1 Defence Security Manual DSM Part 2:5 Security Awareness and Training Version 4 ation date July 2015 Amendment list 17 Optimised for Screen; Print; Screen Reader Releasable to Compliance Requirements Defence personnel are, and external service providers subject to the terms and conditions of their contract may be, bound by security policy contained in the DSM and Information Security Manual (ISM). Failure to comply with the mandatory requirements of the DSM and ISM may result in action under the relevant contract provision or legislation including, but not limited to; the Defence Force Discipline Act 1982, the Service Act 1999, and the Crimes Act Mandatory requirements in the DSM and ISM are identified through the use of the terms must / must not and should / should not. Compliance with these requirements is mandatory unless the appropriate authority, if applicable, has considered the justification for non-compliance and accepted the associated risk through the granting of a dispensation. The terms recommend and may are used to denote a sensible security practice and noncompliance need not be approved or documented. Note: Non-compliance with a sensible security practice ought to be informed by sound risk management principles. The DSM compliance regime, including the authority to approve non-compliance with mandatory requirements, the use of dispensation indicators, and how to apply for a dispensation is detailed in DSM Part 2:1 Dispensations. Copyright Commonwealth of Australia 2010 This work is copyright. Apart from any use as permitted under the Copyright Act 1968, no part may be reproduced by any process without prior written permission from the Department of Defence. Requests and inquiries concerning reproduction and rights should be addressed to Defence Publishing Services, Department of Defence.
2 Introduction 1. A strong security culture, supported by a high level of security awareness and training, is a critical element of effective protective security. 2. The purpose of Defence Security Manual (DSM) Part 2:5 is to inform Defence personnel and external service providers of the security training and awareness regime in place in Defence. Policy 3. Defence personnel and external service providers are to be made aware of security threats, the protective security measures to counter these threats, and their responsibilities. Where required, they are to receive security training for the effective conduct of security roles and functions. Mandatory Security Awareness Process 4. Defence personnel and external service providers must complete: a. a security awareness briefing on appointment; b. a security awareness brief annually thereafter, in accordance with Defence mandatory training requirements; and Note: The mandatory security awareness compliance responsibility can be met by completion of the national component via the Defence Security and Vetting Service (DS&VS) security awareness on CAMPUS or the DS&VS approved PowerPoint presentation. c. either the national or local component (or both) of a security awareness program: (1) in response to any potential or actual threat identified or realised; and (2) at any other time as directed by command/management or under contractual arrangements. Security Awareness Program 5. A security awareness program is to contain: a. a national component, endorsed by DS&VS; and b. a local component contextualised for a specific unit, base or establishment (if required). 6. The national component of a security awareness program, developed or endorsed by DS&VS, should include: a. an overview of security and its importance to Defence; b. national threats to security; c. principles that lead to an improved security posture; DSM Part 2:5 Page 2 of 7
3 d. the framework of security policy and instructions within Defence; and e. individual security responsibilities. 7. The local component of the awareness program, developed by the relevant commander or manager should include: a. current local threats; b. risks associated with the identified threats; c. the ways in which Defence policy, standards, procedures and other controls are implemented to mitigate risks; and d. specific security issues and controls relating to a base, unit or facility including, but not limited, to: (1) the level and quantity of security classified information kept and basic instructions for its handling; (2) numbers, types and trends of security incidents; (3) problems, experiences and recommendations of commanders, managers, personnel, external service providers and security staff; (4) the degree to which employees understand and accept existing security policies and procedures; (5) security performance to date; and (6) locally-specific standing orders and standard operating procedures (SOP). 8. DS&VS does not conduct face-to-face security awareness programs as these are a unit responsibility. However, assistance with security awareness and training programs, in particular the provision of material or specialist speakers can, when necessary, be organised through DS&VS or the Service Security Authorities (SSA). Training for specialist security roles 9. Before undergoing training for, and before appointment to, a specialist security role, Defence personnel and external service providers must: a. complete the DS&VS Classified Document Handling Course; or b. have existing competency or proficiency recognised by DS&VS. 10. In order to perform the specialist security roles of Security Officer, Information Systems Security Liaison Officer (ISSLO) or Information Systems Security Officer (ISSO), Defence personnel and external service providers must: a. complete training that is particular to the role and endorsed by DS&VS; or b. have existing competency or proficiency recognised by DS&VS. 11. Certification authorities and accreditation authorities must attain proficiency as approved by the DS&VS. DSM Part 2:5 Page 3 of 7
