Background

All Australian Government organisations face a range of security risks. These include risks that may affect:

• their reputation and/or that of the Australian Government;
• their performance against their outputs or the achievement of the Government's outcomes;
• the safety of their staff, customers and other stakeholders; and
• the integrity of their information and physical resources.

The creation and maintenance of a sound protective security environment provides assurance to the Parliament, Government, and others that organisations are well placed to reduce their exposure to such risks.

The Attorney-General's Department (AGD) is responsible for the development and dissemination of the Protective Security Manual (PSM). The PSM is the principal source of policy, associated guidance material and the minimum requirements or standards relating to the security of Australian Government organisations' information, assets and people.

The PSM requires organisations to design their protective security arrangements on the basis of risk management principles. In particular, the PSM states that organisations should develop a systematic and coordinated program for managing security-related risks, including processes for the ongoing monitoring of risk treatment controls. The manual contains a range of guidance material on the key elements of an effective security risk management process.

The preface to the PSM indicates that the PSM applies to:

• all agencies subject to the Financial Management and Accountability Act 1997 (FMA Act);
• those organisations subject to the Commonwealth Authorities and Companies Act 1997 (CAC Act) that have received notice (under that Act) from their responsible Minister that the manual applies to them.

AGD obtained advice from the Australian Government Solicitor (AGS) in January 2008 regarding the applicability of the PSM. The AGS advised that CAC Act organisations are legally obliged to comply with the PSM when they are subject to notification by their responsible Minister that the PSM applies to them as a general policy of the Australian Government. AGS further advised that FMA Act and CAC Act organisations must comply with the PSM if their employees are engaged under the provisions of the Public Service Act 1999 (PSA), as those employees are obliged to implement government policies. The AGD advised that it disseminated the advice to Agency Security Advisers (ASA) and security executives through the Protective Security Policy (PSP) website in June 2008, and maintains a copy on the new GovDex PSP website.

The preface of the PSM has not been updated to reflect amendments to the CAC Act in 2008 that changed the way in which general policies of the Australian Government (including the PSM) are applied to CAC Act organisations. As a result of these amendments the Finance Minister may issue General Policy Orders (GPO) specifying the general policies of the Australian Government to be applied by CAC Act organisations, rather than each organisation needing to be directed to comply by its responsible Minister.

Previous audit coverage

The Australian National Audit Office (ANAO) has undertaken nine previous cross-agency protective security audits. The AGD, which is responsible for promulgating Australian Government protective security policy, has indicated its support for the conduct of these audits and acknowledged their contribution to improving the management and delivery of protective security practices in the Australian Government sector. The current audit continues the ANAO's series of cross-agency protective security audits.

Previous audits have addressed aspects of security risk management practices. Overall, the findings of these audits suggested that Australian Government organisations have not paid sufficient attention to the ongoing management of security risks.

Audit approach

Audit objective and criteria

The objective of this audit was to assess whether selected organisations had effective security risk management programs, including whether a selection of protective security risk treatment controls was working as designed.

In order to address the audit objective, the ANAO assessed whether each organisation had:

• established and implemented effective arrangements for managing security risks;
• established sufficient and appropriate monitoring arrangements for security risks; and
• Implemented effective security risk mitigation measures or treatment controls.

Audit scope, coverage and methodology

The protective security risk management arrangements at three Australian Government organisations were assessed against these audit criteria. The three organisations were the:

• Australian Agency for International Development (AusAID);
• Australian Institute of Health and Welfare (AIHW); and the
• Department of the Treasury (Treasury).

The audit did not extend to security risk management arrangements relating to overseas based personnel or operations. In addition, it did not examine security risk practices or controls relating specifically to information and communications technology (ICT).

Given their respective roles in the development of the PSM and the application of general policies of the Australian Government, the ANAO also sought responses from AGD and the Department of Finance and Deregulation.

Audit conclusion

Having a sound protective security environment is an important element in the management of an organisation's human, information and physical resources. A key element of an effective protective security environment is the identification and management of security related risks.

The PSM is the principal source of policy, associated guidance material and the minimum requirements or standards relating to the protective security of Australian Government organisations' information, assets and people. The principles and standards contained in the PSM provide organisations with a sound basis to assist in the identification and assessment of their security risks.

