Security Awareness and Training
The objective of the audit was to assess the effectiveness of security awareness and training arrangements at selected Australian Government organisations, including whether they addressed selected security issues from the PSM.
1. Australian Government organisations have access to, and manage a significant amount of official resources, including information and assets. All individuals working in these organisations have a responsibility to protect and properly use these resources.
2. The policies and practices used to assist in the protection of these resources are collectively known as ‘protective security'. Protective security arrangements typically encompass information, information communications and technology (ICT), personnel and physical security dimensions.
3. A program of security awareness and training activities, which reflects an organisation's circumstances and risks, is integral to having effective protective security arrangements more broadly. Specifically, organisations need measures to help ensure that individuals who have access to official resources are aware, and as appropriate, trained in the application of any relevant security policies and procedures. This includes providing them with a clear understanding of their security related responsibilities.
4. The Protective Security Manual (PSM) and the Information Security Manual (ISM) contain the Australian Government's policy, guidelines and minimum requirements relating to the protection of official resources.1 Both manuals outline the importance of, and contain requirements relating to, the provision of security awareness and training.
5. In addition to the requirements in the PSM and ISM, there is a wide range of legislative obligations relating to the protection, use and disclosure of information. The Australian Law Reform Commission (ALRC) recently reported that it had identified 506 ‘secrecy' provisions among 176 different pieces of primary and subordinate Commonwealth legislation.2 Some of these provisions are organisation-specific, contained in legislation administered by the organisation, or in some cases, in its enabling legislation. In other instances, the provisions have broad application among Australian Government organisations, such as those in the Public Service Act 1999.
6. An organisation's security awareness and training program should promote an understanding of those requirements in the PSM and ISM that are pertinent to the roles and responsibilities of its staff. In this regard, requirements that are likely to have general application to the majority of Australian Government organisations include:
- handling, storing and disposing of official information, including security classified information;
- determining the security classification of information, including the use of protective markings;
- responsibilities associated with holding a security clearance, including reporting any changes in circumstances; and
- maintaining sound physical security polices and procedures, including perimeter and work area access controls, the wearing of staff passes and the management of keys and combinations.
7. The PSM recognises that other legislation contains requirements relating to the protection of particular types of official information. Accordingly, it is good practice for an organisation's security awareness program to also promote an understanding of any relevant ‘confidentiality' obligations in legislation administered by, or affecting the organisation.
8. More broadly, security awareness and training activities are likely to be more effective if organisational-wide security risks and issues are assessed, and the results used to plan security awareness and training activities. The impact of security awareness messages will be more beneficial if they are promoted and regularly reinforced using a variety of methods. In addition, the design of security awareness activities should take into account such things as: the nature of the organisation's information holdings and physical assets; the number of operational sites; and the number of staff with security clearances.
9. Since 1995, the Australian National Audit Office (ANAO) has undertaken ten cross-agency audits of protective security arrangements in Australian Government organisations.3 As shown in Table S 1, three of these audits have included recommendations designed to improve the management and delivery of security awareness and training. Each of these reports has encouraged Australian Government organisations to assess the benefits of the recommendations in light of their own circumstances and practices.
10. The objective of the audit was to assess the effectiveness of security awareness and training arrangements at selected Australian Government organisations, including whether they addressed selected security issues from the PSM.
11. To address the audit objective, the ANAO examined the methods used to promote and deliver security awareness and training, and whether the success (or otherwise) of these activities was being actively measured. The audit also assessed whether the three relevant recommendations from the ANAO's previous protective security audits have been implemented.
12. The audit also obtained details of progress made by the Attorney General's Department and the Department of Finance and Deregulation in clarifying which organisations operating under the Commonwealth Authorities and Companies Act 1997 the PSM applies to (Recommendation 1 in ANAO Audit Report No.44 2008–09 Security Risk Management).
13. The security awareness and training activities at the following four Australian Government organisations were assessed:
- National Archives of Australia (Archives);
- CrimTrac Agency (CrimTrac);
- National Gallery of Australia (Gallery); and
- Department of Health and Ageing (Health).
