Policy Defence Industry Security Program - Security Procedure
Defence Industry Security Program - Security Procedure
- Aboriginal and Torres Strait Islander in Marine Science
- Courses
- Future Students
- Current Students
- Research and Teaching
- Partners and Community
- About JCU
- Reputation and Experience
- Celebrating 50 Years
- Academy
- Anthropological Laboratory for Tropical Audiovisual Research (ALTAR)
- Anton Breinl Research Centre
- Agriculture Technology and Adoption Centre (AgTAC)
- Living on Campus
- How to apply
- Advanced Analytical Centre
- Alumni
- AMHHEC
- Aquaculture Solutions
- AusAsian Mental Health Research Group
- ARCSTA
- Area 61
- Association of Australian University Secretaries
- Australian Lions Stinger Research
- Australian Tropical Herbarium
- Australian Quantum & Classical Transport Physics Group
- Boating and Diving
- JCU-CSIRO Partnership
- Employability Edge
- Clinical Psychedelic Research Lab
- Centre for Tropical Biosecurity
- Career Ready Plan
- Careers at JCU
- Careers and Employability
- Chancellery
- Centre for Tropical Bioinformatics and Molecular Biology
- CITBA
- CMT
- CASE
- College of Business, Law and Governance
- College of Healthcare Sciences
- College of Medicine and Dentistry
- College of Science and Engineering
- CPHMVS
- Centre for Disaster Solutions
- CSTFA
- Cyber Security Hub
- Cyclone Testing Station
- The Centre for Disaster Studies
- Daintree Rainforest Observatory
- Defence
- Discover Nature at JCU
- Research Division
- Services and Resources Division
- Education Division
- Elite Athletes
- eResearch
- Environmental Research Complex [ERC]
- Estate
- Fletcherview
- Foundation for Australian Literary Studies
- Gender Equity Action and Research
- General Practice and Rural Medicine
- JCU Orientation
- Give to JCU
- Governance
- Art of Academic Writing
- Art of Academic Editing
- Graduate Research School
- Graduation
- Indigenous Education and Research Centre
- Indigenous Engagement
- Indigenous Legal Needs Project
- Inherent Requirements
- IsoTropics Geochemistry Lab
- IT Services
- International Students
- Research and Innovation Services
- JCU Eduquarium
- JCU Heroes Programs
- JCU Webinars
- JCU Events
- JCU Global Experience
- JCU Ideas Lab
- JCU Job Ready
- JCU Motorsports
- JCU Prizes
- JCU Sport
- JCU Turtle Health Research
- Language and Culture Research Centre
- CEE
- LearnJCU
- Library
- Mabo Decision: 30 years on
- MARF
- Marine Geophysics Laboratory
- New students
- Off-Campus Students
- Office of the Vice Chancellor and President
- Virtual Open Day
- Orpheus
- Open Day
- Outstanding Alumni
- Parents and Partners
- Pathways to university
- Pharmacy Full Scope
- Planning for your future
- Placements
-
Policy
- Academic Governance
- Academic Management
- Engagement
-
Corporate Governance
- Academic Freedom and Freedom of Speech Policy
- Affiliation of a Residential College Policy
- Bullying, Discrimination, Harassment, and Sexual Misconduct Policy
- Business Continuity Policy
- Child Safety Policy
- Code of Conduct – University Council
- Compliance Policy
- Conduct of Council Elections Policy
- Conflicts of Interests Policy – University Council and its Committees
- Controlled and Non-Controlled Entities Policy
- Critical Incident Policy
- Data Governance Policy
- Distinguished Professor Policy
- Domestic and Family Violence Policy
- Emeritus Professor Policy
- Foreign Interference Policy
- General Practice Training Governance Policy
- Incident Management Policy
- Information Privacy Policy
- Legal Services Claims and Litigation Assistance Policy
- Organisational Structure Policy
- Records Management Policy
- Right to Information Policy
- Risk Management Policy
- Social Media Policy
- Staff Code of Conduct
- University Archives - Access
- Visiting Speaker and Event Policy
- Policy Development and Review Policy
- Quality Enhancement Framework
- Reviews of Organisational Units and Thematic Areas - Policy and Procedures
-
Estate and Facility Management
- Advertising on Campus
- Alcohol Consumption on University Property