There is a risk that some CAC Act organisations which employ staff under the PSA are not aware of the legal advice from the AGS regarding the applicability of the PSM. The legal advice indicated that such organisations are obliged to comply with the PSM even if they have not been directed under the CAC Act to do so. There is also a lack of visibility concerning which CAC Act organisations have received a direction (from their responsible Minister) to apply the PSM.

The ANAO examined Treasury and AusAID which, as organisations subject to the FMA Act, are both required to comply with the PSM. Both organisations receive, produce, use and hold security classified information, and therefore require strong protective security measures to protect such information and the people who use it.

Overall, the audit concluded that Treasury and AusAID had established and implemented effective arrangements for managing security risks. In particular both organisations had:

• policies outlining arrangements for the management of security risks;
• Senior management involvement in security risk management issues;
• clear roles, responsibilities and appropriate training for staff with security responsibilities; and
• established sufficient and appropriate arrangements for monitoring their security environments.

Both organisations had processes in place for identifying and analysing their security risks, although there was scope to improve the documentation supporting the work undertaken. In addition, there was no written record of senior management's acceptance or otherwise of the security risks identified in either organisation. Both organisations would also benefit from better integrating the consideration of security risks in corporate risk management and business planning activities.

The AIHW is an Australian Government statutory authority that operates under the provisions of the Australian Institute of Health and Welfare Act 1987. The AIHW is defined as a body corporate subject to the CAC Act and it has not been directed to comply with the PSM. The AIHW's enabling legislation does contain specific provisions requiring it to protect the confidentiality of the information provided to it. Further, the AIHW's employees are engaged under the PSA.

In light of the legal advice from AGS, it is likely that the AIHW should comply with the PSM. However, this position has not been made clear to the AIHW. In any event, the guidance and requirements of the PSM provide a sound basis for assessing whether its security practices are effectively contributing to the management and protection of its resources.

The audit concluded that the AIHW had not established practices for identifying and managing security risks that were sufficient and appropriate when measured against the principles and guidance provided in the PSM. However, at the time of the audit, the AIHW had a number of initiatives in place to bring its security risk management practices into line with the better practice principles in the PSM. In particular, the AIHW had recognised the need to strengthen its security risk management arrangements and, amongst other things, had developed a draft security policy and commenced developing a security awareness program. Nevertheless, at the time of the audit:

• the AIHW's Audit and Finance Committee advised the Board on issues relating to risk management but the Committee's reports to the Board did not specifically address security risk management;
• security roles had been assigned but not fully documented;
• an assessment of security risks had not been completed;
• a security plan outlining the AIHW's approach to the management of its security risks had not been developed; and
• security issues were not systematically linked with the AIHW's corporate risk management and business planning activities.

Each of the three audited organisations had developed a range of controls designed to reduce their security risks. Overall, the controls we examined were operating effectively although there were some shortcomings. These shortcomings included insufficient documentation to support decisions made in the conduct of security clearances and limited evidence of monitoring the performance of security-related contractors. The results of the audit indicated there was scope to improve the monitoring of such controls to help ensure they are operating effectively.

The results of this audit suggest that issues identified in previous protective security audits continue to be challenging for organisations. These issues include the integration of security risk management activities with organisations' broader risk management activities, and the monitoring of security risk treatments or controls.

The ANAO made one recommendation aimed at clarifying which CAC Act organisations are required to comply with the PSM. The ANAO made three further recommendations designed to improve organisations' management of protective security risks. These recommendations focused on security risk management processes, better integrating security risks into organisational risk management and planning activities and monitoring of the controls implemented to reduce security risks.

Key Findings by Chapter

Managing security risks (Chapter 2)

The PSM is the principal source of policy, associated guidance material and the minimum requirements or standards relating to the protective security of Australian Government organisations' information, assets and people.

There is a risk that some CAC Act organisations which employ staff under the PSA are not aware of the legal advice from the AGS regarding the applicability of the PSM in January 2008. The legal advice indicated that such organisations are obliged to comply with the PSM even if they have not been directed under the CAC Act to do so. Given this advice, it is likely that the AIHW should comply with the PSM. However, this position has not been made clear to the AIHW.

