Management of Personnel Security - Follow-up Audit
The objective of this audit was to assess the effectiveness of personnel security arrangements at selected Australian Government organisations, including whether they satisfied the requirements of the PSM.
To address this objective, the audit examined the extent to which the selected organisations implemented the 14 recommendations from the three previous reports.
Summary
Introduction
Personnel security describes the policies and practices used in managing risks inherent in allowing Australian Government employees and other personnel access to security classified information or resources. The central tenet of personnel security is that access to sensitive information is restricted to people with a legitimate requirement and who are reliable and aware of their responsibilities to protect such information.
Personnel security is an integral part of the framework used by Australian Government organisations to protect official information and resources. As such, effective personnel security requires a comprehensive and coordinated approach that complements other elements of protective security, particularly: physical security; information security, including information and communications technology (ICT) holdings; security in procurement and contracting; and the management of security incidents and investigations.
The Australian Government Protective Security Manual (PSM) sets out protective security policy and minimum procedural requirements for Australian Government organisations.[1] Part D of the PSM contains policies and standards relating to personnel security, including standards for the conduct and maintenance of security clearances.
Responsibility for the development, implementation and maintenance of effective personnel security functions lies with the chief executive of each organisation. In many organisations, this responsibility is exercised by a personnel security executive, supported by a security adviser and a team of dedicated security clearance staff.
Determining security clearance requirements
According to the PSM, there are two categories of security classified information or resources - national security and non-national security.[2] The PSM describes people requiring access to national security classified information as having a Designated Security Assessment Position (DSAP), and those requiring access to non-national security classified information as being in a Position of Trust (PoT). In this context, a person's eligibility to access security classified information is dependent on:
- a demonstrated ‘need to know’: the person will, or may be required to, access security classified information or resources in the course of carrying out their official duties; and
- the conduct of a security clearance: a comprehensive review to confirm the person's identity and assess their suitability to access security classified information.
The level of security clearance required should be determined by reference to the duties and tasks to be performed, including the security classification of the information that may be accessed. Judgements made concerning a person's eligibility for a security clearance should be subject to ongoing monitoring.
Previous audit coverage
Since 2002, three reports have been produced by the Australian National Audit Office (ANAO) and the Joint Committee of Public Accounts and Audit (JCPAA) that assessed the adequacy of personnel clearance arrangements in Australian Government organisations. These three reports were:
- ANAO Audit Report No.22 2001–02, Personnel Security - Management of Security Clearances, which made 10 recommendations to assist organisations improve personnel security arrangements;
- JCPAA Report 390, Review of Auditor-General's Reports 2001-02, which supported the ANAO's findings in Audit Report No.22 2001–02 and made three additional recommendations; and
- ANAO Audit Report No.15 2003–04, Administration of Staff Employed under the Members of Parliament (Staff) Act 1984 (MOP(S) Act), which recommended that the (then) Department of Finance and Administration (Finance) improve processes to encourage MOP(S) Act staff to gain security clearances.
As indicated above, these three reports[3] made a total of 14 recommendations for improving personnel security arrangements at Australian Government organisations. All recommendations in the two audit reports were agreed by all participating organisations.[4]
Audit Approach
Audit objective, scope and criteria
The objective of this audit was to assess the effectiveness of personnel security arrangements at selected Australian Government organisations, including whether they satisfied the requirements of the PSM.
To address this objective, the audit examined the extent to which the selected organisations implemented the 14 recommendations from the three previous reports.
These recommendations represent the audit criteria. The audit scope also takes into account the update of the PSM from the 2000 version applying at the time of the previous audit to the current version released in August 2005.
Audit coverage and methodology
Personnel security arrangements at four Australian Government organisations were assessed against all ten recommendations from ANAO Audit Report No.22 2001–02 and two of the additional recommendations from JCPAA Report 390.[5] These four organisations were:
- Australian Prudential Regulation Authority (APRA);
- Commonwealth Scientific and Industrial Research Organisation (CSIRO);
- Department of Defence (Defence); and
- Department of Immigration and Citizenship (DIAC).
These four organisations processed around 39 000 clearances between January 2005 and November 2007 and, in total, had approximately 125 000[6] active security clearances.[7] The ANAO held interviews with key staff at these organisations, and reviewed relevant documentation including policy and related guidance material, security risk assessments, security awareness and training programs, and management reports outlining personnel security performance. The ANAO also examined a sample of security clearances granted between January 2005 and November 2007 at these organisations.
