2.1
This chapter sets out the Committee’s findings in relation to the Department of Foreign Affairs and Trade’s (DFAT’s) governance of its security reforms, as well as ongoing security arrangements. It comprises the following sections:
Committee conclusions and recommendations
Reform planning and project management
Executive and management oversight
Security records, risk assessments and inspections
Deployment, management and maintenance of security measures
Committee conclusions and recommendations
2.2
The Committee considers that good planning, risk and project management are critical to ensuring Australian staff and missions are protected overseas. In relation to DFAT’s overseas security responsibilities, DFAT recognised that ‘elsewhere poor risk management could be financial loss; here the results could be catastrophic’.
2.3
Despite this, a recurring theme of this inquiry was the lack of consistency and coordination in DFAT’s management of overseas security. Weaknesses were identified in relation to:
planning, monitoring and assurance (regarding both the implementation of reforms, and the deployment and documentation of security measures);
the delineation of roles and responsibilities; and
standards across risk assessments and security inspections.
2.4
The Committee heard that the Departmental Security Framework was to be launched in March 2018 and reviewed via an internal audit later in the year. Given that considerable reliance appears to have been placed on this Framework to facilitate improvements in managing security risks and policies, the Committee expects that it should sufficiently address the above areas.
2.5
The Committee recommends that the Department of Foreign Affairs and Trade make available to the Committee:
an extract of the findings and recommendations from the internal audit of the Departmental Security Framework (to be undertaken in 2018), and an outline of how DFAT intends to address these
a summary of how the Framework addresses the key issues identified in this report, giving particular emphasis to the matters raised in paragraph 2.3
2.6
Of concern to the Committee is DFAT’s slow progress in rectifying issues identified in the preceding ANAO audit over a decade ago. Full implementation of recommendations from DFAT’s most recent internal Review of Diplomatic Security (2015) also remains outstanding. At a minimum, an effective implementation strategy should be supported by a plan that sets out for each recommendation: roles and responsibilities; a budget; a timeframe; and deliverables. This would facilitate the efficient implementation of review recommendations, improving security outcomes and allowing the best return on investment for such reviews.
2.7
The Committee recommends that the Department of Foreign Affairs and Trade report back to the Committee on its progress in implementing recommendations from:
the Review of Diplomatic Security (May 2015)
Auditor-General’s Report No.5 (2017–18), complete with timeframes, planned deliverables and outcomes observed to date
2.8
With regards to day-to-day security management, the Committee concurs with the ANAO’s assessment that DFAT would benefit from better delineation of roles and responsibilities. While the Committee notes that DFAT has taken steps to address this through the Departmental Security Framework and revised Security Manual, it considers that in future, roles and responsibilities should be clearly defined from the outset as part of basic management practice.
2.9
The Committee was pleased to note that there are regular Executive reporting arrangements in place for the Security Branches division, and recognises the importance of sustaining these into the future, to support effective decision-making. The department should also ensure that sufficient information is made available through these reporting channels, to ensure senior officials have visibility of operations on the ground.
2.10
The Committee notes DFAT’s summary of its arrangements for tracking security measures. To complement governance processes, the Committee would expect to see sound procedures in place at post, requiring staff to actively monitor and report on these measures on an ongoing basis.
2.11
Inconsistencies identified by the ANAO in DFAT’s record-keeping, risk assessments and inspection arrangements have undermined the Committee’s confidence that measures are being appropriately deployed and monitored across posts.
2.12
The Committee notes DFAT’s reference to a ‘revised documentation process in 2016’ to assist in coordinating the deployment of measures. In the absence of detailed information, it is unclear how this process would ensure greater consistency when determining measures to be deployed to posts.
2.13
The Committee notes the annual reporting requirements for briefing the Audit and Risk Committee, and the recent inclusion of overseas security‑related audits in DFAT’s internal audit program. The Committee maintains that consideration should be given to whether such independent assurance mechanisms should be supplemented or strengthened.
2.14
The Committee recommends that the Department of Foreign Affairs and Trade assess whether current independent assurance arrangements provide sufficient and ongoing oversight of its overseas security management, and take timely action accordingly.
2.15
In addition to promoting effectiveness and efficiency, assurance activities can assist in identifying non-compliance. The Committee supports the Auditor-General’s position that non‑compliance with an organisation’s security policy must be addressed in order to drive cultural change, with the leadership of an organisation providing a clear direction for this change.
