Protective Security Policy Framework
9 Access to information
A. Purpose
1. The policy details security protections supporting entities’ provision of timely, reliable and appropriate
access to official information. Providing access to information helps develop new products and services,
can enhance consumer and business outcomes and assists with decision-making and policy development.
2. Access to government information does not need to be limited for security purposes, except in select
circumstances as identified in the requirements (primarily when sharing sensitive or classified information,
or disclosing information outside government).
B. Requirements
B.1 Core requirement
Each entity must enable appropriate access to official information. This includes:
a. sharing information within the entity, as well as with other relevant stakeholders
b. ensuring that those who access sensitive or security classified information have an
appropriate security clearance and need to know that information, and
c. controlling access to supporting ICT systems, networks (including remote access),
infrastructure and applications.
B.2 Supporting requirements
Supporting requirements for access to information
#
Requirement 1.
Formalised
agreements for
sharing
information and
resources
Requirement 2.
Limiting access
to sensitive and
classified
information and
resources
v2018.12
Supporting requirements
When disclosing sensitive or security classified information or resources to a person or organisation
outside of government, entities must have in place an agreement or arrangement, such as a contract
or deed, governing how the information is used and protected.
To reduce the risk of unauthorised disclosure, entities must ensure access to sensitive and security
classified information or resources is only provided to people with an operational need-to-know.
9 Access to information
1
Protective Security Policy Framework
#
Requirement 3.
Ongoing access
to sensitive or
classified
information and
resources
Supporting requirements
a. Entities must ensure that people requiring ongoing access to sensitive or security classified
information or resources are security cleared to the appropriate level:
Sensitive
information
UNOFFICIAL
OFFICIAL
Security classified information
PROTECTED
SECRET
OFFICIAL:
Sensitive
Personnel
Not
Employment Employment Baseline
Negative
security
applicable.
screening is
screening is
security
Vetting 1
clearance
Security
sufficient,
sufficient,
clearance or security
for
clearance not security
security
above.
clearance
ongoing
required.
clearance not clearance not
or above.
access
required.
required.
Note i
Some Australian office holders are not required to hold a security clearance.
Requirement 4.
Temporary
access to
classified
information and
resources
Requirement 5
Managing
access to
information
systems
TOP SECRET
Negative
Vetting 2
security
clearance or
above.
b. In addition, entities must ensure that people requiring access to caveated information meet all
clearance and suitability requirements imposed by the originator and caveat owner.
Note ii
Access to caveated material that involves a codeword requires a briefing and may require a
Negative Vetting 1, Negative Vetting 2 level or Positive Vetting level security clearance as well
as other additional requirements. For guidance, see the PSPF policy: Sensitive and classified
information and supporting Security Caveats Guidelines.
Entities may provide a person with temporary access to security classified information or resources on
the basis of a risk assessment for each case. In such cases, entities must:
a. limit the duration of access to security classified information or resources:
i.
to the period in which an application for a security clearance is being processed for
i.
the particular person, or
ii.
up to a maximum of three months in a 12-month period
ii.
b. conduct recommended employment screening checks (see the PSPF policy: Eligibility and
suitability of personnel)
c. supervise all temporary access
d. for TOP SECRET information, ensure the person has an existing Negative Vetting 1 security
clearance, and
e. deny temporary access to caveated information (other than in exceptional circumstances, and
only with approval of the caveat owner).
To manage access to information systems holding sensitive or security classified information, entities
must:
a. apply the Australian Government Recordkeeping Metadata Standard properties:
i.
for security classified information, apply the ‘Security Classification’ property (and
where relevant, the ‘Security Caveat’ property)
ii.
for OFFICIAL: Sensitive information, apply the ‘Dissemination Limiting Marker’
property, and
iii.
where an entity wishes to categorise information content by the type of restrictions
on access, apply the ‘Rights’ property, and
b. implement unique user identification, authentication and authorisation practices on each
occasion where system access is granted.
