A performance audit of whether Australian public service entities provide safe and secure physical environments for the people, information, and assets they use showed that more could be done.
In his report, Administration of the Revised Protective Security Policy Framework, Auditor General Grant Hehir also examined whether the Attorney-General's Department (AGD) effectively applies the Protective Security Policy Framework (PSPF).
Mr. Hehir said the PSPF set out the government’s protective security policies and was put in place to help government agencies protect their people, information, and assets at home and abroad.
He said the framework applied to 97 Australian non-corporate Commonwealth entities and 89 corporate entities.
“Management of the revised PSPF by selected entities has been largely effective,” said Mr. Hehir.
“Advice to the government by AGD as a policy owner is limited as it relies on entities self-reporting,” he said.
“AGD has not addressed the risk of optimism bias in entity self-assessment reporting as part of the PSPF’s administration.”
Mr. Hehir said AGD did not monitor compliance with the mandatory requirements but did provide various forms of support to entities, including detailed written guidance “that could be better tailored for low-risk environments and personalized service”.
The Auditor General said the AGD’s role as a policy owner could be strengthened by ensuring entities understand and follow mandatory security reporting requirements.
He said the audited entities, the Department of Social Services (DSS) and Services Australia, had not met all the core requirements in protecting people, information, and assets at their self-assessed maturity levels.
“DSS was largely effective in implementing requirements it had established for itself under the PSPF at the managing and embedded levels,” the Auditor General said.
However, he said DSS did not accurately report its maturity level as “embedded” for three PSPF policies.
He said Services Australia was largely effective in implementing the requirements under the PSPF at the ‘developing’ maturity level, but its reporting was inaccurate because it was based on an outdated security plan.
Mr. Hehir made five recommendations, one of which was for AGD to review all key security incident reporting data to assess whether the PSPF-supported entities sufficiently protect their people, information, and assets.
He made two recommendations to DSS and two to Services Australia, including that it conduct site risk assessments as early as possible when designing and adapting facilities.
The Auditor General’s full report can be accessed at this PS News link, and a 73-page printable version at this link.
The audit team included Natalie Maras, Chay Kulatunge, Amanda Reynolds, Dale Todd, and Corinne Horton.