Context

Purpose

The GOVSEC-3: Security awareness policy and guidance will assist agencies to achieve an effective protective security outcome within the security governance domain of the TAS‑PSPF. They address core requirement 3 and its supplementary requirements.

Core requirement

The Accountable Authority will work to develop a protective security culture within their agency.

Supplementary requirements

Enhancing security awareness and culture will be achieved through:

  1. enhancing induction to the agency through delivery of agency-specific security awareness module/s
  2. providing refresher, and targeted, training to ensure contemporary knowledge of emerging trends and security measures
  3. promoting positive security measures across the agency, including awareness of collective responsibility to foster a positive security culture
  4. providing specific training for people in roles that involve emergency, safety and security functions
  5. using effective communication methods to improve security culture.

Embedding security awareness across the agency is the foundation for helping staff understand their role in protecting the agency and its assets from harm. Enhanced security awareness develops and supports an improved security culture, which is a baseline protection against the exploitation of agency vulnerabilities.

The TAS-PSPF requires the Accountable Authority to develop agency‑specific security awareness and promotion of positive security measures.

Guidance

Introduction

The Tasmanian Government, its agencies and its people are responsible for a positive security culture. The evolution of that culture is reliant on the adoption of collective attitudes and behaviours in relation to security.

The TAS-PSPF, in conjunction with effective security leadership, aims to shift perceptions of security as measures which restrict functionality to security as an enabling feature of effective business. In this positive security culture, security exists intrinsically within an agency’s systems and practices in order to enhance security resilience across government more broadly.

Required action: Deliver agency-specific security awareness during induction

Security awareness training supports implementation of security policies, practices and procedures, and is a critical component of building your agency’s security culture and overall security maturity.

The Department of Premier and Cabinet (DPAC) is responsible for whole-of-government implementation of the TAS-PSPF, including the development and promotion of training materials to elevate protective security understanding and awareness across Tasmanian Government agencies. While you remain responsible for providing security awareness training to all people upon their commencement with your agency, training materials provided through DPAC may be helpful as you develop or update your induction and ongoing training programs.

Under TAS-PSPF policy: Security advice and responsibilities (GOVSEC-2), your Agency Security Advisor (ASA) is responsible for ensuring the development and delivery of agency-specific security awareness training, including enhanced role-specific training where necessary.

Your ASA may determine the appropriate training delivery method that ensures consistency across your agency for all employees, while ensuring all specific training and awareness requirements are met. If your agency elects to use an outsourced training provider to deliver the training, the provider should have sufficient knowledge of the TAS-PSPF and expertise in delivering adult education.

It is recommended that you use your agency’s security plan to identify security expectations, targets and risks of most relevance, and then address these in your agency‑specific training. Content for agency-specific security awareness training may include:

  • an overview of protective security requirements and arrangements within your agency
  • a description of your agency’s security culture and security objectives
  • personal safety and security measures in agency facilities and when people are working away from the office
  • individual and line manager security responsibilities
  • training or updating information classification and protective marking requirements
  • outlining your agency’s security risks and threats and notifying of relevant TAS-PSPF or agency-specific policies to address those risks and threats, and the individual employee’s responsibilities associated with them
  • information control measures, such as the ‘need to know’ principle and security clearance requirements (if applicable)
  • overseas travel safety and security responsibilities
  • measures to identify and report unusual or suspicious behaviours
  • asset (including information) protection
  • reporting requirements and procedures, including –
    • reporting security incidents
    • contact reporting (including the Contact Reporting Scheme)[1]
    • reporting suitability concerns about other employees
    • any other agency-specific reporting requirements including public interest disclosures.
  • case studies of reported or investigated security incidents (with information redacted to maintain appropriate confidentiality).

In addition to providing security awareness training, you may consider further enhancing your agency’s security awareness and culture through:

  • advising people on agency-specific asset management and loss reporting procedures prior to them taking custody of assets, including agency fraud measures
  • a safety handbook for all people that includes emergency response guidelines and contacts, as well as agency-specific safety requirements and procedures
  • regular safety exercises and drills for employees
  • providing people with specific emergency safety or security roles with regular training, in addition to assessing their ongoing suitability[2]
  • targeted security awareness training where your agency has identified a need based on its risk profile, or when the agency has an increased or changed threat environment.
  1. Refer to TAS-PSPF policy: Ongoing suitability assessment (PESEC-2) for information relating to contact reporting obligations.
  2. See TAS-PSPF policy: Ongoing suitability assessment (PESEC-2) for further information.