- Approval of Works to University Buildings and Site Infrastructure
- Authorised Use of University Facilities, Premises and/or Grounds for Non-core Purposes
- Environmental Policy
- High Voltage Access Policy
- Memorial Plaques
- Noise on University Sites
- Real Estate Dealings Policy
- Security Policy
- Space Allocation and Management Policy
- Student Timetable Policy
- Tree Protection
- Vehicle Fleet Policy
- Weapons Policy
- Adaptive Workplace Policy
-
Financial Management
- Appendices
-
Assets (FMPM 200 - FMPM 399)
- FMPM 200 Overview - Assets & Cash Management
- FMPM 210 Cash
- FMPM 220 Policy - Bank Accounts
- FMPM 230 - Petty Cash Advances
- FMPM 300 Investments
- FMPM 320 Plant and Equipment
- Financial FMPM 322 - Acquisitions of Plant and Equipment
- FMPM 260 Other Advances
- FMPM 330 Non-Capital Assets
- FMPM 280 Official Stores
- FMPM 290 Prepayments
- FMPM 323 - Disposal of Property, Plant and Equipment Procedure
- FMPM 324 Stocktake
- FMPM 350 Intangible Assets
- FMPM 270-2 Accounts Receivable - Student Debtors - Penalties
- FMPM 240 Travel Advances (Students)
- FMPM 330 Non-Capital Assets
- FMPM 270-1 Accounts Receivable
- FMPM 250 - Policy Salary Advances
- Equity (FMPM 500 - FMPM 599)
- Expenses (FMPM 700 - FMPM799)
- Financial Management and Control (FMPM 800 - FMPM 899)
- Further Applications (FMPM 900 - FMPM 999)
- Introduction (FMPM 100 - FMPM 199)
- Liabilities (FMPM 400 - FMPM 499)
- Revenue (FMPM 600 - FMPM 699)
-
Human Resources
- Awards for Excellence Policy
- Bullying, Discrimination, Harassment, and Sexual Misconduct Policy
- Community and Indigenous Language Allowance
- Competency Pay for Tradespersons Policy
- Conflict of Interest Policy
- Early Retirement Policy
- Equal Employment Opportunity
- Honorary Appointments Policy
- Human Resources Policy Glossary
- Market Loading Policy
- Overpayment of Wages Policy
- Performance, Development and Recognition Policy
- Recruitment, Selection and Appointment Policy
- Relocation Assistance Policy
- Remote Working Policy
- Salary Packaging Program Policy
- Special Studies Program Policy
- Supported Wage System (SWS) Policy
- Mandatory Training Policy
- Digital Infrastructure
-
International and Admissions
- Attendance Monitoring Policy - English Language and Foundation Programs
- Enrolment Requirements for International Student Visa-Holders Policy
- Management of Off-Campus Operations, Ventures and Partnerships
- Transfer of International Student Visa Holders to Other Educational Institutions
- US Federal Student Aid-SAP & Return to Title IV Policy
- Admissions Policy
-
Learning and Teaching
- Blended Learning Policy
- Charter of Responsibilities for Academic Quality and Governance
- Coursework Academic Integrity Policy
- English Language and Numeracy Policy
- Graduate Attributes
- Graduate Certificate of Education (Academic Practice) Internal Sponsorship Policy
- Learning Teaching and Assessment Policy
- Policy Glossary
- Review of a Student’s Suitability to Continue a Course Involving Placement
- Student Digital Experience Policy
- Student Evaluation of Subjects and Teaching Policy
- Student Retention Policy
- Research Education
- Research Management
-
Student Matters
- Academic Progression Policy
- Administration of Commonwealth Scholarships Policy
- Attendance Monitoring Policy - English Language and Foundation Programs
- Award Finalisation and Graduation Policy
- Bullying, Discrimination, Harassment, and Sexual Misconduct Policy
- Copyright Policy and Procedure
- Coursework Enrolment Policy
- Coursework Scholarships, Grants and Prizes Policy
- Library Use Policy
- Student Code of Conduct
- Student Complaints Policy
- Student Disability Policy
- Student Fee Payments and Refunds Policy
- Student Review and Appeals Policy (effective from 01/01/2023)
- Student Special Circumstances Policy
- Transfer of International Student Visa Holders to Other Educational Institutions
- Student Results Policy
- Support for Students Policy (Interim)
- Work Health and Safety
- Policy search
- PAHL
- Publications
