Program 3.1: Security and ICT
| Objective |
|---|
|
To ensure a secure Australian Government presence overseas by sustaining and improving security, and strengthening information and communications technology (ICT) capability at Australia’s overseas missions. |
| Deliverables | 2013–14 result | Reporting |
|---|---|---|
|
Enhanced protection through strengthened security measures in line with the evolving security environment, particularly in high-threat location. |
met | below |
|
Protection of classified information and ICT services through effective management of ICT systems and security vetting processes, as well as through staff security training to ensure high standards of awareness and vigilance. |
met | below |
|
Continued progress in moving the department’s ICT systems infrastructure to a common platform that can be more efficiently integrated and supported, and implementation of ICT elements of the Government’s national security policy objectives.* |
some progress | below |
|
High-quality overseas ICT services to other government agencies. |
met | below |
| Key performance indicators | 2013–14 result | Reporting |
|---|---|---|
|
Security risks relating to classified information are minimised, as evidenced by a low number of sensitive security breaches. |
met | below |
|
Effective risk-mitigation strategies appropriate to increased security risks. |
met | below |
|
Client satisfaction with the accessibility, reliability and effectiveness of the secure cable network (Official Diplomatic Information Network) and the global secure telecommunications infrastructure. |
met | below |
* This Deliverable was amended over the course of the 2013–2014 reporting period. A reference in the Portfolio Budget Statements 2013–2014 to ‘implementation of key elements of the Government’s ICT Reform Program and ICT elements of the Government’s national security policy and objectives’ was replaced in the Portfolio Additional Estimates Statements 2013–2014 with the reference to ‘implementation of ICT elements of the Government’s national security policy and objectives’. The original reference related to a program of the previous Government. In line with the Requirements for Annual Reports for Departments, Executive Agencies and FMA Act Bodies of 29 May 2014, the department has reported against the former and current KPIs for the entirety of the reporting period.
Overview
The department ensured appropriate security arrangements at our overseas missions through ongoing review and mitigation of threats from terrorism, politically-motivated violence, civil disorder, foreign intelligence services, crime and cyber espionage. Posts in Afghanistan, Iraq and Pakistan were a priority along with other high-threat posts in the Middle East, Africa and the Pacific.
As a result of integration, we expanded our international threat assessment capability to monitor and advise on security threats and risks for staff operating in regional and remote areas. We implemented a new overseas travel policy and updated our training programs to ensure staff were well prepared to operate safely overseas.
The department fully complied with the mandatory requirements of the Protective Security Policy Framework (PSPF) in relation to security governance, personnel security and physical security. The department’s Security Manual Change Management Committee continued to review security policies and practice to ensure compliance with the PSPF and responsiveness to changes in the international security environment. We updated the department’s Security Manual to reflect best security practice as a result of the integration process.
The department’s ICT modernisation reform agenda continued in 2013–14 in accordance with the DFAT ICT Strategy. Work was completed on improving ICT services to the department and partner agencies and major long-term change programs were progressed.
The department’s ICT footprint expanded significantly following the integration of AusAID. The global and domestic ICT network increased to over 170 sites with the addition of 39 sites. Of these, 23 are co-located with existing departmental operations, nine are in unique or ‘stand-alone’ locations within the same city, and seven are in remote locations, such as provincial centres in Papua New Guinea.
The organisational change presented a major ICT challenge for the department given the duplication of infrastructure, resourcing and applications. We delivered a single departmental email address, phone, internet and intranet service within six weeks of the integration announcement. We merged finance and human resourcing systems by 30 June 2014 for the start of the new financial year.
We completed major elements of our ICT reform program, including the global upgrade of the standard ICT operating environment at all overseas sites and commenced at domestic locations. A new MOU for the provision of ICT services with over 45 partner agencies was successfully negotiated and is currently being finalised. We increased technology and procedural security controls and network performance within Australia and at overseas posts to enhance the protection of the global network.
The Australian Passport Office (APO) and the Information Management and Technology Division continued work on the Passport Redevelopment Program (PRP). The PRP will deliver a new passport issuance system that will be able to manage projected growth in passport issue rates, deliver efficiencies and a more secure passport service.
The International Communications Network (ICN) Program moved into its initial development and delivery phase of a five-year modernisation of the department’s global ICT infrastructure and services.
Security threat assessment
Within the department’s risk management framework, we reviewed security threat ratings for all posts. We used our assessments of threats from foreign intelligence service activity, politically motivated violence, civil disorder, and crime to determine posts’ security mitigation strategies, operational procedures and contingency planning. We also provided up-to-date assessments of dangers to staff and their families on posting, risks to government property overseas, and threats to the department’s global ICT network and classified information, including from cyber espionage.
