Context

Purpose

The GOVSEC-6: Reporting incidents and security investigations policy and guidance will assist agencies to achieve an effective protective security outcome within the security governance domain of the TAS‑PSPF. They address core requirement 6 and its supplementary requirements.

Core requirement

The Accountable Authority will develop, implement and review processes to support the reporting and investigation of security breaches and incidents.

Supplementary requirements

To assure improvement and enhance security maturity, it is necessary to create an environment that supports investigation. To achieve this, the Accountable Authority must:

  1. provide a supportive environment for people to report security breaches and incidents[1]
  2. ensure security awareness includes knowledge about actions which constitute security breaches and incidents
  3. develop and implement clear processes supporting thorough investigation of reported security breaches and incidents
  4. provide adequate security awareness training to assure agency people are cognisant of the TAS‑PSPF’s protective security requirements
  5. ensure corrections are addressed following the conclusion of investigations.[2]

With increased security awareness and enhanced security culture, the identification of and response to security incidents will improve. Accountable Authorities must ensure reporting processes are developed and implemented in accordance with the TAS‑PSPF.

While the investigation of security incidents will be based on agency-specific risk tolerance and appetite, the TAS‑PSPF provides guidelines to ensure a consistent approach to these investigations.

  [1] In conjunction with existing reporting processes, including (but not limited to): Code of Conduct, Integrity Commission, Equal Opportunities Tasmania.
  [2] Consider updating security plans, enhancing security training, modifying the security treatment, revisiting the agency risk assessment.

Guidance

Introduction

This policy requires your agency to implement practices and procedures to support the reporting and investigation of security breaches and incidents. Through effective reporting and investigation of security incidents, you can identify vulnerabilities and reduce the risk of future occurrence.

Required action: Provide a supportive environment

Early detection of a security incident and a timely response are critical in reducing the consequences of the incident and are essential to effective security risk management.

The TAS-PSPF requires your Accountable Authority to provide a supportive and transparent environment that encourages your people to report security breaches and incidents, contributing to a positive security culture.

To support this requirement, it is recommended that you work to build understanding, trust and confidence in your agency reporting processes among employees.

To help ensure a supportive environment for reporting, you should:

  • establish simple, discreet channels for people to report possible or actual security incidents
  • actively promote security incident reporting procedures through multiple channels, e.g. agency-specific security awareness training, posters, banners, intranet, desktop shortcuts and computer login prompts
  • ensure your Agency Security Advisor (ASA), or other designated security staff, are accessible for your people to discuss security issues or concerns (including sensitive issues to be discussed in confidence)
  • include feedback processes to ensure that employees who report security breaches and incidents have their report acknowledged and/or are notified when the issue has been resolved
  • provide clear pathways for people to escalate reports to external parties, as appropriate.[3]

While reporting is a common means of detecting security incidents, it is recommended that your ASA consider other security monitoring measures to assist in identifying potential or actual security incidents.

  [3] In the event employees elect to escalate reports externally, the mechanism and information to do so should be made available. This may include matters relating to police investigation and integrity concerns (Integrity Commission).

Required action: Ensure awareness of actions constituting security incidents

Agency-specific security awareness training and materials should include relevant examples of reportable security breaches and incidents to complement agency reporting procedures and policies.

The TAS-PSPF defines a security incident as:

  • an action, whether deliberate, reckless, negligent or accidental, that fails to meet protective security requirements or agency-specific protective security practices and procedures which results, or may result, in the loss, damage, corruption or disclosure of information or assets
  • an approach from anybody seeking unauthorised access to protected assets
  • an observable occurrence or event (including natural or man-made events) that could harm Tasmanian Government information, people or assets.

Security incidents can lead to security breaches, which can have serious consequences for your agency, the community and state or national interests, so it is important that you have robust systems and procedures in place to identify and respond effectively.

