The policies under this outcome outline the roles and responsibilities of accountable authorities, and the management structures and responsibilities that determine how security decisions are made. They set out how to plan, manage, monitor and report on protective security. They also articulate the governance arrangements for sharing Australian Government resources with contracted service providers and foreign partners.
The 7 core requirements in these policies, and the accompanying supporting requirements, set out what entities must do to achieve the security governance outcome.
Each entity manages security risks and supports a positive security culture in an appropriately mature manner, ensuring:
- clear lines of accountability
- sound planning
- investigation and response
- assurance and review processes
- proportionate reporting.
Policy 1: Role of accountable authority
The accountable authority is answerable to their minister and the government for the security of their entity.
The accountable authority of each entity must:
- determine their entity's tolerance for security risks
- manage the security risks of their entity
- consider the implications their risk management decisions have for other entities, and share information on risks where appropriate.
The accountable authority of a lead security entity must:
- provide other entities with advice, guidance and services related to government security
- ensure that the security support it provides helps relevant entities achieve and maintain an acceptable level of security
- establish and document responsibilities and accountabilities for partnerships or security service arrangements with other entities.
- Accountable authority role and responsibilities
- Security risk management
- Lead protective security entities
- Exceptional circumstances
Policy 2: Management structures and responsibilities
The accountable authority must:
- appoint a Chief Security Officer (CSO) at the Senior Executive Service level to be responsible for security in the entity
- empower the CSO to make decisions about:
  - appointing security advisors within the entity
  - the entity's protective security planning
  - the entity's protective security practices and procedures
  - investigating, responding to, and reporting on security incidents, and
- ensure personnel and contractors are aware of their collective responsibility to foster a positive security culture, and are provided sufficient information and training to support this.
- Management structures
- Chief Security Officer responsibilities
- Security governance committee
- Appointing security advisors
- Protective security planning
- Protective security practices and procedures
- Investigating, responding to and reporting on security incidents
- Fostering a positive security culture
- Security awareness training
Policy 3: Security planning and risk management
Each entity must have in place a security plan approved by the accountable authority to manage the entity's security risks. The security plan details the:
- security goals and strategic objectives of the entity, including how security risk management intersects with and supports broader business objectives and priorities
- threats, risks and vulnerabilities that impact the protection of an entity's people, information and assets
- entity's tolerance to security risks
- maturity of the entity's capability to manage security risks
- entity's strategies to implement security risk management, maintain a positive risk culture and deliver against the PSPF.
- Security planning approach
- Security plan
- Security threat levels
- Risk-based approach to the PSPF
Policy 4: Security maturity monitoring
Each entity must assess the maturity of its security capability and risk culture by considering its progress against the goals and strategic objectives identified in its security plan.
- Security capability maturity
- Security risk culture
- Monitoring security maturity
Policy 5: Reporting on security
Each entity must report on security:
- each financial year to its portfolio minister and the Attorney-General's Department on:
  - whether the entity achieved security outcomes through effectively implementing and managing requirements under the PSPF
  - the maturity of the entity's security capability
  - key risks to the entity's people, information and assets, and
  - details of measures taken to mitigate or otherwise manage identified risks
- to affected entities whose interests or security arrangements could be affected by the outcome of unmitigated security risks, security incidents or vulnerabilities in PSPF implementation, and
- to the Australian Signals Directorate in relation to cyber security matters.
- Reporting to the portfolio minister and the Attorney-General’s Department
- Reporting to affected entities
- Reporting on cyber security matters
- PSPF maturity self-assessment model
Policy 6: Security governance for contracted goods and service providers
Each entity is accountable for the security risks arising from procuring goods and services, and must ensure contracted providers comply with relevant PSPF requirements.
- Assessing and managing security risks of procurement
- Protective security terms and conditions in contracts
- Ongoing management of protective security in contracts
- Completion or termination of the contract
Policy 7: Security governance for international sharing
Each entity must adhere to any provisions concerning the security of people, information and assets contained in international agreements and arrangements to which Australia is a party.
- International security agreements and arrangements
- General Security Agreement security classification equivalencies
- Handling protections for sensitive and classified resources from foreign partners
- Security clearances for access to, release and disclosure of foreign partner sensitive and classified resources
- Breaches or security violations of foreign partner resources
- Security assessment visits