C. Guidance
C.1 Sharing information in the entity and with external stakeholders
3. Access to, and use of, government information is necessary for an entity’s operational processes and
productivity. However, risks may arise from poor or outdated collection, storage and management
practices. 1
1
Refer to the 2017 Productivity Commission Inquiry Report for Data Availability and Use.
v2018.12
9 Access to information
2
Protective Security Policy Framework
Legislative provisions on access to information
Commonwealth legislation, common law and policy regulate the disclosure of sensitive information. This includes relevant
secrecy provisions, privacy law and legal professional privilege that restrict information access in some cases. 2
It may be an offence under the Crimes Act 1914 or Criminal Code to share or disclose information inappropriately. In
addition, under some legislation, it may be necessary to limit sharing of information depending on the purpose for which it
was collected. Some government policy and legislation may also require agreement or consent to disclose information
(eg sharing sensitive personal information covered by Australian Privacy Principles 3).
4. Risks may arise when information is shared outside of government. This is because PSPF information
handling and protection requirements apply only to government unless included in an agreement, such as a
contract or deed. Even where these instruments exist, there may be limited avenues for recourse in the
event of a security incident.
5. Requirement 1 mandates that written agreements, such as contracts or deeds, are in place to protect
sensitive or classified information disclosed to non-government stakeholders. 4 This includes external
parties accessing, processing, communicating or managing information assets, or adding products, services
or functions to government information systems.
6. Agreements for information disclosure provide assurance that external stakeholders understand the
obligations to protect government information. The Attorney-General’s Department recommends the use
of legally binding deeds of agreement (or other agreements) to protect government information disclosed
externally especially where that information is sensitive or classified. For guidance, see the PSPF policy:
Security governance for contracted goods and service providers.
7. Regular monitoring of security controls, service definitions and delivery levels that are included in deeds or
contract agreements assist the implementation of PSPF protections. This can include regular reviews and
audits of services, reports and records.
C.2 Limiting access to sensitive and classified information to those who
need to know
8. The need-to-know principle applies to all sensitive and classified information. It reflects the need for
personnel to access this information only where there is an operational requirement to do so. The practice
helps personnel understand their responsibility to protect information, including the correct methods for
storage, handling and dissemination.
9. Requirement 2 mandates that access to, and dissemination of, sensitive and security classified information
is limited to personnel who need the resources to do their work. This involves:
a. providing access to information only to personnel who need that access; not based on convenience or
because of their status, position, rank or level of authorised access
b. a positive obligation to share relevant information so that people with an operational need-to-know
the information have access.
C.3 Personnel security clearances for access to classified information
10. Access to sensitive and security classified information necessitates a high level of assurance of a person’s
integrity. This is due to the potential harm associated with compromise of that information.
11. In addition to having a need-to-know (as per Requirement 2), Requirement 3 limits access to security
classified information to those with the necessary security clearance.
Australian Law Reform Commission Report 112, Secrecy Laws and Open Government in Australia, identified 506 secrecy
provisions in 176 pieces of legislation, including 358 distinct criminal offences.
3 See the OAIC Guide to securing personal information for entities covered by the Privacy Act regarding access controls to
protect personal information.
4 This requirement for agreements with non-government stakeholders broadly aligns with related provisions under s95B of the
Privacy Act that mandates entities take contractual measures to ensure that a contracted service provider does not do an act, or
engage in a practice, that would breach an Australian Privacy Principle.
2
v2018.12
9 Access to information
3
Protective Security Policy Framework
12. Minimum security clearance levels for access to each information classification level are detailed in Table 1.
Table 1 Minimum security clearance levels for ongoing access to information
Sensitive
information
UNOFFICIAL
Personnel security
clearance for ongoing
access
Not
applicable.
OFFICIAL
Not
applicable.
Employment
screening is
sufficient,
security
clearance
not required.
OFFICIAL:
Sensitive
Not
applicable.
Employment
screening is
sufficient,
security
clearance not
required.
Security classified information Note i
PROTECTED
SECRET
TOP SECRET
Baseline
security
clearance or
above.
Negative
Vetting 1
security
clearance or
above.
Negative
Vetting 2
security
clearance or
above.
Table 1 notes:
i Access to caveated material that involves a codeword requires a briefing and may require a Negative Vetting 1,
Negative Vetting 2 level or Positive Vetting level security clearance as well as other additional requirements. For guidance,
see the PSPF policy: Sensitive and classified information and supporting Security Caveats Guidelines.
13. Some Australian office holders are not required to hold a security clearance to access security classified
information while exercising the duties of the office (however, staff of these office holders are not exempt
from security clearance requirements). Australian office holders who do not need a security clearance are:
a. members and senators of the Commonwealth, state parliaments and territory legislative assemblies
b. judges of the High Court of Australia, the Supreme Court, Family Court of Australia, the Federal Circuit
Court of Australia, and magistrates
c. royal commissioners
d. the Governor-General, state governors, Northern Territory administrator
e. members of the Executive Council, and
f.
appointed office holders with enabling legislation that gives the same privileges as the office holders
already identified eg members of the Administrative Appeals Tribunal.
