An audit of the security system for vetting members of the Australian Public Service (APS) and others accessing Government resources has found it to be inadequate for guarding against internal threats.
Auditor-General Grant Hehir said in his report, Mitigating insider threats through personnel security, that an audit in 2014-15 had identified “deficiencies” at the Australian Government Security Vetting Agency (AGSVA).
He said the latest audit was an opportunity to review the implementation of recommended reforms to the Protective Security Policy Framework (PSPF).
“AGSVA’s security vetting services do not effectively mitigate the Government’s exposure to insider threats,” Mr Hehir said.
“The effectiveness of the Australian Government’s personnel security arrangements for mitigating insider threats is reduced by AGSVA not implementing the Government’s policy direction to share information with client entities on identified personnel security risks.”
He said that, in addition, none of the audited entities – the Attorney-General’s Department, the Australian Securities and Investments Commission, the Department of Home Affairs, the Australian Radiation Protection and Nuclear Safety Authority and the Digital Transformation Agency – nor AGSVA itself, were complying with certain mandatory PSPF controls.
Mr Hehir said the earlier audit found AGSVA did not provide information about identified security concerns to sponsoring entities outside Defence due to a concern that disclosure would breach the Privacy Act 1988.
“The PSPF was revised in 2014 to require AGSVA to update its informed consent form to allow such disclosure to occur … but its revised form does not explicitly obtain informed consent to share information with entities,” he said.
“AGSVA’s information systems do not meet its business needs, which has resulted in inefficient processes and data quality and integrity issues.”
He found that AGSVA’s clearances did not provide sufficient assurance to entities about personnel security risks.
“A significant proportion of vetting assessments in 2015–16 and 2016–17 resulted in potential security concerns being identified, but the majority (99.88 per cent) of vetting decisions were to grant a clearance without additional risk mitigation,” Mr Hehir said.
He also found that entities did not always notify AGSVA when clearance holders left their ranks.
The report makes eight recommendations, including that the Attorney-General’s Department and the Digital Transformation Agency conduct a personnel security risk assessment that considers whether changes are needed to their protective security practices.
The Auditor-General’s 90-page report can be accessed via PS News. The audit team was Daniel Whyte, Benjamin Siddans, Alice Bloomfield and Deborah Jackson.