PSPF Maturity Assessment Template and Calculator 0

Select classification
2018-19 PSPF assessment report
<Entity name>
Security maturity assessment
The overall maturity level summarises the maturity of the entity’s security capability and performance across the four security
outcomes (governance, information, personnel and physical) and sixteen core requirements. It provides an assessment of the
entity's overall security position within its specific risk environment and risk tolerances.
Overall maturity level

This text box will be populated based on your answers at the module level.
Summary of risk environment and security capability

You are required to provide details on the entity’s risk environment and the maturity of its security capability. Security capability
maturity refers to an entity's security position in relation to its specific risk environment and risk tolerances. Your summary should
consider how holistically and effectively the entity:
- implements and meets the intent of the PSPF core and supporting requirements
- minimises harm to the government's people information and assets
- fosters a positive security culture
- responds to, and learns from security incidents
- understands and manages security risks
- achieves security outcomes while delivering on their business objectives.
Enter text here

Security outcomes
Governance outcome maturity level
Information security maturity level

Personnel security maturity level

Physical security maturity level

Key risks to entity’s people, information and assets

Key risks to entity’s people, information and assets
You are required to provide details about the key risks to the entity's people, information and assets (AGD recommends listing the
top 3-5 risks). You are also required to detail the measures or strategies to mitigate the identified risks. Key risks may include:
- risks identified under any of the reporting modules
- systemic or emerging risks
- significant risks not sufficiently mitigated
- significant risks that have insufficient protective security policy coverage.
Enter text here
Personnel security clearance waivers

PSPF Policy 5: Reporting on Security and Policy 12: Eligibility and suitability of personnel require entities to report where the
accountable authority has waived the citizenship or checkable background requirements for any security clearances sponsored by
the entity.
Baseline NV1 NV2 PV

New Active New Active New Active New Active
Citizenship
waivers 0 0 0 0 0 0 0 0
Uncheckable
background
waivers
0 0 0 0 0 0 0 0
Exceptional circumstances and key security incidents

Exceptional circumstances (if applicable)
Examples of exceptional circumstances include natural disasters and emergency situations. Exceptional circumstances are
not routine in nature or enduring.
Enter details in Module 1
Summary of significant security incidents during the reporting period

You are required to provide the following information on significant security incidents that occurred during the reporting
period:
- Date of incident
- Type of security incident
- Has the incident been reported to the Attorney General’s Department?
- Has the incident been resolved?
A significant security incident is a deliberate, negligent or reckless action that leads, or could lead, to the loss, damage,
compromise, corruption or disclosure of official resources.
Enter text here

PSPF Reporting - manual completion
Maturity calculator
Suggested Selected maturity
Partial Substantial Full Excelled N/A maturity rating rating
Module 1: Role of accountable authority 0 0 0 0 0 Go to Module 1
Module 2: Management structures and responsibilities 0 0 0 0 0 Go to Module 2
Module 3: Security planning and risk management 0 0 0 0 0 Go to Module 3
Module 4: Security maturity monitoring 0 0 0 0 0 Go to Module 4
Module 5: Reporting on security 0 0 0 0 0 Go to Module 5
Module 6: Security governance for contracted goods and service providers 0 0 0 0 0 Go to Module 6
Module 7: Security governance for international sharing 0 0 0 0 0 Go to Module 7
Module 8: Sensitive and classified information 0 0 0 0 0 Go to Module 8
Module 9: Access to information 0 0 0 0 0 Go to Module 9
Module 10: Safeguarding information from cyber threats 0 0 0 0 0 Go to Module 10
Module 11: Robust ICT systems 0 0 0 0 0 Go to Module 11
Module 12: Eligibility and suitability of personnel 0 0 0 0 0 Go to Module 12
Module 13: Ongoing assessment of personnel 0 0 0 0 0 Go to Module 13
Module 14: Separating personnel 0 0 0 0 0 Go to Module 14
Module 15: Physical security for entity resources 0 0 0 0 0 Go to Module 15
Module 16: Entity facilities 0 0 0 0 0 Go to Module 16
Ad hoc Developing Managing Embedded

Overall security maturity 0 0 0 0 0
Governance outcome 0 0 0 0 0
Information security outcome 0 0 0 0
Personnel security outcome 0 0 0 0
Physical security outcome 0 0 0 0
1 Select classification
Module 1: Role of accountable authority
STEP 1: Maturity questions
Select response
Maturity questions from drop down list
1 The accountable authority has determined the -
entity's tolerance for and management of security
risks (as documented in the entity security plan).
2 The accountable authority considered the -

implications the entity's risk management decisions
have for other entities and shared information
where appropriate (as documented in the entity
security plan).
3 For lead security entities, the entity, on behalf of -

the accountable authority, provided other entities
with advice, guidance and services related to
government security to help other entities achieve
and maintain an acceptable level of security.
4 For lead security entities, responsibilities and -

accountabilities for partnerships or security
arrangements with other entities have been
established and documented.
5 Any decision to vary the application of a PSPF -

requirement was made: by the accountable
authority; in exceptional circumstances; for a
limited period of time; and consistent with the
entity's risk tolerance.
Exceptional circumstances
You are required to record any exceptional circumstances that resulted in the Accountable Authority varying the application of
the PSPF for a limited period of time. You are also required to detail the remedial action taken to reduce risk to the entity. If
there were no exceptional circumstances, enter ‘Not applicable’.
Examples of exceptional circumstances include natural disasters and emergency situations. Exceptional circumstances are not
routine in nature or enduring.
Enter details of exceptional circumstances here.