2.16
The Committee recommends that the Department of Foreign Affairs and Trade review its security policies and procedures, and implement revised arrangements to ensure consequences for non-compliance are adequate to embed a strong security compliance culture.
2.17
The Committee recognises the importance of cyber resilience, as supported by compliance with the ‘Essential Eight’, for the protection of overseas missions. The Committee commends DFAT on its commitment to achieving cyber resilience by June 2018 and will follow its progress with interest.
2.18
The Committee recommends that the Department of Foreign Affairs and Trade report back to the Committee on the status of its cyber resilience and compliance with the ‘Essential Eight’ as at July 2018.
2.19
As made clear by the Committee Chair: ‘The annual report of a department is a very significant document. It’s signed by the Secretary [and] it’s an authoritative, if not the most authoritative, document of a department.’ However, the Committee notes the ANAO’s findings about the quality of DFAT’s performance measures and discrepancies identified in its 2014–15 Annual Report. The Committee maintains that performance measures should be relevant, reliable and complete to enable assessment of DFAT’s management of overseas post security. The Committee expects that evidence presented in DFAT’s future annual reports will be accurate and transparent.
Review of evidence
Reform planning and project management
2.20
Since 2012, DFAT has commissioned several reviews of its overseas missions protection arrangements, including a Review of Diplomatic Security in May 2015. This review made 27 recommendations, of which one third (9) were assessed by the ANAO as either fully or partially implemented in October 2016. The audit found that ‘DFAT did not have a plan for implementing the recommendations’ and improvements were required to the accuracy of status reporting. The ANAO recommended that DFAT develop a strategic plan and detailed implementation plan to support the reforms and activities underway.
2.21
Six months on at the public hearing, DFAT advised that it had engaged a project manager in late 2017 to ‘close out all the outstanding recommendations, along with all of the ANAO recommendations’. The Committee heard that, 22 of the 27 recommendations had ‘either been concluded or closed’. The five outstanding recommendations were to be delivered by 2021.
2.22
A strategic plan identifying the department’s ‘security priorities’ had also been developed and the new Departmental Security Framework (DSF), due to launch in March 2018, was considered to be a ‘key mechanism’ for delivering this plan. The Framework is intended to address governance, security policy and standard operating procedures. DFAT told the Committee that it believed this framework would ‘go a long way to bring about that higher standard of consistency across posts.’
2.23
In its 2017–18 Corporate Plan, DFAT included plans to ‘review the implementation and effectiveness of the new DSF and adoption of the risk management tools by Post Security Officers via survey’ by 2018–19.
Executive and management oversight
2.24
In response to the 2015 review, DFAT established the Security Branches division in March 2016 and appointed a Chief Security Officer (CSO) to oversee this division. DFAT also formed a Diplomatic Security Committee, chaired by the responsible Deputy Secretary. The Committee meets quarterly and receives written and verbal updates from the CSO and the Chief Information Officer (CIO). In addition, the CSO reports to the Departmental Executive, chaired by the Secretary, every six months. From August 2017, the CSO and CIO meet monthly with the Secretary and Deputy Secretaries to discuss any emerging issues.
2.25
At the public hearing, the Auditor-General observed that: ‘The type of governance structure described is consistent with what you would expect.’ However, the Auditor-General also drew attention to findings in the audit that while DFAT’s internal reporting was ‘maturing’, it could be enhanced by including further information, to ‘improve the quality of trend analysis and identifying areas for improvement’.
2.26
Primary responsibility for security at posts is held by the Head of Mission/Post (the Ambassador or High Commissioner). The Deputy Head of Mission/Post performs the role of Post Security Officer, and is responsible for the day-to-day management of security arrangements.
2.27
The audit highlighted issues with the delineation of roles and responsibilities between: Heads of Mission and DFAT Canberra; and the Post Security Officer and other post security roles. DFAT advised that it had addressed the former through the updated security manual.
2.28
Cyber security is the responsibility of the CIO who is also the Chief Information Security Officer. The CIO oversees DFAT’s high side (confidential and above) network, as well as the low side (unclassified) network. These networks are also utilised by 50 partner agencies, including Austrade, to varying degrees. With regard to DFAT network security monitoring, the CIO advised the Committee that ‘anything that occurs at post is equally visible and managed here from Canberra.’
