HIGH LEVEL COMPLIANCE REVIEW SECURITY CLASSIFIED LAW ENFORCEMENT DATA

Transcription

1 HIGH LEVEL COMPLIANCE REVIEW SECURITY CLASSIFIED LAW ENFORCEMENT DATA Standards for Victoria Police Law Enforcement Data Security (Standards 27, 28, 29 & 30) November 2008 Commissioner for Law Enforcement Data Security

2 Acknowledgement This report was prepared for the Commissioner by Gary Sauvarin, Senior Project Officer Information Security, Office of the Commissioner for Law Enforcement Data Security, in consultation with relevant areas and employees of Victoria Police. Appreciation is expressed for the assistance and cooperation of Victoria Police members during the conduct of this review. Published by: The Commissioner for Law Enforcement Data Security PO Box 281 World Trade Centre Melbourne Victoria 8005 November 2008 State of Victoria, 2008

3 Table of Contents Executive Summary 5 1 Introduction Background Purpose and Scope Security Classified Law Enforcement Data Standards Approach Compliance Assessment Rating Definitions and Abbreviations 9 2. Standard Observations Findings Standard Observations Findings Standard Observations Findings Standard Observations Findings Conclusions and Recommendations 17 APPENDIX A Persons Interviewed and Documents Reviewed 19 APPENDIX B Response to the report by the Chief Commissioner of Police 21

4

5 Security Classified Law Enforcement Data Executive Summary Under the Commissioner for Law Enforcement Data Security Act, 2005, the Commissioner is required to undertake monitoring activities, including audits, to monitor compliance by Victoria Police with standards and protocols established under the Act. A high level compliance review has being undertaken of the CLEDS Standards for Victoria Police Law Enforcement Data Security on Security Classified Law Enforcement Data. Standard 27 requires the establishment of procedures for the identification and classification of law enforcement data requiring confidentiality. Standard 28 requires the establishment of policy and procedures to protect that data. Standard 29 requires that only personnel who meet the Australian Government Personnel Security Clearance requirements be given access to Australian Government classified data. Standard 30 requires that Australian Government approved products or solutions be used to protect Australian Government classified data. All four standards also require Victoria Police to ensure Approved Third Parties who access Victoria Police law enforcement data have similar requirements for Victoria Police data. An assessment rating of Compliant (where all Standard requirements are implemented and operating), Partially Compliant (where implementing all requirements is in progress) or Non Compliant (where there is no evidence of action being taken to review and implement Standard requirements) is assigned as a result of the review. Results of the Review Proper implementation of a security classification system can be problematic in many organisations. Misunderstanding about what the various levels of classification mean; how they should be applied; the various levels of protection needed, such as physical security, storage, handling, and movement; and the assumption that only material requiring confidentiality needs to be classified ( unclassified is in itself a classification); can lead to a piece-meal approach to classification and result in bad practices such as over-classification or no classification action at all. Victoria Police has documented policy and procedures for the identification and classification of data which meet the requirements of the CLEDS Standards and the Australian Government Protective Security Manual. Policy is currently under review and it is acknowledged that Victoria Police is already undertaking work to improve the implementation of its security classification system. This review identifies that work remains to be done regarding the implementation of security classified data policy and procedures. 5