Module 1: Role of accountable authority
STEP 2: Maturity assessment
5
0
Partial Substantial Full Excelled N/A
Suggested maturity level (based on average response)

Selected maturity level (entity assessment) Maturity - select from drop down list
Maturity levels
Ad hoc - The accountable authority is partially aware of protective security requirements across the entity. Partial
understanding, assessment and management of security risks to the entity's people, information and assets. Security is dealt
with in an ad hoc manner.
Developing - The accountable authority substantially applies protective security requirements across the entity. Security risks
and risk tolerances are identified and are substantially managed, monitored or reassessed on a regular basis. Security risk
decisions and shared risks that affect other entities are substantially managed and communicated to affected entities.
Managing - The accountable authority consistently applies protective security policy across the entity, determines the entity's
tolerance for security risks, promotes sound risk management processes and ensures appropriate governance arrangements
are in place to protect the entity's people, information and assets. In medium to large entities, the management committee
oversees and reviews risk profile and ensures underpinning procedures are consistent and adaptable to changes in the risk
environment. Security risk decisions and shared risks that affect other entities are understood and communicated in a timely
manner.
Embedded - The accountable authority has an integrated, continuous-improvement approach to security management across
the entity. Security risk management is a significant priority for the entity and is identified and aligned to business objectives.
The entity identifies and operates within agreed and defendable risk tolerances that actively inform business decisions. Formal
risk management processes and initiatives to connect security risk management and operations are in place. The entity
promotes inter-entity collaboration to improve management of security risk decisions and shared risks that affect other
entities. Where appropriate, the entity provides best-practice advice to other entities in its area of expertise.
Rationale
You are required to provide:
- a rationale for your selected maturity rating, including justification for any change (either up or down) from the suggested
maturity level
- reference to supporting evidence, if applicable, such as the entity’s security plan or relevant entity documentation and
processes, to substantiate your selected maturity rating.
Enter text here

Strategies and timeframes
If the maturity level is ad hoc or developing, you are required to detail:
- proposed future activities and timeframes to improve maturity and address identified risks
- any actions, measures or tools currently in place to mitigate the risk.
Enter text here

Module 2: Management structures and responsibilities
Select response
1 The accountable authority has appointed a Chief -
Security Officer (CSO) at the Senior Executive
Service level who is responsible for and empowered
to make decisions about the security of the entity's
people, information (including ICT) and assets.
2 The entity's procedures are documented and -

implemented to ensure: the elements of the
entity's security plan are achieved; security
incidents are investigated, responded to, and
reported; and relevant security policy or legislative
obligations are met.
3 Significant security incidents have been reported to -

the relevant authority or affected entity.
4 Entity personnel, including contractors, have -

undertaken security awareness training during the
reporting period and have been provided sufficient
information and training to support their awareness
of the collective responsibility to foster a positive
security culture.
5 Personnel in specialist and high-risk positions -

(including contractors and security incident
investigators) have been provided with security
awareness training targeted to the scope and
nature of their positions.
6 A monitored email address has been established -

and maintained as the central conduit for all
security-related matters across governance,
personnel, information (including ICT) and physical
security.
Module 2: Management structures and responsibilities
6
0

Maturity levels
Ad hoc - Security management structures are partially in place. Responsibility for designated security roles, protective security
planning and management of security practices is ad hoc. Incident reporting is by exception with partial staff awareness of
obligations. Incident response processes are informal and not centrally managed. Security is partially prioritised by leadership
with partial employee and contractor awareness.
Developing - The Chief Security Officer (CSO) is appointed and key security responsibilities are substantially assigned. Security
risk and incident reporting is occurring across the entity and response processes are centrally managed in the majority of
cases. The importance of security and developing a strong security culture is substantially recognised by leadership. The
majority of personnel attend periodic security awareness and skills development training.
Managing - Role of CSO is empowered to investigate, respond to and report on security incidents. Clearly defined security roles
and responsibilities exist with skilled personnel appointed by the CSO and empowered to make security decisions for their
entity. A governance oversight function is established (where appropriate to entity size). Entity's cycle of action, evaluation
and learning is evident in response to security incidents. Personnel are knowledgeable of security incident reporting
obligations with reporting processes published and accessible. Security is integral to the entity's business and informs decision-
making. Leadership is actively engaged and visibly prioritises good security practices with a strong security culture evident
within the entity. Personnel's attendance and understanding of regular education programs that inform and assist their
understanding of security-related processes and obligations is monitored.
Embedded - Role of CSO is highly visible and central to delivering on entity's strategic business priorities and objectives. A
security governance oversight function is operational. Security is fully integrated into entity operations, actively managed,
monitored and drives improvements. Security procedures and practices are robust and of proven effectiveness. CSO ensures
personnel resources are deployed to support the maintenance of effective protective security; appointing skilled personnel
according to business needs. Comprehensive approach to managing security incidents including investigating to determine
root causes and inform security improvements and education programs. All personnel are trained annually on security policy
and procedures, and take responsibility for implementation within their area of responsibility. Security culture is underpinned
by continuous improvements and education programs. Security culture is underpinned by continuous improvement and
accountability.
Rationale
maturity level
Enter text here

