Protective Security Governance Policy. Outlines ANAO protective security arrangements


Protective Security Governance Policy
Outlines ANAO protective security arrangements
Version 2.0
Effective July 2012

Document management

Document identification
Document ID: SEC_0.0_GOV
Document title: Protective Security Governance Policy
Release authority: Auditor General

Document history (version, date, description)
- 0, 04 JAN 12: Initial draft (BS)
- JAN 12: Update to align with the PSPF and ISM (stratsec)
- JAN 12: Continued update to address all Governance sections of the PSPF (stratsec)
- FEB 12: Update to include feedback from Ben Sladic (ASA) and Gary Pettigrove (ITSA) (stratsec)
- FEB 12: Update to include feedback from ASA (stratsec)
- FEB 12: Update to improve integration with the ANAO documentation suite (stratsec)
- FEB 12: Update to include feedback from ANAO review of policy documents (stratsec)
- FEB 12: Update to include feedback from ED CMB and edits from Anne Pang (stratsec)
- MAR 12: Update to reflect tighter terminology and link to other documents
- 0.9, MAY 12: Additional feedback post circulation to Security Committee
- 0.10, JUN 12: Final review by ED CMB / ANAO Exec
- JUN 12: Approved by Auditor General
- 2.0, DEC 13: Minor updates relating to development of supplementary guidance for contracted audit firms

Governance Framework 2

References
[1] Australian Government Protective Security Policy Framework (PSPF), 2011
[2] Australian Public Service Code of Conduct
[3] ANAO Risk Management Policy
[4] ANAO Security Committee Charter, January 2011
[5] Australian Government Protective Security Governance Management Guidelines: Australian Government Business Impact Levels, 2011
[6] ANAO Security Plan, 2013
[7] Risk Review, 2013
[8] ANAO ICT Security Policy (SEC_2.0_ICT), 2012
[9] ANAO Physical Security Policy (SEC_3.0_PHY), 2013
[10] ANAO Security Awareness Guidelines (SEC_4.2_PER), 2012
[11] ANAO Incidents Response Guidelines (SEC_4.5_GOV), 2012
[12] Australian Government Investigations Standards
[13] ANAO Business Continuity Management Planning Guidelines, June 2013
[14] ANAO Business Continuity Management Factsheet, 2013
[15] Commonwealth Fraud Control Guidelines, March 2011
[16] ANAO Fraud Control Policy

Table of Contents
- Auditor General's Foreword
- Introduction
  - Purpose
  - Scope and applicability
  - Document relationship
  - Document ownership and update
- Context
  - Overview
  - Security culture
  - Internal factors
  - External factors
  - Legislation
  - Assets
- Protective security governance policy
  - Overview
  - Roles and responsibilities
- The ANAO's approach to protective security
  - Overview
  - Security risk management
  - Security training and awareness
  - Audits, reviews and reporting
  - Security incidents and investigations
  - Business continuity management
  - International security agreements
  - Contracting
  - Fraud control
- Appendix 1: PSPF Mandatory Requirements mapped to Documentation Framework

Auditor General's Foreword

Every person employed or engaged by the ANAO shares responsibility for ensuring that good security practices are employed. The ANAO is committed to protecting its people, information, intellectual property, assets, activities and facilities against misuse, loss, damage, disruption, interference, espionage or unauthorised disclosure. It is critical that we retain the confidence of those who entrust sensitive and classified information to us.

Documentation implements broader Government protective security policy, reflecting the minimum requirements necessary to maintain an acceptable standard for protecting our assets, those in our care and our reputation. Our protective security arrangements maintain, as a minimum, the requirements of the Australian Government Protective Security Policy Framework (PSPF) as approved by the Australian Government and issued by the Attorney General.

I require all managers, particularly SES, to take and demonstrate responsibility for ensuring that the assets and resources under their control receive the appropriate level of protection. In order to do this, managers must familiarise themselves with the principles of security risk management. Managers need to ensure that ANAO personnel, including contractors and consultants, are vigilant in their approach to security and accept that they have a key role to play in maintaining effective security.

Protective security should be a part of our office's culture so that we effectively balance the competing requirements of limiting access to those that have a genuine need to know with ensuring key business partners receive information in an appropriate timeframe ("need to share").

Further advice on protective security can be obtained from the Agency Security Adviser (ASA) on , and for IT security advice, queries should be directed to the Information Technology Security Adviser (ITSA) on .

Ian McPhee
Auditor General

Introduction

Purpose
1. The Australian National Audit Office (ANAO) Protective Security Governance Policy outlines the ANAO's overall protective security documentation, the roles and responsibilities of individuals and ANAO committees, and summarises key elements of the ANAO's approach to protective security.
2. The Protective Security Governance Policy has been developed based on:
- Australian Government best practices;
- the Attorney General's Department's PSPF; and
- ANAO-specific requirements.

Scope and applicability
3. The arrangements outlined in this document apply to all ANAO personnel, information and physical assets.

Document relationship
4. The Governance Policy is the overarching document within our protective security documentation, as shown in Figure 1, ANAO protective security documentation.

Document ownership and update
5. The Agency Security Adviser (ASA) is responsible for the periodic review and maintenance of this policy. The ASA is responsible for reviewing this policy for currency and applicability prior to 31 Jul 2014, or as a result of changes to the PSPF or the ANAO's environment which impact this policy.