- Professional Experience Placement
- Queensland Research Centre for Peripheral Vascular Disease
- Rapid Assessment Unit
- RDIM
- Researcher Development Portal
- Roderick Centre for Australian Literature and Creative Writing
- Safety and Wellbeing
- Scholarships
- Contextual Science for Tropical Coastal Ecosystems
- Staff
- State of the Tropics
- Strategic Procurement
- Student Equity and Wellbeing
- Student profiles
- SWIRLnet
- TARL
- TESS
- TREAD
- TropEco for Staff and Students
- TQ Maths Hub
- TUDLab
- Unicare Centre and Unicampus Kids
- UAV
- VAVS Home
- Work Health and Safety
- WHOCC for Vector-borne & NTDs
- Media
- Copyright and Terms of Use
- Australian Institute of Tropical Health & Medicine
- Pay review
Print FriendlyIntent
The Defence Industry Security Program (DISP) assists in securing Defence capability through strengthened security practices in partnership with industry, and enhances Defence’s ability to manage risk in the evolving security environment. The Defence Security and Vetting Service DS&VS manage the DISP to support Defence Groups and Services, and defence industry in managing security risks.
Following Defence’s assessment of James Cook University’s (JCU) eligibility and suitability, the University has been granted a DISP Membership at the following levels:
- Governance Security: Entry Level
- Personnel Security: Entry Level
- Physical Security: Entry Level
- Information & Cyber Security: Entry Level
JCU must continue to meet the ongoing eligibility and suitability requirements, as outlined in the Defence Security Principles Framework (DSPF) Principle 16 and Control 16.1 Defence Industry Security Program to maintain membership. JCU has committed to abide by the security provisions stated in the DSPF and are reflected in this procedure.
Scope
Elements of this procedure apply to all members of the University community including students, staff and affiliates where applicable and to all Australian JCU campuses and JCU Managed Locations, with the exception of JCU Brisbane. Elements of this procedure have application to those staff who have specific responsibilities in managing the University’s eligibility and suitability, or have received a security clearance from Defence.
Definitions
Except as otherwise specified in the Security Policy or this Procedure, the meaning of terms used are as per the Policy Glossary.
Defence Industry Security Program (DISP) | The Department of Defence, in consultation with industry, has reformed DISP to provide industry increased opportunities to work with Defence and easier access to Defence security services. The University has applied for entry level membership, which commits JCU to maintain certain Governance, Personnel, Physical and ICT security requirements. |
Security Incident | An act, omission, circumstance, or occurrence which directly or indirectly adversely affect the security of people or official or classified assets on any campus or other University property. Such incident may include actual and suspected events including: acts of violence, theft, loss or damage to university property, suspicious or threatening behaviour, emergency situations such as fire, flood, chemical spills, accidents or bodily injury, disorderly and/or disruptive conduct, unauthorised access and alarm activation. |
Procedure
1. Commitment
1.1 It is the University’s obligation to maintain the governance, personnel, physical and information technology security levels required as part of its DISP membership and as detailed in the:
1.1.1 Protective Security Policy Framework (PSPF) that provides the appropriate controls for the Australian Government to protect its people, information and assets at home and overseas.
1.1.2 Defence Security Principles Framework that provides information on security requirements which are specific to Defence and DISP members.
1.1.3 Australian Government Information Security Manual is the standard which governs the security of government Information Communications Technology (ICT) systems and complements the PSPF.
