Australian Attorney-General Robert McClelland announced a number of significant changes to the protective security protocols on Tuesday morning at the Security in Government conference in Canberra. Opening the conference with an informative and announcement-rich speech, the Attorney-General described changes which are intended to enhance national security while enabling more efficient government business practice.
These changes will impact Government agencies in both state and federal theaters, as well as organisations who do business with government or consult for government organisations.
Resonating throughout the conference programme, the protocols reflect the 'enabling the business of government' theme. For the first time, Business Impact Levels have been added as a risk assessment metric. A further significant change to the security policies framework is the equal weight given to safeguarding the confidentiality, integrity and availability of information.
Past security protocols focused on confidentiality and integrity, sometimes at the cost of availability, accessibility and openness.
"Agencies must consider the business impact that could result from the compromise, loss of, or disruption of access to information, including that posed by the aggregation of data" Mr McClelland said. "Agencies now also need to create policies and procedures to manage both the aggregation and declassification of information" he warned.
With a single class approach which removes National and Non-National differentiations, the seven classification levels have been replaced by just four (TOP SECRET, SECRET, CONFIDENTIAL and PROTECTED), and five additional Dissemination Limiting Markers (DLMs) have been added to provide further security granularity.
The DLMs are
- for official use only
- sensitive personal (eg, documents which fall under the Privacy Act)
- sensitive legal (eg, documents which fall under specific legislation)
- sensitive cabinet (PROTECTED is applied to all Cabinet information by default)
Some agencies have a wide range of classification key words in place, and these are often confusing for individuals who need to use the information for their day to day government work. Further, agencies exchanging information may find themselves with documents classified in different ways, subtly different but leading to confusion and delays.
This less complicated four classification single streamlined approach provides for the minimisation of this confusion and will lead to an easier progression to Gov 2.0 transparency. Further information on Gov2.0 can be found at the Department of Finance and Deregulation, recommended reading is the Government Response to the Report of the Government 2.0 Taskforce.
A key difference in the approach of the new framework is the intention to create policies around information, and not individual documents, the creators of the data or the data itself. Central to this strategy is the clear requirement for agencies to take a great deal more responsibility in building policies which are relevant to their organisations, using the Protective Security Manual as a framework and not a document which is presented to new starters as a rulebook of minimum requirements.
Classifications must also reflect legislative directives and be marked accordingly when Privacy Laws may be impacted.
Each agency will be required to build their own Security Manual relevant to their own organisation, the business conducted and the sensitivity of the information they hold and generate. This task will include the classification of existing in-use documentation, the review of email and document management systems for protective markings and the training of staff. Agencies may choose to address the massive data stores of historical information for remarking, however this is not a requirement from the Attorney-General.
Agencies have their work cut out for them.
While a transitional period of 12 months has been allowed for and reporting to portfolio ministers on compliance is not required until July 13, for agencies with large volumes of information or with small teams of internal technical security officers this is a task which may seriously impact business as usual operations.
Director of the Protective Security Policy within the Attorney-General's Department Mal Owens provided some comfort to Agencies looking at the changes.
"The classifications are as they always have been, and there has not been any changes to the handling of caveat material", "such as AUSTEO" (Australian Eyes Only). Guidelines on security reporting and assistance for agencies is available upon request and the existing treatment of aligned security classifications for TOP SECRET, SECRET, CLASSIFIED and PROTECTED will not change.
Further, the government is moving towards a closer alignment of the Protective Security Policy Framework with standards used outside of government and recognised globally.
McClelland confirmed in his address that the new framework "aligns with, and uses the controls from the International Standards and Australian Standard 27000 Information Technology series for developing information security risk treatments. This alignment in standards and terminology will deliver increased efficiencies."
Surely this change, and changes to follow which will more closely align ICT physical security, equipment testing, teleworking best practice and mobile telecommunications policy with global standards, will be good news for commercial organisations doing business with government.
By consolidating security framework and protocols into globally recognised standards, the ability for non-government organisations to interface with government organisations using similar language and understanding can only be enhanced and simplified.
Contractors and Government cleared individuals unfamiliar with the access provided by clearance levels should refer to the documentation on the Protective Security Policy Framework section of the AG website. Below is a table from the document which covers a basic overview.
The new documentation mentioned above
Stephen Gillies attended Security in Government as a guest of The Attorney-General's Department.