6 High Level Compliance Review Standard operating procedures in the areas handling nationally classified data need to be reviewed for consistency and strengthened. Two of the three key areas handling nationally classified information comply with Australian Government requirements with regard to physical security and equipment. A security assessment of all areas handling Australian Government classified data should be carried out to ensure full compliance and Australian Government certification of those areas should be sought and documented. Such a security assessment needs to move beyond those areas which currently hold Australian Security Network (ASNET) equipment to the immediate environments of senior members of Corporate Committee who regularly handle nationally classified material. More generally, implementation of the documented classification procedures needs to be improved. Policy and procedures do not seem to be fully understood, nor carried out in a constant and systematic way across the organisation. A broad review of current practices is required. Identified staff are given the appropriate security clearance to access nationally classified material. However, Victoria Police has yet to introduce procedures to identify Designated Security Assessed Positions and Positions of Trust and execute all appropriate clearances. The IT systems need to be properly classified and BITS should review all IT systems to ensure that only Defence Signals Directorate Approved Products and solutions are used, where required. A security classification awareness campaign is necessary to ensure that staff fully understand how and when to classify information and the implications for protection of each level of classification. It should be noted that it is possible to over-classify, which then places a greater, although unnecessary, duty of protection on the material. Existing agreements with Approved Third Parties do not comply with relevant data security classification requirements. Victoria Police are renegotiating the agreements, after which Victoria Police will be compliant with this section of the Security Classification Standards. The Commissioner finds Victoria Police PARTIALLY COMPLIANT with Standards 27, 28, 29 and 30 of the Standards for Victoria Police Law Enforcement Data. Recommendations 1. That Victoria Police provide a time frame for Departments and Regions to implement the policy and procedures for the identification and classification of law enforcement data and conduct a Force-wide security classification awareness campaign. 2. That consideration is given to making the Document Security Best Practice Guideline a binding instruction and that relevant Standard Operating Procedures be reviewed to ensure compliance with the CLEDS standards and Victoria Police policy on security classified data That Victoria Police establish a process and timeline for the classification of all Victoria Police IT systems, taking into account the principles of compartmentalisation and aggregation. That the Agency Security Advisor review the implementation of procedures in areas handling nationally classified material, including the offices of those members of Corporate Committee who handle nationally classified material, to ensure that Protective Security Manual requirements are always met. 6

7 Security Classified Law Enforcement Data That Victoria Police introduce a system of Designated Security Assessed Positions (DSAPs) and Positions of Trust (POTs) and execute appropriate clearances. That the Agency Security Advisor review access arrangements in all relevant areas to ensure access is properly controlled. That Victoria Police undertake physical security assessments of all areas handling Australian Government classified data and implement the findings of those assessments. David Watts Commissioner for Law Enforcement Data Security November

8 High Level Compliance Review 1 Introduction 1.1 Background The Standards for Law Enforcement Data Security were established in July 2007 by the Commissioner for Law Enforcement Data Security (CLEDS). The Standards and associated protocols are binding on Victoria Police. Under the Commissioner for Law Enforcement Data Security Act 2005, the Commissioner is required to undertake monitoring activities, including audits, to monitor compliance by Victoria Police with standards and protocols established under the Act. The Commissioner has established an ongoing program of high level compliance reviews, as well as detailed risk based audits. The objective of a high level review is to identify whether documented policies and monitoring frameworks have been implemented by Victoria Police to meet the Standards and Protocols. Security Classified Law Enforcement Data is one of fifteen categories of standards and protocols issued by CLEDS. 1.2 Purpose and Scope The scope of this compliance review is confined to examining the existence and operation of Victoria Police policy and procedures in compliance with the requirements of the CLEDS Standards 27, 28, 29 and 30 on security classified law enforcement data. 1.3 Security Classified Law Enforcement Data Standards Standards 27, 28, 29 and 30 provide that law enforcement data must be suitably classified according to the degree of its sensitivity and confidentiality, that those who access such data have commensurate security clearances and that appropriately approved products and solutions are used for nationally classified data. All four standards also require Victoria Police to ensure Approved Third Parties who access Victoria Police law enforcement data have similar requirements for Victoria Police data. 1.4 Approach The high level compliance review involved discussions with key stakeholders, analysis of policy and procedures for compliance with the requirements of the relevant CLEDS Standards, and verification of process. Agreements with Approved Third Parties for authorised access to Victoria Police law enforcement data were also reviewed for compliance with the relevant Standards. 8

9 Security Classified Law Enforcement Data 1.5 Compliance Assessment Rating The assessment of compliance was rated as one of the following: Compliant Partially Compliant Non Compliant Existing security controls meet the requirements and intent of the Standards and Protocols Existing security controls partially or inconsistently meet the requirements and intent of the Standards and Protocols Existing security controls are consistently inadequate in meeting the requirements and intent of the Standards and Protocols Recommendations are made where less than full compliance is identified. 1.6 Definitions and Abbreviations The following definitions and abbreviations are used throughout this report. ASA Agency Security Advisor ASNET Australian Security Network BITS Business Information Technology Services, Victoria Police CLEDS Commissioner for Law Enforcement Data Security CTCU Counter Terrorism Co-ordination Unit, Victoria Police DAP Defence Signals Directorate (DSD) Approved Products DSAP Designated Security Assessed Position (a designated position with a security clearance to access nationally classified data) EISP Enterprise Information Security Policy ITSA Information Technology Security Advisor POT Position of Trust (a position with a security clearance to access non-nationally classified data) PSM Australian Government Protective Security Manual SOP Standard Operating Procedure VPM Victoria Police Manual WITSEC Witness Security Unit, Victoria Police 9