14. These organisations face a range of security risks that can affect the integrity of their information and physical resources, their ability to maintain a safe and secure working environment, and the uninterrupted delivery of their programs or services. Specifically:
- central security considerations for the Archives and the Gallery are the protection of high-value and sensitive assets, records and other related information;
- CrimTrac's primary security responsibility is safeguarding the integrity of a range of sensitive law enforcement data, including personal and police reference information; and
- a key security issue for Health is the protection of the wide-range of information that it has access to and administers across its distributed physical locations.
15. Protective security describes the range of policies and practices employed to assist in the protection of an organisation's official resources. Soundly designed and timely security awareness and training activities are integral to the maintenance of effective protective security arrangements. Shortcomings in security awareness and training can undermine the operation of the controls and practices put in place to manage exposures to security risks.
16. Overall, the audit concluded that the security awareness and training arrangements at the audited organisations were generally adequate and operating as intended. Nevertheless, there is considerable scope to enhance the effectiveness of the organisations' security awareness and training programs. The main areas for improvement relate to more thoughtful planning, including tailoring the approaches used in light of the organisations' security risk profiles, and better monitoring to help identify security awareness techniques that are not effective or working well. In addition, the audited organisations would benefit from improved record keeping to assist them manage the timely delivery of, and attendance at, security awareness training.
17. The audited organisations use a variety of approaches to promote and reinforce security awareness, including providing information on security requirements as part of staff induction processes, and offering ongoing security training or briefings to all staff. For the most part, the content of each organisation's4 security awareness and training programs adequately reflects the organisation's circumstances,5 including its security risks and issues , and provides good coverage of selected security issues from the PSM. On the other hand, only two of the audited organisations adequately cover the confidentiality and protection of information requirements contained in the Public Service Act 1999.
18. Procedures are in place to identify and capture details of security breaches or incidents at each of the audited organisations. At two of the audited organisations, less than five per cent of the security incidents examined were indicative of security awareness issues. However, around 40 per cent of the security incidents examined at another organisation related to a similar issue, suggesting a potential shortcoming in security awareness levels.
19. The principal shortcomings identified during the audit are:
- three of the organisations did not have a sound, organisation wide approach to identifying and assessing security risks and, as a result, could not demonstrate that the security risks faced by the organisation were appropriately factored into the design of their security awareness and training programs;
- only one organisation had an approved security awareness and training plan setting out its approach to managing its security awareness program;
- none of the organisations had training targeted at the roles and responsibilities of security cleared staff, although one organisation provides guidance (annually) to these staff about their responsibilities;
- records on the delivery of, and attendance at security awareness training were limited and, where available, generally indicated a need for additional, and more timely training; and
- none of the organisations regularly monitored the effectiveness of their security awareness and training programs, although two organisations monitored security incident records to help inform the design of their security awareness and training activities.
20. Three of the key findings in this audit (the lack of structured and organisation wide security risk assessments, the lack of security awareness planning; and the lack of monitoring) are consistent with findings reported in previous ANAO protective security audits. This suggests that improvements in these areas remain elusive for Australian Government organisations.
21. Health had implemented each of the three relevant recommendations from previous ANAO protective security audits. Archives had implemented two, the Gallery had implemented one and partially implemented another of the recommendations, while CrimTrac had partially implemented two of the recommendations.
22. The audit makes one recommendation aimed at improving organisations' approaches to security risk management. The remaining four recommendations of the audit are designed to improve the management of security awareness and training activities. Specifically, these recommendations focus on enhancing the planning, design, record keeping and monitoring of such activities. One of these recommendations (Recommendation No.2) reiterates similar recommendations made in previous ANAO audit reports.
Key findings by Chapter
Supporting Security Awareness and Training (Chapter 2)
Assessing security risks
23. Organisations should adopt a structured and organisation wide approach to identify, assess, treat, and monitor their protective security risks. Such an approach increases the likelihood that relevant security risks and issues will be appropriately factored into the organisation's security awareness and training activities.
24. The Gallery was the only organisation that had undertaken an organisation-wide review to identify and assess its security risks, including the risks associated with security awareness and training. The effectiveness of the approaches adopted at the other organisations was limited because:
- not all aspects of security risks were addressed – for example, Archives had not assessed risks associated with its security awareness and training activities and CrimTrac did not have up-to-date security risk assessments for its key ICT systems;
- no consolidated records of security risks were maintained, including their assessment, associated mitigation measures and the assignment of responsibilities for managing the security risks; and
- the results of security risk activity were not endorsed by the organisations' senior management.
