The Federal Attorney-General's Department (AGD) will overhaul the Federal Government's protective security regime, citing a full rewrite of the Protective Security Manual (PSM) among the changes.
ICT suppliers and agencies are expected to welcome the changes, which include mutual recognition of security clearances.
Michael Rothery, First Assistant Secretary, National Security Resilience Policy Division, Attorney-General's Department, outlined the proposed changes in a presentation to AIIA members in Canberra last week.
The AGD is planning a major review of Australian Government protective security policy, and is in the process of implementing the findings of the e-Security Review 2008. Some features include:
- a dual emphasis on preventing the loss, damage or compromise of assets, information and people whilst enabling essential information sharing within government and with partners such as the business community
- restructuring of the PSM to clearly distinguish governance from technical process, and mandatory policy from advice, most likely in a modular form
- incorporation of security design and cost of major IT projects in the Two Pass process
- a back-to-first-principles consideration of risk, including non-national security classifications and the need to better reflect aggregation of data
Both the Gershon Report and the e-Security Review highlighted areas for improvement in the Federal Government's existing protective security regime. These include:
- delays in obtaining key skilled staff for ICT projects due to security clearance processing
- concerns that security compliance costs may be underplayed in business cases
- significant differences in the use and application of non-national security classifications between agencies
- a range of processes that inhibit information sharing within government, and between governments and/or other relevant stakeholders
- a Protective Security Manual which focussed more on consequences and processes to be followed than offering any perspective or practical guidance on risk or likelihood of a security breach occurring
Rothery indicated his Division would address these as priorities over the next twelve months.
Government agencies and ICT suppliers especially will welcome suggested mutual recognition of staff/contractor security clearances. At present, if a “secret” clearance provided to a contractor or staff member in one agency is not recognised by another agency, the vetting process must be repeated. This not only adds significant costs, but more seriously it can delay projects by several months.
Originally written in 1967, the current PSM even today continues to imply that the common medium for classified information is paper. Because it is a 'classified' document, many key stakeholders have a limited understanding of it, even though it is relatively easy to obtain with agency sponsorship. Rothery says the Government intends the rewrite to be a modular document, in a format that enables distribution of relevant parts to those affected by its processes.
In an attempt to ensure that security compliance costs are no longer understated in the business cases for major ICT projects, Rothery added that projects subject to the Two Pass Cabinet approval process would be closely monitored.
The changes outlined represent a challenging workload for AGD and other agencies. Nevertheless, Rothery and his colleagues are to be commended for addressing some key issues that have added delay, cost and considerable confusion and misunderstanding to government ICT projects.
About the National Security Resilience Policy Division
Established in March 2009, the National Security Resilience Policy Division replaces many of the functions of the former Protective Security Coordination Centre. It is responsible for policy, legislation, advice and programs that develop national resilience to the full range of natural and human-made hazards, including the areas of critical infrastructure protection, chemical, electronic and identity security, and protective security policy. In this position, Mr Rothery chairs the Protective Security Policy Committee and the E-Security Policy and Coordination Committee.