Glossary
A glossary of common and complex terms used in the Protective Security Policy Framework (PSPF).
Accountable authority – The person or people responsible for, and with control over, a Commonwealth entity's operations. This is set out in Section 12 of the Public Governance, Performance and Accountability Act 2013 (Cth).
ACSC – Australian Cyber Security Centre
AFP – Australian Federal Police
AGSVA – Australian Government Security Vetting Agency
Alternative mitigation – Control or standard that differs from the PSPF Requirement or standard but achieves the same intent.
APS – Australian Public Service
APSC – Australian Public Service Commission
ASD – Australian Signals Directorate
ASIC – Australian Securities and Investments Commission
ASIO – Australian Security and Intelligence Organisation
ASIO Outreach – ASIO's public-facing outreach area. It provides advice to government, industry and academia on current and emerging security threats, and on security policy.
ASIS – Australian Secret Intelligence Service
Authorised Vetting Agency – An Australian Government entity that is authorised to undertake security vetting and grant security clearances. Authorised Vetting Agencies include AFP, AGSVA, ASIO, ASIS, ASIC, DFAT, TS-PA Authority, and ONI.
Controlling Authority – The entity or entities that originated the information marked with a security caveat, established the additional special protections and handling requirements, and are responsible for managing and administering the security caveat.
Chief Security Officer (CSO) – A senior executive officer (or EL2 officer if the entity has fewer than 100 people), with appropriate seniority and a minimum security clearance of Negative Vetting Level 1, who is responsible for oversight of entity protective security arrangements.
DFAT – Department of Foreign Affairs and Trade
EACS – Electronic Access Control Systems
Eligibility waiver – An Accountable Authority's decision to waive the citizenship or checkable background eligibility requirement for a person’s security clearance where there is an exceptional business requirement and after conducting a risk assessment.
Entity – Any Commonwealth entity listed under paragraph 10(1) of the Public Governance, Performance and Accountability Act 2013 (Cth). For the purposes of the PSPF Requirements, entity refers to a non-corporate Commonwealth entity.
IRAP – Infosec Registered Assessors Program
ISM – Australian Signals Directorate's Information Security Manual
Department of State – A Department of State is a non-corporate Commonwealth entity established by the Governor-General under section 64 of the Constitution. The Departments of State are the main bodies that reflect the structure of government.
OAIC – Office of the Australian Information Commissioner
ONI – Office of National Intelligence
Originator – The entity that generated or first received the unmarked information and that classifies an official record, where a record is as defined in the Archives Act 1983 (Cth). The entity remains the sole and permanent owner of the classification.
Personal security file – A record of the checks, decisions, risk assessments, mitigations, conditions and all other information relating to a security clearance.
Personnel – Employees and contractors, including secondees and any service providers that an entity engages. It also includes anyone who is given access to Australian government resources held by the entity as part of entity sharing initiatives.
PGPA Act – Public Governance, Performance and Accountability Act 2013 (Cth).
Principles – Fundamental values that guide decision-making. There are 6 principles that inform protective security settings. The principles apply to all aspects of protective security, and must be integrated into the thinking, practice and decision-making of entities at all levels. This enables entities to manage security risks effectively and pragmatically.
Protective security – The protection of information, people and resources.
PSPF – Protective Security Policy Framework
PSPF Reporting Categories – Three categories (Fully implemented, Risk managed and Not yet implemented); the entity selects the category that best reflects its level of implementation of the corresponding requirement.
Requirement – Mandatory obligation that non-corporate Commonwealth entities must implement to achieve minimum protective security standards.
Risk appetite – The risk an entity is willing to accept or retain within its tolerance levels to achieve its objectives, as defined in the Department of Finance Risk Management Policy.
Risk tolerance – The levels of risk an entity will tolerate to achieve a specific objective or manage a category of risk, as defined in the Department of Finance Risk Management Policy.
SCEC – Security Construction and Equipment Committee
Security Practitioner – Personnel appointed to perform security functions or specialist services related to security within an entity. These personnel support the work of the Chief Security Officer and Chief Information Security Officer.
Security caveat – A marking that indicates that the information has special handling requirements in addition to those indicated by its security classification.
Security culture – The characteristics, attitudes and habits within an organisation that establish and maintain security.
Security Governance Committee – A senior committee that supports an accountable authority and CSO to achieve protective security objectives and monitor performance against those objectives. Especially valuable to entities with large or complex arrangements.
Security incident – A security incident is defined as an:
- action, whether deliberate, reckless, negligent or accidental, that fails to meet protective security requirements or entity-specific protective security practices and procedures, and that results in, or may result in, the loss, damage, corruption or disclosure of official information or resources,
- attempt to gain unauthorised access to official information or resources,
- approach from anybody seeking unauthorised access to official resources, or
- event that harms, or may harm, the security of Australian Government people, information or resources.
For further detail, see PSPF Release 2024 section 3.6: Security Incidents. This also provides details about reporting channels for particular security incidents.
Security plan – Central document detailing how the entity plans to manage and address its security risks. For further detail, see PSPF Release 2024 section 3.1: Security Planning.
Security risk – The effect of uncertainty on objectives that is often measured in terms of its likelihood and consequences. Something that could result in compromise, loss, unavailability or damage to information or physical resources, or cause harm to people.
Security risk management – The process of identifying, assessing and taking steps to reduce security risks to an acceptable level.
Security vetting – The evaluation of a person's suitability to obtain and maintain a security clearance and access sensitive and classified Australian Government resources.
SES – Senior Executive Service
SMSMP – Sensitive Material Security Management Protocol
Sponsoring entity – The Australian Government entity that sponsors an individual's security clearance.
T4 Protective Security (T4 or ASIO T4) – ASIO's protective security capability (T4) provides expert protective security advice and training to the Australian Government, state and territory governments, and business. This includes physical security certification advice (as defined in the PSPF), technical surveillance countermeasures, and resources for security managers to assist in the protection of their information, people and assets via the ASIO Outreach website. T4 evaluates protective security products (such as locks, alarms and detection devices) to determine their suitability for use in government facilities.
TSCMs – Technical Surveillance Countermeasures
Vetting – The evaluation of a person's suitability to obtain and maintain a security clearance and access classified Australian Government resources.
Vetting personnel – All those involved in conducting the security clearance vetting process, including administrative staff, checking officers, vetting analysts, vetting practitioners, assessing officers, vetting managers and vetting delegates.