Enter text here

Module 3: Security planning and risk management
Select response
1 The accountable authority has approved the -
entity's plan to manage security risks (the security
plan).
2 The security plan has been reviewed at least once -

within the last two years to ensure the existing
measures and mitigation controls remain adequate
and to respond to and manage significant shifts in
the entity's risk, threat and operating environment.
3 The entity has identified resources that are critical -

to the ongoing operation of the entity and the
national interest, and applied appropriate
protections to these resources to support their core
business.
4 The entity has identified a risk steward (or -

manager) responsible for each security risk or
category of security risk, including shared risks.
5 The entity has communicated identified risks that -

could potentially impact on the business of another
Commonwealth entity to the relevant entity.
6 The security plan has scalable measures to meet -

variations in threat levels and accommodate
changes in the National Terrorism Threat level.
7 The entity has documented decisions to implement -

alternative mitigation measures or controls to a
PSPF requirement and adjusted the maturity level
for the related PSPF requirement.
Module 3: Security planning and risk management
7
0

Maturity levels
Ad hoc - The accountable authority is partially aware of protective security requirements across the entity. Partial
understanding, assessment and management of security risks to the entity's people, information and assets. Security is dealt
with in an ad hoc manner.
Developing - The accountable authority substantially applies protective security requirements across the entity. Security risks
and risk tolerances are identified and are substantially managed, monitored or reassessed on a regular basis. Security risk
decisions and shared risks that affect other entities are substantially managed and communicated to affected entities.
Managing - The accountable authority consistently applies protective security policy across the entity, determines the entity's
tolerance for security risks, promotes sound risk management processes and ensures appropriate governance arrangements
are in place to protect the entity's people, information and assets. In medium to large entities, the management committee
oversees and reviews risk profile and ensures underpinning procedures are consistent and adaptable to changes in the risk
environment. Security risk decisions and shared risks that affect other entities are understood and communicated in a timely
manner.
Embedded - The accountable authority has an integrated, continuous-improvement approach to security management across
the entity. Security risk management is a significant priority for the entity and is identified and aligned to business objectives.
The entity identifies and operates within agreed and defendable risk tolerances that actively inform business decisions. Formal
risk management processes and initiatives to connect security risk management and operations are in place. The entity
promotes inter-entity collaboration to improve management of security risk decisions and shared risks that affect other
entities. Where appropriate, the entity provides best-practice advice to other entities in its area of expertise.
Rationale
maturity level
Enter text here

Enter text here

Module 4: Security maturity monitoring
Select response
1 The entity has monitored and assessed the maturity -
of its security capability and risk culture by
considering its progress against the goals and
strategic objectives identified in the security plan.
2 The entity has documented and evidenced its -

assessment of maturity of the entity's security
capability and risk culture against a set of indicators
identified in the entity security plan.
Module 4: Security maturity monitoring
2
0

Maturity levels
Ad hoc - The entity partially monitors maturity performance of its security capability and risk culture against the goals and
strategic objectives identified in the entity security plan.Security is dealt with in an ad hoc manner.
Developing - Security capability and risk culture is addressed in the security plan. The performance and progress against the
security plan's goals and strategic objectives is substantially monitored regularly.
Managing - Consistent and defined approach to monitoring the entity's security performance which is tailored to the entity's
risk environment. Entity has clearly defined security goals and objectives in the security plan and performance is tracked and
measured to assess security capability and risk culture maturity.
Embedded - The entity actively engages in ongoing monitoring and improvement of security capability and culture through
long-term planning to predict and prepare for security challenges. Performance data is captured analysed and informs
change.
Rationale
maturity level
Enter text here

Enter text here

Module 5: Reporting on security
Select response
1 The entity has fulfilled its reporting obligations to its -
portfolio minister and the Attorney-General's
Department.
2 The entity has reported any unmitigated security -

risks, security incidents or vulnerabilities in PSPF
implementation to affected entities.
3 The entity has fulfilled its reporting obligations to -

the Australian Signals Directorate.
Module 5: Reporting on security
3
0

Maturity levels
Ad hoc - The entity has partially met external reporting obligations to its portfolio minister, AGD and other affected entities.
Reporting on the entity's achievement of security outcomes, implementation of core requirements, maturity of security
capability, key risks to the entity's people, information and personnel and mitigation strategies is partial and ad hoc.
Developing - The entity substantially meets external reporting obligations to the portfolio minister, AGD and other affected
entities. The entity's achievement of security outcomes, implementation of core requirements, maturity of security capability,
key risks to an entity's people, information and personnel and mitigation strategies is substantially captured in the annual
report.
Managing - The entity meets all external reporting obligations within required timeframes to portfolio minister, AGD and
other affected entities through comprehensive reporting on achievement of security outcomes, implementation of core
requirements, maturity of security capability, key risks to an entity's people, information and personnel and mitigation
strategies. Key findings and trends are shared within the entity.
Embedded - The entity excels in meeting reporting obligations and uses annual reporting to drive improvements, strengthen
security culture and inform future planning.
Rationale
maturity level
Enter text here

Enter text here
Module 6: Security governance for contracted goods and service providers
Select response
1 When procuring goods and services, the entity -
identified and documented specific security risks to
its people, information and assets, and mitigations
for identified risks.
2 In contracts for goods and services, the entity -

included proportionate and relevant security terms
and conditions.
3 The entity implemented contract management -

practices to ensure that security controls included
in the contract are implemented, operated and
maintained by the contracted provider and
associated subcontractors.
4 The implemented contract management practices -

manage any changes to the provision of goods or
services, and reassess security risks.
5 The entity implemented appropriate security -

arrangements for the completion or termination of
each contract.
Module 6: Security governance for contracted goods and service providers
5
0