Security records, risk assessments and inspections
2.29
In relation to the recording of security measures, the ANAO found that:
Information on the security measures in place at overseas posts is not centrally recorded in DFAT, with security measures recorded in various ways, including at posts, and DFAT had no assurance on whether records were accurate or current.
2.30
Consequently, the ANAO recommended that DFAT:
develop and maintain a comprehensive database of physical and operational security measures at overseas posts
2.31
DFAT told the Committee:
we are developing that database capability right now and we are confident that we are much better placed right now to provide assurance around the security measures we’ve had in place. We've spent the last five months, in fact, doing what's called a security snapshot of each and every post, where every single security measure at post has been updated in discussion with our post security officers.
2.32
When asked how it intends to keep track of these measures on an ongoing basis, DFAT advised:
They will be tracked through a range of governance processes covering internal arrangements within the Security Branches, as well as the Departmental Security Committee.
2.33
In its report, the ANAO indicated that improvements to DFAT’s recording of measures would ‘better inform the monitoring of post security risks’. However, the ANAO also found that the quality and consistency of risk assessments were further affected by the quantifiers for data breaches not being defined and a ‘lack of consistently applied criteria’. It recommended that DFAT ‘develop a more consistent framework for assessing security risks for overseas posts’.
2.34
DFAT advised the Committee that the new DSF ‘contains a set of risk management tools to assist staff in making risk-based decisions’ at posts. From March 2018, Post Security Officers will be required to complete an Annual Security Report, identifying the highest risks and measures taken to mitigate these, in addition to a ‘health check’ to assist in the ‘early identification of vulnerabilities. Posts will also be required to incorporate security risks into existing risk registers.’
2.35
Inspections undertaken by the Security Branches division are also intended to inform post security risk assessments. Prior to 2017–18, DFAT endeavoured to inspect each post every five years, with the higher-threat posts being visited more regularly. In 2016–17, DFAT undertook inspections at 18 of its 103 posts.
2.36
However, the ANAO’s review of inspections across multiple years found that some ‘produced authoritative and credible reports and recommendations, whereas others did not add value’, in one case overlooking previously identified vulnerabilities. Further, there was ‘no formal system in place for following up on recommendations’ made in the reports. The ANAO recommended that DFAT:
refine a framework for risk-based selection of posts for security inspection, improve the deployment of inspection staff resources, and develop consistent standards and accountability mechanisms to enable the timely identification and resolution of security vulnerabilities at posts.
2.37
In August 2017, the department redeployed its inspection staff to focus on addressing ANAO recommendations, advising that inspections would resume following February 2018.
Deployment, management and maintenance of security measures
2.38
The ANAO found that DFAT had ‘no documented end-to-end process or procedure connecting the activities that inform the deployment of security measures’. The ANAO therefore recommended that DFAT:
enhance the coordination of the deployment of security measures to achieve greater consistency when determining security measures to be deployed to overseas posts.
2.39
In its response to this recommendation, DFAT referred to a ‘revised documentation process’, which it noted had been tested through the ‘establishment of a number of recently opened posts’ and would eliminate inconsistencies identified by the ANAO. In the absence of detailed information, it is unclear how this process would ensure greater consistency when determining measures to be deployed to posts.
2.40
Once deployed, the ANAO notes that the ‘preventative maintenance of security measures is critical to ensure the measures are available to posts and operating effectively’. Having examined DFAT’s practices in this area, the ANAO made findings consistent with its 2004–05 audit, which ‘also identified weaknesses relating to overseas security measures’. The ANAO maintained that ‘strengthening arrangements for preventative maintenance of security measures at overseas posts would better ensure these measures are mitigating risks across all posts’.
2.41
The Chief Security Officer gave evidence at the public hearing that the ‘security snapshots’ currently being undertaken by the department were intended to support improvements in this area:
It’s an ongoing assurance. In fact the whole aim of the changes that we’ve been undertaking in this space is to ensure that through our interactions between our security specialists here in Canberra and all of our posts we have that constant monitoring and review of all security measures in place so that we are able to deal, quickly, with any situation that may arise. For example, if an X-ray machine breaks down we’re onto it straightaway rather than waiting some months for a security inspection, which used to be the case.…
One of the challenges for us is ensuring we’re able to understand the life cycle of a lot of our assets at post so that we’re able to plan in advance for replacing those assets rather than waiting for a security inspection to tell us, ‘This asset now has reached its end of life.’