14. For information regarding personnel security clearance assessments, see the PSPF policy: Eligibility and
suitability of personnel.
C.3.1 Access to caveated information
15. Stringent protections apply to caveated information. Requirement 3 mandates that people requiring access
to caveated information meet all clearance and suitability requirements imposed by the originator and
caveat owner.
16. Table 11 in the PSPF policy: Sensitive and classified information provides guidance on commonly used
caveats. Of particular note, the three releasability caveats – Australian Eyes Only (AUSTEO), Australian
Government Access Only (AGAO) and Releasable to (REL) – limit access to information based on citizenship.
a. The PSPF policy: Security governance for international sharing generally requires an agreement or
arrangement to be in place for a foreign national to access sensitive or classified information
b. Supporting requirements in the PSPF policy: Security governance for international sharing limit foreign
access to sensitive and security classified information even when an international agreement or
arrangement is in place:
i.
Entities must not share information bearing the AUSTEO caveat with a person who is not an
Australian citizen, or an A(dustralian citizen wshithp dualoes nationality preclude access). 5.
5 To facilitate information sharing if needed for business purposes, the originator can, on a case-by-case basis, reconsider
application of the AUSTEO caveat to its information and, if warranted, apply a different caveat or classification to that
v2018.12
9 Access to information
4
Protective Security Policy Framework
ii.
Entities, other than ASD, ASIO, ASIS, the Department of Defence and ONA, must not share
information bearing the AGAO caveat with a person who is not an Australian citizen.
17. Handling and protection requirements for caveated information are not all publicly available. The Sensitive
Material Security Management Protocol (SMSMP) sets out the protection and handling requirements for
caveated information. The SMSMP is available to entity security advisors.
C.4 Temporary access to classified resources
18. Temporary (rather than ongoing access) to classified information may be required in some limited
circumstance. Temporary access may be provided up to and including SECRET level information. This can be
achieved without a security clearance after the risks of doing so have been assessed. Temporary access to
security classified material includes:
a. short-term access, where the person does not hold a clearance at the appropriate level (but has a valid
need-to-know and requires access to relevant information) and the risks can be mitigated. This may
include, but is not limited to:
i.
new starters
ii.
people on short-term projects
iii.
people who are reasonably expected to have only incidental or accidental contact with security
classified material (eg security guards, cleaners, external IT personnel, researchers and visitors
such as children who do not have an ability to comprehend the classified information) 6
b. provisional access, where the person has commenced a clearance process by providing the relevant
details for assessment by a vetting agency. The type of temporary access can be changed from shortterm to provisional once the vetting agency has confirmed that the completed security clearance pack
has been received and advises the entity that no initial concerns have been identified.
19. Requirement 4 mandates the following minimum protections to safeguard classified resources that are
accessed on a temporary basis:
a. entities must limit the duration of access to security classified information as follows:
i.
for short-term access – a maximum of three months in a 12-month period
ii.
for provisional access – until a security clearance is granted or denied
b. entities must supervise all temporary access. Examples include:
i.
escorting visitors in premises where classified information is being stored or used
ii.
management oversight of the work of personnel who have the temporary access
iii.
monitoring or audit logging incidents of contact with security classified material 7 (eg contract
conditions that require service providers to report when any of their contractors have had
contact with classified information).
c. entities must ensure that personnel have an existing Negative Vetting 1 security clearance for shortterm or provisional access to TOP SECRET information. In exceptional circumstances, short-term or
provisional access to caveated information may be granted by the originator and caveat owner.
Approval of the caveat owner is based on assessed risk and granted on a case-by-case basis. For further
information see section C.3.1.
20. Requirement 4 mandates that entities conduct a risk assessment to determine whether to allow temporary
access to classified information. The Attorney-General’s Department recommends the assessment include:
information (eg the REL caveat). For guidance on reclassifying information, see the PSPF policy: Sensitive and classified
information.
