Defence has established the Defence Security Principles Framework (DSPF) to support compliance with the requirements of the PSPF. DSPF Principle 23, which is supported by Control 23.1 ICT Certification and Accreditation, outlines Defence’s requirements for ICT assessment and authorisation including that:
all Defence ICT systems must be authorised prior to processing, storing or communicating official information;
the authorising officer is determined by the level of assessed system risk; and
ICT systems are to be re-authorised under various conditions including when: new or emerging threats are identified; a cyber security incident occurs; changes to the certified system architecture occur; or the system’s authorisation expires.
The DSPF is supported by directives and instructions issued by Defence’s Services and Groups.
The DSPF aligns Defence with the Commonwealth’s Protective Security Policy Framework (PSPF). Under the PSPF, all agencies must develop their own protective security policies and procedures.
Building on the PSPF and Information Security Manual (ISM), the DSPF provides governance, principles, policy, process and guidance to enable and empower Defence personnel to make security decisions in accordance with risk.
The DSPF has three Defence-specific levels of protective security management:
The three tiers of Defence Guidance are:
DSPF Governance and Executive Guidance: This document establishes and explains the DSPF.
DSPF Principles and Expected Outcomes: These documents provide security principles and expected outcomes across the Defence Enterprise (including references to any guidance, policies, or laws relevant to understanding/applying the principle or achievement of the expected outcome).
DSPF Enterprise-wide Controls: Where necessary, these documents provide additional controls, processes and instructions relating to the interpretation and the application of DSPF Principles and Expected Outcomes relating to specific, complex or unconventional circumstances. They may also be used to manage circumstances where a degree of commonality across security management would be preferable and beneficial. It is neither expected, nor desirable, that all DSPF Principles and Expected Outcomes have accompanying DSPF Enterprise-wide Controls.
Principle 10: Classification and Protection of Official Information
Control 10.1: Classification and Protection of Official Information
Annex A to Classification and Protection of Official Information – Selecting an Appropriate Protective Marking
Annex B to Classification and Protection of Official Information – Applying Protective Markings to Official Information
Annex C to Classification and Protection of Official Information – Reviewing and Altering Protective Markings
Annex D to Classification and Protection of Official Information – Release of Official Information
Annex E to Classification and Protection of Official Information – Registration of Protectively Marked Information
Annex F to Classification and Protection of Official Information – Official Information Filing and File Census
Annex G to Classification and Protection of Official Information – Copying and Reproduction of Protectively Marked Information
Annex H to Classification and Protection of Official Information – Disposal and Destruction of Protectively Marked Information and Assets
Annex I to Classification and Protection of Official Information – Remarking Information Bearing Former Protective Markings
Control 79.1 Guided Weapons and Explosive Ordnance Security Governance and Planning
Control 79.2 Guided Weapons and Explosive Ordnance Information Security
Control 79.3 Guided Weapons and Explosive Ordnance Personnel Security
Control 79.4 Guided Weapons and Explosive Ordnance Physical Security
Annex A to Guided Weapons and Explosive Ordnance Physical Security – Storage of Explosive Ordnance
Appendix 1 to Annex A of Guided Weapons and Explosive Ordnance Physical Security – Ceasing Periodic Checks during an Extended Reduced Activity Period
Annex B to Guided Weapons and Explosive Ordnance Physical Security – Transport Procedures for Explosive Ordnance