Protective Security Policy Framework

Glossary of security terms

Amended

October 2017

Version 1.4

© Commonwealth of Australia 2011

All material presented in this publication is provided under a Creative Commons Attribution 3.0 Australia (http://creativecommons.org/licenses/by/3.0/au/deed.en) licence.

For the avoidance of doubt, this means this licence only applies to material as set out in this document.

The details of the relevant licence conditions are available on the Creative Commons website (accessible using the links provided) as is the full legal code for the CC BY 3.0 AU licence (http://creativecommons.org/licenses/by/3.0/legalcode).

Use of the Coat of Arms

The terms under which the Coat of Arms can be used are detailed on the It's an Honour (http://www.itsanhonour.gov.au/coat-arms/index.cfm) website.

Contact us

Inquiries regarding the licence and any use of this document are welcome at:

Commercial and Administrative Law Branch
Attorney-General’s Department
3-5 National Cct
BARTON ACT 2600

Telephone: (02) 6141 6666

Document details
Security classification / Unclassified
Dissemination limiting marking / Nil—Publicly available
Date of next review / July 2017
Authority / Protective Security Policy Committee
Author / Protective Security Policy Section, Attorney-General’s Department
Document status / Approved 1 June 2012; amended November 2014

Amendments

No. / Date / Location / Amendment
1.  / July 2012 / Attorney-General’s certificate / Amendments to wording of definition
2.  / July 2012 / Adverse security assessment / Amendments to wording of definition
3.  / July 2012 / Prescribed administrative action / Definition added
4.  / July 2012 / Qualified security assessment / Amendments to wording of definition
5.  / July 2012 / For Official Use Only / Definition added
6.  / June 2014 / Sponsoring agency / Definition added
7.  / June 2014 / Whole person / Definition added
8.  / June 2014 / Manager / Definition added
9.  / December 2014 / National interest / Definition updated to include national economic wellbeing
10.  / December 2014 / Throughout / Update definitions relating to personnel security
11.  / December 2014 / PROTECTED, CONFIDENTIAL and SECRET / Update to reflect impact on the national interest, organisations and individuals
12.  / December 2014 / TOP SECRET / Update to reflect impact on the national interest
13.  / October 2017 / Information / Amendment to definition


1.  Purpose

The purpose of this document is to define the terms, abbreviations and acronyms used in the Protective Security Policy Framework.

