13: Security

In the current international environment, effective security in Government is imperative to Australia’s national interest. It is important for agency heads to be aware of their security responsibilities to ensure the safety of employees and Australian citizens and protection of Government information and assets.

The Protective Security Policy Framework (PSPF) sets out the Australian Government policy and guidance on protective security. All agency protective security policies are to be based on this Framework.

The Framework supersedes the Protective Security Manual (PSM), and is publicly available. It is necessary to limit access to some protocol and guideline material for security reasons. Protective security policies will differ according to the range of business and security risks faced by each agency. However, the minimum security requirements are mandatory for all agencies. Compliance with mandatory requirements provides assurance needed for the secure sharing of information across Government. The Framework supports agencies in implementing the Government’s protective security policy.

Protective security is a combination of procedural, physical, personnel, and information security measures designed to provide Government information, functions, resources, employees and clients with protection against security threats.

The PSM was the primary source of protective security policy, minimum standards, procedures and guidelines for government. It set out the Government’s policy on its own internal security. Because it contained some specific protective security controls and procedures it was classified at SECURITY-IN-CONFIDENCE. Therefore it was not publicly available. The PSM has been superseded by the PSPF, and much of the PSPF is publicly available at www.ag.gov.au/pspf.

The PSPF covers Australian Government protective security and security risk management policy, procedures and guidelines. It includes:

13.1 Security and character checking of employees

An agency head is responsible for ensuring appropriate levels of security and character clearance of persons engaged or who move to an agency. This would normally be done through imposing such clearance as a condition of engagement or as an essential qualification. Section 22 of the Public Service Act 1999 allows an agency head to engage an employee subject to the employee meeting certain specified conditions (including possession of or gaining of Australian citizenship and the meeting of specified security and character clearances) which have been notified to the employee prior to engagement. An agency head can impose essential qualifications on a set or sets of duties. These qualifications must then be met by anyone who is selected to perform the duties.

13.2 Online security

Information security is the responsibility of agencies, but risk is increasingly shared across agencies as ICT online services are delivered on a multi-agency, multi-jurisdictional or whole-of-government basis.

Australian Government agencies are bound by the Australian Government Protective Security Manual (PSM), issued by the Attorney-General’s Department (AGD), and the Australian Government Information and Communications Technology Security Manual (ISM), which is issued by the Defence Signals Directorate (DSD).

The PSM is the principal means for disseminating Australian Government protective security policies, principles, standards and procedures, to be followed by all Australian Government agencies for the protection of official resources.

The ISM is the primary source of information security policy and guidance for agencies. It provides policy and guidance to agencies on how to protect their ICT systems. Australian Government agencies are required by the PSM to comply with the ISM. It has been written to be consistent with the relevant Australian standards, including:

  • AS/NZS ISO/IEC 27001:2006 Information Security Management;
  • AS/NZS ISO/IEC 17799:2006 Amendment 1: 2008 Information Technology Code of Practice; and
  • AS/NZS 4360:2004 Risk Management.

The Australian Government Information Management Office (AGIMO) provides advice and assistance about whole-of-government ICT usage and business continuity to the Australian Government and prepares best practice guides to increase the information available to departments to manage their ICT risks. AGIMO works closely with agencies, other tiers of government and the ICT industry to enhance the security of government information and systems.

13.2.1 Privacy issues in Australian Government internet sites

To assist agencies to comply with the Privacy Act 1988, and adopt best practice in relation to privacy, the Privacy Commissioner has developed Guidelines for Federal and ACT Government Websites for agencies to use when implementing websites.

13.2.2 Lead Agency Authentication Services

The Government has appointed three Lead Agencies for the provision of authentication services to other government agencies that need to ensure that people and organisations dealing with agencies online are who they claim to be. The lead agencies are:

  • the Department of Human Services for the provision of people to government authentication services;
  • the Australian Taxation Office (ATO) and the Department of Innovation, Industry, Science and Research (DIISR) to provide business to government authentication services; and
  • the ATO and DIISR for the provision of government to government authentication services.

The appointment of lead agencies will minimise duplication of authentication infrastructures within government and ensure authentication solutions are consistent with Commonwealth policies and relevant standards.

For more information:

  • Appointment of Lead Agencies to Provide Government Authentication Services

13.2.3 The National e-Authentication Framework (NeAF)

The NeAF comprises a set of principles, a standardised set of assurance levels and a standardised approach and process for determining assurance levels and related electronic authentication (e-Authentication) solutions. It positions e-Authentication within the broader context of an agency’s approach to identity and risk management and provides guidance on developing the processes and technology required to provide the desired level of confidence. It encompasses e-Authentication of the identity of individuals and businesses dealing with the government as well as the authentication of government websites.

The Identity Management for Australian Government Employees Framework (IMAGE) is an integrated, better practice approach for identity management of Australian Government employees and contractors.

Gatekeeper is the Australian Government’s digital signature strategy for the use of Public Key Infrastructure (PKI) in government for the authentication of external clients (organisations, individuals and other entities). It ensures a whole-of-government framework that delivers integrity, interoperability, authenticity and trust for agencies and their clients.

13.3 Commonwealth Fraud Control Guidelines

Fraud against the Australian Government is a major concern to the Government. The Government is strongly committed to the prevention, detection, investigation and prosecution of fraud against the Commonwealth.

Regulation 16A of the Financial Management and Accountability Regulations 1997 provides that the Minister for Home Affairs may issue Commonwealth Fraud Control Guidelines.

The Guidelines establish the fraud control policy framework within which agencies determine their own specific practices, plans and procedures to manage the prevention and detection of fraudulent activities within their agency, and the investigation and, where appropriate, prosecution of offenders. The Guidelines set out agency responsibilities for fraud prevention, reporting of fraud information, fraud investigation case handling and training of agency fraud investigators and fraud prevention officers.

The Guidelines apply to all agencies that are subject to the Financial Management and Accountability Act 1997 and some bodies under the Commonwealth Authorities and Companies Act 1997. All Government agencies are encouraged to comply with the Guidelines.

Under the Guidelines, agencies are required to put in place a comprehensive fraud control program to protect Australian Government revenue, expenditure and property from attempts to gain illegal benefits.

Last reviewed: 29 March 2018