Australia - Security Maturity: A New Protective Security Policy Framework.

18 October, 2018

16 Core Requirements for government entities

What you need to know

A new version of the Australian Government Protective Security Policy Framework (PSPF) has been released
The new PSPF sets out 16 Core Requirements that support four key security "outcomes": governance, information security, personnel security and physical security
Non-corporate Commonwealth entities must comply with the Core Requirements
Corporate Commonwealth entities are encouraged to comply with the Core Requirements as a "best practice" initiative
The PSPF sets out "Supporting Requirements" and guidance that promote a standardised approach to security risk management across government

What you need to do

Read the new PSPF and consider your obligations under the Core Requirements
Read the Supporting Requirements and guidance for assistance in implementing the Core Requirements
Review your policies, procedures and templates and consider whether any changes are necessary to implement the Core Requirements
Seek advice on how best to implement the Core Requirements in your agreements with service providers

The Framework

Reforms to the Australian Government Protective Security Policy Framework (PSPF) went live this week, signalling a shift from a compliance model to a principles-based approach. The new PSPF contains 16 "Core Requirements" that have been designed to support protective security through governance, information security, personnel security and physical security.

The PSPF is the principal policy document for Australian Government protective security and is considered critical to maintaining the security necessary for effective government operations and outcomes. Compliance with the PSPF is mandatory for non-corporate Commonwealth entities ("relevant entities") and recommended as "best practice" for corporate Commonwealth entities. The PSPF may also be extended to non-government organisations under contracts with government entities for the provision of goods or services.

Background

The 2015 Independent Review of Whole-of-Government Internal Regulation (Review) identified the PSPF as an opportunity for reform and red tape reduction. The Review considered whether the policy struck the right balance between risk management and administrative burden.

Prior to the reforms, the PSPF comprised a compliance approach, framed by risk management principles. The Review identified that the compliance approach created a challenging administrative environment while failing to support relevant entities to effectively engage with risk. The Review recommended that the PSPF shift towards a "principles based approach".

Overview

The new PSPF consists of four "outcomes" that support protective security across government. The Core Requirements articulate what relevant entities must do to achieve the protective security outcomes. The Core Requirements are supplemented by "Supporting Requirements" and guidance, which are intended to support a standardised approach to security risk management across government.

Governance

The seven Core Requirements relating to security governance focus on the structural and cultural factors that support protective security.

Under the Public Governance, Performance and Accountability Act 2013, the "accountable authority" of a non-corporate Commonwealth entity must govern their entity in a way that is not inconsistent with the policies of the Australian Government, which include the requirements of the PSPF.

The PSPF sets out the role and responsibilities of accountable authorities in respect of the security of their entities. This includes appointing a Chief Security Officer to bear responsibility for security across the entity. Relevant entities must also comply with Core Requirements in relation to security planning, security maturity monitoring and reporting.

Core Requirement 6 states that "Each entity is accountable for the security risks arising from procuring goods and services, and must ensure contracted providers comply with relevant PSPF requirements." This aligns with and supports paragraphs 8.2 and 8.3 of the Commonwealth Procurement Rules which compel relevant entities to identify and manage procurement security risk in accordance with the PSPF.

Information Security

The four Core Requirements relating to information security aim to maintain the confidentiality, integrity and availability of information assets owned by the Australian Government, or entrusted to the Australian government by third parties, within Australia.

The Core Requirements compel relevant entities to assess the sensitivity and security classification of its information assets and implement appropriate controls relevant to the value, importance and sensitivity of that information. The controls may include security clearance requirements for accessing parties and system controls. Relevant entities are required to mitigate common and emerging cyber threats by implementing the "Strategies to Mitigate Cyber Security Incidents" set out in the Information Security Manual.

Core Requirement 11 provides that entities must have in place security measures during all stages of ICT systems development. This includes certifying and accrediting ICT systems in accordance with the Information Security Manual when implemented into the operational environment.

Personnel Security

The three Core Requirements relating to personnel security require relevant entities to ensure that their employees and contractors meet an appropriate standard of integrity and honesty. The Core Requirements relate to eligibility and suitability of personnel from the commencement of an engagement, throughout the engagement and upon separation.

Physical Security

The two Core Requirements relating to physical security aim to ensure a safe and secure physical environment for people, information and assets. The Core Requirements put the onus on entities to control the risk of harm by designing, modifying, monitoring and accrediting facilities and security zones.

Relevant entities are encouraged to implement the requirements and security measures in the PSPF in a way that is proportionate and relevant to their unique security risk environments.

For further information, please contact:

Angela Summersby, Partner, Ashurst

angela.summersby@ashurst.com

Australia – Security Maturity: A New Protective Security Policy Framework.

Thailand – Thai SEC Proposes Changes To Takeover Rules.

Thailand Reaffirms Alcoholic Beverage Packaging And Labeling Requirements.

- Atthachai Homhuan - Director, Regulatory Affairs, Tilleke & Gibbins

Privy Council Clarifies Cayman Islands Law On Shareholder Standing To Bring Personal Claims Against A Company Alleging That Shares Were Allotted For An Improper Purpose.

Jersey To Significantly Increase Compensation In Employment Cases.

India – AKP Banking & Finance Digest- November 18, 2024.

- Anuroop Omkar - AK & Partners,

Oil & Gas Sector Investment Kazakhstan Mitigating Risks In M&A Transactions.

- Raushana Chaltabayeva - Unicase Law,

Kazakhstan – Financing Renewable Energy Projects Bankability Of PPA.

- Saniya Perzadayeva - Unicase Law Firm,

Malaysia – What Companies Need To Understand About Transfer Pricing.

Employer Sponsorship And Work Permits In Indonesia.

- Stephen Igor Warokka - SSEK,

Labor And Employment Law Updates From Indonesia And The World.

CONVENTUS LAW

OTHERS

Australia – Security Maturity: A New Protective Security Policy Framework.

Register for your monthly Asia legal updates from Conventus Law

- Manisha Singh - Lex Orbis,

- Sacha Kirk - Lawcadia,

Footer

CONVENTUS LAW

OTHERS