Demystifying SCEC – SCEC is an acronym for the Australian Government’s ‘Security Construction and Equipment Committee’ (www.scec.gov.au). Compliance with SCEC requirements is often sought in requests for quotes and tenders issued by the Australian Government, and suppliers to government who are required to comply with official security policy and standards.

SCEC is a standing interdepartmental committee, chaired by the Australian Security Intelligence Organisation (ASIO).

The T4 branch of ASIO provides secretariat support for SCEC, runs the testing evaluation program of security equipment deemed suitable for use by agencies and sponsored providers to government, and accredits private sector advisers and services including SCEC Security Zone consultants, locksmiths, couriers, and classified waste destruction facilities (see https://www.asio.gov.au/asio-t4-protective-security.html).

ASIO-T4 prescribes detailed physical, electronic, administrative and related security requirements for Australian Government zones and secure areas on behalf of SCEC.

Demystifying SCEC secure zones

Australian Government secure zones include Zone 1 (unrestricted public access) through to Zone 5 (containing the most highly classified national security assets).

The minimum standard for Australian Government sites is Zone 2 (formerly known as Intruder Resistant Area), and protective security requirements become significantly more stringent for higher security zones.

Essential minimum Zone 2 features include, but are not limited to:

• unrestricted employee and contractor access, with restricted public access;
• appropriately secured points of entry and other ‘penetrations’;
• tamper-evident barriers, resistant to surreptitious and covert entry; and
• commercial grade (or Security Level 1 or 2) security equipment, as rated in the ASIO-T4 SEEPL (Security Equipment Evaluated Product List).

Zone 5 access is limited to trusted security cleared personnel with a demonstrated business need for entry. Such zones include various physical, administrative, personnel and protective information security risk treatments, including high standards of forcible and covert intrusion resistance and ASIO-T4 tested and endorsed Type 1A security alarm systems (i.e. Gallagher or Honeywell).

AS/NZS2201 Class 5 compliant commercial grade security alarm systems may be used in Zone 3 areas for protection of assets classified up to and including SECRET (extreme business impact) when installed and commissioned to Type 1A standards.

Security risks and countermeasures

Zone requirements are based upon the site or facility security risk assessment, conducted in accordance with standards such as ISO 31000 – Risk management and Handbook 167:2006 – Security risk management; both are mandatory under Australian Government policy.

Security risk assessors should address relevant issues including the location, functions, operational objectives and context of the site or facility, and the classification/ value of assets.

Assessments should incorporate the intent and capability of plausible/credible adversaries or threat actors, such as insiders, serious and organised criminals, foreign intelligence services and others. They should also identify controls that currently serve to protect assets, and their present level of effectiveness in doing so.

The type and extent of protective security countermeasure requirements for each site, facility or zone are dictated by the nature, type and value of the official, sensitive and/or classified information or tangible assets proposed to be held therein.

Secure zones for conducting classified and sensitive discussions are also obliged to meet prescribed standards for acoustic attenuation privacy and protection, including audio testing and technical surveillance (“bugging”) countermeasures.

ASIO-T4 Technical Notes and supporting information such as Protective Security Circulars (PSCs), Security Equipment Guides (SEGs) and the SEEPL must be closely followed to ensure zone compliance.

If the zone does not comply with all mandatory protective security requirements, approval to use the facility or area will not be granted.

Demystifying SCEC zone accreditation and certification

Sites and facilities used for sensitive, official, classified and valuable information and tangible assets must be accredited and certified to Australian Government standards, upon proving compliance with the controlled access and asset protection concepts set out in detailed guidance including ASIO-T4 Technical Notes.

Consistent with Australian Government protective security policy, led by the Attorney-General’s Department, T4 is the sole authority for certifying physical security compliance of controlled zones containing official information and tangible assets where compromise, loss of integrity or unavailability would have catastrophic consequences (business impact), and of Australian Signals Directorate (ASD) Certified Gateway ICT Service Providers (e.g. Telstra).

Agency Security Advisers (ASAs) have the authority to certify and accredit all zones up to and including Zone 4. ASIO-T4 must first certify Zone 5 areas, before accreditation can be granted by an ASA or their delegate.

Formal approval will only be granted when a site is assessed as fully compliant, and security systems provide a stable and reliable integrated controlled access platform for official asset protection in the relevant secure zone, area, facility or compartment.

SCEC security zone consultants

Demystifying SCEC security zone consultants – such professionals are trained and authorised by ASIO-T4 to advise agencies and sponsored suppliers to government on achieving compliance with the mandated secure area requirements, including the design of zone countermeasures in the protection of assets.

Only SCEC security zone consultants are formally endorsed to provide physical security advice on the:

• design, acceptance testing and commissioning of Type 1A Security Alarm Systems; and,
• design and construction of security zones as defined in the Australian Government Protective Security Policy Framework (PSPF) and ASIO-T4 Technical Notes.

SCEC security zone consultants design and commission security alarm systems and provide advice on related measures, such as wall construction, mechanical and electromechanical locking and electronic security management platforms.

Australian Government policy requires that a SCEC security zone consultant must be engaged when commissioning new installations, or for extensions involving five or more new monitored points of a Type 1A security alarm system.

SCEC security zone consultants must hold a minimum national security clearance at Negative Vetting Level 1 (NV1), which permits (need-to-know) access to information up to and including SECRET.

SCEC security zone consultants are revalidated by ASIO-T4 at least every five years and undertake ongoing competency assessments.  They must declare no conflicts of interest, accept the obligation to always act in the interests of clients, show integrity, reliability, be a fit and proper person and formally accept in writing to be bound by the SCEC Code of Conduct.

SCEC consultants are also required to hold a relevant State or Territory security licence(s) for the type of work performed and comply with obligations under the Crimes Act 1914 (Cth) to protect official information.

SCEC consultants provide specialised advice and design services in support of agencies, providing compliant cost-effective security solutions by acting in the interests of the client, reducing exposure to defects and assisting to ensure the site or facility readily qualifies for certification and accreditation with the least cost and delay.

I trust this helps in demystifying SCEC for those new to the term and government program. If not, or if your organisation requires SCEC support, feel free to contact Industry Risk to discuss the program and any specific requirements that you have.

Mark Jarratt, CPP
Director (Southern Region) | SCEC Consultant

Mark Jarratt is Industry Risk’s Director (Southern Region), a SCEC security zone consultant and licensed security consultant (ACT, NSW, VIC). He qualified for the global ASIS International Certified Protection Professional designation in 1999. He was formerly Chief of Security (agency security adviser), Australian Customs, and has worked as a licensed security consultant and risk analyst for consulting engineering and management advisory firms since 2001.