Defence Industry Security Program - Security Procedure

Intent

The Defence Industry Security Program (DISP) assists in securing Defence capability through strengthened security practices in partnership with industry, and enhances Defence’s ability to manage risk in the evolving security environment. The Defence Security and Vetting Service (DS&VS) manages the DISP to support Defence Groups and Services, and defence industry, in managing security risks.

Following Defence’s assessment of James Cook University’s (JCU) eligibility and suitability, the University has been granted a DISP Membership at the following levels:

  • Governance Security: Entry Level
  • Personnel Security: Entry Level
  • Physical Security: Entry Level
  • Information & Cyber Security: Entry Level

JCU must continue to meet the ongoing eligibility and suitability requirements, as outlined in the Defence Security Principles Framework (DSPF) Principle 16 and Control 16.1 Defence Industry Security Program, to maintain membership. JCU has committed to abide by the security provisions stated in the DSPF, which are reflected in this procedure.

Scope

Elements of this procedure apply to all members of the University community, including students, staff and affiliates where applicable, and to all Australian JCU campuses and JCU Managed Locations, with the exception of JCU Brisbane. Other elements apply only to those staff who have specific responsibilities in managing the University’s eligibility and suitability, or who have received a security clearance from Defence.

Definitions

Except as otherwise specified in the Security Policy or this Procedure, the meanings of terms used are as per the Policy Glossary.

Defence Industry Security Program (DISP)

The Department of Defence, in consultation with industry, has reformed DISP to provide industry increased opportunities to work with Defence and easier access to Defence security services. The University has applied for entry level membership, which commits JCU to maintain certain Governance, Personnel, Physical and ICT security requirements.

Security Incident

An act, omission, circumstance or occurrence which directly or indirectly adversely affects the security of people, or of official or classified assets, on any campus or other University property. Such incidents may include actual and suspected events including: acts of violence; theft, loss or damage to University property; suspicious or threatening behaviour; emergency situations such as fire, flood, chemical spills, accidents or bodily injury; disorderly and/or disruptive conduct; unauthorised access; and alarm activation.

Procedure

1.  Commitment

1.1  It is the University’s obligation to maintain the governance, personnel, physical and information technology security levels required as part of its DISP membership and as detailed in the:

1.1.1 Protective Security Policy Framework (PSPF), which provides the controls by which the Australian Government protects its people, information and assets at home and overseas.

1.1.2 Defence Security Principles Framework (DSPF), which provides information on security requirements that are specific to Defence and DISP members.

1.1.3 Australian Government Information Security Manual (ISM), the standard which governs the security of government Information and Communications Technology (ICT) systems and complements the PSPF.

2.  Responsibilities under the DISP

2.1 Chief Security Officer (CSO). The CSO must be a member of the Vice Chancellor’s Advisory Committee (VCAC) or of senior management, with the ability to implement policy and direct resources. They must be able to obtain and maintain a security clearance at the Baseline level or above.

2.2 The Chief of Staff is currently the CSO, and is responsible for oversight of security arrangements and championing a security culture in JCU for the purposes of the DISP. The Chief of Staff is accountable for ensuring:

2.2.1 all obligations contained in the DISP principle and control policy documents for their level of membership are met;

2.2.2 an appropriate system of risk oversight and management is maintained;

2.2.3 DISP reporting obligations are fulfilled;

2.2.4 any sensitive and classified materials entrusted to JCU are safeguarded at all times;

2.2.5 Security Officer(s) are appointed to develop and implement JCU’s security policies and plans on the CSO’s behalf;

2.2.6 the DISP Annual Security Report is agreed by the VCAC, and all recommendations are implemented within agreed timeframes; and

2.2.7 any change in the Foreign Ownership, Control and Influence (FOCI) status of JCU is reported to Defence (see clause 3.5).

2.3 Security Officer (SO). The SO is responsible for the development and implementation of the DISP relevant security procedures and plans and acts on behalf of the CSO. The SO must be an Australian citizen and be able to obtain and maintain a Personnel Security Clearance at the Baseline level or above, as appropriate to the level of DISP membership.

2.4 The Chief of Staff is currently the SO for JCU and is responsible for:

2.4.1 the development and application of security policies and plans within JCU as they relate to the DISP;

2.4.2 maintaining a Security Register (SR);

2.4.3 facilitating annual security awareness training of relevant staff;

2.4.4 reporting security incidents and fraud incidents, and contact reports, in accordance with Defence policy; and

2.4.5 yearly assurance activities to support the CSO.

3.  Governance Security

3.1 Security Procedures and Plans (SPP). The relevant security procedures and plans are developed and maintained by the SO to give all staff and students who hold a Defence security clearance a guide to their individual security responsibilities.

3.2 All relevant staff and students are required to read the procedures annually as a reminder of their individual responsibilities. Staff applying for a security clearance must read the SPP at the time of their introductory security briefing by the SO.

3.3 While working at Defence establishments, or facilities, security cleared personnel must abide by the applicable local security instructions.

