control of access
  • demarcate restricted access areas, and have the necessary entry barriers, security systems and equipment based on threat and risk assessments
  • include the necessary security specifications in planning, request for proposals and tender documentation, and
  • incorporate related costs in funding requirements.

Work health and safety

PHYSEC 4: Agencies must ensure that any proposed physical security measure or activity does not breach relevant employer work health and safety obligations.

Agencies are to:

  • conduct a risk assessment of any proposed physical security measure or activity and develop effective risk controls in line with a reasonably practicable approach, and
  • take into account the likelihood and consequence of an accident or injury arising as a result of a physical security measure or activity and put in place appropriate control measures.

Duty of care – third parties

PHYSEC 5: Agencies must show a duty of care for the physical safety of those members of the public interacting directly with the Australian Government. Where an agency's function involves providing services, the agency must ensure that clients can transact with the Australian Government with confidence about their physical wellbeing.

Agencies are to:

  • take all reasonable precautions which could avoid or reduce the risk of harm to clients
  • choose the option which is least restrictive to the client where there are a number of effective physical security measures which would reduce the risk of harm
  • ensure the agency physical security plan addresses the risk of harm to clients, and
  • develop relevant guidelines and procedures identifying the precautions to be taken to cover the identified risk factors.

Physical security of ICT equipment and information

PHYSEC 6: Agencies must implement a level of physical security measures that minimises or removes the risk of information and ICT equipment being made inoperable or inaccessible, or being accessed, used or removed without appropriate authorisation.

Agencies are to:

  • put in place appropriate building and entry control measures for areas used in the processing and storage of security classified information
  • put in place physical security protection (which matches the assessed security risk of the aggregated information holdings) for all agency premises, storage facilities and cabling infrastructure
  • locate ICT equipment, where practical, in areas with access control measures in place to restrict use to authorised personnel only, and put in place other control methods where physical control measures are not possible
  • implement policies and processes to monitor and protect the use and/or maintenance of information, equipment, storage devices and media away from agency premises, and in situations where a risk assessment determines, put in place additional control measures
  • implement policies and processes for the secure disposal and/or reuse of ICT equipment, storage devices and media (including delegation, approval, supervision, removal methods and training of employees) which match the assessed security risk of the information holdings stored on the asset, and
  • implement general control policies including a clear desk and clear screen policy.

Physical security in emergency and increased threat situations

PHYSEC 7: Agencies must develop plans and procedures to move up to heightened security levels in case of emergency and increased threat. The Australian Government may direct its agencies to implement heightened security levels.

Agencies are to co-ordinate physical security plans and procedures with other emergency prevention and response plans (e.g. fire, bomb threats, hazardous materials, power failures, evacuations, civil emergencies).