Below are some examples of security incidents and significant security incidents, noting that significant security incidents should be reported to the Department of Premier and Cabinet (DPAC) via your ASA.

Examples of security incidents include:

  • Criminal actions such as actual or attempted theft, break and enter, vandalism or assault
  • Loss of personal information that is likely to result in serious harm
  • Security‑classified material not properly secured or stored
  • Security‑classified material left in inappropriate waste bins
  • Deliberate disregard of TAS-PSPF requirements
  • Access passes or identification documents lost or left unsecured
  • Incorrect handling of information that is protectively marked, such as a failure to provide the required protection during transfers or transmission resulting in a data spill on an electronic information network or system
  • Compromise of keys to security locks, or of combination settings
  • Sharing computer passwords
  • Vandalism.

Examples of significant security incidents include:

  • Espionage or suspected espionage
  • Actual or suspected compromise of material at any level, including tampering with security containers or systems
  • Loss, compromise, suspected compromise, theft or attempted theft of classified equipment
  • Actual or attempted unauthorised access to an alarm system covering a secured area where security‑classified information is stored
  • Loss of material classified PROTECTED or above, or significant quantities of material of a lower classification
  • Recovery of previously unreported missing classified material or equipment
  • Unauthorised disclosure of official or classified information, significant loss or compromise of cryptographic keying material, or a significant breach of ICT systems
  • Continuous breaches involving the same person or work area where the combination of the events warrants an investigation
  • Loss, theft, attempted theft, recovery or suspicious incidents involving weapons, ammunitions, explosives or hazardous materials including chemical, biological, radioactive or nuclear
  • Actual or suspected hacking into any ICT system.

Required action: Develop and implement clear processes

Not all security incidents warrant investigation. Your ASA is responsible for assessing the requirement for a formal security investigation or escalating the decision to your Responsible Executive (RE).

In assessing the incident, your ASA must consider:

  • the seriousness or complexity of the incident
  • the possible outcomes of the investigation (administrative, disciplinary, civil or criminal)
  • if the incident requires referral to another agency or authority
  • the resources required to conduct the investigation
  • who will conduct the investigation and what support they need
  • the investigation process and time frames
  • the authorisation needed to undertake the investigation
  • the decision-makers and subsequent reporting obligations.

A security investigation is the formal process of examining the cause and extent of a security incident that has, or could have, caused harm to individuals, another agency, or the state or national interest. Security investigations protect the interests of the Tasmanian Government and the rights of the affected individuals.

Investigating security incidents (actual or suspected) may be necessary to resolve an existing breach or vulnerability and reduce the impact or consequences. Security investigations can:

  • provide useful information for future risk assessments or reviews
  • help determine the effectiveness of existing protective security arrangements within your agency
  • monitor security performance (including security maturity and culture)
  • identify security risks in order to implement improvements.

Your agency must establish procedures for investigating reported security incidents. It is recommended that these procedures cover:

  • the terms of reference and the investigation plan (authorised by your Accountable Authority or RE)
  • the responsibilities of the investigator, approving officer and other relevant parties
  • qualifications and/or training required for investigators
  • procedural fairness and standards of ethical behaviour to ensure impartiality and the absence of any conflict of interest
  • actions for handling complaints or allegations (including anonymous or public interest disclosure[4] reports)
  • case management procedures to ensure compliance with your agency’s procedures
  • procedures for undertaking operational practices (such as interviews of affected persons)
  • points of referral, escalation or approval, including keeping the RE notified of progress
  • points of escalation to law enforcement or the Australian Security Intelligence Organisation (ASIO)
  • findings and recommendations
  • final report requirements.

It is recommended that, where possible, agencies apply the Australian Government Investigation Standards (AGIS)[5] to maintain a minimum quality standard within investigations.

When investigating, the principles of procedural fairness should be applied, meaning any individuals being investigated or whose interests could be adversely affected should be informed of the case against them and given the opportunity to be heard by an unbiased decision-maker. Procedural fairness should also be applied to any actions taken as a result of the investigation, as well as when considering the security integrity of current or future investigations by your agency, or another agency.

