
Whitepaper

Protective Security Policy Framework: An Operational Resilience Compliance Guide for the Australian Government

Noggin

Resilience Management Software

Updated July 4, 2025

Introduction to the Australian Government’s Protective Security Policy Framework (PSPF)

On October 1, 2018, the Department of Home Affairs within the Australian Government commenced the Protective Security Policy Framework (PSPF), a series of reforms intended to clarify, streamline, and encourage a “strengthened security culture across government agencies.” At its launch, the PSPF was described as a living document that would be updated as needed to address emerging security issues, new security best practices, and changes to Government security policies.

Since 2018, numerous policies within the PSPF have been amended, rewritten, or otherwise updated in this fashion, often with the advisement or guidance of relevant groups within various departments across the Government as well as feedback from the private sector. To date, this process has operated in accordance with the PSPF’s initial design and demonstrates the value of collaborative cooperation with groups both within and outside the Government.

Additionally, since 2018, the Attorney-General’s Department has issued an annual PSPF Assessment Report (formerly PSPF Compliance Report). These reports consolidate reporting by non-corporate Commonwealth entities to assure both the Government and the Australian public of entities’ adherence to PSPF requirements, and by proxy, their implementation of risk-appropriate security measures and degree of achievement for intended security outcomes.

Last year, the Australian Government launched the first in a new series of annual iterations of the PSPF, appropriately titled PSPF Release 2024. By consolidating all PSPF policy changes into yearly updates, the Government has created a predictable cadence by which affected entities can anticipate potential policy updates and prepare to update their own processes to remain compliant with all its requirements and stay as protected as possible by doing so.

Since PSPF Release 2024 is the framework’s consolidated update for last year, there have been some significant policy changes and expansions that affected entities need to know about. To help your organisation stay compliant in the area of operational resilience, we’ll review the purpose and scope of the PSPF, touch on the new requirements in Release 2024, and discuss how advanced digital tools can help you stay compliant efficiently going forward.

What is the purpose and scope of the PSPF?

The PSPF is a consolidated set of security policy requirements, drawn up to clarify what Australian Government entities and other affected organisations must do to “protect their people, information, and resources, both domestically and internationally.”

To achieve this, the PSPF comprises a five-tiered structure:

Minister’s Directive on the Security of Government Business

The top-line imperative which defines the framework’s overall objective, and under which all other tiers live.

Simply put, it is:

“The Protective Security Policy Framework (PSPF) sets out Australian Government policy across six security domains and prescribes what Australian Government entities must do to protect their people, information and assets, both domestically and internationally.”

Protective Security Principles

Six fundamental concepts which define the approach to the Minister’s Directive.

They are:

  1. Security is everyone’s responsibility.
  2. Developing and fostering a positive security culture is critical to security outcomes.
  3. Security enables the business of government. It supports the efficient and effective delivery of services.
  4. Security measures applied proportionately protect entities’ people, information, and assets in line with their assessed risks.
  5. Accountable authorities own the security risks of their entity and the entity’s impact on shared risks.
  6. A cycle of action, evaluation, and learning is evident in response to security incidents.

Protective security domains

Six spheres of influence within which Government policy and PSPF guidelines can meaningfully support the application of security principles.

They are:

  1. Governance
  2. Risk
  3. Information
  4. Technology
  5. Personnel
  6. Physical

PSPF Releases, Directions, and Standards and Technical Manuals

Iterations of the PSPF itself, instructions for compliance with each iteration, and existing policies, security standards, and technical manuals from which the mandatory compliance requirements are drawn and assembled into the bulk of the PSPF.

PSPF Guidelines and Policy Explanatory Notes

The text of all mandatory compliance requirements by which all affected entities must abide, complete with in-depth explainers clearly outlining the details of each one’s application.