Maturity levels
Ad hoc - Protective security provisions are partially included in goods and service provider contracts. Entity partially monitors
service providers' adherence to contract provisions.
Developing - Appropriate security obligation clauses are included in the majority of goods and service provider contracts.
Entity substantially applies processes to monitor service providers' adherence to contract provisions.
Managing - Provider contracts contain explicit provisions to ensure implementation of relevant protective security
requirements. The entity uses processes to monitor service providers' adherence to contract provisions and security
obligations.
Embedded - The entity excels actively monitors and audits service provider capability to fully implement contractual
protective security requirements. Where appropriate, the entity supports contractors to achieve security outcomes.
Rationale
maturity level
Enter text here

Enter text here

Module 7: Security governance for international sharing
This module is only required if your entity shares sensitive or security classified Australian Government information with one
or more foreign entities. A foreign entity includes both foreign governments and foreign contractors.
If this module is not applicable for your entity, select 'not applicable' from
the drop down box on the right Select

Select response
1 The entity adhered to any provisions concerning the -
security of people, information and assets
contained in international agreements and
arrangements to which Australia is a party.
2 Before sharing sensitive or security classified -

Australian Government information or assets with a
foreign entity, the entity ensured there was an
explicit legislative provision, an international
agreement or an international arrangement in place
for its protection.
3 The entity has protected sensitive or security -

classified information or assets provided by a
foreign entity under an international agreement or
international arrangement in accordance with the
relevant agreement or arrangement.
Module 7: Security governance for international sharing
3
0

Maturity levels
Ad hoc - The entity has access to foreign government information and assets and partially understands and implements
handling and protection requirements agreed in international agreements and arrangements to which Australia is a party.
Developing - The entity has access to foreign government information and assets. There is substantial awareness through
training and accessibility of applicable agreements, of the level of handling protection requirements agreed in international
agreements and arrangements to which Australia is a party.
Managing - The entity has access to foreign government information and assets and consistently applies handling protection
requirements agreed in international agreements and arrangements to which Australia is a party. Alternatively the entity is
confident it does not access any information or assets that would be governed by international agreements or arrangements
to which Australia is a party.
Embedded - Where an entity has access to foreign government information and assets, it actively implements handling
requirements agreed in international agreements and arrangements to which Australia is a party - and these are consistently
applied. The entity proactively contributes to, and identifies opportunities to evolve multilateral, bilateral agreements and
arrangements to which Australia is a party on sharing and protection of information and assets.
Rationale
maturity level
Enter text here

Enter text here

Module 8: Sensitive and classified information
Select response
1 The entity has identified its information asset -
holdings and has implemented proportionate
controls to protect the information.
2 Information generated by the entity has been -

assessed to determine the potential damage that
would arise if the information's confidentiality was
compromised.
3 The entity's systems, processes and procedures -

allow information, including emails to be
protectively marked if appropriate.
4 Information that has been assessed as sensitive or -

security classified is protectively marked at the
lowest reasonable level.
5 Caveat material has been marked in accordance -

with the caveat guidelines.
6 Accountable material has appropriate controls -

applied, including auditable records of transfer,
copy or movements.
7 The entity has not allowed the removal of, or -

change to, information's classification without the
originator's approval.
8 The entity has met the minimum requirements for -

transfer and transmission of sensitive and security
classified information.
9 The entity has met the minimum requirements for -

use and storage of sensitive and security classified
information.
10 The entity has securely disposed of sensitive and -

classified information, as required.
Module 8: Sensitive and classified information

10
9
8
7
6
5
4
3
2
1
0

Maturity levels
Ad hoc - The entity has a partial understanding of its information asset holdings. Procedures and operational controls to
protect official government information assets proportional to their value, importance and sensitivity are ad hoc.
Developing - The entity knows the value of its information asset holdings and has established operational controls to ensure
official government information is managed in accordance with minimum protections identified in the PSPF policy: Sensitive
and classified information, proportional to their value, importance and sensitivity. The entity monitors and controls classified
information holdings within the context of its risk environment.
Managing - The entity know the value of its information asset holdings and operational controls are in place to ensure official
government information asset holdings are consistently handled in accordance with minimum protections identified in the
PSPF policy: Sensitive and classified information, proportional to their value, importance and sensitivity.
Embedded - The entity culture actively supports the consistent and appropriate handling of official government information
asset holdings in accordance with minimum [protections identified in the PSPF policy: Sensitive and classified information. In a
heightened risk environment, the entity closely monitors and controls classified information asset holdings.
Rationale
maturity level
Enter text here

Enter text here
Module 9: Access to information
Select response
1 The entity had an agreement or arrangement, such -
as a contract or deed, in place before sharing
sensitive or security classified resources with a
person or organisation outside of government.
2 The entity limited access to sensitive and security -

classified resources to people with a need-to-know.
3 The entity limited ongoing access to security -

classified resources to people with an appropriate
security clearance.
4 The entity only provided access to caveated -

information to people who met the conditions
imposed by the originator and caveat owner.
5 The entity only provided temporary access to -

security classified resources after conducting a risk
assessment.
6 The entity only allowed temporary access for a -

limited duration and under supervision.
7 Temporary access to TOP SECRET information was -

only provided to persons with an existing NV1
security clearance.
8 No temporary access was provided to caveated -

information.
9 The entity has applied the Australian Government -

Recordkeeping Metadata Standard properties to
information systems holding sensitive or security
classified information.
10 The entity has implemented unique user -

identification, authentication and authorisation
practices on each occasion where system access is
granted.
Module 9: Access to information

