Feds replace outdated security manual

By Mike Rothery*

A new protective security policy has arrived, bringing with it major changes to the business of Australian Government agencies.

On 1 August, the new Protective Security Policy Framework, known as the PSPF, replaced the old Commonwealth Government Protective Security Manual (PSM); it provides guidance on securing information, physical assets and people.

Protective security is a key enabler for government business. Whether it is protecting the privacy of citizens, preventing the theft of assets, ensuring the safety of workers or making sure critical data is available when it is needed, the new PSPF aims to help agencies get their job done. A key driver for the change was a review of the old PSM by the Attorney-General’s Department, which found that the PSM was ‘compliance driven’ and lacked flexibility, impeding the ability of many agencies to effectively conduct daily business and deliver services.

Whilst effective in protecting national security information, the old PSM did not allow for sufficient flexibility in handling unclassified but sensitive material, such as commercial and personal information.

The new PSPF seeks to deal with these limitations, as well as new challenges posed by information technology. The new policy considers the additional risks from the aggregation of data, in addition to the classification of the individual pieces of information. An aggregation of information may require a higher level of protection than its component parts.

For example, where the harm caused by the unauthorised access of an individual piece of unclassified information might be minor, the harm caused by the unauthorised access to a complete library of information at that same classification level may be significantly higher. This consideration is particularly important given developments in technology enabling vast amounts of information to be stored in the one place.

Consider the huge amounts of data that can be stored on small devices such as USB sticks, for example.

For this reason, the PSPF includes an Australian Government information security management guideline on aggregated information.

In keeping with the move from hard copy to electronic storage, the guideline relates specifically to the security of electronic aggregations of Australian Government information.

One of the most noticeable changes to the policy is a new security classification system. The old systems of separate classifications for national security and non-national security information have been replaced; the new policy has a simplified single classification structure.

The classifications of Restricted and Highly Protected have been abolished to leave a single structure of Protected, Confidential, Secret and Top Secret. This change will assist agencies in conducting their day-to-day business by allowing greater interoperability across government and facilitating both information sharing and information protection.

In place of the term ‘in-confidence’, new dissemination limiting markers have been introduced for use by agencies to restrict the availability of official information where disclosure is limited or prohibited by legislation, or requires special handling. This is particularly useful for information covered by the privacy principles.

In addition to changes to information security, the PSPF initiates important broader changes to protective security, including reforms to personnel security, physical security and governance arrangements.

The biggest change in policy is the move from a compliance-based approach to one that is risk-based. This marks a significant departure from the ‘one size fits all’ nature of the PSM, and allows agencies the latitude to find the most efficient controls that suit their business.

While the PSPF specifies controls for the handling of classified information, it recognises that the bulk of sensitive information held by government relates to the private sector and the personal information of citizens. With a growing demand for the online delivery of government services, the new policy allows agencies to determine their own controls for the unclassified information they hold, including when using the Internet for service delivery.

The PSPF is engineered to be flexible, so that individual agencies can use it to develop and implement policies and practices that suit their needs while maintaining minimum requirements to protect their most sensitive information.

By actively managing risk, agencies will be able to use the Internet to engage directly with clients, while at the same time protecting their networks and preventing unauthorised access to data libraries.

In addition to the intrinsic sensitivity of information, agencies are now required to consider the full range of negative consequences from a security breach.

These are described in new Business Impact Levels or BILs. These cover such issues as damage to reputation, risk of litigation and the loss of trust with customers or partners. The BILs have been established to guide agencies in the development of their own risk management policies and procedures.

As security vetting assessments of staff are a snapshot in time, the new policy for personnel security emphasises the importance of ‘aftercare’ or whole-of-career considerations. The policy also supports the centralisation of the security clearance process in the Australian Government Security Vetting Agency.

The physical security policy remains largely unchanged as a result of the PSPF, with the exception of new advice on protecting culturally significant and valuable assets, achieving security for diverse worksites and incorporating physical security into disaster management.

The PSPF includes core public sector governance principles to support a proactive security culture across agencies. Governance arrangements aim to ensure that agencies adhere to applicable protective security standards, have clear roles and responsibilities for protective security functions and decision making, and make the best use of limited protective security resources.

Executive level leadership is integral to achieving agency-wide commitment to good protective security performance. An important element is the new requirement for agency heads to make an annual statement of compliance against the core security requirements to the relevant portfolio Minister.

Some State and Territory governments have expressed interest in applying selected parts of the PSPF in their jurisdictions. Discussions between the Commonwealth and State and Territory governments on these opportunities are continuing.

To assist agencies in implementing the new policy, the PSPF and its supporting guidelines are now publicly available on a dedicated protective security policy website at www.protectivesecurity.gov.au. Here you will find all the guidance material required to implement the PSPF at agency level. The Protective Security Policy team at the Attorney-General’s Department is also available to assist with protective security policy advice and can be contacted at pspf@ag.gov.au.

With the PSPF in force since August, agencies are now in the transition stage, leading to full implementation by 31 July 2013.

*Mike Rothery is First Assistant Secretary at the Attorney-General’s Department’s National Security Resilience Policy Division.
