26 September 2023

ANAO finds Agencies miss contacts’ safety

A performance audit into whether Australian Public Service entities provide safe and secure physical environments for the people, information and assets they use found that more could be done.

In his report, Administration of the Revised Protective Security Policy Framework, Auditor-General Grant Hehir said he also examined whether the Attorney-General’s Department (AGD) effectively administered the Protective Security Policy Framework (PSPF).

Mr Hehir said the PSPF set out the Government’s protective security policy and was introduced to help Government entities protect their people, information and assets, both at home and overseas.

He said the Framework applied to 97 Australian non-corporate Commonwealth entities and 89 corporate entities.

“The administration of the revised PSPF by selected entities was largely effective,” Mr Hehir said.

“Advice to Government by AGD as policy owner is limited as it is reliant on self-reporting from entities,” he said.

“The risk of optimism bias in entity self-assessment reporting has not been addressed by AGD as part of its administration of the PSPF.”

Mr Hehir said AGD did not monitor compliance with mandatory requirements, but did provide a variety of support to entities, including detailed written guidance “that could be better tailored to low-risk and face-to-face service environments”.

The Auditor-General said the AGD’s role as policy owner could be strengthened by ensuring that entities understood and followed the mandated security reporting requirements.

He said the audited entities, the Department of Social Services (DSS) and Services Australia, had not met all core requirements at their self-assessed maturity levels in safeguarding people, information and assets.

“DSS was largely effective in implementing requirements that it established for itself under the PSPF at the ‘managing’ and ‘embedded’ maturity levels,” the Auditor-General said.

However, he said DSS did not accurately report its maturity level as ‘embedded’ for three of the PSPF policies.

He said Services Australia was largely effective at implementing requirements under the PSPF at the ‘developing’ maturity level, but its reporting was not accurate because it had been based on an outdated security plan.

Mr Hehir made five recommendations, one of which was to AGD to review all significant security incident reporting data to assess whether the PSPF adequately supported entities to protect their people, information and assets.

He made two recommendations to DSS and two to Services Australia, including that it undertake site risk assessments as early as possible when designing and modifying facilities.

The Auditor-General’s full Report can be accessed at this PS News link and a 73-page printable version at this link.

The audit team was Natalie Maras, Chay Kulatunge, Amanda Reynolds, Dale Todd and Corinne Horton.
