UNCLASSIFIED UNCONTROLLED-IF-PRINTED. Public

Defence Security Manual
DSM Part 2:5 Security Awareness and Training
Version 4
Publication date July 2015
Amendment list 17
Optimised for Screen; Print; Screen Reader
Releasable to

Compliance Requirements

Defence personnel are, and external service providers subject to the terms and conditions of their contract may be, bound by security policy contained in the DSM and the Information Security Manual (ISM). Failure to comply with the mandatory requirements of the DSM and ISM may result in action under the relevant contract provision or legislation including, but not limited to, the Defence Force Discipline Act 1982, the Service Act 1999 and the Crimes Act 1914.

Mandatory requirements in the DSM and ISM are identified through the use of the terms must / must not and should / should not. Compliance with these requirements is mandatory unless the appropriate authority, if applicable, has considered the justification for non-compliance and accepted the associated risk through the granting of a dispensation.

The terms recommend and may are used to denote a sensible security practice; non-compliance with such a practice need not be approved or documented.

Note: Non-compliance with a sensible security practice ought to be informed by sound risk management principles.

The DSM compliance regime, including the authority to approve non-compliance with mandatory requirements, the use of dispensation indicators and how to apply for a dispensation, is detailed in DSM Part 2:1 Dispensations.

Copyright

Copyright Commonwealth of Australia 2010. This work is copyright. Apart from any use as permitted under the Copyright Act 1968, no part may be reproduced by any process without prior written permission from the Department of Defence. Requests and inquiries concerning reproduction and rights should be addressed to Defence Publishing Services, Department of Defence.

Introduction

1. A strong security culture, supported by a high level of security awareness and training, is a critical element of effective protective security.

2. The purpose of Defence Security Manual (DSM) Part 2:5 is to inform Defence personnel and external service providers of the security training and awareness regime in place in Defence.

Policy

3. Defence personnel and external service providers are to be made aware of security threats, the protective security measures to counter these threats, and their responsibilities. Where required, they are to receive security training for the effective conduct of security roles and functions.

Mandatory Security Awareness Process

4. Defence personnel and external service providers must complete:
   a. a security awareness briefing on appointment;
   b. a security awareness brief annually thereafter, in accordance with Defence mandatory training requirements; and
   Note: The mandatory security awareness compliance responsibility can be met by completion of the national component via the Defence Security and Vetting Service (DS&VS) security awareness on CAMPUS or the DS&VS approved PowerPoint presentation.
   c. either the national or local component (or both) of a security awareness program:
      (1) in response to any potential or actual threat identified or realised; and
      (2) at any other time as directed by command/management or under contractual arrangements.

Security Awareness Program

5. A security awareness program is to contain:
   a. a national component, endorsed by DS&VS; and
   b. a local component contextualised for a specific unit, base or establishment (if required).

6. The national component of a security awareness program, developed or endorsed by DS&VS, should include:
   a. an overview of security and its importance to Defence;
   b. national threats to security;
   c. principles that lead to an improved security posture;
   d. the framework of security policy and instructions within Defence; and
   e. individual security responsibilities.

7. The local component of the awareness program, developed by the relevant commander or manager, should include:
   a. current local threats;
   b. risks associated with the identified threats;
   c. the ways in which Defence policy, standards, procedures and other controls are implemented to mitigate risks; and
   d. specific security issues and controls relating to a base, unit or facility including, but not limited to:
      (1) the level and quantity of security classified information kept and basic instructions for its handling;
      (2) numbers, types and trends of security incidents;
      (3) problems, experiences and recommendations of commanders, managers, personnel, external service providers and security staff;
      (4) the degree to which employees understand and accept existing security policies and procedures;
      (5) security performance to date; and
      (6) locally-specific standing orders and standard operating procedures (SOP).

8. DS&VS does not conduct face-to-face security awareness programs, as these are a unit responsibility. However, assistance with security awareness and training programs, in particular the provision of material or specialist speakers, can, when necessary, be organised through DS&VS or the Service Security Authorities (SSA).

Training for specialist security roles

9. Before undergoing training for, and before appointment to, a specialist security role, Defence personnel and external service providers must:
   a. complete the DS&VS Classified Document Handling Course; or
   b. have existing competency or proficiency recognised by DS&VS.

10. In order to perform the specialist security roles of Security Officer, Information Systems Security Liaison Officer (ISSLO) or Information Systems Security Officer (ISSO), Defence personnel and external service providers must:
   a. complete training that is particular to the role and endorsed by DS&VS; or
   b. have existing competency or proficiency recognised by DS&VS.

