Peter Butler. Senior Manager Protective Security: ACT Health. Protective Security Policy Framework. The ACT Government Model & ACT Health Perspective.


Page 1: Peter Butler - ACT Health

Peter Butler. Senior Manager Protective Security: ACT Health.

Protective Security Policy Framework. The ACT Government Model & ACT Health Perspective.

Page 2

What is the Protective Security Policy Framework?

The Protective Security Policy Framework (PSPF) provides the appropriate controls for the Australian Government to protect its people, information and assets, at home and overseas (Commonwealth Attorney-General's Department). http://www.protectivesecurity.gov.au/Pages/default.aspx

HISTORY: The PSPF is the framework under which the Commonwealth Government has been operating since 2008. At a recent Council of Australian Governments (COAG) meeting, all state premiers and territorial heads of government agreed to adopt and implement the PSPF principles over the next ten-year period. Each jurisdiction will develop a version of the PSPF to meet its business needs.

Page 3

What is PSPF cont…

Simply, the Protective Security Policy Framework can be compared to a whole-of-government set of standards for security, to ensure that all government agencies and authorities apply a consistent approach to the way in which agency security is implemented and managed.

By adopting this approach governments can implement, manage, risk assess and compliance audit security principles and governance consistently across their jurisdictions.

Page 4

What is Protective Security?

Protective Security is the various components or streams of security that collectively band together through a framework to adopt a formalised structure in order to manage government security, based on a risk management approach.

The Commonwealth PSPF model has thirty-three mandatory components which are grouped into four categories:

1. Governance arrangements
2. Physical Security
3. Personnel Security
4. Information Security

Page 5

What is Protective Security cont…

Commonwealth Framework

PSPF Tier 1:

• Directive on the security of government business

• Protective security policy statement and principles

PSPF Tier 2:

Governance arrangements

Protective security core policies:
• Personnel security
• Information security
• Physical security

Australian Government personnel security management protocol

Australian Government personnel security management guidelines:
• Agency personnel security guidelines
• Personnel security practitioners guidelines
• Security clearance subjects guidelines
• Contact reporting guidelines
• Procedural fairness guidelines
• Reporting changes in personal circumstances guidelines
• Adjudicative guidelines

Australian Government information security management protocol

Australian Government information security management guidelines:
• Australian Government classification system
• Protectively marking and handling sensitive and security classified information
• Agency cyber security responsibilities when transacting online with the public
• Management of aggregated information

Australian Government physical security management protocol

Australian Government physical security management guidelines:
• Security zones and risk mitigation control measures
• Physical security of ICT equipment, systems and facilities
• Working away from the office
• Event security

Securing Government Business - Protective Security Guidance for Executives: a summary of Tier 1 and 2 documents for agency heads and senior executives

PSPF—Glossary of terms

PSPF Tier 3:

Australian Government protective security governance arrangements

Mandatory Requirements
• Overall responsibility for protective security
• Applicability of the Protective Security Policy Framework

Developing a security culture
• Security awareness training
• ASA/ITSA competencies and functions

Better practice guides:
• Preparing protective security policies, plans and procedures
• Preparing agency classification guides

Security risk management
• Business impact levels

Audit, reviews and reporting
• Compliance reporting

Protective security investigations
• Reporting incidents and conducting security investigations

Legislation

International security agreements
• Safeguarding foreign government information

Business continuity management

Contracting
• Security requirements of outsourced services and functions

Page 6

PSPF. The ACT Government Model.

The ACT Government PSPF model adopted twenty-three of the thirty-three mandatory components of the Commonwealth framework and tailored them to suit ACT Government business.

These 23 components were grouped into four streams of security, similar to the Commonwealth framework:

1. Governance Security (GOVSEC)
2. Physical Security (PHYSEC)
3. Personnel Security (PERSEC)
4. Information Security (INFOSEC)

Page 7

ACT Government PSPF Model.