2. Responsibilities under the DISP
2.1 Chief Security Officer (CSO). The CSO must be a member of the Vice Chancellor’s Advisory Committee or senior management with the ability to implement policy and direct resources. They must be able to obtain and maintain a minimum Baseline Security Clearance.
2.2 The Chief of Staff is currently the CSO, and is responsible for oversight of security arrangements and championing a security culture in JCU for the purposes of the DISP. The Chief of Staff is accountable for ensuring:
2.2.1 all obligations contained in the DISP principle and control policy documents for their level of membership are met;
2.2.2 an appropriate system of risk, oversight and management is maintained;
2.2.3 DISP reporting obligations are fulfilled;
2.2.4 any sensitive and classified materials entrusted to JCU are safeguarded at all times;
2.2.5 Security Officer(s) are appointed to develop and implement JCU’s security policies and plans on the CSO’s behalf;
2.2.6 DISP Annual Security Report is agreed by the VCAC, and all recommendations are implemented within agreed timeframes; and
2.2.7 any change in Foreign Ownership Control and Influence (FOCI) status of JCU.
2.3 Security Officer (SO). The SO is responsible for the development and implementation of the DISP relevant security procedures and plans and acts on behalf of the CSO. The SO must be an Australian citizen and be able to obtain and maintain a Personnel Security Clearance at the Baseline level or above, as appropriate with the level of DISP membership.
2.4 The Chief of Staff is currently the SO for JCU and is responsible for:
2.4.1 the development and application of security policies and plans within JCU as they relate to the DISP;
2.4.2 maintaining a Security Register (SR);
2.4.3 facilitating annual security awareness training of relevant staff:
2.4.4 reporting security incidents and fraud incidents, and contact reports, in accordance with Defence policy; and
2.4.5 yearly assurance activities to support the CSO.
3. Governance Security
3.1 Security Procedures and Plans. The relevant security procedures and plans are developed and maintained by the SO to provide all staff or students with a Defence security clearance a guide to their individual security responsibilities.
3.2 All relevant staff and students are required to read the procedures annually as a reminder of their individual responsibilities. Staff applying for a security clearance must read the SPP at the time of their introductory security briefing by the SO.
3.3 While working at Defence establishments, or facilities, security cleared personnel must abide by the applicable local security instructions.
3.4 Security Register. A Security Register as per the template provided by DISP is to be maintained to capture all matters of security interest to JCU and is maintained by the SO.
3.5 Foreign Ownership Control and Influence. DISP members are obligated to report all potential or actual changes to their Foreign Ownership Control and Influence status. The SO is to report FOCI changes by submitting the AE250-1 webform to DISP.submit@defence.gov.au.
3.6 Annual Security Report (ASR). The ASR is a declaration by the CSO, under the authority of the Vice Chancellor that JCU is continuing to meet the eligibility and suitability requirements of the DISP. The ASR is to be submitted as per the template provided by DISP to Defence annually from the date DISP membership is granted.
3.7 Security Risk Assessments (SRAs). DISP Members are to maintain SRAs to identify and manage risks. Additionally, a more specific SRA should be maintained relating to any Defence contract the University may be engaged in.
3.8 Annual Security Awareness Training. DISP members are to implement annual security awareness training for all relevant staff. In certain circumstances, Defence may require the University to complete the Defence annual Security Awareness course in addition to the JCU training. This would be coordinated through the SO.
3.9 Contact Reporting. Staff or students engaged with a DISP project or who have a Defence security clearance need to be aware of the possibility of suspicious contacts being made and report them to the SO. A contact is any suspicious or nefarious activity where an employee communicates with representatives of foreign countries; extremist or subversive groups; criminal groups; or political or issue motivated groups or individuals, including the media.
3.10 Espionage represents a threat to the security of Defence and Defence industry. Foreign Intelligence Services (FIS) personnel are skilled in the exploitation of relationships and aim to recruit people with legitimate access to their target area. Private and official contacts, particularly social contacts, are used by foreign representatives to glean information of possible intelligence value or to make character studies of Australian official or business people.