The audit also assessed the extent to which:
- the Attorney-General's Department (AGD) had implemented Recommendation No. 9 in JCPAA Report 390, which proposed that AGD report on the cost-effectiveness of maintaining a central database of security clearances; and
- Finance had implemented Recommendation No. 1 from ANAO Audit Report No.15 2003–04, regarding security clearances for MOP(S) Act staff.
Following the conduct of audit fieldwork, all six selected organisations were provided with a management report detailing audit findings, conclusions and, in some instances, recommendations for improvement.
Audit Conclusion
Part D of the PSM (2005) provides an effective framework for the administration of personnel security. In particular, it provides extensive guidance and sets minimum standards across the key elements of managing personnel security functions, and conducting and maintaining security clearances. Most of the recommendations from the previous reports related to the application of the minimum standards of the PSM regarding personnel security.
Two of the selected organisations had fully implemented almost all recommendations from the previous reports. These findings demonstrate that organisations with a strong focus on personnel security, including the allocation of sufficient resources, are more likely to have effective personnel security arrangements and satisfy the relevant minimum requirements of the PSM. Typically this focus involves:
- demonstrated commitment by, and regular reporting of personnel security performance to, senior management;
- a sound understanding throughout the organisation of personnel security risks and threats;
- actively managing security clearance review requirements; and
- delivery of formal and structured security awareness training, including training on personnel security responsibilities.
Conversely, two organisations had not fully implemented most of the recommendations from the previous reports. These findings indicate that those organisations without a mature personnel security function, or that had not paid sufficient attention to the specific requirements of the PSM, are unlikely to have effective personnel security arrangements. In particular, the audit identified weaknesses in:
- the management of personnel security risks, including processes to regularly assess security clearance requirements; and
- the timely identification and assessment of issues impacting on an individual's continued suitability to hold a security clearance (security aftercare).
The ANAO concludes that while there has been a general improvement in the administration of personnel security since the previous reports, there remains considerable scope for some organisations to improve many key personnel security processes.
In terms of the three main themes in personnel security (managing the personnel security function, and conducting and maintaining security clearances), overall the selected organisations had:
- partially implemented the requirements of the PSM in managing the personnel security function. The organisations generally did not have effective risk-management approaches in relation to personnel security. They also had not reviewed and revised relevant policy and procedural guidance against all key relevant aspects of the revised PSM;
- substantially implemented the requirements of the PSM when undertaking processes associated with conducting security clearances;[8] and
- substantially implemented the requirements of the PSM in maintaining security clearances,[9] except for providing adequate security aftercare.
A particular concern raised by the JCPAA and ANAO in previous reports was the extent of backlogs of security clearance re-evaluations.[10] The current audit found a substantial improvement in this regard, and at the time of the audit, the selected organisations had minimal or no backlogs of security clearance reviews.
Similarly, improved administrative processes at Finance helped to reduce the backlog of security clearances for MOP(S) Act staff over the period May 2005 to November 2007 from a high of 45 per cent in May 2006 to a low of 16 per cent in November 2007, although this level remained higher than in the Australian Government organisations examined.[11]
Key Findings
Key findings from the audit are outlined below according to the three main themes in personnel security—managing the personnel security function, and conducting and maintaining security clearances.
Managing the personnel security function (Chapter 2)
Key factors underpinning the effective management of personnel security functions include: comprehensive policy and guidance material; an understanding of potential risks; identifying and monitoring security clearance requirements; and access to accurate information to support decision-making. In this context, the audit examined the extent to which the selected organisations implemented: Audit Report No.22 2001–02, Recommendations No. 1, 2, 3 and 7; Audit Report No.15 2003–04, Recommendation No. 1; and JCPAA Report No. 390, Recommendation No. 8.
Policy and procedures
Audit Report No.22 2001–02, Recommendation No. 1
The ANAO recommends organisations approve and promulgate appropriate policy and procedures to support the conduct and administration of personnel security. In this regard, policy and procedures should be based on, but not necessarily limited to, the policy and guidance material contained in PSM (2000).
Finding of the current audit
One of the selected organisations had fully implemented this recommendation, two had substantially implemented it, and the other had partially implemented it.
- personnel security threats and hazards are thoroughly considered in this process; and
- organisation-specific security risks are factored into the security clearance process, as appropriate.
One organisation had fully implemented this recommendation, two had partially implemented it, and the other had not implemented it.
Three organisations had policies and processes in place to identify, assess and manage security risks. However, the ANAO considered that only one organisation had an adequate record of risks, and attendant risk-mitigation controls, associated with its personnel security function.[13]
One organisation had not systematically reviewed risks and associated controls it had identified in a security risk assessment undertaken early in 2005. In the absence of such an assessment, there was considerable uncertainty as to whether the organisation was properly informed about new or emerging risks. Another organisation did not have a current risk assessment for its personnel security operations.