Page 8

ACT Government PSPF Model cont…

The framework adopted by the ACT Government outlines five key and mandatory layers of responsibility within its structure. Each agency or authority must have the following layers of accountability:

1. An Executive Security Committee. Accountable for the governance and collective security management and review of the agency's security operations.

2. An Agency Security Executive (ASE). Responsible for the executive management and financial allocation of security budgets and expenditure.

Page 9

ACT Government PSPF Model cont…

3. An Agency Security Advisor (ASA). Responsible for providing strategic security advice to the ASE and Director General on all Protective Security matters and overseeing all security-related matters across the agency. Must be an appropriately experienced and qualified security professional.

4. An Agency Security Officer (ASO). Responsible for the day-to-day management of security operations and assists the ASE as required.

5. Information Technology Security Advisor (ITSA). An appropriately qualified and experienced IT security manager to oversee the agency’s IT platforms and IT security requirements.

Page 10

Application of PSPF in a Hospital Healthcare environment.

ACT Health, as an agency of the ACT Government, is in the process of developing and implementing a Protective Security Policy Framework aligned to the ACT whole-of-government model.

When fully implemented, ACT Health's PSPF will be the over-arching Protective Security Policy, Protective Security S.O.P.s and governance framework for all of the agency's protective security requirements.

Page 11

ACT Health PSPF.

The ACT Health PSPF is made up of a structured governance framework that collectively guides the management of all security requirements and capabilities.

1. Governance (GOVSEC).

• Agency Security Plan

• Business Continuity Plans (BCPs)

• Fraud Control Plans

• Emergency Management Framework

• Risk Management Framework

• Security Investigations Framework.

• Security Audit Framework. Annual Reports.

• Enterprise Security Risk Assessment

Page 12

ACT Health PSPF cont…

2. Physical Security (PHYSEC).

• Security guarding services

• Access control systems

• Intruder alarm systems

• Alarm monitoring & alarm response

• Mobile vehicle patrols

• CCTV surveillance systems

• Radiation security plans & response

• Biological security plans & response

• Code responses (Black, Grey, etc.)

Page 13

ACT Health PSPF cont…

3. Information Security (INFOSEC).

• IT security, systems & networks.

• Information security: medical records, patient files, research data, cabinet files.

• Clear desk policy: securing confidential files etc., not leaving them out on desks or in public view.

• Appropriate storage facilities for private/confidential files & material.

• Classification of files: Confidential, Classified, Protected, etc.

• Workforce education regarding leaving confidential documents on photocopiers, printers etc.

• Working away from office & mobile data devices

• Appropriate destruction of files & documents

Page 14

ACT Health PSPF cont…

4. Personnel Security (PERSEC).

• Pre-employment screening (Police, AFP, ASIO, etc.).

• Position-specific security checks (AFP, ASIO, etc.).

• Commonwealth Security clearances, AGSVA, etc.

• Security investigations

Page 15

ACT Health PSPF cont…

• The application of Protective Security principles and requirements is always based on a risk management approach to assessing security requirements against identified risks and vulnerabilities throughout the health facility.

• The ACT Health Protective Security Policy is the over-arching document linking the four streams of security mentioned in the previous slides.

• This framework is the foundation of security principles and guidelines for the organisation to implement, manage, risk assess and compliance audit all aspects of the organisation's security requirements against government KPIs.

• Furthermore, a very important consideration of Protective Security is that its principles must be considered in the design and development stages of all new build projects, facility upgrades, fit-outs and redesigns.

Page 16

ACT Health PSPF cont…

Challenges to implementing PSPF into a hospital environment:

• Educating the workforce on security awareness.

• Developing a risk management approach to security

• Getting full support from the organisation and senior executive.

• Developing an encompassing protective security framework which covers all facets of the organisation’s security requirements.

• Having the appropriately qualified expertise in your security management structure.

• Reinforcing security awareness to medical & clinical practitioners.

• Networking with similar security practitioners to resolve challenges

Page 17

QUESTIONS?