25. The results of the audit indicate there is scope to improve the approaches of the audited organisations to identify and assess their security risks. ANAO Recommendation No.1 is designed to address these issues.
Security policies have been promulgated and are current
26. Clear, current and easily accessible security policies, together with related procedural documentation, are important to assist staff better understand an organisation's security risks and issues, as well as their own security related responsibilities.
27. Each of the audited organisations had a range of readily accessible security policy and procedural documents. The documents were generally comprehensive, dealing with relevant security issues and requirements in an informative manner. Importantly, the security policy documents at the Gallery and Health had been recently reviewed and endorsed by their respective senior management. The Archives and CrimTrac would benefit from a review of the currency of their documents, including an assessment of whether they remain consistent with relevant standards in the PSM and the ISM.
Communication with senior management
28. Strong direction, leadership and commitment from an organisation's senior management are important in achieving effective protective security outcomes. As noted in Audit Report No.44 2008–09, Security Risk Management, organisations should have regular communication lines to support senior managers to obtain sufficient understanding and assurance about security related matters.
29. Each of the audited organisations had designated a member of their senior management to oversee the management of protective security matters within the organisation (commonly known as the Security Executive). In each case, this person maintained regular contact with the organisation's security team.
30. CrimTrac, the Gallery and Health regularly reported on security related matters to their respective senior management. There would be merit in the Archives reporting periodically on the status or performance of protective security activities to senior management.
Security awareness and training planning
31. Planning can assist an organisation develop coordinated and targeted security awareness and training programs, and help ensure that activities are designed to suit the roles and responsibilities of staff. The form and extent of planning required by each organisation depends on the organisation's circumstances, including its size, the nature of operations and its security risk profile.
32. Health, which was the largest organisation audited, was the only organisation that had an approved security awareness and training plan in place. Health's plan contains a series of strategies designed to improve the department's approach to security awareness and training. The strategies include undertaking targeted audience assessments, using available communication channels effectively, and monitoring and evaluation arrangements.
33. The lack of planning of security awareness and training activities is consistent with the results in previous ANAO protective security audits. ANAO Recommendation No.2 is designed to address this issue.
Designing and Delivering Security Awareness and Training (Chapter 3)
Security awareness techniques
34. Security awareness messages will be more effective when promoted and reinforced on a regular basis using a variety of mechanisms or tools. This normally requires a mix of general (organisation-wide) and targeted (role or work area specific) mechanisms; and the use of both active (such as briefings) and passive (such as posters) methods.
35. For the most part, the audited organisations employed a good variety of security awareness techniques. Specifically, each of the audited organisations provided security awareness training as part of their induction process, as well as offering ongoing security awareness training or briefings. However, only the Gallery and Health used posters or brochures to promote key security related messages.
36. The Gallery and Health had both recently introduced e-learning applications that contain modules dealing with security, including ICT security. Other useful techniques used by the audited organisations included a requirement for staff to sign security related acknowledgements or declarations and the promulgation of a series of factsheets on selected security issues.
Sufficiency and appropriateness of the content of security awareness and training programs
37. The design of an organisation's security awareness and training program should be commensurate with the nature of the organisation's operations, including its security risks and issues.
38. As mentioned at paragraph 24, the Gallery was the only organisation that had undertaken an organisation-wide review to identify and assess its security risks and that maintained sufficient documentation of its security risks. As result, the organisations could not clearly demonstrate that details of security risks were appropriately factored into the design of their security awareness and training programs.
39. Consequently, the ANAO examined whether the content (and design) of the audited organisations' security awareness and training programs reflected the:
- nature of the organisation's information holdings, including the level of security classified and sensitive information;
- number of staff with security clearances;
- location, nature and value of physical assets;
- number of the organisation's operational sites; and
- existence of any specific requirements relating to the protection and confidentiality of information in legislation or agreements administered by the organisation.