[Figure 1: ANAO protective security documentation]

Context

Overview
6. The Australian National Audit Office (ANAO) provides a range of audit and assurance services to the Parliament and public sector entities, with the Australian Parliament as its primary client.
7. ANAO staff, contractors and contractor employees, consultants, and the staff of other Government agencies that work for or on behalf of the ANAO are referred to collectively as ANAO personnel.
8. The ANAO's principal asset is its reputation. If this were tarnished by an incident of note, then it would become difficult for the ANAO to conduct its business. The ANAO's reputation is underpinned by three core abilities:
- the ANAO's ability to protect its information assets from disclosure, compromise or loss;
- the ANAO's ability to provide its services in an accurate and timely manner; and
- the ANAO's ability to remain relevant in its service offerings.

Security culture
9. The ANAO takes a proactive and positive attitude towards protective security. All ANAO personnel share responsibility for ensuring good security practice is employed.
10. Managing security risks proportionately and effectively enables the ANAO to provide the necessary protection of its key assets (our people, property, information and reputation).
11. Protective security is a part of the ANAO culture. The ANAO seeks to effectively balance the competing requirements of limiting access to those that have a genuine need to know with ensuring key business partners receive information in an appropriate timeframe ("need to share").
12. Security is more than a collection of documents outlining policy and procedures. It is a fundamental consideration in every task conducted by ANAO personnel.

Internal factors
13. The Attorney General's Department released the PSPF [1] in July 2010 and has been releasing Security Management Protocols and Guidelines since this date.

14. The Attorney General wrote to Agency Heads in December 2011 informing them of the compliance timelines for implementing policy. Those deadlines were:
- agencies must implement the new policy by 31 July 2012;
- agencies can grandfather existing policy to 31 July 2013; and
- the initial Ministerial report is due in August.
15. The ANAO established a timeline to implement the policy to meet this timeframe. The implementation of the PSPF [1] involves reworking internal policies and procedures in order for personnel to understand the new framework and the ANAO's implementation of it.

External factors
16. The ANAO collects information from external agencies in order to conduct its audit activities.
17. As a result, the ANAO must maintain its reputation to protect the confidentiality, integrity and availability of the information it collects, processes and stores on behalf of its stakeholders.
18. Any significant reputational damage to the ANAO could result in the loss of confidence from its stakeholders.

Legislation
19. The PSPF's [1] mandatory requirements are not legally set down, but are based on legislation relating to protective security and reflect the aims and objectives of the Australian Government.
20. In addition to the mandatory requirements of the PSPF, there are additional protective security requirements relating to the ANAO set out in the Auditor General Act 1997, the Public Service Act 1999 and the APS Code of Conduct [2].
21. The combined effect of section 36 of the Auditor General Act 1997, sections 70 and 79 of the Crimes Act 1914 and section 91.1 of the Criminal Code 1995 is that the unauthorised disclosure of information held by the Australian Government is subject to the sanction of criminal law.
22. Disclosure of official information should only occur if that disclosure is authorised. Authorisation may be granted under the express authority of an agency head, subject to the provisions of the Freedom of Information Act 1982 (the FOI Act) and, in relation to personal information, must be in compliance with the Privacy Act 1988 (the Privacy Act).

Assets
23. The following ANAO assets must be effectively protected through our protective security arrangements:

Table 1: ANAO assets
Asset ID | Description
A1 | Confidentiality of ANAO information
A2 | Integrity of ANAO information
A3 | Availability of ANAO information systems
A4 | ANAO's reputation
A5 | Physical security of ANAO assets
A6 | ANAO staff and contractors

24. The ANAO's principal asset is its reputation. The ANAO's reputation is underpinned by its ability to:
- protect information assets from disclosure, compromise or loss;
- provide audit services in an accurate and timely manner; and
- remain relevant in our service offerings.
25. The term information assets within this policy refers to any form of information, including:
- electronic data;
- the software or information and communication technology (ICT) systems and networks on which the information is stored, processed or communicated;
- printed documents and papers;
- the intellectual information (knowledge) acquired by individuals; and
- physical items from which information regarding design, components or use could be derived.

Protective security governance policy

Overview
26. The Governance Policy ensures that:
- ANAO personnel are provided with sufficient information and security awareness training to allow them to meet the requirements of the PSPF [1];
- policies and procedures are in place that are effective and applicable to the ANAO context; and
- a security plan is in place to manage ANAO risks, and that the security plan is updated in line with changing risks and the ANAO operating environment.
27. The Government is responsible for the protective security of the Commonwealth. Individual Ministers are responsible for securing the operation of their portfolios (the independent statutory office of the Auditor General reports for administrative purposes to the Prime Minister). Within an agency, the Agency Head is responsible for the protection of agency functions, official resources and employees (including contractors).
28. Implementation, management and improvement of the ANAO security framework are the responsibility of the Auditor General as the ANAO Agency Head. The Security Committee has been created to provide advice and assurance to the Auditor General in the discharge of his security responsibilities. Further information on the roles and responsibilities for protective security can be found in the Roles and responsibilities section below.
29. All ANAO personnel are required to adhere to the policies and guidelines outlined in Figure 1, ANAO protective security documentation.

