Auditor-General Performance Audit 27 (2021-22): Administration of the Revised Protective Security Policy Framework

ANAO Security Performance Audit – this article comments on the findings and recommendations of ANAO Report 27, suggesting ‘adding value’ by extending breach and incident data capture capability, and establishing a central protective security advisory unit.

The Australian National Audit Office’s (ANAO) Performance Audit report 27 of 2021-2022, presented to the President of the Senate and Speaker of the House on 12 May 2022, assessed the extent to which the Attorney-General’s Department (AGD), the Department of Social Services (DSS) and Services Australia have effectively administered elements of the revised Protective Security Policy Framework (PSPF), overarching security doctrine and ‘better practice’ for 186 Commonwealth entities.

The report refers to various previous reviews of Australian Government protective security standards and guidance, consistent with the meticulous approach and audited entity ‘corporate memory’ applied through the ANAO cyclical audit review program, revisiting previous findings, and evaluating progress in implementing recommendations.

The full ANAO report is available here. The audit emphasis and scope addressed three of the sixteen PSPF Core Requirements:

• 4 – Security Maturity Monitoring;
• 15 – Physical Security for Entity Resources; and,
• 16 – Entity Facilities.

For readers with knowledge of the various iterations and history of the PSPF, and related guidance (e.g. technical notes for secure zone compliance authorised by the Security Construction and Equipment Committee [SCEC]), the ANAO audit assessment covers familiar territory, building on foundations of Australian Government protective security developed over more than forty years.

The Industry Risk report “8 Key ANAO Protective Security Audits” is a concise accessible summary of, and background to, previous Auditor-General findings on security and protective security management, and complements this ANAO Security Performance Audit article.

Security Governance and Incident Reporting

The audit opinion set out in the ANAO Security Performance Audit is that the audited agencies were largely effective in administering the revised PSPF, with exceptions noted in relation to the risk of optimism bias in self reporting of security ‘maturity’ to the AGD, and secure zone certification and accreditation.

Although not specifically mentioned in the audit report, perceptions that periodic central reporting is primarily a ‘tick and flick’ compliance exercise may compound agency optimism bias risk in assessing their own security ‘maturity’.

A live, online agency security incident database and treatment reporting risk register would add more value to daily protective security management, and improve real time security awareness.

Few incentives exist to report deficiencies when central agencies, as noted in the ANAO Security Performance Audit findings, rely solely on agency self-assessed reports and claims. A similar potential conflict of interest and disincentive to report breaches and poor practice confronts private sector Defence Industry Security Program (DISP) members. The DISP does however require periodic physical verification, particularly of member firms holding national security classified information.

The ANAO findings on improving reporting, including consistent recording and analysis of security breaches and incidents, would be enhanced by also recommending development of a model incident reporting process with a defined standard data set and glossary of breach and incident terms, for use by all entities applying PSPF Core Requirements.

Standardised nomenclature would allow comparison and historical analysis of security trends across, within and between Commonwealth entities. Reliable breach and incident data is a crucial prerequisite for effective security risk analysis.

Strategic cohesive risk management of Australian Government protective security would be further enhanced by integrating breach and incident data with the enterprise risk management ‘treat, monitor and review’ cycle prescribed within ISO31000 and related globally accepted professional guidance (e.g. the Security Risk Management Body of Knowledge https://tinyurl.com/4phs8xc6).

Breach and Incident Data

Statistical categories for crime reporting used by the Australian Bureau of Statistics (ABS) and agencies such as the NSW Bureau of Crime Statistics and Research (BOCSAR) are also relevant when assessing local crime patterns. This is true during security risk analysis and site surveys, mandatory elements of PSPF Core Requirement 3 – Security Planning and Risk Management.

Reliable, timely and consistent crime, security breach and incident reporting data is key to accurately assessing genuine security threats and risks confronting Australian Government agencies and entities in daily operations.

Without aggregated reliable historical security breach and incident data, selecting the optimal suite of security risk countermeasures is hampered by inadequate guesstimates and worst-case scenario speculation, causing waste and marginal if any improved protective security.

Standard Reporting and Analysis

Separately, security awareness and readiness to identify and report security breaches is an agency security ‘force multiplier,’ so data integrity and capture would be most comprehensive and useful if all staff following PSPF Core Requirements had direct access to reporting through the agency security portal or Intranet.

Standard security breach and incident datasets can be aggregated for flexible analysis and benchmarking, also simplifying periodic reporting to AGD and improving the capacity to visualise security risks across various agencies, functions and sites.

Broadly accessible (to Government) and curated security risk, incident, breach, vulnerability, threat and similar information and intelligence would support improved protective security strategy across government through qualitative and quantitative analysis.

Quality Security Information

Better information on the total costs of incidents would also reduce the protective security reporting governance burden, allowing more sophisticated automated systems and approaches such as the cost of loss equation, below, modified from the ASIS International Protection of Assets Manual – Security Management.

