The Protective Security Policy Framework (PSPF) provides advice and guidance on risk management and security controls. It also outlines minimum standards.
The PSPF’s 16 policies
The PSPF is made up of 16 policies grouped into four areas (governance, information, personnel and physical security):
Governance policies
Policy 1: Role of the accountable — covers the role of an ‘accountable authority’ (a person) who ensures information security practices are in place, including defining, evaluating and prioritising risks.
Policy 2: Management structures and — outlines the management structures and responsibilities for effective information security practices, including the need for specific roles (e.g. a CSO) with clear lines of authority and accountability.
Policy 3: Security planning and risk — covers processes and procedures to prepare and put in place an information security strategy, including risk assessments and security awareness training.
Policy 4: Security maturity — outlines the need to regularly assess, check and review the effectiveness of information security provisions to deal with evolving threats.
Policy 5: Reporting on — covers the need to report potential security breaches quickly and take action to prevent future incidents.
Policy 6: Security governance for contracted goods and service — emphasises the need for appropriate security controls for organisations providing goods and services to the Australian Government.
Policy 7: Security governance for international — focuses on the need to ensure appropriate security controls when sharing information with international parties.
Information policies
Policy 8: Sensitive and security classified — provides guidance on the use and handling of sensitive and classified information.
Policy 9: Access to — provides guidance on how to control access to information, including setting up access levels, monitoring for inappropriate activity, and establishing procedures to revoke access when necessary.
Policy 10: Safeguarding information from cyber — provides guidance on how to protect data and systems from cyber threats, including detecting potential threats, responding to incidents and recovering from data breaches.
Policy 11: Robust ICT — outlines the need for secure ICT systems and networks, with policies and procedures to ensure their ongoing protection.
Personnel policies
Policy 12: Eligibility and suitability of — provides guidance on how to vet and manage personnel with access to classified information.
Policy 13: Ongoing assessment of — provides guidance on the ongoing assessment of personnel with access to sensitive information.
Policy 14: Separating — sets out procedures for revoking access when people leave their roles.
Physical policies
Policy 15: Physical security for entity — covers how to ensure the physical security of key resources and personnel, including site selection, identification systems and access limitations.
Policy 16: Entity — outlines how to protect and secure premises, assets and personnel through security measures, access controls and monitoring mechanisms.
Salsa Digital’s take
The PSPF helps ensure that government organisations (and vendors who provide goods and services to government) meet their responsibilities when it comes to managing information security risks. It’s an important framework for government and people who deal with government.