Roles and responsibilities

Auditor General
30. Primary responsibility for the management of ANAO security rests with the Auditor General. A Security Committee has been established to provide independent assurance and assistance to the Auditor General and the Executive Board of Management (EBOM) on the ANAO's security framework.

Security Committee
31. The Security Committee (the Committee) supports the Auditor General to discharge his responsibilities. The Committee has no executive powers, supervisory functions or decision-making authority in relation to the operation of the ANAO; it is an advisory body only.
32. The Committee is directly responsible and accountable to the Auditor General and must report any significant security matter that may impact the operations of the ANAO to the Deputy Auditor General and/or EBOM. The Committee must report to EBOM on its operations and activities during the year (more information can be found in the Security Committee Charter [2]).
33. The Committee includes representatives from the service groups and support branches, who attend each meeting as observers. The following staff with specific responsibilities for protective security comprise the membership of the Committee:

Executive Director Corporate Management Branch (ED CMB)
34. The ED CMB chairs the Security Committee and is responsible for the ongoing development and oversight of the office's protective security policy and practices and for providing guidance to the ASA and ITSA. In addition to formal reporting through the Security Committee, the ED CMB is also responsible for ensuring a security brief is provided as required to each monthly meeting of EBOM.

The Agency Security Adviser (ASA)
35. The ASA reports to the ED CMB and plays an integral role in the ongoing monitoring of the ANAO security procedures and systems. The ASA helps the Executive to analyse the agency's security environment and to plan to counter unacceptable security risks. The ASA also plays a key role in managing the office's personnel security program to ensure ANAO personnel are aware of their security responsibilities and obligations. The Senior Director Governance and External Relations has been appointed to this role.
36. The ASA has an Assistant Agency Security Adviser (A-ASA) to support the discharge of their security responsibilities, in particular the day-to-day management of security. The Operations Manager has been appointed to this role.

The Information Technology Security Adviser (ITSA)
37. The ITSA also reports to the ED CMB and is responsible for advising the Executive on the security measures required to ensure that the information stored, processed or communicated by the ANAO information communications technology (ICT) systems is protected in accordance with the law, Australian Government policies, and the information security requirements detailed in the ANAO Security Plan. The Chief Information Officer has been appointed to this role.

ANAO personnel
38. Security is everyone's responsibility. It follows that all ANAO personnel are held accountable for their actions, and managers are held accountable for the security of their area of responsibility.
39. ANAO personnel need to be aware of the policies and guidelines put in place to ensure that confidence and trust in the Office is maintained and our reputation and standing are upheld. This includes this policy document as well as all supporting policies and guidelines. It also includes completing mandatory annual security and awareness training.
40. The ASA and ITSA work closely together to ensure that security measures taken to protect their respective environments complement and support each other. The ASA, A-ASA and ITSA are always available to assist. However, it is your responsibility to familiarise yourself with the information sources available to you on security and to seek advice in cases of uncertainty.
41. ANAO personnel should familiarise themselves with the Auditor General Instructions, the Guide to Conduct in the ANAO and the ANAO Fraud Control Plan, all of which contain information of relevance to security. For contracted firms, the ANAO has prepared summary guidelines on the key requirements from the ANAO protective security document framework for consideration in addition to this overall governance policy.

The ANAO's approach to protective security

Overview
42. Good protective security governance is about both:
- conformance: how an agency uses protective security arrangements to ensure it meets the obligations of policy and standards and Government's expectations; and
- performance: how an agency uses protective security arrangements to contribute to its overall performance through the secure delivery of goods, services or programmes, as well as ensuring the confidentiality, integrity and availability of its people, information and assets.
43. The ANAO security framework is a holistic approach to protective security which incorporates complementary controls for information, ICT, physical and personnel security. It is based on principles of public sector governance including:
- accountability: being answerable for decisions and having meaningful mechanisms in place to ensure the agency adheres to all applicable protective security standards;
- transparency/openness: having clear roles and responsibilities for protective security functions and clear procedures for making decisions and exercising authority;
- efficiency: ensuring the best use of limited protective security resources to further the aims of the agency, with a commitment to risk-based strategies for improvement; and
- leadership: achieving an agency-wide commitment to good protective security performance through leadership from the top.

Security risk management
44. The ANAO is committed to risk management as an integral part of its planning and operations, focussing on strategies and practices designed to effectively manage the risks to achieving corporate goals and objectives. ANAO protective security arrangements are based on effective security risk management.
45. The ANAO has adopted a formal risk management framework to support this commitment. The ANAO risk management framework is based on the guidance provided by the international risk standard ISO 31000:2009 Risk Management. Further information on the ANAO risk management framework can be found within the ANAO Risk Management Policy [3].
46. The ANAO has a low risk appetite for risks that would result in damaging the ANAO's reputation or other key organisational assets.