Required action: Provide refresher and targeted training

To remain current with the security landscape in which your agency, and the Tasmanian Government more broadly, operates, regular security awareness refresher training is necessary. It is recommended that this training be conducted annually to adequately address any changes, while maintaining confidence in the ongoing suitability and compliance of agency people.

Your ASA should determine what form (e.g. in person, online), scope of coverage and content is required for the refresher training to meet the security needs of the agency and the minimum requirements of the TAS-PSPF.

Your agency refresher training should consider emerging trends and security measures[3], as well as the agency’s current threat or risk environment, the goals and objectives of the agency’s security plan, and any inadequacies of previous training or recurring security incidents.

Incorporating post-incident learning into incident reports or updated procedures is a valuable tool for growth; it can provide useful insights into opportunities to improve your security awareness training.

People with specific emergency, safety or security roles should also be provided with regular training targeted to the scope and nature of their position. This may include employees in high‑risk positions, positions of trust, security incident investigators or security clearance holders.

Training for people with security clearances may include briefings or targeted training modules which outline the day-to-day responsibilities of being a clearance holder and information relating to reporting obligations (see TAS-PSPF policy: Ongoing suitability assessment (PESEC-2) for further information).

Training for those in high-risk positions[4] should include security awareness specific to the risks associated with the focus or scope of the position.

  3. Relevant information may be obtained via ASIO Outreach for authorised subscribers.
  4. High‑risk positions may include those involved in:
    • sensitive or priority negotiations or policy work
    • controlling access to valuable or attractive assets (including information)
    • work in remote or dangerous locations
    • liaising or sharing information with foreign officials.

Required action: Promoting a positive security culture

Fostering a positive protective security culture where people value, protect and use agency information and assets appropriately is critical to achieving security outcomes. Through a robust security culture, the threat to an agency and its assets can be significantly decreased.

In addition to keeping an agency and its people safe, a strong and healthy security culture helps to increase internal and external trust, embed consistent positive behaviour and support people to engage productively with risk.

Your agency should aim for a security culture where leadership and employees:

  • comprehensively understand your agency’s security risks
  • understand their collective and individual security responsibilities
  • proactively manage the security risk relevant to their work environment
  • embed good security practices in their day-to-day activities
  • use risk management to inform decisions which might affect the agency’s security
  • promote good security practices both inside and outside the agency.

You may implement a range of tools to promote positive security measures across your agency, including:

  • security awareness training that provides an understanding of protective security requirements under the TAS-PSPF and addresses relevant areas of agency security
  • security campaigns that address ongoing agency security needs and the specific needs of sensitive areas, activities or periods of time
  • security instructions and reminders via publications, electronic bulletins and visual displays such as posters
  • incorporating protective security competencies into employee selection processes and performance management programs
  • drills and exercises.

The importance of a positive security culture is reflected in TAS-PSPF Principle 5: A positive security culture is critical:

The Tasmanian Government, its agencies and its people are responsible for a positive security culture. The evolution of that culture is reliant on collective attitudes and behaviours adopted in relation to security. The TAS‑PSPF, in conjunction with effective security leadership, aims to shift perceptions of security as measures which restrict functionality to security as an enabling feature of effective business. In this positive security culture, security exists intrinsically within an agency’s systems and practices in order to enhance security resilience across government more broadly.

For this reason, your agency must be able to demonstrate a continuous improvement cycle in enhancing the security culture.

Required action: Provide role‑specific training

People in specialist or high-risk positions, positions of trust, security incident investigators or security clearance holders should be provided with specific security awareness training targeted to the scope and nature of their position. As mentioned above, such positions may include:

  • sensitive or priority negotiations or policy work
  • responsibility for, or access to, valuable or attractive assets
  • working remotely or in dangerous conditions
  • being required to liaise with foreign officials, or regularly share information with foreign officials.