3.4 Security Register. A Security Register, using the template provided by DISP, is maintained by the SO to capture all matters of security interest to JCU.

3.5 Foreign Ownership, Control and Influence (FOCI). DISP members are obligated to report all potential or actual changes to their FOCI status. The SO is to report FOCI changes by submitting the AE250-1 webform to DISP.submit@defence.gov.au.

3.6 Annual Security Report (ASR). The ASR is a declaration by the CSO, under the authority of the Vice Chancellor that JCU is continuing to meet the eligibility and suitability requirements of the DISP. The ASR is to be submitted as per the template provided by DISP to Defence annually from the date DISP membership is granted.

3.7 Security Risk Assessments (SRAs). DISP Members are to maintain SRAs to identify and manage risks. Additionally, a more specific SRA should be maintained relating to any Defence contract the University may be engaged in.

3.8 Annual Security Awareness Training. DISP members are to implement annual security awareness training for all relevant staff. In certain circumstances, Defence may require the University to complete the Defence annual Security Awareness course in addition to the JCU training. This would be coordinated through the SO.

3.9 Contact Reporting. Staff or students engaged on a DISP project, or who hold a Defence security clearance, need to be aware of the possibility of suspicious contacts being made and must report them to the SO. A reportable contact is any suspicious or concerning communication between a staff member or student and representatives of foreign countries; extremist or subversive groups; criminal groups; or political or issue motivated groups or individuals, including the media.

3.10 Espionage represents a threat to the security of Defence and Defence industry. Foreign Intelligence Services (FIS) personnel are skilled in the exploitation of relationships and aim to recruit people with legitimate access to their target area. Private and official contacts, particularly social contacts, are used by foreign representatives to glean information of possible intelligence value or to make character studies of Australian official or business people.

3.11 Any contact, either in Australia or overseas, which is considered to have security significance is to be reported immediately to the SO, who will complete Form XP168 - Report of Security Contact Concern and submit it to the DS&VS Security Incident Centre (security.incidentcentre@defence.gov.au).

3.12 Security Incident Reporting. JCU staff and students are required to report security incidents to the SO. The SO should report all security incidents using the online form XP188 - Security Incident Report, sent to security.incidentcentre@defence.gov.au in accordance with the DSPF, and record the incident in the Security Register.

3.13 The SO should take necessary action to immediately correct any security deficiencies or any matters which are likely to pose a direct security risk to University staff, students or classified material, or which threaten to reduce the level of protection being afforded to classified material in JCU’s custody.

3.14 Classified information. Where classified information is held, the following must occur:

3.14.1 Close of Business Security Check. A security check is to be conducted at close of business to ensure that all classified material is secured in approved security containers and the Physical Security Zones perimeter(s) are secure.

3.14.2 Random Security Checks. To ensure compliance with the DISP minimum security requirements, Defence will conduct random and targeted security spot checks of DISP members. These may include, but are not limited to, a review of JCU’s security procedures and plans, personnel, information and physical security arrangements, and security registers. In addition, the SO is responsible for undertaking random security checks to ensure that:

a. classified material is properly protected; and

b. all staff are adhering to all security requirements.

The random security check is to be recorded within the SR.

3.15 Emergency Situations. In the event of a fire, civil disturbance or other occurrence which requires evacuation from the facility, where practicable security cleared staff should, prior to leaving:

3.15.1 take action to secure all classified material in security containers; or

3.15.2 assume personal charge of the classified material and retain it until relieved of the responsibility by the custodian or SO.

Where emergency personnel require access to areas holding classified material, it may be necessary for that access to be granted under escort by appropriately security cleared staff.

4.  Personnel Security

4.1 Security Clearances. Once a security clearance is granted, the security cleared staff or student must meet their ongoing responsibilities (http://www.defence.gov.au/agsva) including reporting of any change of circumstances. If a person is no longer required to hold a clearance or leaves JCU, Defence will manage the security clearance after-care and separation process.

4.2 Staff/Student Identification (ID) and Access. Where a JCU facility requires security access due to security zoning (see section 5) or classified material, staff and students are responsible for their ID and access card in accordance with the following:

4.2.1 to ensure their safekeeping;

4.2.2 to wear them visibly at all times within the specified workplace, ensuring the photograph can be clearly seen;

4.2.3 to report their loss to the SO immediately;

4.2.4 to ensure that no other person has possession, use or access to their ID or access pass;

4.2.5 to challenge anyone in the facility who is not known to them and is not wearing a pass;

4.2.6 to return the ID or access pass to the SO on expiration of the pass, cessation of the requirement to enter premises requiring the pass, or termination of employment/study; and

4.2.7 to surrender any Defence access pass to their SO during their debriefing, when ceasing engagement with JCU.

4.3 Electronic access cards to a security zoned facility are to be considered a “Security Key” and will be recorded in the Security Register by the SO. The SO will conduct an annual audit to account for all relevant JCU access cards.