10 High Level Compliance Review 2. Standard Observations Victoria Police must establish clear and definitive procedures for the identification and classification of law enforcement data requiring confidentiality. Victoria Police must ensure that Agreements with Approved Third Parties include the requirement to establish clear and definitive procedures for the identification and classification of law enforcement data requiring confidentiality. The security classification procedures contained in VPM Instruction and the Document Security Best Practice Guideline are detailed and very clear. They reflect exactly the security classifications contained in the CLEDS Standards and the Australian Government Protective Security Manual (PSM). The definition of document for the purpose of the binding VPM Instruction is anything on which information is recorded as words, symbols, images or impressions. Examples adequately cover all forms of law enforcement data as they include (but are not restricted to): electronic data, electronic documents, correspondence, film recordings, hardcopy documents, information stored on discs or removable media, photographs, screen printouts and sound recordings. National security classified material is considered to be out of scope for VPM The Instruction, however, mandates that workplaces that receive, create and/or disseminate documents containing NATIONAL security information must protect that information by fully implementing all relevant security controls documented in the Protective Security Manual. The Victoria Police Document Security Best Practice Guideline, which predates promulgation of the CLEDS Standards, cites the Protective Security Manual as the authoritative reference for document security. The security classification regime is further reinforced by current work in two areas. The Agency Security Advisor (ASA) has widely distributed a simple two page sheet for classification and developed a comprehensive (draft) Quick Reference Guide. Business Information Technology Services (BITS) is developing a Security Classification Framework, which will lead staff through a series of questions about a document and automatically generate a security classification. The work being undertaken by the ASA and BITS will considerably assist with the implementation of Victoria Police s documented procedures for the security classification of law enforcement data. While Victoria Police have policy and procedures in place for the identification and classification of documents, implementation is a problem. Incorrect or over-classification of documents is an issue for many organisations. Documents sighted by the Reviewer indicate that Victoria Police is no different. The proper implementation of a classification system is best addressed by an organisation-wide security classification awareness campaign to distribute the clear guidance which is already available. Victoria Police IT systems are currently and notionally classified as x-in-confidence, although not given the protection that the Australian Government Protective Security Manual requires for that level of classification. There is also no doubt that parts of those systems hold data of a higher classification. 10

11 Security Classified Law Enforcement Data Existing agreements with Approved Third Parties do not include the requirement to establish clear and definitive procedures for the identification and classification of law enforcement data requiring confidentiality. Victoria Police has already agreed to renegotiate agreements with Approved Third Parties to ensure compliance with the CLEDS Standards (management response to CLEDS Relationships between Victoria Police and Approved Third Parties: Report of Compliance Review, March 2008). When all new agreements have been executed Victoria Police will be compliant with this section of Standard Findings Clear and definitive procedures for the identification and classification of law enforcement data requiring confidentiality are contained in the Victoria Police Manual (VPM Instruction Document Security), the Victoria Police Document Security Best Practice Guideline and the Enterprise Information Security Policy (EISP). The procedures documented meet the requirements of the Data Classification Scheme/Standards for Victoria Police Data Security issued by the Commissioner for Law Enforcement Data Security (Standards for Victoria Police Law Enforcement Data Security, chapter 10). It must be noted that implementation of the documented procedures needs to be improved. The existence of improperly classified documents or files indicates that staff either ignore or are not fully aware of the simple and clearly documented procedures for identifying and classifying information. Security classified data needs adequate protection. A file should be classified to the same level as the most highly classified document it contains. For the same reason, systems that hold electronic data need to be classified. Because of the large quantities of data held in electronic systems, the principle of aggregation needs to be applied to the classification of those systems (that is, that the value and therefore level of protection accorded to a large quantity of interrelated documents may be greater than that of the individual documents themselves). The Commissioner is aware that the process of classifying Victoria Police IT systems will be complex and cannot be achieved quickly. Once new CLEDS compliant agreements are executed with Approved Third Parties, Victoria Police will comply with this Standard. Victoria Police partially complies with Standard

