B. ANAO Conclusions and Recommendations

ANAO Report No.38 (2017-18) Mitigating Insider Threats through Personnel Security

Conclusion (p.8)

The effectiveness of the Australian Government’s personnel security arrangements for mitigating insider threats is reduced by: AGSVA not implementing the Government’s policy direction to share information with client entities on identified personnel security risks; and all audited entities, including AGSVA, not complying with certain mandatory PSPF controls.
AGSVA’s security vetting services do not effectively mitigate the Government’s exposure to insider threats. AGSVA collects and analyses information regarding personnel security risks, but does not communicate risk information to entities outside the Department of Defence or use clearance maintenance requirements to minimise risk. Since the previous ANAO audit, AGSVA’s average timeframe for completing Positive Vetting (PV) clearances has increased significantly. AGSVA has a program in place to remediate its PV timeframes, and it has established a comprehensive internal quality framework. AGSVA plans to realise many process improvements through procuring a new information and communications technology (ICT) system, which is expected to be fully operational in 2023.
Selected entities’ compliance with PSPF personnel security requirements was mixed. While most entities had policies and procedures in place for personnel security, some entities were only partially compliant with the PSPF requirements to ensure personnel have appropriate clearances. None of the entities had fully implemented the PSPF requirements introduced in 2014 relating to managing ongoing suitability. In addition, entities did not always notify AGSVA when clearance holders leave the entity.

Recommendations (pp.10-11)

Recommendation No.1

The Department of Defence, in consultation with the Attorney-General’s Department, establish operational guidelines for, and make appropriate risk-based use of, clearance maintenance requirements.
Attorney-General’s Department’s response: Agreed.
Department of Defence’s response: Agreed.

Recommendation No.2

The Department of Defence implement the Protective Security Policy Framework requirement to obtain explicit informed consent from clearance subjects to share sensitive personal information with sponsoring entities.
Department of Defence’s response: Agreed.

Recommendation No.3

The Attorney-General’s Department and the Department of Defence establish a framework to facilitate the Australian Government Security Vetting Agency providing sponsoring entities with specific information on security concerns and mitigating factors identified through the vetting process.
Attorney-General’s Department’s response: Agreed.
Department of Defence’s response: Agreed.

Recommendation No.4

The Attorney-General’s Department and the Digital Transformation Agency conduct a personnel security risk assessment that considers whether changes are needed to their protective security practices.
Attorney-General’s Department’s response: Agreed.
Digital Transformation Agency’s response: Agreed.

Recommendation No.5

The Digital Transformation Agency take immediate action to comply with the Protective Security Policy Framework governance requirements.
Digital Transformation Agency’s response: Agreed.

Recommendation No.6

The Attorney-General’s Department, the Australian Securities and Investments Commission, the Department of Home Affairs and the Digital Transformation Agency implement quality assurance mechanisms to reconcile their personnel records with AGSVA’s clearance holder records, and commence clearance processes for any personnel who do not hold a required clearance.
Attorney-General’s Department’s response: Agreed.
Australian Securities and Investments Commission’s response: Agreed.
Department of Home Affairs’ response: Agreed.
Digital Transformation Agency’s response: Agreed.
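The reconciliation that Recommendation No.6 calls for, and the leaver-notification gap noted in the conclusion, reduce to a join between two record sets: the entity's own personnel register (who is engaged, and what clearance level their position requires) and AGSVA's clearance holder records (who holds what, at what status, sponsored by whom). The script below is an added example, not code from the ANAO report or from any of the audited entities. The record layouts, the status vocabulary, the clearance levels other than PV, the entity code and all sample records are constructed assumptions for illustration; a real run would load the two extracts rather than the inline lists.

```python
"""Reconcile an entity's personnel register against AGSVA clearance holder records.

Added example; not the ANAO's or any entity's own tooling. Record layouts,
status values and the sample data below are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed ordering of clearance levels, lowest to highest. Only PV is named in
# the report; Baseline/NV1/NV2 are included here as an assumption.
LEVEL_RANK = {"Baseline": 1, "NV1": 2, "NV2": 3, "PV": 4}


@dataclass(frozen=True)
class Person:
    person_id: str
    required_level: Optional[str]  # clearance the position requires; None if none
    active: bool                   # still engaged by the entity


@dataclass(frozen=True)
class Clearance:
    person_id: str
    level: str
    status: str    # assumed vocabulary: "active", "expired", "suspended"
    sponsor: str   # entity code of the sponsoring entity


def reconcile(personnel: List[Person], clearances: List[Clearance], entity: str) -> Dict[str, list]:
    """Return the gaps an entity must act on.

    missing       - active staff whose position needs a clearance but who hold
                    none sponsored by this entity (start a clearance process)
    insufficient  - active staff whose best active clearance is below the
                    level the position requires (start an upgrade)
    not_active    - active staff whose only clearances are expired/suspended
    not_notified  - people no longer on the register who still hold an active
                    clearance sponsored by this entity (AGSVA not told they left)
    """
    by_person: Dict[str, List[Clearance]] = {}
    for c in clearances:
        if c.sponsor == entity:  # clearances sponsored elsewhere are out of scope
            by_person.setdefault(c.person_id, []).append(c)

    findings: Dict[str, list] = {"missing": [], "insufficient": [], "not_active": [], "not_notified": []}

    for p in personnel:
        if not p.active or p.required_level is None:
            continue
        held = by_person.get(p.person_id, [])
        if not held:
            findings["missing"].append(p.person_id)
            continue
        active = [c for c in held if c.status == "active"]
        if not active:
            findings["not_active"].append(p.person_id)
            continue
        best = max(active, key=lambda c: LEVEL_RANK[c.level])
        if LEVEL_RANK[best.level] < LEVEL_RANK[p.required_level]:
            findings["insufficient"].append((p.person_id, best.level, p.required_level))

    # Leavers: anyone with an active clearance sponsored by this entity who is
    # not an active person on the register should have been notified to AGSVA.
    active_ids = {p.person_id for p in personnel if p.active}
    for pid, held in by_person.items():
        if pid not in active_ids and any(c.status == "active" for c in held):
            findings["not_notified"].append(pid)
    findings["not_notified"].sort()
    return findings


def run_sample() -> Dict[str, list]:
    """Constructed sample extracts exercising each finding category."""
    entity = "ENT-A"  # assumed entity code
    personnel = [
        Person("P001", "NV1", True),       # compliant
        Person("P002", "PV", True),        # holds NV2, needs PV
        Person("P003", "Baseline", True),  # no clearance at all
        Person("P004", "NV1", True),       # clearance expired
        Person("P005", None, True),        # position needs no clearance
        Person("P006", "NV1", False),      # left the entity, AGSVA not told
        Person("P007", "NV1", True),       # clearance sponsored by another entity
    ]
    clearances = [
        Clearance("P001", "NV1", "active", entity),
        Clearance("P002", "NV2", "active", entity),
        Clearance("P004", "NV1", "expired", entity),
        Clearance("P006", "NV1", "active", entity),
        Clearance("P007", "NV1", "active", "ENT-B"),
        Clearance("P999", "NV2", "active", entity),  # not on the register at all
    ]
    return reconcile(personnel, clearances, entity)


if __name__ == "__main__":
    for category, items in run_sample().items():
        print(f"{category}: {items}")
```

The entity-sponsored filter matters: P007's clearance is real but sponsored by another entity, so from this entity's point of view it is still a gap to resolve through the clearance process (in practice a transfer of sponsorship), and P999 shows up only because AGSVA's extract is reconciled in both directions, which is what catches clearance holders the entity never told AGSVA had left.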

Recommendation No.7

The Attorney-General’s Department, the Australian Radiation Protection and Nuclear Safety Authority, the Australian Securities and Investments Commission and the Digital Transformation Agency review their policies and procedures for eligibility waivers to ensure they are compliant with Protective Security Policy Framework mandatory controls.
Attorney-General’s Department’s response: Agreed.
Australian Radiation Protection and Nuclear Safety Authority’s response: Agreed.
Australian Securities and Investments Commission’s response: Agreed.
Digital Transformation Agency’s response: Agreed.

Recommendation No.8

The Attorney-General’s Department, the Australian Radiation Protection and Nuclear Safety Authority, the Australian Securities and Investments Commission, the Department of Home Affairs and the Digital Transformation Agency implement the Protective Security Policy Framework requirement to undertake an annual health check for clearance holders and their managers.
Attorney-General’s Department’s response: Agreed.
Australian Radiation Protection and Nuclear Safety Authority’s response: Agreed.
Australian Securities and Investments Commission’s response: Agreed.
Department of Home Affairs’ response: Agreed.
Digital Transformation Agency’s response: Agreed.

ANAO Report No.43 (2017-18) Domestic Passenger Screening – Follow-Up

Conclusion (pp.8-9)

As at March 2018, the Department has implemented one and partially implemented four of the five recommendations made in ANAO Audit Report No.5 2016–17, Passenger Security Screening at Domestic Airports (see Table S.1 below). Consequently, while the Department has made progress, it is not yet well placed to provide assurance that passenger screening is effective and that screening authorities comply with the Regulations.
The extent to which the Department has implemented an effective compliance monitoring program has been constrained by the quality of data captured in the Regulatory Management System. Consequently, the ability of the Department to conduct meaningful analysis of compliance activity data and identify non-compliance trends in passenger screening is limited. While the Department has developed a data analysis function to work around the limitations of the Regulatory Management System, its initial analysis was not used to inform planning. The Department has further work to do to be able to identify non-compliance trends and incorporate the results of the analysis into the annual compliance program as recommended in the previous audit.
The Department has developed and approved a learning and development framework. However, the plan to implement the framework has not yet been approved, and a key element yet to be finalised is the approach to monitoring and evaluating the framework. Delivery of appropriate training was delayed by the Department’s decision to broaden the application of the training needs analysis beyond the initial Regulatory Management System focused training recommended by the ANAO (Recommendation No.4) in the previous audit. While steps were taken to address short-term training needs, the first training courses outlined in the learning and development framework commenced in February 2018.
The Department has developed, but not yet implemented, performance monitoring arrangements despite numerous reports, including ANAO Audit Report No.26 2002–03, Aviation Security in Australia, recommending that performance measures be implemented. Most recently, the timely implementation of these performance measures has been impacted by the Department’s decision to implement the measures in July 2018 as part of the broader Enhanced Mandatory Reporting Project. While the Department has made progress in improving the reporting provided to its stakeholders, its ability to accurately assess the effectiveness of passenger screening is limited by the quality of the data captured in the Regulatory Management System, the lack of an associated reporting function, and the fact that performance measures have not yet been implemented.

Recommendations (p.11)

Recommendation No.1

In implementing Recommendation No.2 from the previous audit, the Department should ensure that its approach delivers a meaningful analysis of passenger screening compliance activities and outcomes. The analysis should: be capable of accurately identifying non-compliance trends; generate results that are used to inform the development of the risk and compliance prioritisation ratings; and be incorporated into subsequent compliance monitoring programs.
Department of Home Affairs’ response: Agreed.

Recommendation No.2

In implementing Recommendation No.4 from the previous audit, the Department should develop and implement a monitoring and evaluation strategy, so it can assess to what extent the objectives of the learning and development framework are being met.
Department of Home Affairs’ response: Agreed.

Recommendation No.3

In implementing Recommendation No.3 from the previous audit, the Department should ensure that performance measures are established in a timely manner alongside an effective monitoring and review mechanism to provide assurance that the performance measures developed for passenger screening are practical, achievable and measurable.
Department of Home Affairs’ response: Agreed.