At the time of the audit, the remaining organisation had not assessed, and did not have a framework for managing, security risks.
Position assessments[14]
Audit Report No.22 2001–02, Recommendation No. 3
The ANAO recommends:
- registers of Designated Security Assessment Positions (DSAP) and Positions of Trust (PoT) are reviewed periodically to ensure they accurately reflect the organisation's continued security clearance requirements; and
- organisations develop appropriate guidelines to assist managers to undertake position assessments.
One organisation had fully implemented this recommendation, two had substantially implemented it, and one had partially implemented it.
Two organisations had formal processes for identifying, recording and maintaining security clearance requirements for each position in their establishment. At both organisations, information obtained from these processes provided the basis for the conduct of security clearances. However, only one organisation utilised its Human Resource Management Information System (HRMIS) to record, approve and monitor the currency of security clearance requirements for each position.
Most security clearance requirements at one organisation were driven by decisions to require certain staff to have SECRET level clearances. In the remaining organisation, the need for security clearances was largely determined on a case-by-case basis depending on the clearance subject's duties.
Information management
Audit Report No.22 2001–02, Recommendation No. 7
To improve the effectiveness of security information management, the ANAO recommends organisations assess opportunities to integrate the management of personnel (including contractor) security information into the organisation's HRMIS or other appropriate corporate system.
JCPAA Report 390, Recommendation No. 8
The JCPAA recommends all agencies make the necessary changes to their HRMIS to support management reporting in relation to security clearances and appropriate access to security clearance information.
Two organisations had fully implemented ANAO Recommendation No. 7, one had substantially implemented it and one had partially implemented it.
Two organisations had fully implemented JCPAA Recommendation No. 8, one had not implemented it, and it did not apply to the other.
Two organisations either integrated personnel security information with, or had adequate links to relevant information in, a HRMIS, while two organisations did not use a HRMIS. Of the two that had not, one organisation had commenced a program to provide adequate integration, and the other had so few clearances that integration was not warranted.
The organisations which had integrated personnel security information into their HRMIS, and the organisation with links between personnel security information and the HRMIS, were the only ones that actively monitored information on the performance of the personnel security function, including the security clearance workload. In both cases, details of performance were regularly provided to the organisation's senior executives.
Monitoring security clearances for MOP(S) Act staff
Audit Report No.15 2003–04, Recommendation No. 1
The ANAO recommends Finance strengthen monitoring procedures to ensure MOP(S) Act staff with outstanding security clearances are identified in a timely manner, and that appropriate follow-up is undertaken with relevant staff members, their employing Parliamentarians and the security vetting agency undertaking the security clearances.
Finance has implemented this recommendation.
Finance had enhanced its administration of security clearances for MOP(S) Act staff, including by: improving the measurement and reporting of performance; and adopting more structured processes for following-up outstanding clearance packs, including introducing a formal non-compliance process for those staff who do not submit the necessary forms within a pre-determined time period.[15]
The proportion of clearances reported as outstanding in November 2007 (16 per cent) was the smallest since the previous audit. The ANAO considers that this result reflects improvements made by Finance in the administration of these security clearances.
Conducting security clearances (Chapter 3)
In conducting a security clearance, the organisation must obtain and evaluate sufficient information to be reasonably assured of the individual's responsibility, integrity and maturity, in light of the individual's prospective position and the organisation's risk and threat environment. Specifically, the ANAO examined the extent to which the selected organisations implemented Audit Report No.22 2001–02, Recommendations No. 4, 5 and 6; and JCPAA Report 390, Recommendation No. 9.
Contract management
Audit Report No.22 2001–02, Recommendation No. 4
The ANAO recommends organisations adopt better practice contract management principles and standards in outsourced security clearance and vetting service arrangements.
All three organisations with outsourced arrangements had substantially implemented this recommendation.
The three organisations with outsourced arrangements had effectively managed the workload and timeliness of external providers conducting security clearances. The major shortcoming in the contracts was that they lacked information on measuring the performance of contractors, including identifying specific performance indicators.
ANAO testing found, however, that external providers typically conducted security clearance assessments to a high standard, as reflected in comprehensive documentation contained on personal security files.
Documenting security clearance assessments
Audit Report No.22 2001–02, Recommendation No. 5
The ANAO recommends organisations record all information collected during the course of a security clearance on an individual's personal security file.
Three organisations had fully implemented this recommendation and the other had partially implemented it.