11. Certification authorities and accreditation authorities must attain proficiency as approved by DS&VS.

12. SSA should use training courses developed or approved by DS&VS (these are a combination of competency-based and proficiency-based courses).

13. Defence personnel and external service providers in specialist security roles should undertake specialist security training as shown in Table 2:5-1.

Table 2:5-1: Specialist Security Training

Course                           Timing
Security officer                 On appointment to the role.
ISSLO                            On appointment to the role. This course is a prerequisite for the ISSO course.
ISSO                             On appointment to the role. Officers are advised to complete this course prior to undertaking ICT security certification training.
ICT security certification       Before appointment to the role.
Physical security certification  Before appointment to the role.
Accreditation                    Before appointment to the role.

Roles and Responsibilities

First Assistant Secretary Security and Vetting Service

14. FAS S&VS is responsible for:
   a. establishing security skilling requirements for Defence and Defence industry;
   b. developing protective security awareness and training policies and standards for Defence;
   c. developing national components of security awareness programs and training material to be used by Defence and Defence industry;
   d. conducting training for security functions for non-service Groups, joint units and Defence industry;
   e. conducting training for specialist security roles in Defence (except for security officer training to the Services); and
   f. enabling electronic delivery of training for specialist ICT security roles for use by the Groups and Services.

Group Heads and Service Chiefs

15. Group Heads and Service Chiefs are responsible for ensuring that their staff undertake adequate security awareness and training programs to:
   a. be made aware of security threats and appropriate protective security measures to counter the threats;
   b. understand their security responsibilities; and

   c. equip those with security roles and functions with the knowledge, skills and competencies to be effective in the role or function.

16. Service Chiefs are responsible for ensuring that their Service conducts:
   a. security awareness programs, including the DS&VS-developed or endorsed national components; and
   b. training for security functions.

Service Security Authorities

17. SSA are responsible for conducting security awareness and training programs, including the DS&VS-developed or endorsed national components, to single Service units.

Commanders and Managers

18. Commanders and managers are responsible for:
   a. making appropriate security awareness and training programs available to all Defence personnel and external service providers;
   b. ensuring that Defence personnel or external service providers with access to official resources understand and accept their security responsibilities;
   c. ensuring that any unit-specific security awareness material (eg, a unit-specific risk profile) complements and supports standard security awareness and training programs developed by DS&VS and SSA;
   d. ensuring that appropriate security awareness and training records are maintained in the relevant Security Register;
   e. supporting Defence personnel and external service providers in their efforts to implement effective workplace security practices;
   f. identifying any need for, and organising the conduct of, training for security functions or specialist security roles by either DS&VS or SSA;
   g. ensuring the adequate distribution and presentation of security awareness products and notices (eg, posters);
   h. ensuring that Defence personnel and external service providers are provided with a security awareness debrief on departure from a unit or facility, or disengagement from Defence; and
   i. ensuring, where appropriate, that follow-up security awareness and training is conducted to prevent recurrence of security incidents.

19. Commanders and managers are responsible for leading by example. They can generate sound security awareness by influencing staff behaviour through their own actions.

Supervisors

20. Supervisors are responsible for ensuring that mandatory security awareness and training programs are incorporated into staff performance agreements.

Security Officers

21. Security officers are responsible for assisting their commander or manager to undertake their security management responsibilities.

22. ISSO and ISSLO are also responsible for facilitating awareness of ICT security threats and associated security responsibilities for staff.

Defence Personnel and External Service Providers

23. Defence personnel and external service providers are responsible for participating in:
   a. mandatory security awareness and training programs; and
   b. a security awareness debrief on departure from a unit or facility, or disengagement from Defence.

Key Definitions

24. Security awareness. The state of being aware of the security threats and risks that exist, the protective security measures in place to counter them, and the individual's security responsibilities.

25. Security training. The structured preparation for the performance of security roles and tasks.

26. Skilling. The development of workplace skills, especially through specific training programs.

27. Proficiency. A training, learning or experiential outcome achieved by an individual which is essential to satisfy a specified workplace requirement associated with an established position.

28. Competency. The successful completion of formal recognition or assessment against nationally recognised vocational training packages. Attainment of specific competencies may result in the awarding of a nationally recognised qualification.

29. Security functions. Functions that have a significant security component and require formal training.

30. Specialist security roles. The roles of security officer, Information Systems Security Liaison Officer (ISSLO), Information Systems Security Officer (ISSO), certification authority, and accreditation authority.

Further Definitions

31. Further definitions for common DSM terms can be found in the Glossary.

Annexes and Attachments

N/A. This part currently has no annexes or attachments.