DPC/G4.9 Government guideline on cyber security

ISMF Guideline 9: Personnel vetting and security clearances

BACKGROUND

All personnel (including contractors) requiring ongoing access to the Australian Government security classified information or resources need security clearances. The Australian Government Security Vetting Agency [AGSVA], via applications submitted through the Department of the Premier and Cabinet [DPC], processes and reviews national security clearances for all South Australian Government agencies. An agency’s approach to personnel vetting for ongoing access to South Australian Government information and resources should be comprehensive from pre-employment screening to security clearance and background checks.

The implementation of personnel security management standards provides scope for risk management by agencies. It is an ongoing process and ensures that only suitable people obtain and retain access to security classified resources. This guideline supports implementation of ISMF Policy Statement 9.

GUIDANCE

Agencies determine suitability requirements for all new staff employed in their agencies, based on the results of a business risk assessment. These requirements are normally conditions of engagement, or ongoing conditions on employment, and may include character checks and security clearances.

Baseline vetting leverages the Australian Standard: AS: 4811-2006 Employment Screening and its companion handbook HB: 323-2007: Employment Screening Handbook.

A security clearance is defined in alignment with Australian Government Protective Security Policy Framework as “An administrative determination by competent authority that an individual is eligible and suitable, from a security stand-point, for access to security classified resources”.

Security Clearance Levels

There are four national security clearance levels, described below. ‘Negative vetting level 2’ and ‘positive vetting’ apply only to individuals with a requirement to access National Security information:

Baseline vetting – ongoing access to information or resources classified PROTECTED or other situations where an agency might determine it needs a higher level of assurance of a person’s suitability to perform a particular role. Baseline vetting may be conducted independently by the agency or via AGSVA/DPC.

Negative vetting level 1 – ongoing access to information or resources classified PROTECTED, CONFIDENTIAL and SECRET, or in other situations where an agency might determine it needs a higher level of assurance of a person’s suitability to perform a particular role.

Negative vetting level 2 – ongoing access to information or resources that are classified PROTECTED, CONFIDENTIAL, SECRET or TOP SECRET, or in other situations where an agency might determine it needs a higher level of assurance of a person’s suitability to perform a particular role.

Positive vetting – permits access to information or resources at ALL CLASSIFICATIONS including certain types of caveated, compartmented and code-word information associated with national security matters. Positive vetting requirements are managed by ASIO.

Agencies are responsible for developing and implementing policies and procedures to ensure the security of persons, assets and information associated with personnel vetting activities. ISMF standards specific to personnel screening include ISMF Standards 6, 21, 22 and 23.

INFORMATION SECURITY ROLES AND RESPONSIBILITIES

Applicability: ALL

ISMF Standard 6

Agencies shall assign roles and responsibilities to appropriate personnel for the protection and management of information assets in accordance with clause 4 of the PSMF. Each Responsible Party must have documented assigned roles and responsibilities in matters pertaining to the ownership, custodianship and protection of information.

PERSONNEL SCREENING

Applicability: ALL

ISMF Standard 22

When employing personnel, the Responsible Party shall perform appropriate security and/or reference checks to verify their credentials in accordance with the Australian Government personnel security core policy and the AS/NZS ISO/IEC 27002 standard.


ADDITIONAL CONSIDERATIONS

Personnel security clearances need to meet a common minimum standard recognised across agencies and, where practical, security clearances should be readily portable between agencies to reduce duplication of processes and to efficiently use resources.

The fundamental rule of personnel security is that agencies base all access decisions on the ‘need-to-know’ principle. Agencies are to establish the existence of a legitimate need to access the security classified resources to carry out official duties before granting access.

Agencies should educate their users on the security implications associated with personnel vetting and security clearances and help them to understand their requirements to ensure the confidentiality, integrity and availability of government information assets.

There may be a need for an organisation to use different forms of confidentiality or non-disclosure agreements in different situations.

ISMF Standard 21 outlines further guidance in regards to security in job responsibilities. ISMF Standard 23 outlines further guidance in regards to contractual obligations, terms and conditions of employment.

This guideline does not aim to provide the reader with all of the controls pertaining to security clearances and personnel vetting. It is merely an overview of the information provided in government cyber security policy and the AS/NZS ISO/IEC 27002 Standard. It is highly recommended that agencies review these documents in their entirety. The individual requirements of agencies will have direct bearing on what measures are implemented to mitigate identified risk(s).


Exposure draft (UNCLASSIFIED)

REFERENCES, LINKS & ADDITIONAL INFORMATION

DPC/F4.1 Government of South Australia Information Security Management Framework [ISMF]

PC030 Government of South Australia Protective Security Management Framework [PSMF]

Code of Ethics for the South Australian Public Sector

Australian Government Protective Security Policy Framework [PSPF]

Australian Government Information Security Manual [ISM]

Australian Government Security Vetting Agency [AGSVA]

Document Control

ID: DPC/G4.9
Version: 1.2
Classification/DLM: PUBLIC-I2-A1
Compliance: Discretionary
Original authorisation date: October 2011
Last approval date: September 2017
Next review date: In Review

Licence

With the exception of the Government of South Australia brand, logos and any images, this work is licensed under a Creative Commons Attribution (CC BY) 4.0 Licence. To attribute this material, cite the Department of the Premier and Cabinet, Government of South Australia, 2017.