Risk assessment and treatment
47. An overarching Protective Security Risk Review (PSRR) [7] is updated at least annually to identify the key threats and risks to the ANAO's ongoing security. Various threat sources are identified and assessed as to their potential to bring harm to the ANAO's assets.
48. The PSRR [7] is completed with reference to the Business Impact Levels (BILs) outlined in the PSPF Australian Government protective security governance guidelines, Business impact levels [5].
49. The PSRR [7] guides the security control selection to support the technical and administrative implementation of security within the ANAO and provides significant input into the ANAO Security Plan [6], which defines the security controls in use at the ANAO and how they are to be implemented.
50. The PSRR is a living document and is updated annually, or in response to changes in the environment in which the ANAO operates, or if a security breach or incident is identified that would indicate a control failure or absence. The ANAO Security Plan [6] is updated at least every 2 years or in response to changes in our protective security risks.
51. The PSRR and ANAO Security Plan [6] are classified as For Official Use Only and cannot be released without the written permission of the ASA.
52. There are also a number of system-related and site-specific risk reviews and security plans in place for key ANAO ICT systems, incidents and the ANAO facility at 19 National Circuit in Barton.

Security training and awareness
53. The effectiveness of ANAO protective security arrangements relies on ANAO personnel being well informed and aware of their responsibilities for security under the PSPF [1].
54. The ASA works closely with the ITSA to ensure that regular, up-to-date security training and awareness programs are developed and delivered to ANAO personnel.
55. The security awareness and training programs include:
- security briefings (at induction, and regularly during the year for all ANAO personnel);

- online electronic access to security documentation;
- online security awareness e-learning modules; and
- security flyers (provided in hard copy to ANAO personnel and available electronically via Audit Central).
56. The ASA and ITSA are also available to provide security advice directly to ANAO personnel on request.
57. Further information can be found in the ANAO Security Awareness Guidelines [10].

Audits, reviews and reporting
58. The Governance Policy and associated policies and guidelines will be reviewed at least every two years, or in response to changes flowing from the Protective Security Risk Review (PSRR) process.
59. The Security Committee is responsible for overseeing the annual security assessment against the PSPF's [1] mandatory requirements (the first report is due in August 2013). The ANAO Security Plan [6] includes complete details on our compliance with the PSPF mandatory requirements.
60. The Security Committee will advise the Auditor General through EBOM on our compliance with the requirements prior to the report being lodged with the Attorney General's Department (and other entities as required by the PSPF [1] mandatory requirement GOV 7). The Chair of the Security Committee is also an observer on the ANAO Audit Committee and will monitor internal audit strategies and programs to ensure adequate coverage of the ANAO security environment.
61. Where the ANAO identifies a situation where the policies in this security framework and supporting guidelines cannot apply, the Auditor General, or delegate, will make a clear, risk-based decision on whether to allow the policy exception.
62. Before granting a policy exception, advice will be sought from the ASA, ITSA, relevant information originators or asset owners and other stakeholders who may be affected by the non-compliance. Any non-compliance will then be included in the annual security assessment against the PSPF's [1] mandatory requirements.

Security incidents and investigations
63. All ANAO personnel are responsible for the security of ANAO assets in their control and must ensure these are properly protected from unauthorised access by adhering to the requirements of the ANAO protective security policies and guidelines.

64. ANAO Security Staff undertake periodic after-hours security checks within ANAO facilities at 19 National Circuit to ensure ANAO personnel are complying with their close-of-business responsibilities. ANAO personnel also have an important role in alerting ANAO Security Staff to instances of suspected intrusion or the occurrence of a security incident. The reporting and investigation of security incidents is an essential element in monitoring and managing the risks to ANAO assets. Additional guidance is contained in the ANAO Personnel Incident Response Guidelines [11]. The ASA has responsibility to determine if a security incident will result in a security breach being issued to ANAO personnel. The ASA will make this determination after taking into account the circumstances and severity of the identified incident.
65. Incidents identified as a result of the after-hours security checks, or the reporting of security incidents more broadly, may fall into either of the following categories:
- Security breaches: the accidental or unintentional failure to observe ANAO security policies and guidelines, e.g. failure to properly secure official information, and unsecured portable and attractive items; and
- Security violations: deliberate actions that lead, or could lead, to the loss, damage, corruption or disclosure of official information and assets, and which result in a formal investigation. Any suspected security violation will be considered as a possible breach of the APS Code of Conduct and may be reported to the Australian Federal Police.
66. ANAO personnel responsible for a security breach will be issued with a breach notice, and Security Staff will advise their Executive Director (or Engagement Manager for contracted firms). ANAO personnel will need to explain the reasons for the breach and the actions taken to ensure it will not reoccur.
67. Personnel who incur three (3) security breaches during their employment or engagement with the ANAO must provide an explanation report to their responsible Group Executive Director, with a copy to the Deputy Auditor General. Personnel who incur more than three (3) security breaches within 12 months may be considered to have breached the APS Code of Conduct and may have their employment or contract terminated.
68. The ASA is responsible for maintaining a register of ANAO security incidents and reported incidents. Aggregated information on security incidents and breaches is reported monthly to EBOM.
69. Where necessary, investigations are conducted by the ASA, ITSA or A-ASA in accordance with the type, size and impact of a security breach. External assistance is sought, as required, to satisfy the Australian Government Investigations Standards [12]. Access logs relating to ANAO personnel entering and exiting 19 National Circuit, as well as CCTV footage of the Zone One General Reception Area, may also be used to assist security investigations.

70. The ASA or ITSA will report:
- incidents suspected of constituting criminal offences to the appropriate law enforcement authority;
- incidents suspected of involving the compromise of information or assets classified at or above CONFIDENTIAL to ASIO;
- major ICT incidents to the Defence Signals Directorate;
- incidents involving the compromise of Cabinet material to the Cabinet Secretariat; and
- to AGSVA for maintenance of security clearances.