40. Overall, the ANAO assessed that the content of the security awareness and training programs at the Archives, the Gallery and Health was, for the most part, sufficient and appropriate in terms of the elements examined. Specifically, the design of the security awareness and training material at each organisation adequately reflected the nature of that organisation's information holdings, the value of its physical assets and the number (and location) of operational sites. In addition, the programs at each organisation largely addressed the selected issues from the PSM that were examined by the ANAO.
41. The security awareness material at the Gallery and Health adequately covered the requirements for the protection of information contained in the Public Service Act 1999. New starters at the Archives are required to acknowledge that they have been made aware of these requirements. However, two-thirds of Archives' personnel files examined by the ANAO did not contain documentation to indicate the acknowledgement had occurred.
42. The audit identified a number of opportunities to further improve the design of the organisations' security awareness training activities, including:
- none of the organisations had any training or briefings targeted at the roles and responsibilities of security cleared staff, although the Gallery reminds security cleared staff of their responsibilities through an annual acknowledgement form;
- not all of the security awareness training material at the Archives and the Gallery contained references to the availability of their respective security policy and procedural documents; and
- the security awareness training material at the Archives did not contain information on, or references to, requirements contained in the Archives Act 1983 relating to the protection of information.
43. ANAO Recommendation No.3 is aimed at addressing these findings.
44. At the time of the audit CrimTrac's security policy document was more than five years old. CrimTrac advised that it plans to review this document, and update it as necessary. The ANAO did not assess the content of CrimTrac's security policy document as it intends to replace it. CrimTrac discontinued use of the Attorney-General's Department's Internet-based security awareness training program in March 2009, and during the audit was re-assessing its approach to security awareness training. As a result, CrimTrac did not have a structured security awareness training program in place at the time of the audit. The ANAO did not assess the content of the training material as it is no longer being used by CrimTrac.
Maintaining sufficient records on the delivery of security awareness training
45. Maintaining accurate and complete attendance information can help organisations manage the scheduling and delivery of security awareness training. Accurate attendance records also provide assurance to senior management that sufficient training has occurred.
46. Apart from the Gallery, none of the audited organisations maintained sufficient records on the delivery of, and attendance at, security awareness training. The introduction of e-learning applications at two of the organisations has resulted in the capture of more accurate and detailed information on the completion of security awareness training. The lack of structured records meant there was insufficient evidence to gain assurance that appropriate levels of security awareness training had occurred. However, the records that were available suggest that the audited organisations can improve both the amount and the timeliness of security awareness training. ANAO Recommendation No.4 is designed to address these issues.
Monitoring the Effectiveness of Security Awareness and Training (Chapter 4)
47. Organisations that regularly monitor and assess the effectiveness of security awareness and training activities are well placed to make timely improvements to the approaches they use. This includes detecting delivery techniques that are not working well, or are no longer useful.
48. None of the audited organisations had regular and structured processes in place to assess the impact and success (or otherwise) of their security awareness and training activities. ANAO Recommendation No.5 is aimed at addressing this finding.
49. The organisations did, however, use a range of intermittent processes to obtain information on security awareness levels. For example, the Gallery and Health periodically monitored security incident records. Security incidents can provide valuable insights into an organisation's security environment, including the level of security awareness. Each of the audited organisations had implemented procedures to identify and capture details of security breaches or incidents. An examination of security incidents records at three of the audited organisations (at the time of the audit, no security incidents were recorded at CrimTrac) indicated that incidents were well documented, with follow-up action generally occurring in a timely manner.
Summary of organisations' responses
50. Each of the audited organisations, together with AGD, agreed with the recommendations in the report.
1 Attorney-General's Department, Protective Security Manual, October 2007 and Defence Signals Directorate, Information Security Manual, September 2009. The scope of each manual is discussed in Chapter 1.
2 Australian Law Reform Commission, Secrecy Laws and Open Government in Australia, Report 112, December 2009, p. 70. The 506 provisions are listed in Appendix 4 of the Report (pp. 613-629). The report is available at: <www.alrc.gov.au/inquiries/title/alrc112/index.html> [accessed 12 March 2010].
3 These audits are listed at Appendix 2.
4 Except CrimTrac, as the ANAO did not assess the content of its security awareness and training program (see paragraph 44).
5 Based on the five elements examined by the ANAO (see paragraph 39).