10
9
8
7
6
5
4
3
2
1
0

Maturity levels
Ad hoc - Information access controls and security procedures are partially in place. Standards on information sharing, access
to sensitive and security classified information and controlling access to supporting ICT systems and data holdings are partially
applied.
Developing - Processes are substantially in place to enable appropriate sharing of information with relevant stakeholders who
have a need-to-know and are appropriately security cleared. Access controls are substantially implemented to limit
unauthorised access to supporting ICT systems and data holdings in accordance with the Information access controls
standards.
Managing - Information holdings are accessed and shared with appropriately security cleared personnel who have a need-to-
know. Access controls support the integrity of ICT systems and data holdings.
Embedded - The entity proactively refines and reinforces information management processes and access controls to ensure
protection of information and currency of systems to protect against emerging threats and issues. Information is shared with
appropriately security cleared personnel who have a need-to-know. Systems are in place to detect, monitor and respond to
irregular access to information or systems in real-time.
Rationale
maturity level
Enter text here

Enter text here

Module 10: Safeguarding information from cyber threats
Select response
1 The entity implemented 'application whitelisting' in -
accordance with the Australian Government
Information Security Manual (ISM) Strategies to
Mitigate Cyber Security Incidents.
2 The entity implemented 'patching applications' in -

3 The entity implemented 'restricting administrative -

privileges' in accordance with the Australian
Government Information Security Manual (ISM)
Strategies to Mitigate Cyber Security Incidents.
4 The entity implemented 'patching operating -

systems' in accordance with the Australian
5 The entity implemented 'office macros' in -

6 The entity implemented 'harden user applications' -

in accordance with the Australian Government
7 The entity implemented 'multi-factor -

authentication' in accordance with the Australian
8 The entity implemented 'backup daily' in -

9 The entity had measures in place to reduce the risk -

of harm to the public when transacting online with
the entity.
Module 10: Safeguarding information from cyber threats
9
8
7
6
5
4
3
2
1
0
Note: Questions 5 to 8 are not included in the maturity calculation - only the Top 4 are mandated by the PSPF

Maturity levels
Ad hoc - Partial implementation of Top 4 strategies to mitigate targeted cyber intrusions. Reactive approach to emerging
cyber intrusions and threats.
Developing - The entity has implemented the majority of the Top 4 strategies to mitigate targeted cyber intrusions and has
developed a substantial understanding of emerging cyber intrusions and threat.
Managing - All Top 4 strategies to mitigate targeted cyber intrusions have been fully implemented with ongoing monitoring of
performance. Entity's procedures and systems are sufficient to mitigate known cyber intrusions and emerging threats.
Embedded - The entity has fully implemented the Essential Eight, and other activities relevant to the entity's risk environment,
to protect against harm from identified cyber threats. Processes are regularly tested to ensure real-time response to potential
cyber intrusions and emerging threats.
Rationale
maturity level
Enter text here

Enter text here
Module 11: Robust ICT systems
Select response
1 During the reporting period, the entity addressed -
security in the early phases of the development life
cycle of new ICT systems.
2 Before processing, storing or communicating -

sensitive or classified information on an entity ICT
system, the entity recognised and accepted the
residual security risks to the system and
information in accordance with the Australian
Government Information Security Manual.
3 Entity ICT systems (including software) incorporate -

processes for audit trails and activity logging in
applications.
4 The entity's internet connection services for their -

ICT systems are securely managed and have been
obtained through a secure gateway meeting
Australian Signals Directorate requirements for
managing security risks.
Module 11: Robust ICT systems
4
0

Maturity levels
Ad hoc - Partial security measures in place for ICT system development. Management of ICT systems certification and
accreditation is ad hoc and partially in accordance with relevant Information Security Manual (ISM) technical standards when
operationalised.
Developing - Security measures are substantially in place for ICT system development. Certification and accreditation of ICT
systems in accordance with ISM technical standards is, in the majority of cases, managed when operationalised.
Managing - Security measures are applied during all stages of ICT system development. ICT systems are certified and
accredited in accordance with ISM technical standards when operationalised.
Embedded - ICT security measures, including ICT systems certification and accreditation are in accordance with the ISM
technical standards. The entity excels in proactively exploring opportunities to further improve ICT security posture in response
to ICT security threats.
Rationale
maturity level
Enter text here

Enter text here

Module 12: Eligibility and suitability of personnel
Personnel security waivers - new waivers issued in 2018-19

You are required to provide the number of new security clearance eligibility waivers issued during this reporting period.
New in
Citizenship waivers 2018-19
Baseline
Negative vetting 1
Negative vetting 2
Positive vetting
New in
Background checkability waivers 2018-19
Baseline
Negative vetting 1
Negative vetting 2
Positive vetting
Select response
1 The entity conducted pre-employment/pre- -
engagement screening for personnel.
2 As part of pre-employment/pre-engagement -
screening, the entity used the Document
Verification Service to verify the legitimacy of
identity documents.
screening, the entity confirmed the eligibility of
personnel to work in Australia.
screening, the entity considered the suitability of
personnel to access Australian Government
resources, and obtained their agreement to comply
with the government's policies, standards,
protocols and guidelines that safeguard resources
from harm.
5 The entity has identified and recorded positions -

that require a security clearance and the level of
clearance required.
6 Personnel working in positions identified as -

requiring a security clearance have a valid clearance
issued by an authorised vetting agency or have
approved temporary access.
7 The entity used the Australian Government Security -
Vetting Agency (AGSVA) to conduct security vetting.
8 The entity has only appointed a person who is not -

an Australian citizen to a position identified as
requiring a security clearance if there is an
exceptional business requirement. In such cases,
the accountable authority has considered the
documented outcomes of a risk assessment and
accepted the risk of waiving the citizenship
requirement.
9 The entity has only appointed a person who has an -

uncheckable background to a position identified as
requiring a security clearance if there is an
exceptional business requirement. In such cases,
the accountable authority has considered the
documented outcomes of a risk assessment and
accepted the risk of waiving the checkable
background requirement.
Vetting agency questions