Business continuity management
71. Critical services and associated assets need to remain available in order to assure the health, safety, security and economic well-being of Australians, and the effective functioning of government.
72. Business continuity management (BCM) is a part of the ANAO's overall approach to effective risk management.
73. Business continuity planning is a process whereby key risks to ANAO business operations as a result of an emergency are identified and assessed, and controls are identified to enable the ANAO to manage the immediate crisis and restore business operations as soon as possible.
74. The ASA is also responsible for the coordination of the ANAO BCM development and maintenance, including:
- identifying essential services;
- identifying key resource dependencies;
- developing crisis management and business continuity teams;
- developing crisis communications protocols;
- conducting simulated crisis exercises; and
- development and maintenance of contingency arrangements.
75. The ANAO Business Continuity Management Planning Guidelines [13] and associated Fact Sheets [14], which detail the ANAO emergency and crisis management procedures, are available on Audit Central.

International security agreements
76. The ANAO has not entered into any agreements to share protectively marked information with international organisations, or with those that handle another country's protectively marked information on their behalf.

Contracting
77. The ANAO protective security policies and procedures are also applicable to private sector organisations and individuals who have ongoing access to ANAO assets. The ANAO will provide access to training and awareness materials and conduct information sessions for contractors as part of its overall training and awareness strategy. This includes the development of specific guidelines for contracted firms delivering audit services on behalf of the ANAO, which are updated annually and made available, along with this policy, on the ANAO extranet.
78. The ANAO will specify protective security requirements in the terms and conditions of any contractual documentation.
79. The ANAO will obtain independent assurance as required to verify that the contracted service provider complies with the terms and conditions of any contractual documentation.

Fraud control
80. Fraud control measures are part of the risk management process. The Commonwealth Fraud Control Guidelines [15] outline the principles of fraud control within the Commonwealth and set national minimum standards to help agencies carry out their responsibilities to combat fraud against their programs.
81. The Auditor General has delegated responsibility for fraud control management to the ED CMB, who works with the Chief Finance Officer (CFO) to manage the fraud control plan and fraud risk assessment process.
82. Further information can be found in the ANAO Fraud Control Policy [16].

Appendix 1: PSPF Mandatory Requirements mapped to Documentation Framework

The following table references each of the PSPF mandatory requirements to relevant ANAO protective security documentation or supporting policy (with detailed compliance mapping against the PSPF mandatory requirements included as an annex to the ANAO Security Plan):

GOV 1
Requirement: Agencies must provide all staff, including contractors, with sufficient information and security awareness training to ensure they are aware of, and meet the requirements of, this Framework.
ANAO reference: this document; ANAO Security Awareness Process (SEC_4.2_PER)

GOV 2
Requirement: To fulfil their security obligations, agencies must appoint:
- a member of the Senior Executive Service as the security executive, responsible for the agency protective security policy and oversight of protective security practices;
- an agency security adviser (ASA) responsible for the day-to-day performance of protective security functions; and
- an information technology security adviser (ITSA) to advise senior management on the security of the agency's Information Communications Technology (ICT) systems.
ANAO reference: this document, Roles and responsibilities

GOV 3
Requirement: Agencies must ensure that the agency security adviser (ASA) and information technology security adviser (ITSA) have detailed knowledge of agency-specific protective security policy, protocols and mandatory protective security requirements in order to fulfil their protective security responsibilities.
ANAO reference: this document, Roles and responsibilities

GOV 4
Requirement: Agencies must prepare a security plan to manage their security risks. The security plan must be updated or revised every two years or sooner when changes in risks and the agency's operating environment dictate.
ANAO reference: ANAO Risk Management Plan; this document, Security risk management

GOV 5
Requirement: Agencies must develop their own set of protective security policies and procedures to meet their specific business needs.
ANAO reference: Governance Policy and associated security policies

GOV 6
Requirement: Agencies must adopt a risk management approach to cover all areas of protective security activity across their organisation, in accordance with the Australian Standard for Risk Management AS/NZS ISO 31000:2009 and the Australian Standards HB 167:2006 Security risk management.
ANAO reference: ANAO Fraud Control Plan; ANAO Risk Management Policy; ANAO Business Continuity Management Plan

GOV 7
Requirement: For internal audit and reporting, agencies must:
- undertake an annual security assessment against the mandatory requirements detailed within this Framework, and
- report their compliance with the mandatory requirements to the relevant portfolio Minister.
The report must:
- contain a declaration of compliance by the agency head, and
- state any areas of non-compliance, including details on measures taken to lessen identified risks.
In addition to their portfolio Minister, agencies must send a copy of their annual report on compliance with the mandatory requirements to:
- the Secretary, Attorney General's Department, and
- the Auditor General.
Agencies must also advise any non-compliance with mandatory requirements to:
- the Director, Defence Signals Directorate, for matters relating to the Australian Government ICT Security Manual (ISM);
- the Director General, Australian Security Intelligence Organisation, for matters relating to national security; and
- the heads of any agencies whose people, information or assets may be affected by the non-compliance.
ANAO reference: this document, Audits, reviews and reporting