6 The Attorney-General’s Department considers this to be children aged under 10 years.
7
Monitoring and audit logging (and related audit trails) are key measures to control access to ICT systems and the information
held on those systems. Further information about developing and maintaining robust ICT systems is included under the PSPF
policy: Robust ICT systems.
v2018.12
9 Access to information
5
Protective Security Policy Framework
a. the need for temporary access, including if the role can be performed by a person who already holds
the necessary clearance
b. confirmation from the authorised vetting agency that the person has no identified security concerns, or
a clearance that has been cancelled or denied
c. the quantum and classification level of information that could be accessed, and the potential business
impact if this information was compromised
d. how access to classified information will be supervised, including how access to caveat or
compartmented information will be prevented, and
e. other risk mitigating factors such as pre-engagement screening, entity specific character checks,
knowledge of personal history, or having an existing or previous security clearance.
21. Where an entity intends to grant temporary access to classified information from another entity or third
party, the Attorney-General’s Department recommends consulting the other entity or party, where
appropriate, and obtaining agreement for temporary access to their classified information.
22. The Attorney-General’s Department considers there is merit in obtaining an undertaking (eg through a
confidentiality or non-disclosure agreement) from the person to protect official information.
C.5 Information access controls
23. Having well structured, robust ICT systems provides access for personnel to undertake their work. It also
protects information, technology and intellectual property.
24. Access to networks, operating systems, applications and sensitive or classified information that is
processed, stored or communicated is controlled through:
a. a clear understanding of the information held on such systems, and
b. effective user identification and authentication practices.
25. For guidance on ICT system development, see the PSPF policy: Robust ICT systems.
C.5.1 Categorising information as an access control management tool
26. Metadata describes, among other things, key security characteristics of information.
27. The National Archives of Australia produces the Australian Government Recordkeeping Metadata Standard
to provide standardised metadata terms and definitions for consistency across government. The minimum
metadata set is a practical application of the standard that identifies the metadata properties essential for
agency management and use of business information.
28. The metadata properties are used to describe access to information. From an information security
perspective, there are three metadata properties of importance:
a. the ‘security classification’ property identifies the security classification of the information and is used
to identify information that is restricted to users with appropriate security clearance permissions.
Requirement 5 mandates application of this property for all classified information
b. the ‘security caveat’ (in addition to a security classification property) is a warning that, where relevant,
security classified information requires additional special handling and that only people cleared and
briefed to see it may have access. Security caveats are additional to security classifications.
Requirement 5 mandates application of this property for classified information where relevant
c. the ‘rights’ property:
v2018.12
i.
can be used to identify information that is limited, other than for security reasons, to a defined
audience only. For example, this may include restrictions on use of information protected
under the Privacy Act 1988 or under legal professional privilege
ii.
provides a standard set of terms to describe types of sensitivity ensuring common
understanding and consistency across systems and government entities. The National Archives
of Australia identifies a subset of rights property terms for common usage as information
management markers to categorise information.
9 Access to information
6
Protective Security Policy Framework
Table 2 Categorising information as an access control management tool – information management markers
Information
management
marker
Definition
Legal privilege
Legislative secrecy
Personal privacy
Restrictions on access to, or use of, information covered by legal professional privilege.
Restrictions on access to, or use of, information covered by legislative secrecy provisions.
Restrictions, under the Privacy Act 1988, on access to, or use of, personal information collected for
business purposes. The Act defines personal information as ‘information or an opinion about an
identified individual, or an individual who is reasonable identifiable’. ‘Sensitive information’ under
the Act includes personal information about an individual’s:
a. racial or ethnic origin
b. political opinions
c. membership of a political organisation
d. religious beliefs or affiliations
e. philosophical beliefs
f. membership of a professional or trade organisation or trade union
g. sexual orientation or practices
h. criminal record
i. health or genetic information
j. certain defined biometric information.
Table 2 notes
i
The PSPF Policy: Sensitive and classified information provides guidance on identifying sensitive and security classified
information with a protective marking. The order of precedence or hierarchy for protective markings is: classification,
foreign government information markings (if any), caveats or other special handling instructions (if any) then optional
information management markers (if any).
29. The Attorney-General’s Department encourages use of the Australian Government Recordkeeping
Metadata Standards to describe official information where relevant.
C.5.2 User identification, authentication and authorisation practices
C.5.2.1 User identification and authentication
30. Entities are encouraged to establish a formal user registration and de-registration procedure for granting
and revoking access; this helps entities have confidence about who is accessing their information. The
Attorney-General’s Department recommends entities regularly review user access rights; this provides
confidence that users can only access the sensitive or security classified information they have been
specifically authorised to use.
