Protective security governance guidelines

Transcription

1 Protective security governance guidelines Security awareness training Version 1.0 Approved September 2010

2 Contents Introduction... 1 Who gets of security awareness training/briefings?... 2 Security awareness training content... 2 Identified agency specific risk and policies... 3 Personal safety measures... 3 Asset protection... 3 Protection of official information... 4 Reporting requirements... 4 Internal reporting contacts... 4 Changes of circumstances... 5 Contact Reporting Scheme arrangements... 5 Additional security briefings... 5 i

3 Introduction These guidelines support and should be read in conjunction with: Protective Security Policy Framework - Governance Australian Government Personnel Security Protocol Australian Government Information Security core policy, and Australian Government Physical Security core policy. Security awareness training is an important element of protective security. Awareness training supports physical, information and personnel security measures as well as informing staff of their governance requirements. To truly change behaviours a security awareness campaign effectively communicates what is enforced (your policies) and in addition communicates why, then follows up the campaign with strong, visible enforcement, and rewards. See the Australian National Audit Office Audit Report No Security Awareness and Training. Employees should undertake security awareness as soon as possible after starting with the agency. It is recommended that agencies include security awareness in their induction programs. Agencies should hold regular refresher training sessions to confirm prior knowledge and inform employees of any new measures. Agencies should give additional training if the threat environment changes. Agencies can develop security awareness through: campaigns that address the ongoing needs of the agency and the specific needs of sensitive areas, activities or periods of time security instructions and reminders via publications, electronic bulletins and visual displays such as posters protective security-related questions in staff selection interviews drills and exercises, and inclusion of security attitudes and performance in the agency performance management program. It is recommended that any training program use a mixture of delivery methods and follow the principles of adult education. The Adult education guide produced by the Australian Government Financial Literacy Foundation provides an overview of these principles. 1

4 It is recommended that if training is outsourced agencies use a Registered Training Organisation (RTO). RTOs are accredited training providers who offer courses through the Australian Quality Training Framework. A list of RTOs is available from training.gov.au Who gets security awareness training/briefings? Agencies are to provide security awareness training/briefings to: their employees and any contractors based in agency facilities. It is recommended that this training be provided initially as part of the employee induction process or as soon as possible after commencement, and holders of Negative and Positive Vetting clearances on granting of the clearances, and every five years as a condition of revalidation of the clearances. The briefings are to detail the clearance holders information security responsibilities. It is recommended that agencies also provide a briefing to Baseline Vetting clearance holders every five years. It is recommended that security awareness training also be provided to employees, contractors and other people to whom the agency gives access to unclassified official information An agency should provide targeted security awareness training when the agency has an increased or changed threat environment. It is recommended that agencies undertake regular security awareness training. Security awareness training content Security awareness training should cover the following areas: Agency security procedures and policies Personal safety measures Asset protection Protection of official information from: - inappropriate use - loss, and - corruption Reporting requirements including: - changes of circumstances - incident reporting, and - the Contact Reporting Scheme Additional security briefings 2

5 Identified agency specific risk and policies Agency specific risks, and countermeasures, will be identified as part of the agency risk review and policies. Agencies should make employees and contracted service providers aware of the protective security programs operating in their area, the threat it is designed to counter, and their roles and responsibilities in relation to it. Personal safety measures Agencies have a responsibility to protect employees and visitors, see Australian Government Comcare - OHS Act, Regulations and Code. It is recommended that agencies develop an employee safety handbook that is provided to all employees as well as being readily available on agencies intranet sites. The handbook should include emergency response guidelines and contacts as well as any agency specific safety requirements and procedures. Agencies with heightened risks from the public and/or clients should ensure that the employees with whom the public react are aware of all safety measures in place in the agencies. The agencies should also hold regular exercises and drills to confirm their staff s competencies. Staff with specific emergency safety or security roles should receive regular training as w ell as participate in exercises to confirm their ongoing competency. See: Standards Australia - AS : Emergency control organisation and procedures for buildings, structures and workplaces, and Standards Australia - HB : Mailroom security. Asset protection Agencies should provide advice to staff on: access control systems legal requirements to protect assets agency specific measures to protect assets what is fraud and how to report it how to report lost, damaged or stolen assets, and asset audit and stocktake requirements. Agencies should provide the information required to allow employees to meet their responsibilities prior to taking custody for any assets. 3

6 See: Commonwealth Fraud Control Guidelines Australasian Legal Information Institute - Financial Management and Accountability Act 1997 s 42 SAI Global - AS Fraud and corruption control Protection of official information Agencies should ensure that every program area is aware of the classification and handling requirements for the resources it possesses or develops. Agencies should provide employees with training on: agency ICT system(s) security classifications special arrangements for producing documents above the ICT systems capability, and audit and accountability requirements for highly classified, codeword or caveat material. All employees, regardless of level or security clearance, need to be aware of the harm caused by the compromise of security classified resources handled in their workplace and the ways in which those resources might be vulnerable to compromise or misuse. Reporting requirements Internal reporting contacts Agencies should provide employees with a list of key agency reporting contacts. See PSPF Governance - Protective Security Investigations. It is recommended that the list of contacts be included in the employee safety handbook. The contacts list should cover, but is not limited to, how to report: suspicious behaviour threatening behaviour including letters, bomb threats and phone calls broken ICT and security equipment security infringements and breaches fraud or suspected fraud full secure waste bins, and lost credit cards. Reporting guidelines should also include any agency specific whistle blowing provisions. 4

7 Changes of circumstances See PSPF Australian Government Personnel Security - Reporting changes in personal circumstances guidelines. Contact Reporting Scheme arrangements See PSPF Australian Government Personnel Security - Contact reporting guidelines. Additional security briefings Other types of briefings given to employees may include: personal safety briefings when travelling on official business or for personal purposes briefings and debriefings for accessing TOP SECRET material briefings and debriefings to allow access to specific caveat, compartmentalised or codeword security classified information or resources overseas travel briefings and debriefings specific location briefings for high-risk destinations briefings tailored for specific categories of employment, eg, the unique security issues for IT staff, scientists and others briefings tailored to an individual s particular security needs, as part of a continuing management strategy, and risk management briefings in general and protective security in particular. 5