GOV 8
Requirement: Agencies must ensure investigators are appropriately trained and have in place procedures for reporting and investigating security incidents and taking corrective action, in accordance with the provisions of:
- Australian Government Guidelines on Security Incidents and Investigations, and/or
- the Australian Government Investigations Standards.
ANAO reference: ANAO Security Incident Response Plan (SEC_4.5_PER); this document, Security incidents and investigations

GOV 9
Requirement: Agencies must give all employees, including contractors, guidance on sections 70 and 79 of the Crimes Act 1914, section 91.1 of the Criminal Code 1995, the Freedom of Information Act 1982 and the Information Privacy Principles contained in the Privacy Act 1988, including how this legislation relates to their role.
ANAO reference: this document, Legislation; ANAO Security Awareness Process (SEC_4.2_PER)

GOV 10
Requirement: Agencies must adhere to any provisions concerning the security of people, information and assets contained in multilateral or bilateral agreements and arrangements to which Australia is a party.
ANAO reference: this document, International security agreements

GOV 11
Requirement: Agencies must establish a business continuity management (BCM) program to provide for the continued availability of critical services and assets, and of other services and assets when warranted by a threat and risk assessment.
ANAO reference: this document, Business continuity management; ANAO Business Continuity Management Planning Guidelines; ANAO Business Continuity Management Factsheet

GOV 12
Requirement: Agencies must ensure the contracted service provider complies with the requirements of this policy and any protective security protocols.
ANAO reference: this document, Contracting

PERSEC 1
Requirement: Agencies must ensure that Australian Government employees, contractors and temporary staff who require ongoing access to Australian Government information and resources:
- are eligible to have access;
- have had their identity established;
- are suitable to have access; and
- are willing to comply with the Government's policies, standards, protocols and guidelines that safeguard that agency's resources (people, information and assets) from harm.
Access to higher levels of classified resources is dependent upon the granting of the requisite security clearance.
ANAO reference: this document; ANAO Personnel Security Policy (SEC_4.0_PER); ANAO Security Vetting Guidelines (SEC_4.1_PER); ANAO Security Awareness Guidelines (SEC_4.2_PER)

PERSEC 2
Requirement: Agencies must, as part of their risk management approach to protective security, identify designated security assessed positions (DSAPs) within their organisation that require access to CONFIDENTIAL, SECRET and TOP SECRET assets and information. Agencies must ensure that security vetting is only applied where it
ANAO reference: ANAO Personnel Security Policy (SEC_4.0_PER)

24 is necessary. PERSEC 3 Agencies must maintain a DSAP register. ANAO Personnel Security Policy (SEC_4.0_PER) PERSEC 4 PERSEC 5 PERSEC 6 INFOSEC 1 INFOSEC 2 Security clearances must be sponsored by an Australian government agency. Security clearances are not available on demand or on a speculative basis. All Government agencies must follow the Australian Government Personnel Security Protocol for personnel security as contained in supplementary material within the Protective Security Policy Framework. Only the Australian Government Security Vetting Agency and exempt agencies can grant, continue, deny, revoke or vary a security clearance. Exempt agencies can only issue clearances for their own agency. Agencies must have in place personnel security aftercare arrangements, including the requirement for individuals holding security clearances to advise the AGSVA or the relevant exempt agency of any significant change in personal circumstance that may impact on their continuing suitability to access security classified resources. Agency heads must provide clear direction on information security through the development and implementation of an agency information security policy and an agency information security plan. Each agency must establish a framework to provide direction and coordinated management of information security. Frameworks must be appropriate to the level of security risks to the agency s information environment. ANAO Personnel Security Policy (SEC_4.0_PER) ANAO Personnel Security Policy (SEC_4.0_PER) ANAO Personnel Security Policy (SEC_4.0_PER) ANAO Security Awareness Guidelines (SEC_4.2_PER) document) ANAO Information Security Policy (SEC_1.0_INF) ANAO ICT Security Policy (SEC_2.0_ICT) document) ANAO Information Security Policy (SEC_1.0_INF) Governance Framework 24

25 INFOSEC 3 INFOSEC 4 Agencies must implement policies and procedures for the security classification and protective control of information assets (in electronic and paper based formats) which match their value, importance and sensitivity. Agencies must document and implement operational procedures and measures to ensure information, ICT systems and network tasks are managed securely and consistently, in accordance with the level of required security. ANAO ICT Security Policy (SEC_2.0_ICT) ANAO Information Security Policy (SEC_1.0_INF) ANAO ICT Security Policy (SEC_2.0_ICT) ANAO Information Classification & Handling Guidelines (SEC_1.1_INF) ANAO Data Transfer Storage & Disposal Guidelines (SEC_2.3_ICT) ANAO Information Security Policy (SEC_1.0_INF) ANAO ICT Security Policy (SEC_2.0_ICT) INFOSEC 5 Agencies must have in place control measures based on business owner requirements and assessed/accepted risks for controlling access to all information, ICT systems, networks (including remote access), infrastructures and applications. Agency access control rules must be consistent with agency business requirements and information classification as well as legal obligations. ANAO Information Security Policy (SEC_1.0_INF) ANAO ICT Security Policy (SEC_2.0_ICT) ANAO Identity & Access Management Guidelines(SEC_2.2_ICT) Governance Framework 25