4 12. SSA should use training courses developed or approved by DS&VS (these are a combination of competency and proficiency based courses). 13. Defence personnel and external service providers in specialist security roles should undertake specialist security training as shown in Table 2:5-1. Table 2:5-1: Specialist Security Training Course Security officer ISSLO ISSO ICT security certification Physical security certification Accreditation Timing On appointment to the role. On appointment to the role. This course is a prerequisite for the ISSO course. On appointment to the role. Officers are advised to complete this course prior to undertaking ICT security certification training. Before appointment to the role. Before appointment to the role. Before appointment to the role. Roles and Responsibilities First Assistant Secretary Security and Vetting Service 14. FAS S&VS is responsible for: a. establishing security skilling requirements for Defence and Defence industry; b. developing protective security awareness and training policies and standards for Defence; c. developing national components of security awareness programs and training material to be used by Defence and Defence industry; d. conducting training for security functions for non-service Groups, joint units and Defence industry; e. conducting training for specialist security roles in Defence (except for security officer training to the Services); and f. enabling electronic delivery of training for specialist ICT security roles for use by the Groups and Services. Group Heads and Service Chiefs 15. Groups Heads and Service Chiefs are responsible for ensuring that their staff undertake adequate security awareness and training programs to: a. be made aware of security threats and appropriate protective security measures to counter the threats; b. understand their security responsibilities; and DSM Part 2:5 Page 4 of 7
5 c. equip those with security roles and functions with the knowledge, skills and competencies to be effective in the role or function. 16. Service Chiefs are responsible for ensuring that their Service conducts: a. security awareness programs, including the DS&VS-developed or endorsed national components; and b. training for security functions. Service Security Authorities 17. SSA are responsible for conducting security awareness and training programs, including the DS&VS developed or endorsed national components, to single Service units. Commanders and Managers 18. Commanders and managers are responsible for: a. making appropriate security awareness and training programs available to all Defence personnel and external service providers; b. ensuring that Defence personnel or external service providers with access to official resources understand and accept their security responsibilities; c. ensuring that any unit-specific security awareness material (eg, a unit-specific risk profile) complements and supports standard security awareness and training programs developed by DS&VS and SSA; d. ensuring appropriate security awareness and training records are maintained in the relevant Security Register; e. supporting Defence personnel and external service providers in their efforts to implement effective workplace security practices; f. identify any need for, and organise the conduct of, training for security functions or specialist security roles by either DS&VS or SSA; g. ensure the adequate distribution and presentation of security awareness products and notices (eg, posters); h. ensuring that Defence personnel and external service providers are provided with a security awareness debrief on departure from a unit or facility, or disengagement from Defence; and i. ensuring, where appropriate, follow-up security awareness and training is conducted to prevent recurrence of security incidents. 19. Commanders and managers are responsible for leading by example. They can generate sound security awareness by influencing staff behaviour through their own actions. Supervisors 20. Supervisors are responsible for ensuring that mandatory security awareness and training programs are incorporated into staff performance agreements. DSM Part 2:5 Page 5 of 7
6 Security Officers 21. Security officers are responsible for assisting their commander or manager to undertake their security management responsibilities. 22. ISSO and ISSLO are also responsible for facilitating awareness of ICT security threats and associated security responsibilities for staff. Defence Personnel and External Service Providers 23. Defence personnel and external service providers are responsible for participating in: a. mandatory security awareness and training programs; and b. a security awareness debrief on departure from a unit or facility, or disengagement from Defence. Key Definitions 24. Security awareness. The state of being aware of the security threats and risks that exist, the protective security measures in place to counter them, and the individual s security responsibilities. 25. Security training. The structured preparation for the performance of security roles and tasks. 26. Skilling. The development of workplace skills, especially through specific training programs. 27. Proficiency. A training, learning or experiential outcome achieved by an individual which is essential to satisfy a specified workplace requirement associated with an established position. 28. Competency. The successful completion of formal recognition or assessment against nationally recognised vocational training packages. Attainment of specific competencies may result in the awarding of a nationally recognised qualification. 29. Security functions. Functions that have a significant security component and require formal training. 30. Specialist security roles. The roles of security officer, Information Systems Security Liaison Officer (ISSLO), Information Systems Security Officer (ISSO), certification authority, and accreditation authority. Further Definitions 31. Further definitions for common DSM terms can be found in the Glossary DSM Part 2:5 Page 6 of 7
7 Annexes and Attachments N/A This part currently has no annexes or attachments. DSM Part 2:5 Page 7 of 7