Federal Attorney-General Robert McLelland has launched a new policy framework for protective security. The Protective Security Policy Framework (PSPF) will replace the existing Protective Security Manual and, among other security-related roles, requires each agency to appoint an information technology security adviser.
According to the PSPF document, the central objective of the framework is to “foster a professional culture and positive attitude towards protective security”. The framework is intended to assist government agencies and associated businesses in identifying and managing security risks.
The PSPF mandates that a number of positions will be created within government agencies to ensure compliance with the core policies and requirements. Each agency must appoint:
- A member of the Senior Executive to oversee the broad implementation of security policy;
- An agency security adviser (ASA) to supervise day-to-day performance of the security protection functions; and
- An information technology security adviser (ITSA) to advise senior management on ICT security systems.
All government employees and associated contractors will be offered training in protective security.
Government agencies and businesses are expected to develop their own internal processes and procedures for ensuring compliance with the policy framework. Mr McLelland says he acknowledges the individual work and function of different organisations and agencies and that the policy framework takes this context into account.
However, Mr McLelland also says a streamlined approach is necessary and that previous attempts at protective security reform were plagued by the inability of individual agencies to agree. As a result, the PSPF outlines a number of core policies and mandatory requirements that will inform internal procedures.
Agencies will be expected to develop a cohesive security and risk management approach and ensure that managing risk is part of day-to-day business. There is also a requirement to develop business continuity management programs so that the operation of government services is not interrupted by the introduction of the policy framework.
Under the new framework, the Australian National Audit Office will conduct regular audits of protective security, which will complement the now-mandatory internal reports and security investigations. The Attorney-General’s Department will also conduct an annual review of agencies’ compliance with the recommendations of the policy framework.
The Attorney-General also suggests that the new policy framework will increase efficiency and reduce costs. For example, Mr McLelland said that “by eliminating the intensive paper-based clearance system, security verifications will be conducted in a more rigorous, reliable and consistent manner with less unnecessary duplication”.
The policy framework was announced as part of Cyber Security Awareness Week, which ended on Friday 11 June.