3.11 Any contact, either in Australia or overseas, which is considered to have security significance, is to be reported immediately to the SO who will complete and submit Form XP168 - Report of Security Contact Concern and sent to DS&VS Security Incident Centre – security.incidentcentre@defence.gov.au.
3.12 Security Incident Reporting. JCU staff and students are required to report security incidents. The SO should report all security incidents using the online form XP188 - Security Incident Report to security.incidentcentre@defence.gov.au in accordance with the DSPF and record the incident in the Security Register.
3.13 The SO should take necessary action to immediately correct any security deficiencies or any matters which are likely to pose a direct security risk to University staff, students or classified material, or which threaten to reduce the level of protection being afforded to classified material in JCU’s custody.
3.14 Classified information. Where classified information is held, the following must occur:
3.14.1 Close of Business Security Check. A security check is to be conducted at close of business to ensure that all classified material is secured in approved security containers and the Physical Security Zones perimeter(s) are secure.
3.14.2 Random Security Checks. To ensure compliance with the DISP minimum security requirements, Defence will conduct random and targeted security spot checks of DISP members. This may include but is not limited to, a review of the JCU’s security procedures and plans, personnel, information and physical security arrangements and security registers. In addition, the SO is responsible for undertaking random security checks to ensure that:
a. classified material is properly protected; and
b. all staff are adhering to all security requirements.
The random security check is to be recorded within the SR.
3.15 Emergency Situations. In the event of a fire, civil disturbance or other occurrence which requires evacuation from the facility, where practicable security cleared staff should, prior to leaving:
3.15.1 take action to secure all classified material in security containers; or
3.15.2 assume personal charge of the classified material and retain it until relieved of the responsibility by the custodian or SO.
It may be necessary that access by emergency personnel is granted under escort by appropriately security cleared staff.
4. Personnel Security
4.1 Security Clearances. Once a security clearance is granted, the security cleared staff or student must meet their ongoing responsibilities (http://www.defence.gov.au/agsva) including reporting of any change of circumstances. If a person is no longer required to hold a clearance or leaves JCU, Defence will manage the security clearance after-care and separation process.
4.2 Staff/Student Identification (ID) and Access. Where a JCU facility requires security access due to security zoning (see below) or classified material, staff and students are required to be responsible for their ID and access card in accordance with the following:
4.2.1 to ensure their safekeeping;
4.2.2 to wear them visibly at all times within the specified workplace, ensuring the photograph can be clearly seen;
4.2.3 report it to the SO in the event of loss;
4.2.4 to ensure that no other person has possession, use or access to their ID or access pass;
4.2.5 to challenge anyone not known to them in the facility that is not wearing a pass;
4.2.6 to return the ID or access pass to the SO on expiration of the pass, cessation of the requirement to enter premises requiring the pass, or termination of employment/study; and
4.2.7 to surrender any Defence access pass to their SO during their debriefing, when ceasing engagement with JCU.
4.3 Electronic access cards to a security zones facility are to be considered a “Security Key” and will be recorded in the Security Register by the SO. The SO will conduct an annual audit to account for all relevant JCU access cards.
4.4 JCU staff or students who visit Defence premises must wear their Defence Visitor or Defence Access pass, so it can be seen clearly at all times.
5. Physical Security
5.1 Physical Certification of Zones. As an Entry Level DISP member, JCU is required to notify DS&VS of the physical security arrangements at each facility as part of the membership application process. Currently, JCU has no requirement to self-certify or accredit a facility or area as a security zone. The University may declare the following if a DISP project required it:
5.1.1 Zone 1: A Security Zone 1 is a public access area within a space or area that has access control measures in place at the perimeter. No certification or accreditation is required for Zone 1.
5.1.2 Zone 2: Security Zone 2 facilities are considered low-risk and commonly recognised as normal office buildings constructed in accordance with the Building Code of Australia, with commercial locking and restricted profile keying systems along with other requirements. The perimeter of Security Zone 2 facilities are generally slab-to-slab construction or tamper evident ceilings after hours. Zone 2 can store up to certain levels of classified information and assets in accordance with the PSPF.