Additionally, it’s important to define exactly for whom and for which entities the PSPF provides direction and guidance. According to the PSPF website, the PSPF is designed for:

  • The Accountable Authorities of Australian Government entities, per the Public Governance, Performance, and Accountability Act 2013 (PGPA Act)
  • Entity Chief Security Officers, Chief Information Security Officers, security practitioners, and other named security officials
  • Service providers that provide services to Australian Government entities, or are required to implement the PSPF according to relevant deeds or agreements
  • Those responsible for communicating security information to Australian Public Service (APS) employees, third-party service providers delivering services to Australian Government entities, and visitors to government facilities
  • Those working within, and for, the Australian Government, including APS employees, third-party service providers, and contracted staff

New compliance requirements for operational resilience in the PSPF

A series of changes to the PSPF were delivered through Release 2024, such as expanding Protective Security Domains to separate Risk from Technology and clarifying guidance in areas where either reporting data suggested lower levels of guideline adherence or feedback from affected entities suggested that guidelines were not explicitly clear as written.

There were also more tangible changes to the document itself, such as layout and design updates to improve its accessibility and the clarity of its structure. Additionally, to enable more valuable analysis of security vulnerabilities, the Department of Home Affairs shifted from a maturity reporting model to a compliance reporting model to improve the accuracy of reporting data.

While these updates are highly relevant to the functional administration, comprehensibility, and evaluation of the efficacy of the PSPF, some of the most substantive updates to the PSPF in Release 2024 are the incorporation of new compliance requirements in the area of operational resilience, specifically:

  • Business continuity planning
  • Emergency management
  • Incident notification and reporting

As these areas weren’t previously seen as fertile ground for growing security threats or risks to operational resilience, earlier iterations of the PSPF didn’t include specific elements of Government policy or other guidelines to address them directly.

However, more recently, operational resilience has emerged as a highly critical area of focus, as reflected in Government policy and strategic planning. This is best exemplified by the passage of the Security of Critical Infrastructure Act 2018 (SOCI), and the adoption of the 2023–2030 Australian Cyber Security Strategy, within which the PSPF is noted as a source of security best practices to enable the successful achievement of the goals of multiple “Shields.”

Business continuity planning

According to PSPF Release 2024, every affected entity must develop, implement, and maintain a business continuity plan to minimise the impacts of significant business disruptions to both their critical services and assets and to their other services and assets when a threat or security risk assessment indicates that it’s needed.

The business continuity plan must:

  • Lay out actions the entity will engage with before, during, and after an unexpected incident occurs to minimise the degree of damage and the time required to recover
  • Document a set of planned procedures through which the entity can continue or recover its services to the Government
  • Detail post-incident actions the entity can take to limit loss or damage
  • Include provisions accounting for significant business disruptions to:
    • Reduce the immediate impact on the entity and provide lower yet acceptable levels of service, or
    • Enable the entity to resume normal operations within an acceptable period of time

To aid the development of an entity’s business continuity plan, the PSPF recommends a number of globally and locally recognised business continuity standards and guidance, specifically:

  • ISO 22301:2019 — (Security and resilience) Business continuity management systems
  • ISO 22313:2020 — (Security and resilience) Business continuity management systems — Guidance on the use of ISO 22301
  • ISO/TS 22318:2021 — (Security and resilience) Business continuity management systems — Guidelines for supply chain continuity management
  • Australian Signals Directorate (ASD) Business Continuity in a Box (Australian Cybersecurity Center)
  • Business Continuity Institute (BCI) Good Practice Guidelines

Finally, the PSPF recommends that when an entity develops their business continuity plan, they do so in such a way that it complements their overall security plan and other policies and procedures rather than by itself. This is to ensure that the business continuity plan doesn’t run afoul of existing protocols, and that the entity considers it as essential as any other established security directive.

Emergency management

PSPF Release 2024 points up the incalculable importance of preparedness when recognising and responding to a potential emergency. This is why it mandates that within the business continuity plan, the entity must also have plans prepared to initiate in the event of any of a wide range of different emergencies in order to protect the entity’s personnel, information, and resources.

