A glossary of common and complex terms used in the Protective Security Policy Framework (PSPF).
Accountable authority – The person or people responsible for, and with control over, a Commonwealth entity's operations. This is set out in Section 12 of the Public Governance, Performance and Accountability Act 2013 (Cth).
ACSC – Australian Cyber Security Centre
AFP – Australian Federal Police
AGSVA – Australian Government Security Vetting Agency
Alternative mitigation – Other security measures or controls that provide the same or a greater level of protection as the PSPF requirement.
APS – Australian Public Service
APSC – Australian Public Service Commission
ASD – Australian Signals Directorate
ASIC – Australian Securities and Investments Commission
ASIO – Australian Security and Intelligence Organisation
ASIO Outreach – ASIO's public facing outreach area. They provide advice to government, industry and academia on current and emerging security threats, and security policy.
ASIS – Australian Secret Intelligence Service
Authorised vetting agency – An Australian Government entity that is authorised to undertake security vetting and issue personnel security clearances.
Caveat owner – The entity that creates an official record that has special handling requirements in addition to its security classification. For more information see the Sensitive Material Security Management Protocol (SMSMP) on GovTEAMS.
Chief Security Officer (CSO) – The Senior Executive Service (SES) level officer that the accountable authority has appointed to oversee entity security arrangements. Provisions for appointing a CSO in an entity with fewer than 100 employees are outlined in PSPF policy 1: Role of accountable authority.
Core requirement – A requirement that entities must meet to achieve the government's desired protective security outcomes. Each of the 16 PSPF policies include a core requirement (as well as supporting requirements).
CSO – Chief Security Officer
DFAT – Department of Foreign Affairs and Trade
EACS – Electronic Access Control Systems
Eligibility waiver – An accountable authority's decision to waive the citizenship or checkable background eligibility requirement for a candidate to hold a security clearance where there is an exceptional business requirement and after conducting a risk assessment.
Entity – Any Commonwealth entity listed under paragraph 10(1) of the Public Governance, Performance and Accountability Act 2013 (Cth).
IRAP – Information Security Registered Assessor
ISM – Information Security Manual
Lead protective security entity – A Commonwealth entity with additional responsibilities as:
- lead entity in their portfolio, and/or
- provider of government protective security advice, policy, technical standards or intelligence services, and/or
- provider of shared services arrangements.
Negative vetting – An evaluation process used when obtaining certain security clearances that relies on the absence of information to the contrary in order to assess the subject's suitability for that security clearance.
OAIC – Office of the Australian Information Commissioner
ONI – Office of National Intelligence
Originator – The entity responsible for creating and classifying an official record where a record is as defined in the Archives Act 1983 (Cth). The entity remains the sole and permanent owner of the classification.
Outcomes – The protective security aims of the government relating to governance, people, information and physical assets. There are4 security outcomes for entities to achieve as part of the PSPF.
Personal security file – A record of the checks, decisions, risk assessments, mitigations, conditions and all other information relating to a security clearance.
Personnel – Employees and contractors, including secondees and any service providers that an entity engages. It also includes anyone who is given access to Australian government resources held by the entity as part of entity sharing initiatives.
PGPA Act – Public Governance, Performance and Accountability Act 2013 (Cth)
Positive vetting – A system of security checking that attempts to examine and independently verify all relevant aspects of a subject's suitability to hold certain security clearances. Positive vetting requires more extensive checks than negative vetting.
Principles – Fundamental values that guide decision–making. There are 5 principles that inform protective security settings (see Securing government business: Protective security guidance for executives).
Protective security – The protection of information, people and physical assets.
PSPF – Protective Security Policy Framework
PSPF maturity rating – The level to which an entity has addressed and implemented the core and supporting requirements in the PSPF. There are 4 levels of PSPF maturity.
Risk appetite – The risk an entity is willing to accept or retain within its tolerance levels to achieve its objectives, as defined in the Department of Finance Risk Management Policy.
Risk tolerance – The levels of risk an entity will tolerate to achieve a specific objective or manage a category of risk, as defined in the Department of Finance Risk Management Policy.
SCEC – Security Construction and Equipment Committee
Security advisors – Personnel appointed to perform security functions or specialist services related to security within an entity. These personnel support the work of the Chief Security Officer.
Security caveat – An indication of special handling requirements beyond those indicated by security classification. See Australian Government Security Caveat Guidelines on GovTEAMS for more detail.
Security culture – The characteristics, attitudes and habits within an organisation that establish and maintain security.
Security Governance Committee – A senior committee that supports an accountable authority and CSO to achieve protective security objectives and monitor performance against those objectives. Especially valuable to entities with large or complex arrangements.
Security incident – A security incident is defined as an:
- action, whether deliberate, reckless, negligent or accidental that fails to meet protective security requirements or entity–specific protective security practices and procedures that results, or may result in, the loss, damage, corruption or disclosure of official information or resources (see PSPF policy 2: Management structures and responsibilities C.7.1 Security incidents)
- approach from anybody seeking unauthorised access to official resources
- observable occurrence or event (including natural disaster events, terrorist attacks etc) that can harm Australian Government people, information or assets.
For further detail, see PSPF policy 2: Management structures and responsibilities. This also provides details about reporting channels for particular security incidents.
Security maturity – The entity's capability to holistically and appropriately manage their security risks through effectively implementing and managing the PSPF core and supporting requirements in the context of the entity's specific risk environment and risk tolerances.
Security plan – Central document detailing how the entity plans to manage and address their security risks. For further detail see PSPF policy 3: Security planning and risk management.
Security risk – Something that could result in compromise, loss, unavailability or damage to information or physical assets, or cause harm to people.
Security risk management – Managing risks related to an entity's information, people and physical assets.
Security vetting – An authorised vetting agency's assessment of a clearance subject's suitability to hold a security clearance.
SES – Senior Executive Service
SMSMP – Sensitive Material Security Management Protocol
Sponsoring entity – The Australian Government entity that sponsors an individual's security clearance.
Supporting requirement – The actions needed to implement core requirements and attain the government's desired protective security outcomes. Each of the 16 PSPF policies include supporting requirements to help implement that policy's core requirement.
T4 Protective Security (T4 or ASIO T4) – ASIO's protective security capability (T4) provides expert protective security advice and training to the Australian Government, state and territory governments, and business. This includes physical security certification advice (as defined in the PSPF), technical surveillance countermeasures, and resources for security managers to assist in the protection of their information, people and assets via the ASIO Outreach website. T4 evaluates protective security products (such as locks, alarms and detection devices) to determine their suitability for use in government facilities.
T4 provides protective security advice for Australian Government agencies. With the Attorney–General's written approval, T4 can also provide such services to state and territory governments, business enterprises and critical infrastructure owners, provided that a Commonwealth interest can be shown.
TSCMs – Technical Surveillance Countermeasures
Vetting – The evaluation of a person's suitability to obtain and maintain a security clearance and access sensitive and classified Australian Government resources.
Vetting entity – An authorised entity responsible for assessing a person's suitability to obtain and maintain a security clearance.
Vetting personnel – Vetting officers and delegates who assess a clearance subject and identify any vulnerabilities that may compromise Australian Government resources.