2.  Terms and definitions

Term / Definition
Access / Obtaining knowledge or possession of information (including verbal, electronic and hard-copy information) or other resources, or obtaining admittance to an area.
Access control system / A system designed to limit access to facilities to authorised people whose identity has been verified.
Accreditation / A procedure by which an authoritative body gives formal recognition, approval, and acceptance of the associated residual security risk with the operation of a system.
Accountable material / Particularly sensitive information requiring strict access and movement control – there are many types of information that could constitute accountable material, but Cabinet documents are always to be treated as accountable material.
Active (in reference to security clearances) / A maintained security clearance that is sponsored by an Australian Government agency, and being maintained by a clearance holder and sponsoring agency.
Adverse security assessment / An assessment from ASIO, in writing, that contains a recommendation about a prescribed administrative action that would be prejudicial to the interests of the person. For example, a recommendation that a person should not be given access to security classified material.
Agency (also Australian Government agency) / Includes all Australian Government non-corporate Commonwealth entities, corporate Commonwealth entities or companies under the Public Governance Performance and Accountability Act 2013 or other bodies established in relation to public purposes.
Agency head / The head of any Australian Government department, authority, agency or body.
Agency security adviser (ASA) / The officer responsible for day-to-day management and operation of the agency’s protective security.
Agency security management personnel / Employees who are responsible for the day-to-day protective security functions within that agency, e.g. they may undertake duties such as security risk reviews and audits, security awareness programs for agency staff, they may be involved in the preparation of agency security plans, and may provide advice on security risk management.
Agency security plan / The plan of action that articulates how an agency will manage its security risks.
Agency specific character checks / Employment screening and ongoing suitability assessments undertaken by an agency as part of its personnel security management to address specific agency risks.
Agreement / An instrument, agreement, treaty between the Australian Government and another government; or arrangement or MOU between an Australian Government agency and a foreign agency for the exchange and protection of information. Also see bilateral agreement, government sponsored instrument and multilateral agreement.
Aggregation / A term used to describe a compilation of classified or unclassified official information or assets.
Annual health check (also Annual confirmation of suitability; in reference to personnel security) / The annual confirmation by a manager about each employee they are responsible for, including information regarding:
·  whether the relevant employee:
   -  has reported any changes in circumstances
   -  is suitable to have continued access to official resources
·  any previously un-actioned security concerns
Assessing officer / A competent person who conducts personnel security clearances in accordance with the procedures outlined in the PSPF.
Asset / An item that has a value to an agency—including personnel, information and physical assets. Also see official resources.
Attached staff / APS employees from any agency, and ADF personnel, who are posted overseas and who work mainly from the chancery premises (building or office of a diplomatic or consular mission managed by DFAT).
Attorney-General’s certificate / A certificate from the Attorney-General that prohibits or limits the disclosure of grounds contained in the assessment or the fact there is an assessment for reasons that disclosure would be prejudicial to the interests of security.
Audit / An examination and verification of an agency’s systems and procedures, measured against a predetermined standard.
Australian Government agency / See agency.
Australian Government Information Security Manual (ISM) / The Australian Signals Directorate’s document suite that details controls, principles and rationale for information security on ICT systems.
Australian Government Protective Security Manual (PSM) / Australia’s protective security policy until it was replaced by the PSPF.
Australian Government resources / The collective term used for Australian Government people, information and assets.
Australian New Zealand Counter Terrorism Committee (ANZCTC) / An inter-governmental committee that coordinates a cooperative framework to counter terrorism. The committee meets biannually and comprises representatives from the Australian (Commonwealth, state and territory) and New Zealand Governments.
Australian Privacy Principles (APPs) / Contained in Schedule 1 of the Privacy Act 1988 (Cth), the APPs regulate the handling of personal information by Australian Government agencies and some private sector organisations.
Authorised agency (in reference to security vetting) / A Commonwealth agency authorised to undertake security vetting and grant security clearances to meet the agency’s business needs.
Authorised persons (also Specified persons; in reference to contracting) / Persons employed by a contractor to an agency, who are authorised by the agency to carry out work or perform duties under the contract with the agency.
Authorised Commonwealth Officer (also person authorised) / Section 89 of the Crimes Act 1914 (Cth) allows for the appointment of Authorised Commonwealth Officers by a Minister to direct a person to leave Commonwealth premises.
A person authorised in writing by a Minister or the public authority under the Commonwealth occupying a premises may also direct a person to leave premises occupied or in use by the public authority under the Commonwealth under the Public Order (Protection of Persons and Property) Act 1971 (Cth).
Availability (in reference to information) / The desired state that allows authorised users to access defined information for authorised purposes at the time they need to do so.
Baseline security clearance / Security clearance required for ongoing access to security classified information at the PROTECTED level, or where a level of assurance is required of a person’s suitability to perform a role.
