
The Administrative Arrangements Order of 3 August 2023 transferred responsibility for protective security policy, including the Protective Security Policy Framework, from the Attorney-General's Department to the Department of Home Affairs. These Machinery of Government (MOG) changes began on 4 August 2023.

The PSPF Reporting Portal will transfer to the Department of Home Affairs on 11 June 2024. Before 11 June 2024, all entities and users must set up new authentication credentials through VANguard. You can get more information by contacting the Government Protective Security Policy section at or the PSPF hotline on 02 5127 9999.

Policy 2: Management structures and responsibilities



This policy details the management structures and responsibilities that provide a governance base for entities to make security decisions that will protect their people, information and assets.


Appointing a Chief Security Officer (CSO) is mandatory. The CSO provides strategic oversight of protective security across the entity, makes security-related decisions and fosters a positive security culture. Where required, the CSO may appoint security advisors to support them to deliver protective security and perform specialist services.

Under this policy, entities must develop, use and monitor the effectiveness of security procedures.

This ensures the entity:

  • achieves all elements of their security plan
  • investigates, responds to and reports security incidents
  • meets relevant security policy or legislative obligations.

Security awareness training is an important part of protective security. It helps to implement governance, physical, information and personnel security policies, practices and procedures.

This policy mandates that entities provide all personnel, including contractors, with annual security awareness training. Entities must provide specific security awareness training for personnel in specialist and high-risk positions.

To ensure effective external security communications, entities must have a monitored email address for all security-related matters.
