Glossary

A glossary of common and complex terms used in the Protective Security Policy Framework (PSPF).

Accountable authority – The person or people responsible for, and with control over, a Commonwealth entity's operations. This is set out in Section 12 of the Public Governance, Performance and Accountability Act 2013 (Cth).

ACSC – Australian Cyber Security Centre

AFP – Australian Federal Police

AGSVA – Australian Government Security Vetting Agency

Alternative mitigation – Other security measures or controls that provide the same or a greater level of protection as the PSPF requirement.

APS – Australian Public Service

APSC – Australian Public Service Commission

ASD – Australian Signals Directorate

ASIC – Australian Securities and Investments Commission

ASIO – Australian Security and Intelligence Organisation

ASIO Outreach – ASIO's public facing outreach area. They provide advice to government, industry and academia on current and emerging security threats, and security policy.

ASIS – Australian Secret Intelligence Service

Authorised vetting agency – An Australian Government entity that is authorised to undertake security vetting and issue personnel security clearances.

Caveat owner – The entity that creates an official record that has special handling requirements in addition to its security classification. For more information see the Sensitive Material Security Management Protocol (SMSMP) on GovTEAMS.

Chief Security Officer (CSO) – The Senior Executive Service (SES) level officer that the accountable authority has appointed to oversee entity security arrangements. Provisions for appointing a CSO in an entity with fewer than 100 employees are outlined in PSPF policy 1: Role of accountable authority.

Core requirement – A requirement that entities must meet to achieve the government's desired protective security outcomes. Each of the 16 PSPF policies include a core requirement (as well as supporting requirements).

CSO – Chief Security Officer

DFAT – Department of Foreign Affairs and Trade

EACS – Electronic Access Control Systems

Eligibility waiver – An accountable authority's decision to waive the citizenship or checkable background eligibility requirement for a candidate to hold a security clearance where there is an exceptional business requirement and after conducting a risk assessment.

Entity – Any Commonwealth entity listed under paragraph 10(1) of the Public Governance, Performance and Accountability Act 2013 (Cth).

IRAP – Information Security Registered Assessor

ISM – Information Security Manual

Lead protective security entity – A Commonwealth entity with additional responsibilities as:

  • lead entity in their portfolio, and/or
  • provider of government protective security advice, policy, technical standards or intelligence services, and/or
  • provider of shared services arrangements.

Negative vetting – An evaluation process used when obtaining certain security clearances that relies on the absence of information to the contrary in order to assess the subject's suitability for that security clearance.

OAIC – Office of the Australian Information Commissioner

ONI – Office of National Intelligence

Originator – The entity responsible for creating and classifying an official record where a record is as defined in the Archives Act 1983 (Cth). The entity remains the sole and permanent owner of the classification.

Outcomes – The protective security aims of the government relating to governance, people, information and physical assets. There are4 security outcomes for entities to achieve as part of the PSPF.

Personal security file – A record of the checks, decisions, risk assessments, mitigations, conditions and all other information relating to a security clearance.

Personnel – Employees and contractors, including secondees and any service providers that an entity engages. It also includes anyone who is given access to Australian government resources held by the entity as part of entity sharing initiatives.

PGPA ActPublic Governance, Performance and Accountability Act 2013 (Cth)

Positive vetting – A system of security checking that attempts to examine and independently verify all relevant aspects of a subject's suitability to hold certain security clearances. Positive vetting requires more extensive checks than negative vetting.

Principles – Fundamental values that guide decision–making. There are 5 principles that inform protective security settings (see Securing government business: Protective security guidance for executives).

Protective security – The protection of information, people and physical assets.

PSPF – Protective Security Policy Framework

PSPF maturity rating – The level to which an entity has addressed and implemented the core and supporting requirements in the PSPF. There are 4 levels of PSPF maturity.

Risk appetite – The risk an entity is willing to accept or retain within its tolerance levels to achieve its objectives, as defined in the Department of Finance Risk Management Policy.

Risk tolerance – The levels of risk an entity will tolerate to achieve a specific objective or manage a category of risk, as defined in the Department of Finance Risk Management Policy.

SCEC – Security Construction and Equipment Committee

Security advisors – Personnel appointed to perform security functions or specialist services related to security within an entity. These personnel support the work of the Chief Security Officer.

Security caveat – An indication of special handling requirements beyond those indicated by security classification. See Australian Government Security Caveat Guidelines on GovTEAMS for more detail.

Security culture – The characteristics, attitudes and habits within an organisation that establish and maintain security.

Security Governance Committee – A senior committee that supports an accountable authority and CSO to achieve protective security objectives and monitor performance against those objectives. Especially valuable to entities with large or complex arrangements.

Security incident – A security incident is defined as an:

  1. action, whether deliberate, reckless, negligent or accidental that fails to meet protective security requirements or entity–specific protective security practices and procedures that results, or may result in, the loss, damage, corruption or disclosure of official information or resources (see PSPF policy 2: Management structures and responsibilities C.7.1 Security incidents)
  2. approach from anybody seeking unauthorised access to official resources
  3. observable occurrence or event (including natural disaster events, terrorist attacks etc) that can harm Australian Government people, information or assets.

For further detail, see PSPF policy 2: Management structures and responsibilities. This also provides details about reporting channels for particular security incidents.

Security maturity – The entity's capability to holistically and appropriately manage their security risks through effectively implementing and managing the PSPF core and supporting requirements in the context of the entity's specific risk environment and risk tolerances.

Security plan – Central document detailing how the entity plans to manage and address their security risks.  For further detail see PSPF policy 3: Security planning and risk management.

Security risk – Something that could result in compromise, loss, unavailability or damage to information or physical assets, or cause harm to people.

Security risk management – Managing risks related to an entity's information, people and physical assets.

Security vetting – An authorised vetting agency's assessment of a clearance subject's suitability to hold a security clearance.

SES – Senior Executive Service

SMSMP – Sensitive Material Security Management Protocol

Sponsoring entity – The Australian Government entity that sponsors an individual's security clearance.

Supporting requirement – The actions needed to implement core requirements and attain the government's desired protective security outcomes. Each of the 16 PSPF policies include supporting requirements to help implement that policy's core requirement.

T4 Protective Security (T4 or ASIO T4) – ASIO's protective security capability (T4) provides expert protective security advice and training to the Australian Government, state and territory governments, and business. This includes physical security certification advice (as defined in the PSPF), technical surveillance countermeasures, and resources for security managers to assist in the protection of their information, people and assets via the ASIO Outreach website. T4 evaluates protective security products (such as locks, alarms and detection devices) to determine their suitability for use in government facilities.

TSCMs – Technical Surveillance Countermeasures

Vetting – The evaluation of a person's suitability to obtain and maintain a security clearance and access sensitive and classified Australian Government resources.

Vetting entity – An authorised entity responsible for assessing a person's suitability to obtain and maintain a security clearance.

Vetting personnel – Vetting officers and delegates who assess a clearance subject and identify any vulnerabilities that may compromise Australian Government resources.