Management of Protective Security
Security issues continue to receive widespread attention in the Parliament, the media and amongst the general public. In large part, this attention is fuelled by the continuing volatility of the international security-related environment, in particular, the recurring spectre of, and the continuing threats from, terrorist activity.
Given this heightened level of interest, all organisations in the Australian Public Sector need to be able to make informed decisions about, and have the capability to respond to, any potential risks and threats to the security of their assets, including information and their people. In particular, they need to design administrative processes to continually protect their assets from loss, harm or compromise. These processes are collectively referred to as the protective security function.
The Protective Security Manual is the main source of protective security policies, principles and standards for Commonwealth organisations. The manual provides guidance and advice on the policies and practices that are important in the development of an effective protective security function.
Audit objective and scope
The objective of the audit was to assess whether protective security functions in selected organisations were being effectively managed. In considering effectiveness, the audit assessed whether protective security arrangements:
- were designed within the context of the business framework and the related security risks identified by the organisation; and
- provided an appropriate level of support for the organisation's operations and the delivery of its services.
The audit was designed to evaluate the broader management issues associated with protective security, rather than examine the delivery of individual protective security practices. For example, the audit evaluated processes around the development of protective security plans and the management of security-related information. It also considered how each organisation satisfied itself that its security plans and policies continued to be appropriate and were being complied with.
The audit did not consider activities associated with the protection of Australia's national security, in particular, counter-terrorism initiatives, which will be reviewed in a forthcoming audit.
The following organisations participated in the audit:
- Australian Taxation Office;
- Commonwealth Scientific and Industrial Research Organisation;
- Department of Family and Community Services; and
- Special Broadcasting Service Corporation.
Overall, the ANAO concluded that not all the audited organisations had, at the time of the audit, sufficient and reliable processes in place for the effective management of their protective security functions. In particular, while the ANAO observed a positive trend towards greater senior management involvement and commitment in relation to protective security issues, we noted that the effectiveness of some practices was, at times, adversely impacted by resourcing difficulties and the lack of formal oversight and control.
The ANAO also considered that some of the organisations were too reliant on processes that were largely undertaken in isolation, or were reactive in nature, rather than being designed as part of a coordinated response to the business and security risks faced.
At the time of the audit, there were several significant reforms in progress amongst the audited organisations. The implementation of these reforms is expected to address many of the shortcomings identified by the ANAO.
The ANAO also identified a number of opportunities, including those matters being addressed at the time of the audit, to improve the management of protective security functions. These mainly related to:
- the need for better security planning—including the integration of security planning with business planning processes, and the adoption of processes for managing progress against those plans;
- better management of security risks—by integrating security risk management processes with organisation-wide risk management arrangements; and/or by adopting formal and structured processes over implementation and monitoring of risk treatment activities;
- developing strategic, whole-of-organisation approaches to the management of security education and training, and the maintenance of security awareness levels; and
- the need for greater investment in processes for the documentation and monitoring of, and the reporting on, the performance of protective security activities and arrangements.
Sound and better practices
The following examples of sound and better practices were observed amongst the audited organisations:
- Two organisations had established security committees to oversee the management of protective security activities.
- Two organisations were, at the time of the audit, developing formal strategies to set the priorities and direction for the delivery of security awareness education and training activities.
- In one organisation, the management of security risks occurred as an integral part of the approved organisation-wide risk management processes.
- One organisation was preparing, at the time of the audit, a comprehensive plan to oversee the management of its security risks, including the conduct of security-risk assessments and the monitoring of risk treatment strategies and activities.
- One organisation had established formal processes for routinely seeking independent information on its potential external threat environment.
- Three of the organisations had implemented databases to improve the effectiveness of their management of security clearance processes, including their capacity to identify those security clearances requiring review. One of these organisations proposed to interface the database to its Human Resource Management Information System to further assist in maintaining the accuracy and currency of security-clearance records.
- One of the organisations routinely captured and reported information on its security-related performance to its senior management.
Based on the experiences of the audited organisations, the ANAO made four recommendations designed to improve the management of protective security functions in all Australian Government organisations.
Responses provided by organisations
Each of the audited organisations, together with the Attorney-General's Department [1], responded positively to the opportunity to comment on the proposed audit report.
Each of these organisations indicated that it agreed with the recommendations. Organisations' responses to the recommendations are shown following each recommendation in Chapters 2–4. Other general comments provided by these organisations are reproduced at Appendix 1.
[1] The Attorney-General's Department was asked to comment on the draft report given its central policy role in relation to protective security.