Bilateral agreement / An agreement between the Australian Government, or an Australian Government agency, and the government, or agency, of another country that provides for the reciprocal exchange of usually security classified information. The agreement also sets out the agreed handling requirements. Also see multilateral agreement and government sponsored security instrument.
Breach / See security breach.
Briefings / Additional specific training required prior to a person being given access to certain Codeword or compartmented information or sensitive sites.
Business continuity planning (BCP) / The development, implementation and maintenance of policies, frameworks and programs to assist agencies manage a business disruption, as well as build agency resilience. It is the capability that assists in preventing, preparing for, responding to, managing and recovering from the impacts of a disruptive event.
Business impact level / The level of impact on an agency’s ability to operate or on the national interest, organisations or individuals, resulting from the compromise of confidentiality, loss of integrity or loss of availability of people, information or assets.
Business information / See official information.
Cabinet documents / Material agencies prepare that is intended for submission to the Cabinet (generally Cabinet submissions and attached material, including audio visual presentations); and documents dealing with Cabinet meetings (business lists, Cabinet minutes and notes taken by Cabinet note takers). For further information refer to the Cabinet Handbook.
Cabinet-in-Confidence / A legacy protective marking replaced by Sensitive: Cabinet.
Cancel (in reference to vetting decisions) / Circumstances where a security clearance is initiated, but not completed by the vetting agency as:
·  the sponsorship of the clearance was removed at the request of the sponsoring agency
·  the sponsorship or clearance requirement could not be confirmed, or
·  the clearance subject was non-compliant with the clearance process.
Caveat / See security caveat.
Ceased (in reference to security clearances) / Circumstances where a security clearance:
·  has been denied or revoked
·  may have time-based conditions on when a clearance subject or holder can reapply for a security clearance, or where the clearance subject or holder is ineligible to hold or maintain a security clearance.
Certification / Formal procedure by which an accredited or authorized person or agency assesses and verifies (and attests in writing by issuing a certificate) the attributes, characteristics, quality, qualification, or status of individuals or organizations, goods or services, procedures or processes, or events or situations, in accordance with established requirements or standards. See audit.
Change of circumstance / A change to an employee’s personal circumstances (i.e. change of address, marriage/divorce, overseas travel) that may influence how a person behaves or may make them vulnerable to coercion by an external party.
Class A secure room / A room constructed and secured in accordance with ASIO specifications – doors are fitted with two endorsed combination locks; for further information refer to ASIO Technical Note 7-06 – Class A Secure Room available to agency security advisers from the Protective Security Policy community on GovDex.
Class A security container / A steel-lined concrete-strengthened container secured with an endorsed combination lock manufactured to ASIO-approved specifications; for further information refer to the SEC or SEEPL.
Class B secure room / A room constructed and secured in accordance with ASIO specifications – doors are fitted with one endorsed combination lock; for further information refer to ASIO Technical Note 8-06 – Class B Secure Room available to agency security advisers from the Protective Security Policy community on GovDex.
Class B security container / A security container manufactured to ASIO-approved specifications; for further information refer to the SEC or SEEPL.
Class C secure room / A room constructed and secured in accordance with ASIO specifications and locked using one lock endorsed for the protection of security classification information; for further information refer to ASIO Technical Note 9-06 – Class C Secure Room available to agency security advisers from the Protective Security Policy community on GovDex.
Class C security container / A security container manufactured to ASIO-approved specifications; for further information refer to the SEC or SEEPL.
Classification system / See security classification system.
Classified document register (CDR) / A register that includes details of all accountable material produced, received or sent; including TOP SECRET security classified documents, and other security classified documents as required by agencies’ information security policies.
Clear desk policy / A policy requiring a person to ensure that official information and other valuable resources are secured appropriately when the person is absent from their workstation or work place.
Clear screen policy / A supplementary policy to the clear desk policy that requires a person to ensure that information on ICT equipment is secured appropriately when the person is absent from the work station, e.g. by locking the ICT equipment.
Clearance / See security clearance.
Clearance process (in reference to personnel security) / The process of assessing a person’s suitability for access to security classified information.
Codeword / A type of security caveat – a codeword is a word that indicates that the information it covers is in a special ‘need-to-know’ category. Those with a need to access the information will be cleared and briefed about the significance of this type of information. See also security caveat and source codeword.
Compromise or misuse / The means by which harm could be caused to resources, especially loss, damage, corruption or disclosure of information, whether deliberate or accidental.
Communications security (COMSEC) / All measures (including the use of cryptographic security, transmission security, emission security and physical security measures) applied to protect government telecommunications from unauthorised interception and exploitation and to ensure the authenticity of such telecommunications.
COMSEC officer / The person in an agency who is responsible for authorising and controlling cryptographic access.
CONFIDENTIAL / A security classification that shows that compromise of confidentiality of official information could cause significant damage to the national interest, organisations or individuals.