Select 'Not applicable' if the entity is not an authorised vetting agency
10 The vetting agency has only granted security -
clearances if they have been sponsored by an
Australian Government entity or otherwise
authorised by the Australian Government.
11 The vetting agency has obtained informed consent -

from clearance subjects to collect, use and disclose
their personal information for the purposes of
assessing and managing their eligibility and
suitability to hold a security clearance.
12 The vetting agency has only granted security -

clearances after considering the clearance subject’s
integrity in accordance with the Personnel Security
Adjudicative Guidelines, conducting the minimum
personnel security checks for a security clearance,
and resolving any doubt in the national interest.
13 The vetting agency has provided information to the -

sponsoring entity about clearance subjects who
have an uncheckable background. In these cases,
the vetting agency has not granted a security
clearance unless the accountable authority has
waived the checkable background requirement.
14 The vetting agency has provided information to the -
sponsoring entity about security concerns identified
during the vetting or security assessment process
that can be managed through conditions attached
to the security clearance. In these cases, the vetting
agency has not granted a security clearance unless
the accountable authority and the clearance subject
have accepted the clearance conditions.
15 The vetting agency has provided relevant -

information of security concern about clearance
subjects when advising the sponsoring entity of the
outcome of each security vetting process.
16 Without compromising the national interest, the -

vetting agency has applied the rules of procedural
fairness to security clearance decisions that are
adverse to a clearance subject.
17 The vetting agency has determined the skills and -

competencies required for vetting personnel to
perform their role and had appropriate
performance monitoring and management
mechanisms in place to ensure vetting personnel
have and maintain those skills and competencies.
Module 12: Eligibility and suitability of personnel
16
14
12
10
8
6
4
2
0

Maturity levels
Ad hoc - The entity partially has procedures and systems in place to ensure personnel are eligible and suitable to access
Australian Government resources. Pre-employment screening is ad hoc and security vetting standards (where relevant) are
partially followed. Some risks associated with eligibility and suitability of personnel are managed.
Developing - The entity has developed the majority of the entity's procedures and systems to ensure that personnel are
eligible and suitable to access Australian Government resources. Pre-employment screening practices are substantially in
place and security vetting requirements (where relevant) are mostly followed. The entity manages the majority of risks
associated with eligibility waivers and suitability of personnel.
Managing - Procedures and systems are in place to ensure that all personnel are eligible and suitable to access Australian
Government resources. All pre-employment screening and security vetting requirements (where relevant) are followed. These
procedures and systems mitigate risks identified in the entity's personnel security risk assessment.
Embedded - The entity excels in implementing efficient and timely processes to ensure the eligibility and suitability of
personnel to access Australian Government resources. All requirements are followed and the entity has comprehensive
practices in place to proactively manage risks identified in its personnel security risk assessment.
Rationale
maturity level
Enter text here

Enter text here

Module 13: Ongoing assessment of personnel
Personnel security waivers - total active waivers

You are required to provide information on all active security clearance eligibility waivers as at the conclusion of the reporting
period (ie 30 June). This includes ongoing waivers issued in previous reporting periods.
Citizenship waivers Total active

Baseline
Negative vetting 1
Negative vetting 2
Positive vetting
Background checkability waivers Total active
Baseline
Negative vetting 1
Negative vetting 2
Positive vetting
Select response
1 The entity assessed and managed the ongoing -
suitability of its personnel to access Australian
Government resources (including personnel
without a security clearance).
2 The entity shared relevant information of security -

concern about its personnel, where appropriate.
3 The entity conducted an annual security check with -

security cleared personnel.
4 The entity shared information about security -

concerns relating to security cleared personnel with
the authorised vetting agency and other affected
entities as appropriate.
5 The entity monitored compliance with clearance -

maintenance requirements of conditional security
clearances and reported non-compliance to the
authorised vetting agency.
6 The entity reviewed eligibility waivers at least once -

during the reporting period and prior to any
position transfer.
7 The vetting agency shared information about -
security cleared personnel that is of security
concern with the sponsoring entity and other
affected entities as appropriate.
8 The vetting agency assessed and responded to -

information of security concern about security
clearance holders.
9 In cases where concerns were identified, the vetting -

agency reviewed the clearance holder’s suitability
to hold a security clearance.
10 The vetting agency revalidated security clearances -

within the revalidation period.
11 To revalidate security clearances, the vetting -

agency considered the clearance subject’s integrity
in accordance with the Personnel Security
Adjudicative Guidelines, revalidated the minimum
personnel security checks for a security clearance,
and resolved any doubt in the national interest.
Module 13: Ongoing assessment of personnel
11
10
9
8
7
6
5
4
3
2
1
0