Where a suspected security incident involves major compromise of official information or other resources that originate from, or are the responsibility of, another entity, it is important to seek advice from the originating entity prior to instigating any investigation. The originating entity may have operational security requirements that need to be applied to the investigation.

In some cases, it may be more appropriate that the originating or responsible entity carries out the investigation. TAS-PSPF policy: Security advice and responsibilities (GOVSEC-2) outlines your obligation to report certain security incidents to external entities.

  [4] Refer to the Public Interest Disclosures Act 2002 for more information.
  [5] Australian Government Investigation Standards

Required action: Provide adequate security awareness training

Your agency is required to take ownership of its maturity and performance against the core requirements of the TAS-PSPF, and work to strengthen agency security culture and awareness.

TAS-PSPF policy: Security awareness (GOVSEC-3) requires you to deliver agency‑specific security awareness training during induction. Security awareness training supports implementation of security policies, practices and procedures, and is a critical component of building your agency’s security culture and overall security maturity.

Training must ensure all agency people are made adequately aware of their responsibilities under the TAS-PSPF, including:

  • assisting the agency to achieve a strengthened security culture
  • taking personal responsibility for their actions
  • complying with agency protective security policies and procedures.

To support the intent of this policy (GOVSEC-6), agency-specific security awareness training should include security incident reporting procedures, using relevant, practical examples, to assist agency people in understanding when and how to report potential incidents or concerns.

Further information about agency-specific security awareness training, including suggested content, is available in TAS-PSPF policy: Security awareness (GOVSEC-3).

Required action: Address corrections when investigations are concluded

Embedding post-incident learning into incident reports or updated procedures can provide useful insights into opportunities for improvements and emerging issues, vulnerabilities in processes and training, or employee understanding of how to apply their security obligations.

You should apply a process of continual improvement to monitoring, evaluating, responding to, and managing security incidents.

It is recommended that you identify, document, and share learnings internally (e.g. with and between your Accountable Authority, RE and ASA) and externally, where appropriate (e.g. with co-located agencies, agencies with similar risk profiles or through whole-of-government arrangements).

Possible questions to consider once the incident is resolved include:

  • Were the procedures adequate to deal with the incident and were all stages of incident management followed?
  • Were the right people involved and were escalation points and time frames sufficient and useful?
  • Did the incident highlight areas of vulnerability and if so, what action is being taken to address these vulnerabilities?
  • Could the incident have been prevented? If so, how?
  • Could the incident have been detected earlier, or damage reduced if detected earlier?
  • What were the triggers and is there a way to prevent future occurrences?
  • Is it a recurring incident or becoming systemic; if so, what additional protection or action is required to prevent further incidents?

This policy (GOVSEC-6) states that you must ensure your agency addresses corrections identified throughout the investigation process. Corrections may be in the form of updates to the security plan, targeted security awareness training, modifications to processes and procedures or agency‑specific policies.

Addressing corrections provides confidence to your people and enhances your resilience to future incidents of the same nature. Your agency’s cycle of continuous improvement under the TAS-PSPF includes being adaptive to your environment and strengthening your capability for deterrence, detection, response and recovery.

Useful resource: Steps to conduct security investigations

Step 1: Appoint an investigator

In the interests of procedural fairness, it is important that the investigator be impartial and not have an actual or apparent conflict of interest in the matter being investigated.

Your agency is strongly encouraged to provide relevant and appropriate training for investigators, as determined by your agency. The AGIS provides guidance on recommended training or qualifications for investigators. Where insufficient power to collect available or required evidence is identified, or if a conflict of interest is identified, the investigator is encouraged to refer the investigation to another person or agency with the necessary powers.