Emergencies for which plans should be prepared include but aren’t limited to:

  • Bombs and bomb threats
  • Potentially hazardous substances or hoaxes
  • Failure of essential services
  • Fire and explosions
  • Cyberattacks and serious cybersecurity incidents (noting National Coordination requirements)
  • Major accidents
  • Natural disasters
  • Disruptive/dangerous visitors, including active shooter
  • Threatening telephone calls, emails and letters, and
  • Suspicious packages or deliveries

In addition to the development and maintenance of emergency management plans, the PSPF specifies that emergency response teams should run security awareness training, exercises, and rehearsals of those plans to guarantee their efficacy and confirm the readiness of key personnel to execute an emergency management plan as the situation demands.

Incident notification and reporting

In addition to prepared plans for business continuity and emergency management, PSPF Release 2024 affirms that affected entities must issue incident notifications that match the scope and nature of the incident in question and include all relevant authorities or regulatory agencies. For example, if the incident presents an immediate threat to public safety, it’s advised that the entity disseminate appropriate warnings to all potentially affected parties.

For the reporting of incidents to supervisory authorities, the entity should rely on existing reporting practices as specified by each such authority in their oversight capacity. This includes the Attorney-General’s Department (AGD) in the case of a legal matter, or ASD in the case of a cyber crime or other cybersecurity matter.

How integrated resilience management software helps you comply with the PSPF

Many organisations that have developed, implemented, and maintained key operational resilience tools like business continuity and emergency management plans have historically relied on antiquated or legacy tools such as spreadsheets, Word documents, or other isolated systems to do so. The use of tools like these introduces a number of challenges, including:

  • Fragmentation, where plans are often siloed, thereby lacking coordination
  • Lack of real-time visibility, such that key plan operatives can’t efficiently assess plan effectiveness or the progress of the response to an incident
  • Manual reporting burden, which creates labor redundancies and introduces a greater potential for human error when completing or submitting reports
  • Difficulty tracking training exercises, which limits the effectiveness of post-exercise analysis and therefore any subsequent plan improvement strategies

All of these challenges can not only delay response efforts, thus increasing the magnitude of any potential damage or loss of services, but can also increase the risk of a compliance failure, which is the opposite of their intended objectives.

Luckily, advanced digital solutions like integrated resilience management software can help your organisation to centralise the creation, management, testing, and, should the need arise, activation of your business continuity plans, emergency management plans, and incident notifications. Integrated resilience software also makes it easy to update plans as changes in your risk landscape demand and to track performance to drive continuous improvement.

When looking for a digital solution to help your organisation comply with PSPF Release 2024’s operational resilience requirements, choose integrated resilience management software that lets your team:

  • Replace paper-based, static business continuity plans with dynamic, digitised plans that are easy to adjust, always up-to-date, and available on any device
  • Input a consistent recovery strategy across your organisation including response plans, roles, responsibilities, and checklists, which can be deployed in seconds when needed
  • Gain greater visibility of your business continuity posture and offer more transparency to team members with flexible dashboards and analytics capabilities
  • Manage business continuity processes proactively and uncover valuable insights with consolidated data and business intelligence visualisation on interactive dashboards
  • Streamline your emergency management response using best practice all-hazard management standards from around the world, including AIIMS, NIMS/ICS and JESIP
  • Coordinate a swift and effective response to any incident, regardless of the types of danger, damage, or hazards involved
  • Manage emergency response assets and resources including credentials and certifications, ensuring you have the right resources ready to respond
  • Gather organised incident notes with ready-to-go forms and templates hosted in the cloud with nothing to install
  • Allocate team members to fill out mandatory incident notifications accurately and completely, and send them to the right agencies or regulatory authorities every time

Since the PSPF has shifted to annual iterations instead of ad hoc policy updates, it will be much easier for your organisation to make any necessary procedural changes to stay compliant with new policies or guidance. But to optimise both your PSPF compliance efforts and your overall resilience posture — which is, after all, the goal of all operational resilience guidance — no solution is more flexible, more scalable, or easier to use than integrated resilience management software.

To see how integrated resilience management software can help your organisation keep compliance a top priority, request a demo of Noggin today.