The examination of security clearances found that all but one of the four organisations had recorded sufficient information on individuals' personal security files to fully justify the decision to grant security clearances.
The main shortcomings identified in the other organisation were that: none of the personal security files contained a formal request for security clearance; approximately 12 per cent of personal security files did not contain a copy of the clearance subject's full birth certificate; around 24 per cent of the copies of birth certificates and 15 per cent of the copies of marriage certificates were not properly certified; and there was a general lack of evidence to indicate that the clearance subject's background had been assessed.
Suitability indicators
Audit Report No.22 2001–02, Recommendation No. 6
The ANAO recommends organisations develop suitability indicators for use in security clearance assessments that are informed by organisation-specific risk factors.
Two organisations had fully implemented this recommendation, one had partially implemented it and the other had not implemented it.
ANAO testing of security clearances found an appropriate level of evidence of the consideration or assessment of suitability in two of the selected organisations. One of these organisations advised that it had recently introduced a new form for use in the conduct of security clearances which required officers to explicitly make an assessment against a range of suitability factors and, as necessary, develop a risk management regime to deal with any concerns.
The ANAO found there was generally insufficient evidence available to indicate that the suitability of clearance subjects had been evaluated during the security clearance process in one organisation.
Portability of security clearances
JCPAA Report 390, Recommendation No. 9
The Committee recommends the Attorney-General's Department report to the Committee on the cost‑effectiveness of maintaining a central database of security clearances.
The Attorney-General's Department implemented this recommendation.
In November 2003, the Attorney-General's Department (AGD) formally responded to the above recommendation, concluding: ‘there are fundamental reasons why such an approach … would not be effective’. AGD advised the JCPAA that the issue of portability would be addressed as part of a comprehensive review of existing personnel security policy. This review culminated in the release of the upgraded PSM in August 2005.
The ANAO considers that enhancements to the PSM released in 2005 provide a sound framework for improving the portability[16] of security clearances amongst Australian Government organisations.
The ANAO notes that concerns remain about the portability of security clearances, particularly clearances for contracted service providers. In this regard, AGD is currently examining the feasibility of a central record of clearances for ICT professionals. The results of this work should enable AGD to identify and assess opportunities of using a centralised system to record and administer Australian Government security clearances more broadly.
Maintaining security clearances (Chapter 4)
Effective maintenance of security clearances involves: promoting security awareness throughout the organisation; periodically reviewing each security clearance; and monitoring any issues impacting on the continued suitability of a clearance subject to hold a security clearance. In this context, the ANAO examined the extent to which the selected organisations implemented Audit Report No.22, 2001–02, Recommendations No. 8, 9 and 10; and JCPAA Report 390, Recommendation No. 7.
Security clearance reviews
Audit Report No.22 2001–02, Recommendation No. 8
It is recommended organisations consider taking concerted efforts to overcome the current backlog in the conduct of security clearance reviews as a matter of priority and ensure these processes are carried out in a timely manner in the future.
Two organisations had fully implemented this recommendation, one had substantially implemented it, and one organisation had partially implemented it.
The audit found a substantial improvement in the level of out-of-date security clearance reviews. In particular, two relatively large organisations that were included in the previous audit had considerably reduced the level of out-of-date security clearance reviews.
Two organisations did not have any overdue security clearance reviews at the time of the audit. At the other two organisations, the proportion of SECRET and TOP SECRET security clearance re-evaluations that were overdue at the time of the audit was relatively small—around five per cent in both cases. However, a number of these had been overdue for more than 12 months.
The audit found a significant improvement in processes used to manage security clearance reviews. For example, all of the selected organisations had arrangements in place to identify and action security clearance review requirements in a timely manner.
Resources
JCPAA Report 390, Recommendation No. 7
The JCPAA recommends organisations allocate the resources necessary to bring their security clearance processes in line with the requirements of the PSM.
Three organisations had fully implemented this recommendation and one had partially implemented it.
Since the previous audit, three organisations had increased the level of resources allocated to the conduct and administration of security clearances. The remaining organisation outsourced its security clearance requirements and at the time of the audit, did not require any additional resources to meet its security clearance workload.
Security awareness
Audit Report No.22 2001–02, Recommendation No. 9
The ANAO recommends organisations review the effectiveness of personnel security awareness and education programs to improve the identification, monitoring and promotion of personnel security issues.
Three organisations had fully implemented this recommendation and one had partially implemented it.
Three organisations had provided regular, structured personnel security awareness training to their staff, either face-to-face or through an on-line application. A range of measures were used at two organisations to complement formal training, including:
- regularly publishing a dedicated security newsletter;
- providing staff with a series of pamphlets and booklets setting out their various security responsibilities; and
- requiring certain staff to complete an on-line security awareness questionnaire.