12 High Level Compliance Review 3. Standard 28 Victoria Police must establish policy and protocols to ensure that all Security Classified law enforcement data is adequately protected. Australian Government Security Classified data must be protected in accordance with Australian Government protective security standards. Victoria Police must ensure that Agreements with Approved Third Parties establish policy and protocols to ensure that all Security Classified law enforcement data is adequately protected. 3.1 Observations VPM Instruction (section 6) gives brief procedures for the management and handling of security classified documents, including physical security, and refers staff to the Document Security Best Practice Guideline. The Guideline is not a binding instruction. It should be noted that the VPM is currently under review by the Corporate Strategy and Performance Department. The Enterprise Information Security Policy is also a key policy document for Security Classified Information. It is currently under review by Business Information Technology Services. Proper harmonisation and continuity between policy, procedure and implementation needs to be ensured. VPM clearly mandates that Australian Government Security Classified data must be protected in accordance with Australian Government protective security standards (the Protective Security Manual). The Document Security Best Practice Guideline gives considerable detail of how security classified material is to be protected. The Guideline covers (other than the identification and classification of documents) the protective marking, auditing and recording, disclosure/access, storage, movement and disposal of security classified documents. Of particular interest to the requirements of Standard 28 are the Security Procedure Tables which sit in Part 4 of the Guideline, which succinctly and very clearly tabulate the different procedures for the protection of documents at each level of classification up to, but not including, nationallyclassified material. Those procedures are reinforced in the Agency Security Advisor s (draft) Quick Reference/ Security Awareness. The Information Security Tables contained in the ASA s Quick Reference, cover all levels of classification, including nationally classified material and deal succinctly with identification, preparation and handling, removal and auditing, copying, storage and disposal, physical transfer and electronic transmission. Standard Operating Procedures sighted from areas with a high concentration of sensitive, particularly nationally classified data, are inconsistent in their coverage of procedures to protect security classified information. While all provide data protection measures, not all do this with the degree of detail given in the Guideline and not all refer the user back to VPM (although some more recent SOPs do refer the user generally to the CLEDS Standards). It should be noted that documented procedures for an area of considerable sensitivity like WITSEC are very comprehensive. 12

13 Security Classified Law Enforcement Data High level interviews conducted indicate that areas of Victoria Police handling nationally classified material understand the nature of the information they are receiving and holding and of the need to protect it. While issues of physical security and security clearance access are dealt with elsewhere in this report, areas handling nationally classified material are physically separated from other areas. There is not always clear separation within those of areas of security cleared staff handling nationally classified material and uncleared staff handling material of a lower classification. Procedures exist to limit access to secure stand-alone terminals and SCEC (Security Construction Equipment Committee) endorsed equipment is known to be used. The degree to which these procedures and equipment are always used to the satisfaction of PSM requirements is unknown and should be the subject of review by the Agency Security Advisor. As already mention existing agreements with Approved Third Parties do not comply with these standards but Victoria Police work in progress will ensure compliance by Victoria Police with this section of Standard Findings Policy and protocols have been established to protect Australian Government classified law enforcement data. A number of these are under review. Harmonisation needs to be ensured. Standard operating procedures could be strengthened and implementation of the documented procedures needs to be improved. While PSM compliant procedures and solutions are in place in areas handling nationally classified material, there is no certainty that they are always implemented in all such areas. Once new CLEDS compliant agreements are executed with Approved Third Parties, Victoria Police will comply with this Standard. Victoria Police partially complies with Standard

