New Compliance Requirements for the Protective Security Policy Framework (PSPF)

July 22, 2025

By Scott Thomson, CP (Cyber) Snr MACS, IRAP Assessor, MAICD, CISSP, CRISC, CISA

Director Cyber & IM

Many agencies and departments are now addressing the new reporting requirements for the November 2024 update to the Protective Security Policy Framework (PSPF) for the period to 30 June 2025.

The PSPF is the essential guideline for Australian Government agencies to safeguard their information, people, and assets. The update to the PSPF introduced new compliance requirements that aim to strengthen the security posture across government entities. Previously, entities reported on their maturity against the framework; they must now report on compliance.

The PSPF provides a robust and structured approach to security management within Australian Government agencies, ensuring that protective security measures keep pace with the evolving threat landscape. The new compliance requirements underscore the government's commitment to enhancing security protocols and adapting to emerging risks.

Key Changes in Compliance Requirements

1. Risk Management

One of the most significant updates involves the enhancement of risk management practices. Agencies are now required to adopt a more proactive approach in identifying, assessing, and mitigating risks. This includes:

  • Conducting regular risk assessments to identify vulnerabilities and threats.
  • Implementing risk treatment plans to address identified risks.
  • Regularly reviewing and updating risk management strategies to ensure their effectiveness.

2. Information Security

The new requirements place a stronger emphasis on information security. Agencies must now:

  • Ensure that all sensitive information is classified appropriately and protected accordingly.
  • Implement robust access controls to prevent unauthorized access to sensitive data.
  • Adopt encryption standards for data at rest and in transit to safeguard information integrity and confidentiality.

3. Personnel Security

Personnel security remains a critical aspect of the PSPF. The updated requirements include:

  • Conducting thorough background checks and vetting processes for all personnel handling sensitive information.
  • Providing regular security awareness training to ensure that employees understand their roles and responsibilities in maintaining security.
  • Implementing measures to monitor and manage insider threats.

4. Physical Security

Physical security measures have also been reinforced. Agencies are now required to:

  • Enhance physical access controls to restrict entry to secure areas.
  • Implement surveillance systems to monitor and record activities in sensitive locations.
  • Ensure that physical security measures are regularly tested and maintained.

5. Incident Response

The ability to respond effectively to security incidents is crucial. The new requirements mandate that agencies:

  • Develop and implement comprehensive incident response plans.
  • Conduct regular incident response exercises to test the effectiveness of their plans.
  • Establish protocols for timely reporting and communication during security incidents.

Implementation and Compliance

To ensure compliance with the new PSPF requirements, agencies must:

  • Assign dedicated resources to oversee the implementation of the updated security measures.
  • Conduct regular audits and assessments to verify compliance with the PSPF.
  • Report compliance status to relevant oversight bodies and take corrective actions as needed.

Centium and the PSPF

In addition to our IRAP assessors, who bring their highly recognised understanding of the PSPF and its implementation, Centium has recently welcomed Peter Butler to the team of professional staff supporting clients with implementation and compliance with the PSPF.

Peter Butler is a highly skilled professional security specialist and advisor with over forty years’ experience in government law enforcement and protective security roles, working across various protective security environments within state and territory governments and Commonwealth agencies. He has held the position of Agency Security Advisor (ASA) for several Commonwealth Agencies.

Our team can provide you with independent assurance of your compliance with the PSPF through the tailored assessments and audits the framework requires. These assessments enable agencies to build an implementation plan that addresses the requirements with which they are not yet compliant.

Visit the Centium website to learn more about our cybersecurity services for government: https://centium.com.au/services/cyber-security-information-management-audit/#/