An investigator’s key responsibilities include:

  • understanding the incident being investigated and the terms of reference
  • identifying the relevant law, policy or procedures that apply
  • making sufficient inquiries to ascertain all relevant facts
  • ascertaining whether an offence or incident has occurred, based on the relevant facts
  • reporting the findings and identifying the reasons for the findings
  • making relevant recommendations.

Investigators assess:

  • applicable legislation that may determine the nature of, and set the framework for, the investigation
  • the nature of the incident
  • how serious the incident is and therefore the possible level of harm to the agency, or more widely to the government
  • whether the incident indicates the existence of a systemic problem
  • whether it is part of a pattern of conduct
  • whether it may breach any Australian law, especially any criminal provision.

Step 2: Develop an investigation plan

The investigation plan identifies:

  • the issues to be investigated
  • any relevant legislation, particular provisions of a code of conduct, agency policy and procedures, particular standards and guidelines
  • required evidence
  • methods and avenues to collect the evidence
  • legal requirements and procedures to be followed in collecting evidence
  • the allocation of tasks, resources and timings
  • arrangements in case the terms of reference or investigation plan need to be modified during the investigation.

Terms of reference

It is recommended that the RE approve the terms of reference, objectives and scope for all security investigations. The terms of reference could include:

  • the background
  • resources allocated
  • time frames
  • the types of inquiries to be conducted
  • the extent and limit of powers of the investigating officer during the investigation to collect evidence by:
    • obtaining information from people about policies, procedures and practices
    • accessing relevant records and other material
    • interviewing witnesses and suspects
    • search and surveillance
  • the format of progress reporting and the final report
  • any special requirements or factors specific to the investigation.

Step 3: Gather evidence

The investigator identifies, collects and presents information or evidence that goes to proving or disproving any matters of fact relating to an incident. In an investigation, the types of evidence are:

  • physical
  • documentary (records)
  • verbal (recollections)
  • expert (technical advice).

Evidence gathered in a security investigation may not comply with the rules of evidence and therefore may not be satisfactory in a criminal investigation, or where legal proceedings might arise in relation to the incident.

Step 4: Record and store evidence

It is recommended that investigators maintain a separate file for each investigation. This is a complete record of the investigation, documenting every step, including dates and times, all discussions, phone calls, interviews, decisions and conclusions made during the course of the investigation.

Investigators are encouraged to store this file and any physical evidence securely to prevent unauthorised access, damage or alteration. This is to maintain confidentiality and ensure continuity of evidence. It is important that the record includes the handling of physical evidence and any tampering with the file or physical evidence.

Step 5: Prepare the investigation report

At the conclusion of the investigation, the investigator produces a findings report for the RE, commissioning body (e.g. the agency security governance committee) or the relevant decision-maker.

The report must include reasons for the findings according to the terms of reference, using supporting material, and recommendations that could include:

  • disciplinary action
  • dismissal of a disciplinary charge following a constituted hearing
  • referral of a matter to an external agency for further investigation or prosecution
  • changes to administrative or security policies, procedures or practices.

Standard of proof

In drawing conclusions regarding administrative investigations, whether conducted for security or other reasons such as disciplinary purposes, the decision-maker needs to be satisfied that the allegations are proved ‘on the balance of probabilities’.

Step 6: Close the investigation

The investigation is considered closed when all reports are completed, and evidence is documented and filed. It is better practice for an independent person, preferably more experienced than the investigator, to review the closed investigation.

This allows an impartial assessment of the investigation that may identify future improvements to investigation practices.

References and resources

Version control and change log

First publication: April 2023

Revision: February 2024

Next review date: December 2024

Change log:

  • V1.0 April 2023
    • Policy issued
  • V2.0 February 2024
    • Definition: 'core requirement' updated
    • Definition: 'originator' updated
    • Definition: 'protected information' removed and replaced with 'security classified'
    • Definition: 'Responsible Executive' added
    • Definition: 'supplementary requirement' updated