5.2 Security Containers. All official and classified material must be stored in approved security containers. Access to the container(s) shall be limited to the approved custodian(s). DSPF Principle 72 Physical Security outlines the appropriate types of security containers applicable to the various levels of classified material in the various types of Physical Security Zones within Australia.
5.3 The SO is to record details of the security containers, their locations and their custodians in the SR.
5.4 JCU does not currently have requirement to maintain security containers.
5.5 Keys and Combinations. The SO maintains a register of all facility keys, security containers, combinations and keys. Each security container must have a custodian appointed who is responsible for the contents and controlling access to the security container.
5.6 Security keys to security containers are to be held only by authorised and appropriately security cleared personnel. Keys to containers holding classified material are to be regarded as having the same classification as the material held in the containers and must be protected accordingly.
5.7 A key register must be maintained by the SO. Duplicate keys are not to be made except on the authorisation of the SO and recorded in the key register. An audit of the keys must be performed at least every six months. The loss or compromise of a security key must be reported in accordance with clause 3.12.
5.8 In the event of a compromise or suspected compromise of a security container, the SO must be informed immediately.
6. Information And Cyber Security
6.1 ICT Networks Standard Operating Procedures. As a DISP member with Information and Cyber Security Entry Level membership, JCU is expected to meet ICT network accreditation standard that meets the following four requirements of the ASD Essential 8: application whitelisting, patch applications, restrict administrative privileges, and patch operating systems for those systems used for projects and/or research with Defence.
6.2 The Head, Enterprise Architecture, Strategy and Risk, is JCU’s IT Security Officer responsible for maintaining the system specific Standard Operating Procedures (SOP) applicable to ICT systems for JCU.
6.3 Official Information. Defence official information is classified in accordance with the Australian Government Security Classification System (AGSCS) and protected in a manner that prevents unauthorised access by or disclosure to, those who do not have a need-to-know and the appropriate security clearance.
6.4 JCU staff or students with security clearances using classified material are to ensure that there is no deliberate or casual inspection or oversight by unauthorised persons. All classified material is to be secured in an approved security container when not in actual use or under direct supervision of an appropriately cleared person with a need-to-know (see clause 5.2).
6.5 Applying protective marking to official information can be found in the DSPF Principle 10 Classification and Protection of Classified Information. A protective marking assigned to official information indicates the consequence of unauthorised disclosure. It identifies the level of protection that must be provided during use, storage, transmission, transfer and disposal of classified information.
7. Consequences of breach of procedure
7.1 Failure by staff and students to abide by the security procedures and plans and the regulations outlined in the DSPF may result in DISP membership being terminated and the cancellation of any contracts JCU may have with Defence.
7.2 Depending on the nature of the non-compliance, the breach may constitute a breach of discipline of the University, and the University may instigate disciplinary proceedings in accordance with the University’s Staff Code of Conduct and the Enterprise Agreement (as amended or replaced from time to time), or the Student Code of Conduct.
7.3 Depending upon the severity and implications of the breach, sanctions may include legal action, a formal warning, retraining, and/or other disciplinary action (such as suspension or termination of employment, or suspension or exclusion from the University).
Related policy instruments
Access to Controlled Areas Procedure
Business Continuity Management Plan
Incident Management Policy and Procedures
Risk Management Framework and Plan
Workplace Health and Safety Policy
Related documents and legislation
James Cook University Act 1997
Administration
NOTE: Printed copies of this policy are uncontrolled, and currency can only be assured at the time of printing.
Approval Details
Procedure Sponsor | DVC Services and Resources |
Approval Authority | DVC Services and Resources |
Date for next Major Review (in accordance with the Policy Handbook) | 22/12/2025 |
Revision History
Version | Approval date | Implementation date | Details | Author |
20-1 | 22/12/2020 | 22/12/2020 | Procedure established | Chief of Staff |
Keywords | Security, Defence, DISP, classified information |