14 High Level Compliance Review 4. Standard 29 Prior to being granted access to Australian Government Security Classified law enforcement data, Victoria Police Employees, Contractors, Consultants and Approved Third Parties must meet Australian Government Personnel Security Clearance requirements for access to that data. Victoria Police must ensure that Agreements with Approved Third Parties include the requirement to meet Australian Government Personnel Security Clearance requirements prior to being granted access to Security Classified law enforcement data. 4.1 Observations Victoria Police departments/units handling Australian Government classified law enforcement data maintain spreadsheets of staff with national security clearances able to access that data. The Agency Security Advisor maintains the agency-wide, central security clearance database. Procedures are implemented in the relevant areas to ensure that only staff with the appropriate security clearance access nationally classified material. Spreadsheets of staff with national security clearances are no longer shared between departments/units. The Agency Security Advisor s central database is currently held on the CTCU G:/ drive (with limited access), but will shortly be moved to a stand-alone computer in a secure area and be populated with the proper amount of detail. The system for dealing with classified information promulgated in the Australian Government Protective Security Manual requires that certain positions are Designated Security Assessed Positions or Positions of Trust. Designated Security Assessed Positions (DSAP) are designated positions with a security clearance to access nationally classified data. Positions of Trust (POT) are positions with a security clearance to access non-nationally classified data. Victoria Police has yet to introduce procedures to identify Designated Security Assessed Positions and Positions of Trust and execute all appropriate clearances. As already mention existing agreements with Approved Third Parties do not comply with these standards but Victoria Police work in progress will ensure compliance by Victoria Police with this section of Standard Findings Implementation of policy to ensure that only appropriately cleared staff have access to nationally classified data depends on proper access procedures being in place. While security clearances are obtained for persons with access to nationally classified material, a system of Designated Security Assessed Positions and Positions of Trust should be introduced and access arrangements need to be reviewed to ensure policy is properly implemented. New CLEDS compliant agreements need to be executed with Approved Third Parties. Victoria Police partially complies with Standard

15 Security Classified Law Enforcement Data 5. Standard 30 When implementing security for the protection of Australian Government Security Classified law enforcement data and systems, Victoria Police must use Defence Signals Directorate (DSD) Approved Products (DAP) or solutions that are in accordance with Australian Government protective security. Victoria Police must ensure that Agreements with Approved Third Parties include the requirement to use DSD Approved Products (DAP) or solutions that are in accordance with Australian Government protective security standards for the protection of Security Classified law enforcement data. 5.1 Observations There are three principle areas of Victoria Police that handle nationally classified material the Specialist Support Department, Intelligence and Covert Support Department and the Counter Terrorism Co-ordination Unit. It should be noted that a number of senior members of Victoria Police in other areas also handle such material as required. The Agency Security Advisor has advised this reviewer that both the Specialist Support Department and Intelligence and Covert Support Department have in place physical security and equipment that meets Australian Government protective security requirements. However, no documented evidence of T4 certification was sighted by this reviewer. The Counter Terrorism Co-ordination Unit does not have T4 certification nor does the area comply with Australian Government requirements with regard to physical security/equipment. A T4 review of the area occupied by the Counter Terrorism Co-ordination Unit (CTCU) was carried out in The area failed to meet T4 standards and recommendations were made. Not all of these recommendations were implemented, particularly with regard to the physical structure of the area, audio security and compartmentalisation of security cleared staff. A further review, based on the 2006 review, was carried out by the Agency Security Advisor in 2008, with further recommendations being made. It is understood that compliance with T4 specifications for a secure area is on-hold while a refurbishment of the area occupied by this department is considered. Asnet is the agency responsible for the secure communications network used for the exchange of information related to national security between Commonwealth and State agencies. It is scheduled to make a security assessment in the final quarter of 2008 of all areas within Victoria Police holding Asnet and replacement Speakeasy (Government communications secure terminals) equipment. Asnet will now be self-accrediting for both types of equipment. The Asnet security assessment will not cover areas without Asnet/Speakeasy equipment, but which handle hardcopy Australian Government classified data, for example Deputy and Assistant Commissioners who handle highly classified information. The degree to which the protective security of the offices and office procedures of these senior members meet Australian Government requirements should be assessed. A concern, by way of example, is that while Assistant Commissioners and above have the appropriate level of security clearance to handle Australian Government classified information, their immediate staff, who would certainly physically handle and transport that information, may not. A specific issue that needs to be addressed is ensuring the appropriate clearance for temporary or short-term rotation staff officers. 15