AGD advised that it does not maintain a record of those CAC Act organisations directed by Ministers to comply with the PSM. As a result, there is also a lack of visibility as to which CAC Act organisations have (or have not) received a direction (from their responsible Minister) to apply the PSM. Given the amendments to the CAC Act in 2008, it is opportune that AGD work with the Department of Finance and Deregulation (Finance) to address the issues surrounding the applicability of the PSM to CAC Act organisations.

To assess whether organisations are effectively managing security risks, we considered whether they had well-designed security risk management policies, an appropriate level of senior management involvement, clear roles and responsibilities and appropriate training for staff with security responsibilities. In addition, we assessed whether they had a systematic and coordinated security risk management process to identify, assess, treat and control protective security risks.

Of the three organisations audited, only AusAID had a separate security risk management policy. That policy provided detailed instructions for AusAID's employees in the practical implementation of the security measures supporting the policy. At the time of the audit, the AIHW had a draft security policy. The ANAO considered that the focus of the proposed policy should be expanded to reflect other elements of protective security risks faced by the AIHW.

Treasury had developed a corporate risk management policy which provided the framework for all risk management activities in the department. Treasury's policy states that line managers throughout the department, including certain specialist areas, such as security, are responsible for undertaking risk assessment and reporting, and for maintaining current risk management plans.

Treasury and AusAID had clear reporting lines to and from their respective senior executives in relation to security risk matters. In particular, Treasury had established a security committee to coordinate protective security activities. At the AIHW, security risk management issues were raised with the Executive Committee as part of other risk management issues. A more targeted level of involvement by the AIHW's senior management in security risk matters would assist in achieving a more integrated approach to security risk management.

In Treasury and AusAID security team roles and responsibilities were well-defined and key security staff were either sufficiently trained or had suitable experience to undertake their duties. At the time of audit security roles had been assigned but not fully documented at the AIHW and training of all staff with specific security roles had not been completed. Also, at the time of the audit, the AIHW had not completed an assessment of its security risks, nor developed a security risk register and security plan. While Treasury and AusAID had developed sound security risk management processes, there was scope for improvement in both organisations. In particular, neither had:

• appropriate managerial acceptance, or otherwise, of identified security risks; and
• developed a comprehensive risk register that reflected the key steps in their risk management process. In particular, the registers did not identify treatment priorities nor assign responsibility for the implementation and monitoring of risk reduction measures.

Treasury had developed a security plan that generally reflected the guidance contained in the PSM. By contrast, the security plans at AusAID did not contain many of the key elements of a security plan as described in the PSM.

The ANAO considers, as reflected in the PSM, that having security risks reflected in corporate risk management policies assists in promoting a stronger security culture. Specifically, organisations will be better placed to identify and deal with security issues when the management of security risks is integrated, or aligned, with the organisation's broader risk management and planning processes.

In AusAID and the AIHW security issues were not systematically linked with corporate risk management and business planning activities. Treasury's risk management policy indicated that, as part of operational planning, groups/divisions must complete an assessment of risks relevant to their areas of operation. Our audit indicated, however, that security risks were generally not explicitly considered in the identification of risks in Treasury's group or divisional operational plans.

Monitoring and review (Chapter 3)

Organisations that monitor security risks and changes in their risk environment are better placed to detect events that may alter their risk management priorities. The ANAO noted that Treasury and AusAID monitored their security environments. On the other hand, the AIHW's monitoring of its general risk environment did not include a separate structured consideration of security risks.

Each of the audited organisations has implemented controls designed to reduce their security risks. Our examination of selected controls indicated that they generally operated as intended. However, the results also indicated that there was scope to improve ongoing monitoring of those controls used to reduce identified security risks at each of the audited organisations. In particular, the main issues identified were that:

• sufficient information was not available in all cases to fully support decisions made to grant or deny a security clearance (AusAID);
• the effective date of clearances was often backdated prior to the date of the delegate's approval of the clearance (AusAID); and
• there was no evidence of regular and formal monitoring taking place in relation to important security services contracts (AusAID and Treasury).

Summary of organisations' responses to the audit

The AGD, Finance and each of the audited organisations agreed with the recommendations in this report. The organisations' responses to each of the recommendations are shown in the body of the report. Organisations' general comments are shown at Appendix 2.