Maturity levels
Ad hoc - The entity assesses and partially manages ongoing suitability of all personnel affecting security risk. Information of
security concern for ongoing suitability of personnel is assessed and shared on an ad hoc basis with relevant stakeholders.
Some security clearance maintenance requirements (where relevant) are met.
Developing - The entity has substantially developed its procedures and systems to assess and manage ongoing suitability of
personnel. In the majority of cases, information of security concern for ongoing suitability of personnel is assessed and shared
by the entity with relevant shareholders. Procedures are mostly in place to ensure compliance with security clearance
maintenance requirements (where relevant).
Managing - Procedures and systems are in place to ensure that the ongoing suitability of personnel is assessed and managed
in accordance with the entity's personnel security risk assessment. The entity has established lines of communication and
processes to ensure information of security concern is shared with stakeholders as appropriate. The entity has procedures in
place to ensure compliance with all security clearance maintenance requirements (where relevant).
Embedded - The entity is proactive in assessing and managing the suitability of personnel, including security clearance
maintenance requirements (where relevant), to ensure integrity of the entity's core business. The entity has well established
lines of communication and robust processes to ensure information of security concern for ongoing suitability of personnel is
shared with stakeholders in a timely manner.
Rationale
maturity level
Enter text here

Enter text here

Module 14: Separating personnel
Select response
1 The entity's CSO or a security adviser was made -
aware of proposed cessations of employment
resulting from alleged misconduct or other adverse
reasons prior to separation.
2 Separating personnel who had access to sensitive or -

security classified information were debriefed,
including advising them of their continuing
obligations under the Criminal Code and other
relevant legislation, and the entity obtained the
person's acknowledgement of these obligations.
3 The entity shared relevant security information -

about personnel transferring to another Australian
Government entity with the receiving entity.
4 The entity reported security concerns about -

separating personnel to ASIO.
5 On separation or transfer, the entity removed -

personnel's access to Australian Government
resources, including physical facilities and ICT
systems.
6 The entity undertook a risk assessment to identify -

security implications if it was not possible to
undertake required separation procedures.
7 The entity advised the authorised vetting agency -

about the separation of clearance holders and
provided details of relevant circumstances and
identified security risks.

8 On the advice of sponsoring entities, the vetting -
agency managed and recorded changes in the
security clearance status of separating personnel,
including a change of sponsoring entity.
9 The vetting agency transferred personal security -

files where a clearance subject transferred to an
entity covered by a different authorised vetting
agency, to the extent that their enabling legislation
allows.
Module 14: Separating personnel
9
8
7
6
5
4
3
2
1
0

Maturity levels
Ad hoc - Partial ad hoc processes are in place to ensure that separating personnel have their access to Australian Government
resources withdrawn and are informed of their ongoing security obligations.
Developing - Separating personnel in the majority of cases understand their ongoing security obligations and have their
access to Australian Government resources withdrawn. Systems and processes are substantially developed to verify
consistency of separating personnel practices across the entity.
Managing - The entity has in place systems and processes to ensure that all separating personnel understand their ongoing
security obligations, particularly where they have had access to sensitive and security classified information and resources
during their employment. Separating personnel have their access to Australian Government resources withdrawn within an
appropriate timeframe.
Embedded - The entity has proactively implemented systems and processes that are reviewed regularly for separating
personnel. Access to Australian Government resources is withdrawn from personnel upon separation. The entity ensures
separating personnel are debriefed and provided a comprehensive understanding of their ongoing security obligations.
Information of security concern about separating personnel is shared with relevant stakeholders, including internally, where
appropriate. Risk assessments are undertaken, where appropriate.
Rationale
maturity level
Enter text here

Enter text here

Module 15: Physical security for entity resources
Select response
1 The entity has implemented physical security -
measures that minimise or remove the risk of harm
to people.
2 The entity has put in place physical security -

measures to protect entity resources that are
appropriate and proportionate to the assessed
business impact level of their compromise, loss or
damage.
3 The entity has assessed security risks and selected -

appropriate containers, cabinets, secure rooms and
strong rooms to protect entity information and
assets.
4 The entity has securely disposed of physical assets, -

as required.
Module 15: Physical security for entity resources
4
0

Maturity levels
Ad hoc - The entity partially applies physical security requirements. This increases the risk of resources being made inoperable
or inaccessible or accessed or removed without proper authorisation.
Developing - The entity substantially has in place physical security measures that minimise or remove the risk of resources
being made inoperable, inaccessible, accessed or removed without proper authorisation. The majority of physical security
measures are implemented according to requirements.
Managing - The entity applies physical security measures that minimise or remove the risk of resources being made
inoperable, inaccessible, accessed or removed without proper authorisation in accordance with requirements. Risks to the
compromise of resources are mitigated to a level consistent with entity risk tolerance levels, in accordance with the entity's
security plan.
Embedded - The entity applies physical security measures and better-practice guidance that minimise or remove the risk of
resources being made inoperable, inaccessible, accessed or removed without proper authorisation which improves the
delivery of business. These measures are proportionate to the level of risk and are scalable to changes in the threat
environment.
Rationale
maturity level
Enter text here

Enter text here
Module 16: Entity facilities
Select response
1 If the entity designed or modified facilities during -
the reporting period, protective security was fully
integrated early in the process of planning,
selecting, designing and modifying facilities.
2 If the entity designed or modified facilities during -

the reporting period, restricted access areas were
defined according to the five security zones.
3 Entity facilities that are defined as Zones Two to -