16 High Level Compliance Review Victoria Police IT systems are yet to be properly classified. Once that has taken place, the Business Information Technology Services (BITS) will need to ensure that only DAP products and solutions are being used to protect the system where relevant. DAP products are currently used in parts of the IT system, but not all. It should be noted that nationally classified information is received and stored on systems that stand alone from the BITS-controlled Victoria Police IT systems. As already mention existing agreements with Approved Third Parties do not comply with these standards but Victoria Police work in progress will ensure compliance by Victoria Police with this section of Standard Findings Victoria Police already compartmentalises areas containing sensitive data by restricting physical access to those areas. A security assessment of all areas handling Australian Government classified data should be carried out to ensure full compliance with the requirements of the Protective Security Manual, with particular regard to physical security, access controls, storage and handling of data. Where necessary, Australian Government certification of those areas should be sought and documented. New CLEDS compliant agreements need to be executed with Approved Third Parties. Victoria Police partially complies with Standard

17 Security Classified Law Enforcement Data 6. Conclusions and Recommendations Proper implementation of a security classification system can be problematic in many organisations. Misunderstanding about what the various levels of classification mean; how they should be applied; the various levels of protection needed, such as physical security, storage, handling, and movement; and the assumption that only material requiring confidentiality needs to be classified ( unclassified is in itself a classification); can lead to a piece-meal approach to classification and result in bad practices such as over-classification or no classification action at all. Victoria Police has documented policy and procedures for the identification and classification of data which meet the requirements of the CLEDS Standards and the Australian Government Protective Security Manual. Policy is currently under review and it is acknowledged that Victoria Police is already undertaking work to improve the implementation of its security classification system. There needs, however, to be a much broader review undertaken by the Office of the ASA to ensure the implementation of policy and procedures for the classification and protection of information, particularly of nationally classified material to PSM standards. This review identifies that work remains to be done regarding the implementation of security classified data policy and procedures. Standard operating procedures in the areas handling nationally classified data need to be reviewed for consistency and strengthened. Two of the three key areas handling nationally classified information comply with Australian Government requirements with regard to physical security and equipment. A security assessment of all areas handling Australian Government classified data should be carried out to ensure full compliance and Australian Government certification of those areas should be sought and documented. Such a security assessment needs to move beyond those areas which currently hold Australian Security Network (ASNET) equipment to the immediate environments of senior members of Corporate Committee who regularly handle nationally classified material. More generally, implementation of the documented classification procedures needs to be improved. Policy and procedures do not seem to be fully understood, nor carried out in a constant and systematic way across the organisation. A broad review of current practices is required. Identified staff are given the appropriate security clearance to access nationally classified material. However, Victoria Police has yet to introduce procedures to identify Designated Security Assessed Positions and Positions of Trust and execute all appropriate clearances. The IT systems need to be properly classified and BITS should review all IT systems to ensure that only Defence Signals Directorate Approved Products and solutions are used, where required. A security classification awareness campaign is necessary to ensure that staff fully understand how and when to classify information and the implications for protection of each level of classification. It should be noted that it is possible to over-classify, which then places a greater, although unnecessary, duty of protection on the material. Existing agreements with Approved Third Parties do not comply with relevant data security classification requirements. Victoria Police are renegotiating the agreements, after Victoria Police will be compliant with these Security Classification Standards. 17

18 The Table below summarises the compliance ratings arising from this review of Victoria Police compliance with the Security Classification Standards. Standard Standard 27 Standard 28 Standard 29 Standard 30 CLEDS Compliance Level Partially Compliant Partially Compliant Partially Compliant Partially Compliant Recommendations 1. That Victoria Police provide a time frame for Departments and Regions to implement the policy and procedures for the identification and classification of law enforcement data and conduct a Force-wide security classification awareness campaign. 2. That consideration is given to making the Document Security Best Practice Guideline a binding instruction and that relevant Standard Operating Procedures be reviewed to ensure compliance with the CLEDS standards and Victoria Police policy on security classified data That Victoria Police establish a process and timeline for the classification of all Victoria Police IT systems, taking into account the principles of compartmentalisation and aggregation. That the Agency Security Advisor review the implementation of procedures in areas handling nationally classified material, including the offices of those members of Corporate Committee who handle nationally classified material, to ensure that Protective Security Manual requirements are always met. That Victoria Police introduce a system of Designated Security Assessed Positions (DSAPs) and Positions of Trust (POTs) and execute appropriate clearances. That the Agency Security Advisor review access arrangements in all relevant areas to ensure access is properly controlled. That Victoria Police undertake physical security assessments of all areas handling Australian Government classified data and implement the findings of those assessments. David Watts Commissioner for Law Enforcement Data Security November