As a result of integration, we reviewed our security policies, processes and methodologies to develop a more widely-based threat and risk framework that extended coverage beyond national capitals to regional and remote areas. We provided security advice, including mitigation measures, to help inform decision-makers about the deployment of whole-of-government personnel, Australian Civilian Corps members, contractors, and volunteers working overseas in support of Australia’s aid program.
As part of our regular auditing of security arrangements for volunteer deployments, we revised the agreed common security standard between the department and core partners of the Australian Volunteers for International Development Program—Austraining International, Australian Red Cross, and Australian Volunteers International.
Managing security at overseas missions
The security and safety of government officials and their families overseas, together with the protection of classified information and assets, was a high priority. In addition to post-managed security arrangements, the department engaged specialist security contractors to supplement and reinforce our capabilities, particularly in vulnerable locations, such as Baghdad, Kabul and Jakarta.
Departmental security advisors undertook official inspections at 16 posts to confirm the appropriateness of security arrangements. Regional security advisors based in Baghdad, Beijing, Jakarta, Kabul, Islamabad, New Delhi, and Port Moresby continued to monitor, assess and respond to changing security environments within their respective regions.
The department provided operational security equipment and services to posts including walk-through metal detectors, mail isolation units, CCTV and duress alarms, guarding (including close personal protection), and residential security. We supplied new specialised security and safety equipment to Tel Aviv, Islamabad, Kabul, and Baghdad and managed the armoured vehicles fleet program for 24 posts.
The department reconvened the Inter-Agency Security Forum (IAOSF) involving representatives from agencies with staff at our overseas posts. A high priority for the IAOSF was a review of the Security Services Protocol, which provides guidance on responsibilities for security measures at posts, and a working group was established in March as part of the review process.
The department continued to enhance its overseas security countermeasures capability particularly in high-threat locations. We strengthened internal cyber governance, management and response frameworks, and contributed to whole-of-government responses to cyber issues.
Appropriate physical security measures are vital for a secure Australian government presence overseas. The department oversaw implementation of the initial physical security works for the new embassy in Jakarta and finalised the security specifications for the new embassy in Bangkok. In Kabul, we provided advice for the security fit-out of the office annex and agreed on the security standards for an expanded embassy and residential compound. We commenced consolidation of all office and residential facilities to achieve a more integrated and physically secure working environment in Kabul. Security works for the new embassy in Addis Ababa neared completion and we undertook security design work and planning for missions in Chengdu, Nairobi, Noumea, and Rangoon. As part of the Paris embassy mid-life upgrade, a number of physical security enhancements were incorporated in the works. We commenced work on the security specifications for the new Melbourne state office. The forecast security inspection to Dakar proceeded. The establishment of a diplomatic mission in Dakar was later discontinued.
The department supported other government organisations, providing physical security design documentation and project oversight for projects in eleven overseas locations.
Security vetting, compliance and awareness
We applied a comprehensive vetting regime to all staff handling classified information in Australia and overseas. We granted 442 new clearances; recognised 1973 clearances (including former AusAID personnel), and approved 490 security clearance revalidations.
The department fully complied with the Protective Security Policy Framework in relation to security governance, personnel protective security and physical protective security.
We minimised security risks relating to classified information through a strictly-enforced security breach monitoring and reporting system, as well as issuing regular security reminders and conducting mandatory pre-posting security briefings. There were no sensitive security breaches involving the compromise of national security classified information.
Security training
Security training was mandatory for all staff on long and short-term overseas postings, including attached agency staff. We reviewed and updated our training programs and adapted them to meet the needs of the changing international security environment, as well as workplace health and safety obligations overseas. We prioritised staff safety, implementing a new overseas travel policy to take account of the increase in travel by staff to remote locations and regions with elevated security threats. The policy established minimum safety and security training requirements for travelling staff.
We delivered security training to 1265 officers, including 215 from other agencies. Our training focused on overseas and personal security awareness and defensive driving, including car-jacking awareness. For staff going to extreme- or high-threat locations, specialist hostile environment preparation training was mandatory, including medical trauma and first aid training. Training courses emphasised practical learning outcomes, including through the use of simulations, threat scenarios and field exercises.
ICT capability building
The ICT Strategy 2011–2014 guided the overall direction of the department’s ICT programs and operations. We commenced planning for a new strategy for delivery from 2014–15.
The department completed the ICT reform program underway since 2011. The program improved basic ICT services at post and domestically, and enhanced business continuity and disaster recover capabilities, mobility solutions and capabilities, and financial control and management of ICT services. We consolidated ICT functions into a single accountable division to ensure greater control over ICT programs and more effective client agency engagement.
The department completed the global upgrade of the standard ICT operating environment at all overseas pre-integration sites and commenced at domestic locations. The upgrade involved major infrastructure changes, including more powerful servers and faster desktops, and adoption of the Windows 7 operating system and Microsoft Office 2010 suite. The project standardised our domestic and international ICT environments, laying the groundwork for the ICN and further integration activity.
