
Glossary

A glossary of common and complex terms used in the Protective Security Policy Framework (PSPF).

Accountable authority – The person or people responsible for, and with control over, a Commonwealth entity's operations. This is set out in Section 12 of the Public Governance, Performance and Accountability Act 2013 (Cth).

ACSC – Australian Cyber Security Centre

AFP – Australian Federal Police

AGSVA – Australian Government Security Vetting Agency

Alternative mitigation – Control or standard that differs from the PSPF Requirement or standard but achieves the same intent.

APS – Australian Public Service

APSC – Australian Public Service Commission

ASD – Australian Signals Directorate

ASIC – Australian Securities and Investments Commission

ASIO – Australian Security and Intelligence Organisation

ASIO Outreach – ASIO's public facing outreach area. They provide advice to government, industry and academia on current and emerging security threats, and security policy.

ASIS – Australian Secret Intelligence Service

Authorised Vetting Agency – An Australian Government entity that is authorised to undertake security vetting and grant security clearances. Authorised Vetting Agencies include AFP, AGSVA, ASIO, ASIS, ASIC, DFAT, TS-PA Authority, and ONI.

Controlling Authority – The entity or entities that originated the information marked with a security caveat, established the additional special protections and handling requirements, and are responsible for managing and administering the security caveat.

Chief Security Officer (CSO) – A senior executive officer (or EL2 officer if the entity has fewer than 100 people), with appropriate seniority and a minimum security clearance of Negative Vetting Level 1, who is responsible for oversight of entity protective security arrangements.

DFAT – Department of Foreign Affairs and Trade

EACS – Electronic Access Control Systems

Eligibility waiver – An Accountable Authority's decision to waive the citizenship or checkable background eligibility requirement for a person’s security clearance where there is an exceptional business requirement and after conducting a risk assessment.

Entity – Any Commonwealth entity listed under paragraph 10(1) of the Public Governance, Performance and Accountability Act 2013 (Cth). For the purposes of the PSPF Requirements, entity refers to non-corporate Commonwealth entity.

IRAP – Infosec Registered Assessors Program

ISM – Australian Signals Directorate's Information Security Manual

Department of State – A Department of State is a non-corporate Commonwealth entity established by the Governor-General under section 64 of the Constitution. The Departments of State are the main bodies that reflect the structure of government.

OAIC – Office of the Australian Information Commissioner

ONI – Office of National Intelligence

Originator – The entity responsible for generating or first receiving the unmarked information and classifying an official record, where a record is as defined in the Archives Act 1983 (Cth). The entity remains the sole and permanent owner of the classification.

Personal security file – A record of the checks, decisions, risk assessments, mitigations, conditions and all other information relating to a security clearance.

Personnel – Employees and contractors, including secondees and any service providers that an entity engages. It also includes anyone who is given access to Australian government resources held by the entity as part of entity sharing initiatives.

PGPA Act – Public Governance, Performance and Accountability Act 2013 (Cth).

Principles – Fundamental values that guide decision-making. There are 6 principles that inform protective security settings. The principles apply to all aspects of protective security, and must be integrated into the thinking, practice and decision-making of entities at all levels. This enables entities to effectively manage security risks in a pragmatic way.

Protective security – The protection of information, people and resources.

PSPF – Protective Security Policy Framework

PSPF Reporting Categories – Three categories (Fully implemented, Risk managed and Not yet implemented) from which the entity selects the one that best reflects its level of implementation for the corresponding requirement.

Requirement – Mandatory obligation that non-corporate Commonwealth entities must implement to achieve minimum protective security standards.

Risk appetite – The risk an entity is willing to accept or retain within its tolerance levels to achieve its objectives, as defined in the Department of Finance Risk Management Policy.

Risk tolerance – The levels of risk an entity will tolerate to achieve a specific objective or manage a category of risk, as defined in the Department of Finance Risk Management Policy.

SCEC – Security Construction and Equipment Committee

Security Practitioner – Personnel appointed to perform security functions or specialist services related to security within an entity. These personnel support the work of the Chief Security Officer and Chief Information Security Officer.

Security caveat – A marking that indicates that the information has special handling requirements in addition to those indicated by its security classification.

Security culture – The characteristics, attitudes and habits within an organisation that establish and maintain security.

Security Governance Committee – A senior committee that supports an accountable authority and CSO to achieve protective security objectives and monitor performance against those objectives. Especially valuable to entities with large or complex arrangements.

Security incident – A security incident is defined as an:

  • action, whether deliberate, reckless, negligent or accidental, that fails to meet protective security requirements or entity-specific protective security practices and procedures and that results in, or may result in, the loss, damage, corruption or disclosure of official information or resources,
  • attempt to gain unauthorised access to official information or resources,
  • approach from anybody seeking unauthorised access to official resources, or
  • event that harms, or may harm, the security of Australian Government people, information or resources.

For further detail, see PSPF Release 2024 section 3.6: Security Incidents. This also provides details about reporting channels for particular security incidents.

Security plan – Central document detailing how the entity plans to manage and address their security risks. For further detail see PSPF Release 2024 section 3.1: Security Planning.

Security risk – The effect of uncertainty on objectives that is often measured in terms of its likelihood and consequences. Something that could result in compromise, loss, unavailability or damage to information or physical resources, or cause harm to people.

Security risk management – The process of identifying, assessing and taking steps to reduce security risks to an acceptable level.

Security vetting – The evaluation of a person's suitability to obtain and maintain a security clearance and access sensitive and classified Australian Government resources.

SES – Senior Executive Service

SMSMP – Sensitive Material Security Management Protocol

Sponsoring entity – The Australian Government entity that sponsors an individual's security clearance.

T4 Protective Security (T4 or ASIO T4) – ASIO's protective security capability (T4) provides expert protective security advice and training to the Australian Government, state and territory governments, and business. This includes physical security certification advice (as defined in the PSPF), technical surveillance countermeasures, and resources for security managers to assist in the protection of their information, people and assets via the ASIO Outreach website. T4 evaluates protective security products (such as locks, alarms and detection devices) to determine their suitability for use in government facilities.

TSCMs – Technical Surveillance Countermeasures

Vetting – The evaluation of a person's suitability to obtain and maintain a security clearance and access classified Australian Government resources.

Vetting personnel – All those involved in conducting the security clearance vetting process, including administrative staff, checking officers, vetting analysts, vetting practitioners, assessing officers, vetting managers and vetting delegates.