19 Security Classified Law Enforcement Data APPENDIX A Persons Interviewed and Documents Reviewed The assistance and cooperation of the following Victoria Police members during the conduct of the compliance review is appreciated: Superintendent Geoff Alway, Protective Security Division, SSD Superintendent Tony Biggin, Covert Support Division, Intelligence and Covert Support Department Inspector Sue Clark, SOCAU Co-ordination Unit Mr Anthony Corso, Manager, IT Infrastructure Security, Business Information Technology Services Assistant Commissioner Stephen Fontana, Counter Terrorism Co-ordination and Emergency Management Department Commander Jim Hart, Specialist Support Department Mr Peter Kapadais, Security Specialist, Business Information Technology Services Mr Marshall Lee, Group Manager, Technical Standards and Architecture, Business Information Technology Services Inspector Bob Mayne, LEAP Management Unit Ms Diane Morland, Agency Security Advisor, Victoria Police S/Sergeant Gillian Wilson, Staff Officer, Intelligence and Covert Support Department The following Victoria Police documents were used to conduct this review: Victoria Police Manual (VPM) Victoria Police Enterprise Information Security Policy (September 2004) Victoria Police Document Security Best Practice Guidelines, version 1.3 (May 2007) Quick Reference Guide Security Awareness (Agency Security Advisor, draft, 2008) Security Requirements for Non-National Security and Cabinet-in-Confidence Information (Agency Security Advisor, 2008) Security Requirements for National Security Information (Agency Security Advisor, 2008) Special Operations Group Standard Operating Procedures (undated) System Security Plan Witness Security Unit Stand Alone Network (WSU-SAN) Information System (draft, undated) Witness Security Unit Stand Alone Network Standard Operating Procedures (draft, September 2006) Witness Security Unit Stand Alone Network Information System Security Procedures and Practices (version 1.0 draft, September 2006) 19

20 High Level Compliance Review Information security extracts from current Standard Operating Procedures for the following units of the Intelligence and Covert Department, Victoria Police: Undercover Unit Source Development Unit Special Projects Unit Information Services Unit Technical Support Unit State Surveillance Unit Security Intelligence Group Crime Stoppers Sex Offender Registry Human Source Management Operations Intelligence Unit State Intelligence Training Unit State Intelligence Services DNA Management Unit 20

21 Security Classified Law Enforcement Data APPENDIX B Response to the report by the Chief Commissioner of Police I refer to your request of 30 September 2008 for comments on the Draft Report titled High Level Compliance Monitoring of CLEDS Standards 27, 28, 29 & 30: Security Classified Law Enforcement Data September Recommendations I advise that Victoria Police has no issue with the content of the Draft Report or the proposed recommendations. 1. That Victoria Police provide a time frame for Departments and Regions to implement the policy and procedures for the identification and classification of law enforcement data and conduct a Force-wide security classification awareness campaign. 2. That consideration is given to making the Document Security Best Practice Guideline a binding instruction and that relevant Standard Operating Procedures be reviewed to ensure compliance with the CLEDS standards and Victoria Police policy on security classified data That Victoria Police establish a process and timeline for the classification of all Victoria Police IT systems, taking into account the principles of compartmentalisation and aggregation. That the Agency Security Advisor review the implementation of procedures in areas handling nationally classified material, including the offices of those members of Corporate Committee who handle nationally classified material, to ensure that Protective Security Manual requirements are always met. That Victoria Police introduce a system of Designated Security Assessed Positions (DSAPs) and Positions of Trust (POTs) and execute appropriate clearances. That the Agency Security Advisor review access arrangements in all relevant areas to ensure access is properly controlled. That Victoria Police undertake physical security assessments of all areas handling Australian Government classified data and implement the findings of those assessments. Victoria Police recognises the value of this document and the professional approach adopted during its development. I would like to thank you for the opportunity to provide comments on the Draft. Yours sincerely, Christine Nixon a p m Chief Commissioner 23/10/08 21

22 22