The equation is based on the worst case probable maximum loss which can result from a single security breach, incident, or risk event, expressed as:

K = Cp + Ct + Cr + Ci – I, where:

• K = criticality of the asset, total cost of loss
• Cp = cost of permanent replacement
• Ct = cost of temporary substitute
• Cr = total related costs
• Ci = lost income cost
• I = available insurance or indemnity.

The equation demonstrates that loss or damage resulting from security incidents does not merely involve the actual value of the asset, and loss assessment based solely on asset value will understate the total cost of the incident. The total cost of failing to implement effective security countermeasures is significant when viewed this way.

Better Data = Better Security Decisions

Existing PSPF Business Impact Levels (consequences of security breaches, incidents, risk events, realised threats) are useful, although there is some evidence throughout government of what may be excessive concern over reputational, public goodwill and adverse media coverage risk, and rare yet high impact events such as terrorist attack. This creates another risk: when the more routine elements of sound security management are not given sustained attention.

A standard online platform for Australian Government security breach and incident datasets, with effective recording, reporting and analysis, would provide benefits including:

• Real time capture of security incidents (and workplace violence/health and safety, cybersecurity, enterprise risk management).
• Improved incident and threat awareness.
• Timely monitoring and response.
• High quality reliable knowledge informing the essential threshold risk, asset and capability protection issues arising at every site and for every function, listed below:
• What mission critical and other valuable assets do we have (personnel, information, equipment, reputation, operational service delivery capacity)?
• What are our threat sources and who are our adversaries?
• What is the intent, capability, and motivation of our adversaries?
• How could they compromise, damage, harm or otherwise disrupt our operations?
• How can we most effectively and cost-effectively deter, detect, delay, assess, respond and evaluate security breaches, incidents and risk events to ensure continued protection of assets, and operation without disruption?

Security Advisory Capability

An additional option to improve whole of government protective security effectiveness and reduce self-reporting security optimism risk bias identified by the ANAO would be to establish a team of advisers within AGD (suggested title “Security Advisory Unit” or SAU).

This capacity would supplement current PSPF and related guidance from AGD, ASIO Outreach and through the GovDex agency security network.

The SAU role could include practical advice on PSPF implementation and compliance, staffed with a core of AGD security practitioners, interchange rotations by agency security officers from various agencies including ASIO-T4, and/or through a panel of suitably qualified and PSPF/Australian Government experienced security consultants (similar to the SCEC Endorsed Security Zone Consultant scheme).

The SAU could be responsible for protective security audit, assurance assistance and verification including:

• Informing and updating agencies on PSPF Core Requirements and wider protective security better practices (audits, training, investigations, policies and procedures, security project management, security system design and integration etc.);
• Analysing security breach and incident data, for liaison with agencies, advice on countermeasures, and reporting to AGD executive management;
• Improving templates and instructions for self-assessment, accreditation and certification of agency sites and internal secure zone compartments;
• Revising PSPF guidance to reflect trends and developments identified from line and central agency security governance and incident reporting;
• Conducting periodic visits and inspections, on request by agencies, and under a periodic advisory program at prescribed PSPF intervals;
• Identifying divergent and non-compliant security practices to prevent them becoming entrenched; and,
• Detecting and assisting rectification of security ‘decay’ (complacency and failure to remain current, also apparent when security equipment fails).

The SAU concept would support existing networking arrangements for sharing security expertise with agency security staff, offering prompt practical advice and solutions, exposing government security practitioners to other agencies, security environments, and risk mitigation strategies.

The SAU could have a unifying role, bridging the gap between policy and practical implementation, comparable to that of the AGD Protective Security Training Centre, which successfully delivered consistent credible indoctrination for decades until closed in July 2017.

In 2008 the author introduced a similar concept and advisory team as one element of modernising protective security for a foreign Commonwealth government. The Senior Director (Protective Security Unit) confirmed in February 2022 the unit continues to operate successfully, transferring skills to line department and agency security and other staff, and maintaining consistent protective security standards across various functions, locations and operations.

Summary

The ANAO Security Performance Audit 27 is a timely update on the Australian Government PSPF, reinforcing the unique status of the Auditor-General as an officer reporting direct to Parliament on improving public sector administration and accountability.

Agencies committed to effective public administration and accountability should welcome ANAO attention as an independent objective assessment of management and program performance, and value for money in expending public funds. ANAO findings should attract the gravitas and priority they merit and require.

Performance auditing is rather a dry and technical discipline, but it is a corporate necessity, like security risk analysis and management, to continue business and deliver operational objectives without disruption, efficiently, cost effectively, in accordance with the law and the highest ethical standards.

This most recent instructive, astute and measured ANAO Security Performance Audit is a timely reminder of the wide public audit remit, and the next audit of protective security would be even more effective by including recommendations for consistent breach and incident data capture, reporting and analysis, and the security advisory and assurance unit concept.

Mark Jarratt, CPP

Director (Southern Region) | SCEC Security Zone Consultant

Mark Jarratt was Senior Inspector (Internal Audit) in the Australian Customs Service, among various other operational and management positions. He also completed the demanding government financial statement audit training course with ANAO auditors/graduate accountants.