The aim of role‑specific training is to enhance awareness of the requirements and risks associated with the identified position, ensuring a more in-depth approach to your agency security. This may include highlighting any existing or emerging trends relevant to the position.

It is recommended that, at a minimum, security awareness training programs or briefings for security‑cleared people should:

  • ensure that people who have access to security-classified resources understand and accept their day-to-day security responsibilities and reporting obligations (e.g. changes of circumstances, and suspicious, ongoing, unusual or persistent contacts)
  • remind clearance holders of their responsibilities at regular intervals
  • for people with access to sensitive compartmented information, include training and briefings from or in consultation with compartment owners.

Agency Security Advisors

The TAS-PSPF requires agencies to nominate an ASA to support the Accountable Authority with implementation, coordination, security monitoring and compliance with the TAS-PSPF.

Many functions of an ASA involve specialised skills. It is recommended ASAs demonstrate comprehensive knowledge or technical competencies in:

  • the TAS-PSPF and supporting technical guidance, for example ASIO Technical Notes and the Australian Government Information Security Manual[5]
  • the application of security measures relevant to the ASA’s functions (e.g. professional certifications)
  • managing security risk assessments.

Relevant knowledge, competencies and skills can be attained through on-the-job training, prior experience in a related field or formal qualifications (e.g. tertiary qualifications such as the Certificate IV or Diploma in Government Security or equivalent qualification). Where your agency provides training towards formal qualifications for ASAs, this training should be delivered by a Registered Training Organisation (RTO). RTOs are accredited training providers that offer nationally recognised training courses.[6]

  5. Australian Government Information Security Manual
  6. A list of RTOs is available from the national register of vocational education and training (VET).

Required action: Improve security culture through effective communication

A well-developed culture of security encourages information sharing by people about risks to themselves and their colleagues. In turn, effective communication and reporting of security incidents and breaches can contribute to a positive security culture.

Many potential security incidents are observed by your agency’s employees. It is important that all employees, including contractors, understand how and when to report potential incidents or concerns.

To help ensure timely reporting and improve security culture, you should:

  • establish simple channels for people to report security incidents or suspected incidents
  • include security incident reporting and consequences, including practical examples, in agency-specific security awareness training
  • actively promote agency security measures and employee responsibilities through multiple channels, e.g. posters, banners, intranet, desktop shortcuts and computer login prompts
  • communicate security‑related information across your agency, including sharing threat‑related information with employees when required
  • ensure the ASA, or other designated security personnel, is accessible for employees to discuss security issues or concerns (including sensitive issues to be discussed in confidence)
  • include feedback processes in reporting and incident management procedures to ensure all relevant parties are notified of results once an incident has been resolved.

To holistically understand the performance of your agency security culture, it is recommended that you identify, document and share learnings internally with relevant security staff and executives, and externally where appropriate (e.g. with co-located agencies, agencies with similar risk profiles or through whole-of-government arrangements).

Security email address

To prevent agency security from becoming siloed, it is recommended that a central security email address be established for agency security-related matters, which can be monitored by your Accountable Authority, ASAs and other security people as required. This enables a greater flow of security‑related information within your agency while also creating a central contact within your agency for external communication with other agencies.

It is recommended that your agency’s security email address be generic in nature and take the form of security@[agency].tas.gov.au or security.advisor@[agency].tas.gov.au (or similar).

You should provide your agency’s security email address to Resilience and Recovery Tasmania[7] and other relevant agencies to facilitate collaboration and communication.

If your agency is unable to create a generic email address for security-related matters and relies on an individual’s email address, it is recommended that the email address be transferred to or be monitored by other staff during extended periods of absence.

If required, you may wish to establish multiple security-related email addresses to control the flow of specific information.

  7. Email Resilience and Recovery Tasmania at taspspf@dpac.tas.gov.au.

References and resources
Version control and change log

First publication: April 2023

Revision: February 2024

Next review date: December 2024

Change log:

  • V1.0 April 2023
    • Policy issued
  • V2.0 February 2024
    • Definition: 'core requirement' updated
    • Definition: 'originator' updated
    • Definition: 'protected information' removed and replaced with 'security classified'
    • Definition: 'Responsible Executive' added
    • Definition: 'supplementary requirement' updated