Administration of Security Incidents, including the Conduct of Security Investigations
The objective of the audit was to evaluate the policies and practices of selected organisations to determine whether they had established sound arrangements for, and maintained effective control over, the administration of security incidents and investigations.
The effective administration of security incidents and investigations is a fundamental part of good security management. Information gathered on security incidents and investigations may highlight the need for entities1 to re-assess the adequacy of current practices or arrangements, and is also a key input into continuous improvement activities. In turn, good security management helps to contain the effects of a security incident and enables entities to manage the consequences of a security incident and to recover as quickly as possible.2
Entities can encounter a wide-range of security incidents including the theft or loss of assets, the inappropriate handling or suspected compromise of classified information, instances of unauthorised access to information or restricted work areas and the physical or threatened assault of staff. The number and type of security incidents generally reflect the nature of each entity's work, including the level of classified or sensitive information. It may also be influenced by such factors as, the conduct of regular security inspections, the strength of security awareness amongst staff, and the ease of reporting security incidents.
The Protective Security Manual (PSM), issued by the Attorney-General, is the principal source of protective security policies, principles and standards for Australian Government entities. Part G of the PSM contains instructions and guidance on the administration of security incidents and investigations.
The objective of the audit was to evaluate the policies and practices of selected Australian Government entities to determine whether they had established robust arrangements for, and maintained effective control over, the administration of security incidents and investigations.
The following entities participated in the audit:
- Australian Crime Commission;
- Australian Customs Service;
- Australian Maritime Safety Authority;
- Child Support Agency; and
- Department of Finance and Administration.
Overall, the ANAO concluded that the audited entities had sound policies and practices in place to support, and maintain effective control over, the administration of security incidents and the conduct of security investigations. In particular, the audit found that most of the entities had established sound processes for capturing and recording security incidents.
The audit also considered that the experience and training of key security-staff, together with good levels of support by management, contributed positively to the effective administration of security incidents and investigations in the audited entities.
However, the ANAO did identify a number of shortcomings, and opportunities for further improvement, in relation to administration of security incidents and security investigations. These matters mainly relate to:
- improving the content, and processes for maintaining the currency of, security-related policy and procedural documentation;
- developing a formal plan or strategy to assist with the management of security awareness activities;
- establishing more formal (and regular) processes for the review, analysis and reporting of the impact of security incidents and investigations on the security health of the entity;
- providing greater clarity and accountability for decisions on the responses taken to security incidents, including the decision to undertake a security investigation; and
- putting in place mechanisms to improve the communication of information between different work areas involved in security or security-related investigations.
The ANAO made seven recommendations based on the findings from the entities reviewed. These recommendations are likely to have relevance to the administration of security incidents in all Australian Government entities.
Sound and better practices
A number of sound and better practices were observed in the audited entities. Details of these practices are contained in Table 1 of the report.
Responses provided by entities
Each of the audited entities, together with the Attorney-General's Department,3 indicated that they agreed with the recommendations.
1 In this report, the term ‘entity' is used to describe any Australian Government body, including those organisations subject to the Financial Management and Accountability Act (FMA Act) 1997 and the Commonwealth Authorities and Companies Act (CAC Act) 1997.
2 Australian Security Industry Forum – Security 2004, Opening Address – Security in a Changing Environment, Attorney–General, 14 July 2004, Sydney.
3 The Attorney-General's Department was provided the opportunity to comment on the draft report given its central policy role in relation to protective security.