Policy 16: Entity facilities
Purpose
This policy describes how to plan, select, design and modify facilities to ensure people, information and assets are protected.
Overview
Entities must fully integrate protective security when they plan, select, design and modify facilities to ensure people, information and assets are protected.
To determine the access requirements for facilities and define restricted access areas (referred to as Security Zones), entities must consider the highest risk level to entity resources.
ASIO’s Technical Notes, available on GovTEAMS, support Policy 16 with information on designing and modifying government facilities and security zones. The Technical Notes provide specifications on building construction, perimeter hardware, security alarm systems and access control.
Before being used operationally, Security Zones must be certified and accredited in line with ASIO’s Technical Notes and the PSPF.
Additional Australian Signals Directorate accreditation is required for Zone Five facilities used to secure and access compartmented information. Security Zone certification is time-limited. This means that facilities may require recertification from time to time.
For outsourced ICT facilities, entities must obtain ASIO-T4 physical security certification to hold information that has a catastrophic business impact level.
Technical surveillance countermeasures (TSCM) protect security classified discussions from technical compromise. This can involve real-time audio interception using electronic transmitting and receiving equipment or a TSCM inspection that searches for surveillance devices. Where security classified discussions occur, entities must undertake TSCM inspections.