31. Having uniquely identifiable users helps to ensure accountability. Authenticating the identity of users on
each occasion that system access is granted helps provide assurance that information is being accessed
appropriately. Entities can authenticate access by various methods including:
a. passphrases or passwords
b. biometrics
c. cryptographic tokens
d. smart cards.
32. Entities may reduce the risk of user accounts being compromised by:
a. using multi-factor authentication (two or more authentication methods) where users provide
something they know, like a passphrase; something they have, like a physical token; and/or something
they are, like biometric data
b. increasing the complexity of single authentication methods (such as passphrases or passwords) by
increasing the minimum password length and using a mix of alphanumeric and special characters.
33. Systems and network managers normally need increased administrative access rights to perform their jobs.
This implies a high degree of trust and stringent controls to balance the need for privileged access to
systems and networks against risks to these peoples’ trustworthiness and competence.
v2018.12
9 Access to information
7
Protective Security Policy Framework
34. The Attorney-General’s Department recommends using multi-factor authentication to assure the identity
of a higher-risk user. This includes system administrators, database administrators, privileged users (and
other similar positions of trust) as well as remote access users. Strengthened personnel and physical
security controls for privileged access can also be beneficial.
35. For guidance, see the PSPF policy: Safeguarding information from cyber threats (in particular, the
supporting requirement, Restricting administrative privileges). Technical guidance is available in the
Information Security Manual.
C.5.2.2 Authorising access to ICT systems
36. Sound authorisation measures allow entities to effectively control access to their information, ICT systems,
networks (including remote access), infrastructure and applications. The Attorney-General’s Department
recommends that entities implement measures to manage authorised access to systems holding its
sensitive and classified information as detailed in Table 3.
Table 3 Recommended access authorisation measures
User access
management Note i
Authorised network
access Note ii
Authorised operating
system access Note iii
Application and
information access
Mobile computing
and communications
Ensure that systems
for managing
passwords are
interactive and require
users to follow good
security practices in
the selection and use
of passwords or
passphrases.
Consider the use of
automatic equipment
identification as a
means to authenticate
connections from
specific locations and
equipment.
Control access to
operating systems
through a secure logon procedure.
Afford sensitive
systems a dedicated
(isolated) computing
environment, in
accordance with
entity risk
assessment.
Adopt security
measures to protect
against the risks of
using mobile
computing and
communications
facilities.
Control physical and
logical access to
diagnostic and
configuration ports.
Restrict and tightly
control the use of
utility programs that
may be capable of
overriding system and
application controls.
Display restricted
access and authorised
use only (or
equivalent) warnings
upon access to all
entity ICT systems, and
shut down inactive
sessions after a
defined period of
inactivity.
Consider restricting
connection times to
provide additional
security for high risk
applications.
Restrict the ability of
users to connect to
shared networks,
including those that
extend across entity
boundaries.
Segregate groups of
information services,
users and information
systems, based on an
entity risk assessment.
Implement routing
controls for networks
to ensure computer
connections and
information flows do
not breach other
relevant access
management
measures.
Note iv
Table 3 notes
i
The Information Security Manual provides details on user access management, including on passphrase management.
v2018.12
9 Access to information
8
Protective Security Policy Framework
ii
See the Information Security Manual for controls on network segmentation and guidance on authorised network access.
Further guidance on authorised operating system access control is available in the Information Security Manual.
iv
See the Information Security Manual for guidance on working offsite using mobile computing and communications.
iii
D. Find out more
37. Other legislation and policies:
a. Australian Signals Directorate Information Security Manual
b. Office of the Australian Information Commissioner Guide to securing personal information for
Australian Government entities covered by the Privacy Act 1988
c. ACSI 53 – Communications Security Handbook (Rules and Procedures for Agency Comsec Officer and
Custodian). Available to Comsec officers via ASD.
38. Further guidance and support is available in the Australian Standard AS/NZS ISO/IEC 27002 Information
technology – Security techniques – Code of practice for information security management.
D.1 Change log
Table 4 Amendments in this policy
Version
Date
Section
Amendment
vV2018.1
V2018.2
Sep 2018
Nov 2018
Throughout
C.3.1
Not applicable. This is the first issue of this policy
Reference to dual citizenship
v2018.12
9 Access to information
9
