The Australian Government’s Protective Security Policy Framework (PSPF)
If you are part of an Australian Government agency your agency needs to be compliant with the mandatory requirements of the PSPF.
Your CEO needs to report to the portfolio minister at the end of this financial year about whether the agency meets the requirements, including ASD’s top four (more about that later). The report is also copied to the Auditor-General and the Secretary of the Attorney-General’s Department. If there are gaps, it is also made available to DSD and ASIO.
Many state and territory agencies are also adopting the PSPF. If this is you, the reporting requirements will be different, but the work to become compliant is the same.
As agencies become more sophisticated, they will require similar standards of organisations that they are dependent on. Service providers for government will need to become PSPF aware to win contracts and tenders.
We can help your agency work out what it needs to do to comply because we wrote the PSPF.
Alex Webling was the Head of Protective Security in the Attorney-General’s Department and was responsible for bringing about this major change in the way that the Australian Government does security. He understands how the PSPF is meant to be implemented and can help your organisation undertake a pain free adoption!
We’re here to help. Since 2012, we’ve been helping agencies including Australian Intelligence Community members to assess their compliance with the PSPF. Contact us on telephone 02 61002412 we’re always happy for a chat.
Why did the government change from the PSM to the PSPF?
The PSM was based on a compliance model. If an agency was compliant with the PSM, it was ok. The problem was that there were increasing numbers of agencies which were compliant but not secure.
The PSM, which was originally designed as a base defence manual in the 1960s was not fit for the purpose of protecting the diverse range of government service agencies in an information rich 21st Century environment. The PSM did not allow for sufficient flexibility in handling unclassified but sensitive material, such as commercial and private information. It also didn’t recognise how some agencies need to work to engage with their clientele.
Our work on the PSPF changed the game. It requires agency heads to take a risk managed perspective to their security because they are the risk owners. This is the same approach to that taken in the financial management of agencies.
The PSPF also addresses new challenges posed by information technology and importantly additional risks from the aggregation of data. It allows more flexibility in how organisations develop their protective security, but at the same time puts more responsibility on agency heads to get it right.
Only some agencies need to do this don’t they?
At the moment yes it is mostly FMA act agencies and those that have traditionally complied with the PSM
The PSPF website states that the policy is applicable to agencies subject to the
- Financial Management and Accountability Act 1997 (FMA Act) ; and / or
- Commonwealth Authorities and Companies Act 1997 (CAC Act) and have received a ministerial direction to apply the general policies of the Australian Government.
BUT that is changing. The government has indicated that it is likely to issue a General Policy Order which will enforce compliance for all CAC Act agencies.
The Australian Government is also requiring its agencies to ensure that stakeholders accessing national security classified information apply the PSPF. This includes state/ territory government agencies such as police and premiers’ departments.
Tiers of the PSPF
There are four tiers of the PSPF which are well illustrated below.
1. Directive on the Security of Government Business.
The directive is issued by the Attorney-General on behalf of the Executive Government. The current directive was released by the then Attorney-General Nicola Roxon MP in June 2012. The directive requires agency heads to identify their level of risk tolerance, meet the mandatory requirements of the PSPF, and develop an appropriate security culture to ensure the agency meets these requirements.
2 Governance arrangements / core policies / mandatory requirements
The second tier of the PSPF includes guidance on governance arrangements including training, ASA / ITSA competencies better practice guides as well as the three protective security core policies (Personnel, Information security, Physical security). These documents outline the 33 mandatory requirements that agencies need to follow.
3 Protocols, standards and guidelines
These are more detailed personnel, information security, ICT security and physical security protocols which outline specific activities to meet the mandatory requirements. It also includes a number of better practice guidelines and references to Australian and International standards where applicable.
One of the guidelines is DSD’s 35 Strategies to Mitigate Targeted Cyber Intrusions. On recommendation of the Attorney-General, the Australian Government Protective Security Policy Framework (PSPF) was updated in April 2013 to extend mandatory requirement INFOSEC 4. This change now requires Australian Government agencies to implement ICT protective security controls as detailed in the Australian Government Information Security Manual (ISM) to meet DSD’s Top 4 Strategies to Mitigate Targeted Cyber Intrusions.
4 Agency specific policies and procedures
Part of the PSPF is the requirement that agencies have their own protective security policies and procedures that meet their business needs. Policies are high level documents outlining what must be done, standards provide information on how the policy can be met, and guidelines support the standards and policies. Finally, procedures state how they can be implemented and provide detailed instructions.
Of course, agency policies and procedures need to complement those from stakeholder agencies and the broader PSPF requirements.
The PSPF has replaced the 2007 Protective Security Manual (PSM) which had become outdated.
Tags: PSPF, Government, Protective Security Policy