The other organisation did not provide personnel security education or awareness training on a structured or regular basis. Rather, it was delivered irregularly as resources allowed. Furthermore, no records were kept of attendance at this training.
Security aftercare
Audit Report No.22 2001–02, Recommendation No. 10
The ANAO recommends organisations review and improve the effectiveness of processes for the early identification of issues related to an individual's continued suitability to hold a security clearance.
Two organisations had fully implemented this recommendation while the other two had not implemented it.
Two organisations had a range of processes to manage the timely identification, and assessment, of issues related to an individual's continued suitability to hold a security clearance (security aftercare). These processes included: implementing tailored security aftercare management programs; providing clear instructions; and regularly reinforcing the requirement for staff to report changes in circumstances and contacts. In addition, both organisations regularly conducted security inspections.
Conversely, the two other organisations did not have clear security aftercare arrangements. In particular, they lacked formal processes, outside of clearance reviews, to systematically identify issues relevant to the ongoing suitability of individuals.
Sound and better practices
The report outlines sound and better practices highlighted during the audit. These practices were considered beneficial to improving personnel security in the selected organisations.
Recommendations
The report makes two recommendations based on findings from fieldwork at the selected organisations and broader audit analysis, which are likely to be relevant to all APS agencies. Therefore, all APS agencies should assess the benefits of implementing the recommendations in light of their own circumstances, including the extent that each recommendation, or part thereof, is addressed by practices already in place.
Summary of organisations' responses
Each of the selected organisations agreed with the two recommendations.
Footnotes
[1] Attorney-General's Department, Australian Government Protective Security Manual, Canberra, August 2005. The PSM applies to all agencies subject to the Financial Management and Accountability Act 1997 (FMA Act), and applies to bodies that are subject to the Commonwealth Authorities and Companies Act 1997 (CAC Act) which have received notice in accordance with that Act that the Manual applies to them as a general policy of the Australian Government.
[2] National security describes official information which, if compromised, could affect the security of Australia, including its defence systems or operations, international relations or national interests. Non-national security describes official information which, if compromised, does not threaten the security of Australia, but which could threaten the security or interests of individuals, groups, commercial entities, or the safety of the community.
[3] These three reports are referred to, in some instances, as the previous reports.
[4] Australian Government organisations are not required to provide a formal response as to whether they agree or disagree with recommendations proposed by the JCPAA.
[5] The two relevant recommendations were Recommendation No. 7 regarding the level of resources allocated to the conduct and administration of security clearances, and Recommendation No. 8 regarding the management of personnel security information.
[6] One organisation had approximately 90 per cent of this total.
[7] These organisations granted security clearances to over 99 per cent of all individuals requiring clearances between January 2005 and November 2007. Rather than deny a clearance, organisations can adequately protect information through more moderate approaches, such as granting the security clearance subject to conditions, downgrading the clearance to a lower level or changing the duties of the individual to avoid the need for a security clearance.
[8] These processes included managing contractors, documenting security clearance assessments and utilising organisation-specific risk factors as part of these assessments.
[9] These processes included managing security review requirements and providing awareness programs and training.
[10] JCPAA Report 390, Review of Auditor-General's Reports 2001–02, p. 58. Further, ANAO Report No.22 2001–02, Personnel Security - Management of Security Clearances, p. 51, reported that the proportion of out-of-date security clearances in the selected organisations ranged from ‘zero to around 10 per cent of total security clearances (in the best cases) and up to around 40 per cent (in the worst cases)’.
[11] As a result of the Federal election held on 24 November 2007, security clearances for MOP(S) Act staff employed by the previous government were suspended by Finance. Finance has commenced processing security clearances for the staff of the new government. This is likely to create a short-term increase in workload and also impact on the timeliness of clearance processing by the contracted security clearance providers.
[12] For example, the number of mandatory minimum standards in Part D increased from 36 in the 2000 version to approximately 120 in the 2005 version.
[13] In 2007, that organisation undertook a systematic review of potential threats across each dimension of protective security, including assessing the potential impact of a range of risks to its personnel security functions, including the conduct of security clearances.
[14] Assessment of duties and tasks to be performed in each position, role or function to determine if the occupant of the position requires access to classified material and therefore a security clearance.
[15] This non-compliance process establishes a timeframe of 12 weeks for MOP(S) Act staff to submit their completed security clearance packs. If packs are not provided within that period, Finance commences a clearance denial process.
[16] Portability refers to the transfer of an individual's security clearance between Australian Government organisations.