The department expanded its new data centre in preparation for the migration of core systems and services from the existing facilities which are at end of life. The new facility houses up-to-date computing infrastructure within a purpose-built whole-of-government data centre. It is more resilient, reliable, offers greater redundancy and also meets government environmental targets.
Availability and reliability of communications
New satellite infrastructure was installed at 12 posts. The upgrades improved the reliability of satellite communication, allowed remote management of satellite infrastructure and facilitated better satellite bandwidth allocation. New communications hardware at a further 15 posts also enhanced ICT performance.
We further improved communications reliability by consolidating the department’s email infrastructure within a single platform. We replaced the ageing Notes email system with Microsoft Exchange and introduced a global automated email archiving facility domestically and at post.
Australia’s first electronic declaration to the Organisation for the Prohibition of Chemical Weapons
The Information Management and Technology Division in partnership with the Australian Safeguards and Non-Proliferation Office (ASNO) redeveloped a key business application to hold information on certain chemicals manufactured in Australia as well as their use, storage and transfers in and out of the country. The chemicals application assists ASNO meet Australia’s declaration obligations under the Chemical Weapons Convention and other requirements of the Chemical Weapons (Prohibition) Act 1994.
In March 2014, the department produced Australia’s first electronic annual declaration of past chemical activities for the Organisation for the Prohibition of Chemical Weapons (OPCW) in The Hague. The previous database generated a Word document of approximately 150 pages, included a number of manual steps and was overly complex. The new application produced an electronic declaration file in XML format in about 90 seconds.
A secure online portal will be released in 2014 which will allow chemical manufacturers, users and traders to submit their chemical activities to ASNO online, removing the need for manual data entry that would normally be required by ASNO and the OPCW.
The combination of online data collection and the new chemicals application will save approximately 6–8 weeks of an ASNO Executive Officer’s time in preparing and generating annual declarations on past and anticipated chemical activities for the OPCW.
%20-%20ASNO%20team.jpg)
IMD–ASNO Team: Left to right: Tracey Jolly (IMD), Dr Josy Myer (ASNO), Meng Ngai (IMD), Anne Charlton (IMD), Kearyn Ferguson (ASNO), and Dr Robert Floyd (Director General ASNO). [DFAT]
International Communications Network program
The ICN program is the scheduled replacement and modernisation of the SATIN network and is a key enabler of the department’s ICT transformation agenda. The ICN will address existing network and system limitations to better meet the changing business needs of the department’s global communications network. The program will incrementally introduce new and improved ICT capabilities in areas such as unclassified and classified mobile computing and communications.
The pace of ICN development was affected to some extent by the need to temporarily redeploy key technical staff and resources to meet the priority of integration—this was particularly the case in areas such as network infrastructure. The procurement of a new global telecommunications contract under ICN was rescheduled in order to prioritise integration of the DFAT and AusAID ICT networks.
The department commenced the first of a number of major procurement activities for the ICN, approaching the market for the supply of wide area network services in January 2014.
Passport Redevelopment Program
Together with the APO, we continued work on the PRP, considering the requirements and validation phases necessary for the sub-systems which will underpin Australia’s new passport issuance system for deployment in 2016. The department has instigated a contract variation and established an alternative delivery model for implementation in 2014–15.
SAP Redevelopment Program
The department progressed through phase three of a multi-year program of work to modernise financial management processes. This program involves considerable business process re-engineering both in Australia and posts but will deliver improvements to the management of travel and expenses, procurement and contracts, and assets and inventories, as well as cash handling, financial reporting and budget planning.
Cyber security
The department implemented new technical and procedural processes to reduce the potential for misuse of privilege by trusted insiders and increase the protection of administrative accounts against intruders.
We collaborated with partners such as the Australian Signals Directorate (ASD) to assure the integrity and security of the department’s systems and information in response the continually evolving cyber threat environment.
We played an active role in key whole-of-government forums, such as the Cyber Security Operations Board, which sets standards for protections, reporting and response to cyber threats.
To ensure the robustness of our cyber security capabilities and their alignment with whole-of-government priorities, we reformed security risk management and compliance processes. We enhanced information technology security risk assessments using new threat modelling techniques to deliver more rigour and better alignment of risk treatments to technological risk factors.
With assistance from ASD, we began work to simplify and standardise the design of new departmental systems to strengthen cyber controls.
Records management
The department responded to the increased demand for records management services following integration by adding function classifications and inherited records authorities to the Electronic Documentation and Records Management System (EDRMS). EDRMS training was delivered to over 1400 staff.
We reviewed onsite records storage held domestically and internationally and began several projects to sentence and destroy old paper records.