26 INFOSEC 6 INFOSEC 7 Agencies must have in place security measures during all stages of ICT system development, as well as when new ICT systems are implemented into the operational environment. Such measures must match the assessed security risk of the information holdings contained within, or passing across, ICT networks infrastructures and applications. Agencies must ensure that agency information security measures for all information processes, ICT systems and infrastructure adhere to any legislative or regulatory obligations under which the agency operates. ANAO Information Security Policy (SEC_1.0_INF) ANAO ICT Security Policy (SEC_2.0_ICT) ANAO Information Security Policy (SEC_1.0_INF) ANAO ICT Security Policy (SEC_2.0_ICT) PHYSEC 1 PHYSEC 2 PHYSEC 3 Agency heads must provide clear direction on physical security through the development and implementation of an agency physical security policy and an agency physical security plan. Agencies must have in place policies and procedures to: identify, protect and support employees under threat of violence, based on a threat and risk assessment of specific situations. In certain cases, agencies may have to extend protection and support to family members and others report incidents to management, human resources, security and law enforcement authorities, as appropriate provide information, training and counselling to employees, and maintain thorough records and statements on reported incidents. Agencies must ensure they fully integrate protective security early in the process of planning, selecting, designing and modifying their facilities. document) ANAO Physical Security Policy (SEC_3.0_PHY) document) ANAO Physical Security Policy (SEC_3.0_PHY) ANAO Physical Security Policy (SEC_3.0_PHY) Governance Framework 26

27 PHYSEC 4 PHYSEC 5 PHYSEC 6 PHYSEC 7 Agencies must ensure that any proposed physical security measure or activity does not breach relevant employer occupational health and safety obligations. Agencies must show a duty of care for the physical safety of those members of the public interacting directly with the Australian Government. Where an agency s function involves providing services, the agency must ensure that clients can transact with the Australian Government with confidence about their physical well being. Agencies must implement a level of physical security measures that minimises or removes the risk of ICT equipment and information being made inoperable or inaccessible, or being accessed, used or removed without appropriate authorisation. Agencies must develop plans and procedures to move up to heightened security levels in case of emergency and increased threat. The Australian Government may direct its agencies to implement heightened security levels. ANAO Physical Security Policy (SEC_3.0_PHY) ANAO Physical Security Policy (SEC_3.0_PHY) ANAO Physical Security Policy (SEC_3.0_PHY) ANAO Physical Security Policy (SEC_3.0_PHY) END OF DOCUMENT Governance Framework 27


More information

INFORMATION SECURITY MANAGEMENT SYSTEM. Version 1c

INFORMATION SECURITY MANAGEMENT SYSTEM. Version 1c INFORMATION SECURITY MANAGEMENT SYSTEM Version 1c Revised April 2011 CONTENTS Introduction... 5 1 Security Policy... 7 1.1 Information Security Policy... 7 1.2 Scope 2 Security Organisation... 8 2.1 Information

More information

Guide to the National Safety and Quality Health Service Standards for health service organisation boards

Guide to the National Safety and Quality Health Service Standards for health service organisation boards Guide to the National Safety and Quality Health Service Standards for health service organisation boards April 2015 ISBN Print: 978-1-925224-10-8 Electronic: 978-1-925224-11-5 Suggested citation: Australian

More information

Physical security management guidelines

Physical security management guidelines Physical security management guidelines Event security Approved 13 December 2011 Version 1.0 i Commonwealth of Australia 2011 All material presented in this publication is provided under a Creative Commons

More information

Corporate Information Security Management Policy

Corporate Information Security Management Policy Corporate Information Security Management Policy Signed: Chief Executive. 1. Definition of Information Security 1.1. Information security means safeguarding information from unauthorised access or modification

More information

How To Ensure Network Security

How To Ensure Network Security NETWORK SECURITY POLICY Policy approved by: Assurance Committee Date: 3 December 2014 Next Review Date: December 2016 Version: 1.0 Page 1 of 12 Review and Amendment Log/Control Sheet Responsible Officer:

More information

Rotherham CCG Network Security Policy V2.0

Rotherham CCG Network Security Policy V2.0 Title: Rotherham CCG Network Security Policy V2.0 Reference No: Owner: Author: Andrew Clayton - Head of IT Robin Carlisle Deputy - Chief Officer D Stowe ICT Security Manager First Issued On: 17 th October

More information

Risk Management Policy and Framework

Risk Management Policy and Framework Risk Management Policy and Framework December 2014 phone 1300 360 605 08 89589500 email info@centraldesert.nt.gov.au location 1Bagot Street Alice Springs NT 0870 post PO Box 2257 Alice Springs NT 0871

More information

Information Security Management System (ISMS) Policy

Information Security Management System (ISMS) Policy Information Security Management System (ISMS) Policy April 2015 Version 1.0 Version History Version Date Detail Author 0.1 18/02/2015 First draft Andy Turton 0.2 20/02/2015 Updated following feedback from

More information

University of Liverpool

University of Liverpool University of Liverpool Information Security Policy Reference Number Title CSD-003 Information Security Policy Version Number 3.0 Document Status Document Classification Active Open Effective Date 01 October