Five have been constructed in accordance with
applicable sections of ASIO Technical Note 1/15 –
Physical Security Zones, and ASIO Technical Note
5/12 – Physical Security Zones (TOP SECRET) areas.
4 Entity facilities have been constructed to protect -

against the highest level of risk in accordance with
the entity's security risk assessment.
5 In areas that store sensitive and security classified -

information, the entity has secured perimeter doors
and hardware with SCEC-approved products rated
to Security Level 3 in Zones Three to Five.
6 The entity has used appropriate sectionalised alarm -

systems or guard patrols for facilities defined as
Zone Three.
7 The entity has used appropriate sectionalised alarm -

systems for facilities defined as Zone Four and Five.
8 Over the reporting period, security alarm systems -

were directly managed and controlled by the entity,
maintained by appropriately cleared contractors,
and monitored and responded to in a timely
manner.
9 Privileged alarm systems operators and users were -

appropriately trained and security cleared.
10 The entity used suitable identity verification and -
access control measures limiting access to Zones
Two to Five to authorised personnel, visitors,
vehicles and equipment.
11 If the entity granted ongoing (or regular) access to -

entity facilities to any person who was not directly
engaged by the entity or covered by the terms of a
contract or agreement, the entity ensured that the
person had the required level of security clearance
and that a business case and risk assessment had
been conducted or reassessed at least once in the
last two years.
12 A technical surveillance countermeasures -

inspection has been completed for facilities where
TOP SECRET discussions are regularly held, or the
compromise of discussions may have a catastrophic
business impact level.
13 The CSO or delegated security adviser certified the -

facility’s Zones One to Four in accordance with the
PSPF and ASIO Technical Notes before they were
used operationally.
14 The CSO or delegated security adviser obtain ASIO- -

T4 physical security certification for security areas
used to handle TOP SECRET sensitive and security
classified information, sensitive compartmented
information (SCI) or aggregated information where
the compromise of confidentiality, loss of integrity
or unavailability of that information may have a
catastrophic business impact level.
15 Before they were used operationally, the CSO or -

delegated security adviser accredited the facility’s
Zones One to Five zones by compiling and reviewing
all applicable certifications and other deliverables
for the zone and determining and accepting the
residual security risks.
16 Before they were used operationally, the CSO or -

delegated security adviser obtained the Australian
Signals Directorate security accreditation for areas
used to secure systems to access TOP SECRET
sensitive compartmented information.
17 Security zones for ICT sensitive and security -

classified information with an extreme business
impact level have been certified and accredited by
the entity.
18 All TOP SECRET information ICT facilities are in -
compartments within an accredited Zone Five area
and comply with Annex A – ASIO Technical Note
5/12 – Compartments within Zone Five areas.
19 Before they were used operationally, the entity -

obtained ASIO-T4 physical security certification for
the outsourced ICT facility to hold information that,
if compromised, would have a catastrophic business
impact level.
Module 16: Entity facilities
18
16
14
12
10
8
6
4
2
0

Maturity levels
Ad hoc - The entity partially considers physical security in the early stages of planning, selecting, designing and modifying
facilities. Facility certification, is partially in accordance with ASIO Technical Notes. Accreditation and documentation of
security zones is ad hoc.
Developing - The entity considers physical security when planning, selecting, designing and modifying facilities in the majority
of cases, with physical security requirements substantially integrated into all facilities. Certification and periodic review of the
majority of facilities is in accordance with ASIO Technical Notes. The majority of security zones are accredited.
Managing - Physical security requirements are integrated into all stages of planning and modifying facilities. Entity facilities
are certified and accredited systematically. Entity facilities are certified in accordance with ASIO Technical Notes and
accredited in accordance with the PSPF with appropriate documentation.
Embedded - Physical security requirements are a key driver for selection, design or modification of entity facilities. The entity
actively ensures certification and accreditation of entity facilities with upgrades implemented as a priority. Certification is in
accordance with ASIO Technical notes and accreditation in accordance with the PSPF.
Rationale
maturity level
Enter text here

Enter text here

PSPF Maturity Assessment Template and Calculator 0

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

PSPF Maturity Assessment Template and Calculator 0

Uploaded by

Copyright:

Available Formats

Select classification

2018-19 PSPF assessment report

Overall maturity level

Summary of risk environment and security capability

Enter text here

Information security maturity level

Personnel security maturity level

Physical security maturity level

Key risks to entity’s people, information and assets

Enter text here

Personnel security clearance waivers

Baseline NV1 NV2 PV

Exceptional circumstances and key security incidents

Enter details in Module 1

Summary of significant security incidents during the reporting period

Enter text here

Ad hoc Developing Managing Embedded

Personnel security outcome 0 0 0 0

Physical security outcome 0 0 0 0

2 The accountable authority considered the -

3 For lead security entities, the entity, on behalf of -

4 For lead security entities, responsibilities and -

5 Any decision to vary the application of a PSPF -

Enter details of exceptional circumstances here.

Suggested maturity level (based on average response)

Enter text here

Enter text here

2 The entity's procedures are documented and -

3 Significant security incidents have been reported to -

4 Entity personnel, including contractors, have -

5 Personnel in specialist and high-risk positions -

6 A monitored email address has been established -

Suggested maturity level (based on average response)

Enter text here

Strategies and timeframes

Enter text here

2 The security plan has been reviewed at least once -

3 The entity has identified resources that are critical -

4 The entity has identified a risk steward (or -

5 The entity has communicated identified risks that -

6 The security plan has scalable measures to meet -

7 The entity has documented decisions to implement -

Suggested maturity level (based on average response)

Enter text here

Enter text here

2 The entity has documented and evidenced its -

Suggested maturity level (based on average response)

Enter text here

Enter text here

2 The entity has reported any unmitigated security -

3 The entity has fulfilled its reporting obligations to -

Suggested maturity level (based on average response)

Enter text here

Enter text here

2 In contracts for goods and services, the entity -

3 The entity implemented contract management -

4 The implemented contract management practices -

5 The entity implemented appropriate security -

Suggested maturity level (based on average response)

Enter text here

Enter text here

STEP 1: Maturity questions