Protective Security Policy Framework Document Map – Version 1.4 – amended June 2016

PSPF Tier 1:

Directive on the security of government business

Overarching protective security policy statement and principles

PSPF Tier 2:

Protective Security Policy Framework (V1.8 – amended Nov 14):

  • Governance arrangements
  • Personnel security core policy (V2.0 – September 2014)
  • Information security core policy, and
  • Physical security core policy

Australian Government protective security governance arrangements

Mandatory Requirements

Overall responsibility for protective security

Applicability of the Protective Security Policy Framework

Developing a security culture

  • ASA/ITSA competencies and functions (V1.1 – amended April 2015)

Better practice guides:

  • Preparing protective security policies, plans and procedures (V1.1 – amended April 2015)
  • Preparing agency classification guides (V1.1 – amended April 2015)
  • Developing agency alert levels (V1.1 – amended April 2015)

Security risk management

  • Business impact levels (V2.1 – amended April 2015)

Audit, reviews and reporting

  • Compliance reporting (V1.0 – approved Mar 12)

Protective security investigations

  • Reporting incidents and conducting security investigations (V1.1 – amended April 2015)

Legislation

Business continuity management

Contracting

  • Security requirements of outsourced services and functions (V1.1 – amended April 2015)

Fraud control

International security agreements

  • Safeguarding foreign government information (V1.1 – amended April 2015)

PSPF Tier 3:

Personnel Security

Australian Government personnel security management protocol (V2.1 – amended April 2015)

Australian Government personnel security management guidelines:

  • Agency personnel security responsibilities (V1.1 – amended April 2015)
  • Vetting practices (V1.1 – amended April 2015)

Better practice guides:

  • Managing the insider threat to your business (V1.1 – amended April 2015)
  • Identifying and managing people of security concern (V1.1 – amended April 2015)

Information Security

Australian Government information security management protocol (V1.2 – amended April 2015)

Australian Government information security management guidelines:

  • Australian Government classification system (V2.1 – amended April 2015)
  • Protectively marking and handling sensitive and security classified information (V1.2 – amended April 2015)
  • Risk management of outsourced ICT arrangements (including Cloud) (V1.1 – amended April 2015)
  • Agency cyber security responsibilities when transacting on line with the public (V2.1 – amended April 2015)
  • Management of aggregated information (V1.1 – amended April 2015)

Physical Security

Australian Government physical security management protocol (V1.5 – amended April 2015)

Australian Government physical security management guidelines:

  • Security zones and risk mitigation control measures (V1.5 – amended April 2015)
  • Physical security of ICT equipment, systems and facilities (V1.1 – amended April 2015)
  • Working away from the office (V1.1 – amended April 2015)
  • Event security (V1.1 – amended April 2015)

PSPF Tier 4 documents

Agency protective security policies and procedures

Notes:

  • The PSPF references the Australian Government information security manual (ISM) for ICT security
  • The PSPF gives authority to, or refers to, other publications from other agencies and Australian/International Standards for some specific requirements/controls