More information

NHS HDL (2006)41 abcdefghijklm. = eé~äíü=aéé~êíãéåí= = aáêéåíçê~íé=çñ=mêáã~êó=`~êé=~åç=`çããìåáíó=`~êé

NHS HDL (2006)41 abcdefghijklm. = eé~äíü=aéé~êíãéåí= = aáêéåíçê~íé=çñ=mêáã~êó=`~êé=~åç=`çããìåáíó=`~êé NHS HDL (2006)41 abcdefghijklm = eé~äíü=aéé~êíãéåí= = aáêéåíçê~íé=çñ=mêáã~êó=`~êé=~åç=`çããìåáíó=`~êé Dear Colleague NHSSCOTLAND INFORMATION SECURITY POLICY Summary 1. NHSScotland IT Security Policy was

More information

Service Children s Education

Service Children s Education Service Children s Education Data Handling and Security Information Security Audit Issued January 2009 2009 - An Agency of the Ministry of Defence Information Security Audit 2 Information handling and

More information

Corporate Affairs Overview and Scrutiny Committee

Corporate Affairs Overview and Scrutiny Committee Agenda item: 4 Committee: Corporate Affairs Overview and Scrutiny Committee Date of meeting: 29 January 2009 Subject: Lead Officer: Portfolio Holder: Link to Council Priorities: Exempt information: Delegated

More information

Data Protection Policy

Data Protection Policy Data Protection Policy Responsible Officer Author Date effective from July 2009 Ben Bennett, Business Planning & Resources Director Julian Lewis, Governance Manager Date last amended December 2012 Review

More information

FINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information

FINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information FINAL May 2005 Guideline on Security Systems for Safeguarding Customer Information Table of Contents 1 Introduction 1 1.1 Purpose of Guideline 1 2 Definitions 2 3 Internal Controls and Procedures 2 3.1

More information

Protective security governance guidelines

Protective security governance guidelines Protective security governance guidelines Security awareness training Version 1.0 Approved September 2010 Contents Introduction... 1 Who gets of security awareness training/briefings?... 2 Security awareness

More information

Audit of Business Continuity Planning

Audit of Business Continuity Planning Cumbria Office of the Police & Crime Commissioner Audit of Business Continuity Planning 0 Cumbria Shared Internal Audit Service Images courtesy of Carlisle City Council except: Parks (Chinese Gardens),

More information

Information security controls. Briefing for clients on Experian information security controls

Information security controls. Briefing for clients on Experian information security controls Information security controls Briefing for clients on Experian information security controls Introduction Security sits at the core of Experian s operations. The vast majority of modern organisations face

More information

Information Governance Policy

Information Governance Policy Information Governance Policy Implementation date: 30 September 2014 Control schedule Approved by Corporate Policy and Strategy Committee Approval date 30 September 2014 Senior Responsible Officer Kirsty-Louise

More information

Lancashire County Council Information Governance Framework

Lancashire County Council Information Governance Framework Appendix 'A' Lancashire County Council Information Governance Framework Introduction Information Governance provides a framework for bringing together all of the requirements, standards and best practice

More information

Information System Audit Guide

Information System Audit Guide Australian Government Department of Defence Information System Audit Guide VERSION 11.1 January 2012 Commonwealth of Australia 2011 Page 1 TABLE OF CONTENTS 1. INTRODUCTION TO ACCREDITATION...4 2. THE

More information

Senate. SEN15-P17 11 March 2015. Paper Title: Enhancing Information Governance at Loughborough University

Senate. SEN15-P17 11 March 2015. Paper Title: Enhancing Information Governance at Loughborough University SEN15-P17 11 March 2015 Senate Paper Title: Enhancing Information Governance at Loughborough University Author: Information Technology & Governance Committee 1. Specific Decision Required by Committee

More information

Auditing data protection a guide to ICO data protection audits

Auditing data protection a guide to ICO data protection audits Auditing data protection a guide to ICO data protection audits Contents Executive summary 3 1. Audit programme development 5 Audit planning and risk assessment 2. Audit approach 6 Gathering evidence Audit

More information

RISK MANAGEMENT FRAMEWORK

RISK MANAGEMENT FRAMEWORK RISK MANAGEMENT FRAMEWORK DOCUMENT INFORMATION DOCUMENT TYPE: DOCUMENT STATUS: POLICY OWNER POSITION: INTERNAL COMMITTEE ENDORSEMENT: APPROVED BY: Strategic document Approved Manager Organisational Development

More information

Information Governance Strategy. Version No 2.1

Information Governance Strategy. Version No 2.1 Livewell Southwest Information Governance Strategy Version No 2.1 Notice to staff using a paper copy of this guidance. The policies and procedures page of LSW Intranet holds the most recent version of

More information

STFC Monitoring and Interception policy for Information & Communications Technology Systems and Services

STFC Monitoring and Interception policy for Information & Communications Technology Systems and Services STFC Monitoring and Interception policy for Information & Communications Technology Systems and Services Issue 1.0 (Effective 27 June 2012) This document contains a copy of the STFC policy statements outlining

More information

HMG Security Policy Framework

HMG Security Policy Framework HMG Security Policy Framework Version 11.0 October 2013 Contents Introduction... 4 Government Security Responsibilities... 4 Role of the Centre... 5 Policy Context... 7 Critical National Infrastructure

More information