Transition to electronic records continued to be a focus with over 65,000 electronic files created and only 15,000 paper files created. New high speed scanners enhanced our digital capability.
ICT client services and support
The department continued to deliver high quality domestic ICT support to ministerial and parliamentary staff by undertaking office relocations and equipment upgrades in ministerial, electorate and Commonwealth Parliamentary Offices. Regional technical officers (RTOs) also supported our ministers on 18 overseas visits.
We completed ICT fit-out of new and relocated sites in Addis Ababa, Chengdu, Beijing, Honiara, Honolulu, Kabul, Shanghai, Melbourne, Perth and Sydney. Emergency Communications (radio) Networks were installed in eight posts and secure area environmental systems were replaced at nine posts.
In support of the department’s overseas presence, RTOs conducted 254 routine and emergency maintenance short-term missions, with all posts visited at least once in the year.
The department negotiated a new MOU for the provision of ICT services with over 45 partner agencies. The new MOU uses a new service based financial cost model, which allows for more transparent and responsive service arrangements. (See Appendix 10, for more information about arrangements to provide ICT services to other Australian Government agencies.)
ICT training and development
Well-trained staff will be crucial for achieving the department’s longer-term ICT objectives. We trained 170 post ICT system administrators domestically and internationally. Over 3300 staff received training on a range of ICT issues including Windows 7 and Office 2010 environment.
As part of the integration process, over 1000 former AusAID staff have received training in SATIN, including EDRMS and cables.
Lunchtime ICT training courses in Canberra continued throughout 2013–14 with topics covering a range of essential ICT skills for general and specialist staff.
| 2009–10 | 2010–11 | 2011–12 | 2012–13 | 2013–14 | |
|---|---|---|---|---|---|
| Number of posts and Australian Government entities with access to secure communications network and secure telecommunications infrastructure | 145 | 148 | 145 | 144 | 172 |
| Number of client agencies receiving ICT services | 42 | 44 | 42 | 42 | 42 |
| Number of cables | 166,580 | 160,137 | 145,021 | 149,090 | 142,945 |
| Cables to overseas post | 83,221 | 74,590 | 67,290 | 67,401 | 66,092 |
| Cables from overseas posts | 83,359 | 85,547 | 77,731 | 81,689 | 76,853 |
| Number of security-related visits to overseas missions | 187 | 127 | 106 | 111 | 131 |
| Number of security clearances and reviews processed | 849 | 1,154 | 830 | 1,582 | 2,905 |
Outlook
The department is one of seven agencies participating in the ANAO’s first cyber security audit. We will implement the outcomes from the report—scheduled for release in late June 2014.
We will continue working with the Overseas Property Office on the security elements of work at our new embassies as well as those being upgraded or relocated. We will set performance requirements for security works in Melbourne, Canberra, Los Angeles, and Beijing, and for co-location with the United Kingdom in Baghdad. In Kabul, security work will continue towards achieving a contiguous office and residential compound. The department will facilitate the provision of new security services in Kabul and Jakarta.
The department will update the Security Services Protocol in line with the IAOSF working group recommendations.
The department will introduce an electronic-based security clearance revalidation system to improve the efficiency of clearance processing.
We will roll out the SATIN network to our 39 new sites over the next two years and continue to manage the platform until it is replaced through the ICN program. Integration of finance, human resources and records management systems will be progressed throughout 2014–15.
In 2014–15 the ICN program will begin to modernise and enhance the department’s technology services overseas and in Australia. The program will commence delivery of a new global telecommunications network service, expand the department’s data centre, introduce new classified mobile computing and communication services, expand unclassified mobile service, and open up the department to collaborate and exchange information more effectively with other government agencies.
In line with the Government’s National Security Roadmap, we will bring forward an initial release of the protected network solution through the ICN and ICT Integration programs. This will improve the department’s ability to gather, analyse and share information with partner agencies at the protected level.
We will continue replacement of key legacy systems, such as the existing Consular Management Information System, to provide more flexible, business-focused technology.
We will develop a new ICT Strategy to guide the ongoing modernisation of the department’s ICT services over the next 3 years. We will focus on aligning ICT to the objectives and goals set out in the department’s Strategic Framework and Business Plan as part of the Australian Public Service Commission Capability Review.
Further work bringing together systems delivering human resourcing, finance and aid programs will be required. Legacy systems which were used to deliver interim ICT solutions will need to be decommissioned.
To meet the tight timeframes for integration, highly skilled ICT resources were sourced from business-as-usual activities and other major programs of work. This reprioritisation and redeployment of ICT resources impacted the pace of development on ICN and the responsiveness of ICT services delivery in some areas. While overall operational support was not affected, enhancements to core aid delivery systems such as AidWorks were put on hold and will be addressed in 2014–15.