2.42
With respect to cyber security, DFAT advised the Committee that it expects to be cyber resilient by 30 June 2018 and ‘as compliant as possible’ with the ‘Essential Eight’. ICT services are ‘delivered centrally from [DFAT] Canberra’, meaning any ‘mitigations, policies and technical controls’ applied in Canberra are rolled out to all DFAT posts. The high side network (confidential and above) is only available in the restricted areas of posts, and other agencies’ systems are ‘air–gapped’ from DFAT’s systems, to help protect the latter from incidents or compromises.
Monitoring and reporting
2.43
The ANAO found that the effectiveness of DFAT’s monitoring and reporting on overseas post security was ‘limited as it [was] not consistently implemented or verified’.
Internal monitoring, assurance and compliance
2.44
Overseas security inspections (examined earlier in this chapter) and self‑assessments are the two key mechanisms through which DFAT monitors its post security arrangements. Security breaches are monitored via staff reporting and captured in a database. The ANAO identified ‘data integrity and system limitations’ in DFAT’s security breaches database and recommended that DFAT:
develop an information system to respond to security breaches, and identify trends and mitigation strategies, based on reliable and useful breach data.
2.45
For monitoring of cyber security, DFAT has a ‘24/7 network operations centre which… watches the globe constantly out of Canberra.’ DFAT advised that it also conducts ‘monitoring of people’s behaviours’ when they are using DFAT’s systems and ‘reach[es] out to those individuals’ who ‘behave poorly’.
2.46
The ANAO observed that ‘DFAT’s Internal Audit Branch is responsible for providing assurance on DFAT’s activities, controls, compliance with requirements and identifying opportunities for improvement to the DFAT Audit and Risk Committee’. The Security Branches division also provides a report to the Audit and Risk Committee on an annual basis.
2.47
DFAT advised the ANAO that the Security Branches division’s current functions had not been examined in ‘recent internal audit coverage’. However, in its 2016-17 internal audit work program, DFAT included an audit of ‘Security Clearances: Processes and Outcomes’. For 2017–18, the department told the Committee that its internal audit work plan includes:
an audit into the Security Branches’ management of security contracts, and a potential audit to review the Security Branches’ oversight and management of the [Head of Mission] Security Compliance Certificates or alternatively Posts’ annual risk assessments and mitigation plans under the new DFAT Security Framework. The 2017-18 program also includes a large sample review/audit of mandatory e-learning compliance rates.
2.48
Also scheduled for 2018, is an audit of the departmental security framework ‘to see if there are areas where that could be further strengthened’, as advised during the public hearing.
2.49
At the public hearing, the Auditor-General commented on the merits of internal audit:
The advantage of the internal audit function is it’s separate from line responsibility. It provides another level of independent oversight, but… it’s really up to the accountable authority to decide what’s best placed in those areas.
2.50
While internal audit can examine controls and compliance, the Auditor-General’s observations during the hearing made clear that this should be accompanied by a strong security culture:
I think one of the lessons that come out of this audit is that there were a lot of issues of non-compliance going on, and it’s the actions of the organisation that they’re taking now to try and remedy those things which will drive the cultural change as well… Leaders have to model exactly what they want and show us that it’s important, and there have to be… consequences for non-compliance, otherwise it all just becomes talk.
External performance reporting
2.51
When asked how it assesses security culture in line with its 2017–18 Corporate Plan, DFAT told the Committee that it is tracking the number of hits on its intranet from ‘employees who are clicking on and acknowledging that they are seeing’ security awareness campaign material. This number increased by around 450 per cent, ‘six to 12 months after the commencement of the awareness raising campaign’.
2.52
DFAT advised that it also engages with its Post Security Officers to obtain ‘feedback from them as to the security culture’ at posts. The department undertook a security culture survey in May-June 2017 which found that ‘DFAT’s security culture was healthy’. Going forward, DFAT advised that surveys will be a ‘critical part’ of its efforts to ‘better understand and measure the culture across the department.’
2.53
In addition to measures of security culture, DFAT has presented various other security performance indicators in its annual Portfolio Budget Statements over the years. The ANAO found that those presented since 2013–14 did ‘not allow for meaningful assessment of the extent to which DFAT is achieving its objectives’.
2.54
Furthermore, the ANAO identified ‘discrepancies in the number of security inspections’ reported in the performance section of DFAT’s 2014–15 Annual Report. The department stated that the anomaly in question was a ‘one-off but not identified as such in the Annual Report’.