4.4 JCU staff or students who visit Defence premises must wear their Defence Visitor or Defence Access pass, so it can be seen clearly at all times.

5. Physical Security

5.1 Physical Certification of Zones. As an Entry Level DISP member, JCU is required to notify DS&VS of the physical security arrangements at each facility as part of the membership application process. Currently, JCU has no requirement to self-certify or accredit a facility or area as a security zone. The University may declare the following if a DISP project requires it:

5.1.1 Zone 1: A Security Zone 1 is a public access area within a space that has access control measures in place at its perimeter. No certification or accreditation is required for Zone 1.

5.1.2 Zone 2: Security Zone 2 facilities are considered low-risk and are commonly recognised as normal office buildings constructed in accordance with the Building Code of Australia, with commercial locking and restricted profile keying systems along with other requirements. The perimeter of a Security Zone 2 facility is generally slab-to-slab construction, or has tamper evident ceilings after hours. Zone 2 can store classified information and assets up to the levels permitted by the PSPF.

5.2 Security Containers. All official and classified material must be stored in approved security containers. Access to the container(s) shall be limited to the approved custodian(s). DSPF Principle 72 Physical Security outlines the appropriate types of security containers applicable to the various levels of classified material in the various types of Physical Security Zones within Australia.

5.3 The SO is to record details of the security containers, their locations and their custodians in the SR.

5.4 JCU does not currently have a requirement to maintain security containers.

5.5 Keys and Combinations. The SO maintains a register of all facility keys and of all security containers, together with their keys and combinations. Each security container must have an appointed custodian who is responsible for its contents and for controlling access to it.

5.6 Security keys to security containers are to be held only by authorised and appropriately security cleared personnel. Keys to containers holding classified material are to be regarded as having the same classification as the material held in the containers and must be protected accordingly.

5.7 A key register must be maintained by the SO. Duplicate keys are not to be made except on the authorisation of the SO and recorded in the key register. An audit of the keys must be performed at least every six months. The loss or compromise of a security key must be reported in accordance with clause 3.12.

5.8 In the event of a compromise or suspected compromise of a security container, the SO must be informed immediately.

6. Information And Cyber Security

6.1 ICT Networks Standard Operating Procedures. As a DISP member with Information and Cyber Security Entry Level membership, JCU is expected to meet an ICT network accreditation standard that covers the following four of the ASD Essential Eight mitigation strategies for those systems used for projects and/or research with Defence: application whitelisting (now referred to by ASD as application control), patching applications, restricting administrative privileges, and patching operating systems.

6.2 The Head, Enterprise Architecture, Strategy and Risk, is JCU’s IT Security Officer responsible for maintaining the system specific Standard Operating Procedures (SOP) applicable to ICT systems for JCU.

6.3 Official Information. Defence official information is classified in accordance with the Australian Government Security Classification System (AGSCS) and is protected in a manner that prevents unauthorised access by, or disclosure to, those who do not have both a need-to-know and the appropriate security clearance.

6.4 JCU staff or students with security clearances using classified material are to ensure that there is no deliberate or casual inspection or overlooking of the material by unauthorised persons. All classified material is to be secured in an approved security container when not in actual use or under the direct supervision of an appropriately cleared person with a need-to-know (see clause 5.2).

6.5 Guidance on applying protective markings to official information is in DSPF Principle 10 Classification and Protection of Classified Information. A protective marking assigned to official information indicates the consequence of unauthorised disclosure. It identifies the level of protection that must be provided during use, storage, transmission, transfer and disposal of classified information.

7. Consequences of breach of procedure

7.1 Failure by staff and students to abide by the security procedures and plans and the regulations outlined in the DSPF may result in DISP membership being terminated and the cancellation of any contracts JCU may have with Defence.

7.2 Depending on the nature of the non-compliance, the breach may constitute a breach of discipline of the University, and the University may instigate disciplinary proceedings in accordance with the University’s Staff Code of Conduct and the Enterprise Agreement (as amended or replaced from time to time), or the Student Code of Conduct.

7.3 Depending upon the severity and implications of the breach, sanctions may include legal action, a formal warning, retraining, and/or other disciplinary action (such as suspension or termination of employment, or suspension or exclusion from the University).

Related policy instruments

Access to Controlled Areas Procedure

Business Continuity Management Plan

Business Continuity Policy

Incident Management Policy and Procedures

Risk Management Framework and Plan

Risk Management Policy

Security Policy

Workplace Health and Safety Policy

Related documents and legislation

James Cook University Act 1997

Administration

NOTE: Printed copies of this policy are uncontrolled, and currency can only be assured at the time of printing.

Approval Details

Procedure Sponsor: DVC Services and Resources

Approval Authority: DVC Services and Resources

Date for next Major Review (in accordance with the Policy Handbook): 22/12/2023

Revision History

Version 20-1 | Approval date: 22/12/2020 | Implementation date: 22/12/2020 | Details: Procedure established | Author: Chief of Staff

Keywords

Security, Defence, DISP, classified information