Context

Purpose

The PHYSEC-1: Protecting assets policy and guidance will assist agencies to achieve an effective protective security outcome within the physical security domain of the TAS‑PSPF. They address core requirement 13 and its supplementary requirements.

Core requirement

The Accountable Authority must identify and implement appropriate physical security measures to mitigate the risk of harm or compromise to its information, people and assets.

Supplementary requirements

To implement appropriate physical security measures to mitigate the risk of harm or compromise to its information, people and assets, the Accountable Authority must:

  1. identify, categorise and keep a record of the agency’s assets which require any level of physical protection[1]
  2. implement physical security measures proportionate to the identified threat and likely risk scenario, using the assessed business impact of harm or compromise to agency assets - this may include -
    1. zoning of work areas (e.g. access controls, security screening)
    2. application of required individual control elements (e.g. secure storage, site locations, perimeter measures, security lighting)
    3. separated ICT infrastructure, equipment and facilities
  3. certify and accredit all security zones on all premises for which the agency has responsibility[2]
  4. dispose of physical assets securely
  5. implement procedures to ensure appropriate accreditation of proposed worksites outside the office. Provide training to all people, in the correct use and application of the agency’s physical security measures.

Agencies must identify the information, people and assets that require protection from compromise and harm. Vulnerabilities will be identified in the agency‑specific risk assessment and managed according to the risk appetite and tolerance of each agency. Implementing layered physical security elements between the public and Tasmanian Government information and assets will enhance protection of the information and the public.

The TAS-PSPF describes how to mitigate identified risks to assets through best practice physical security measures.

  1. This will be based on the agency risk assessment and business impact levels.

    [Back]

  2. Refer to ASIO Technical Notes to ascertain the requirements of security zones and associated processes. Access is via GovTEAMS, where users are required to register for an account and request access to the Protective Security Policy community.

    [Back]

Guidance

Introduction

Physical security is a key component of your agency’s protective security regime. It is a combination of physical and procedural measures designed to prevent or reduce the risks of compromise or harm to your information, people and assets.

Adopting physical security measures can assist your agency to:

  • keep your people, clients and the public safe
  • prevent unauthorised people accessing your information, people and assets
  • maintain the trust and confidence of the people, agencies and organisations you work with
  • deliver services without disruption in the event of increased threat levels.

To do this, you must know what you need to protect. In the physical security space, threats can come from your own people or from outside the agency. Threats are applicable to your information, people and assets when in the office or the usual place of business. Different threats may apply when your people are working away from the office.

Your agency’s unique context and potential threats determine the physical security measures you need. Taking a risk-based approach will ensure that the physical security measures you implement are right for your agency’s operating environment.

Required action: Identify, categorise and keep records of assets

Under the TAS‑PSPF, ‘assets’ refers to an agency’s information, people and physical items, including ICT systems, technology and information infrastructure. Identifying assets which are critical to key functionality and ongoing operations is addressed in TAS-PSPF policy: Security planning (GOVSEC-5).

Identifying your agency’s critical assets enables you to prioritise the application of protections to those assets. Understanding your assets, including their value and sensitivity, is essential to accurately assess your physical security risks.

Physical security measures provide an essential layer of protection that minimises the risks of compromise or harm to your agency’s assets – your information, your people, and your physical items.

Information

Information is a valuable asset and requires protection. The TAS-PSPF policy: Protecting official information (INFOSEC-2) provides guidance relating to the classification, protective marking, transfer, handling and storage requirements of information assets.

The physical security measures applied by an agency, in support of these requirements, will strengthen the protection of information assets, reducing the likelihood of compromise to those assets.

People

An agency’s people are central to its operations and require protection from harm. This policy (PHYSEC-1) reinforces the requirement of the Work Health and Safety Act 2012 that an agency protects its people and others from harm. This is achieved by minimising exposure to risks and providing support in the event of a harmful or traumatic incident.

It is recommended that agencies implement appropriate physical security measures to ensure the personal security of their people, while working in the office and away from the office, to support compliance with the Work Health and Safety Act 2012.

Physical assets

Physical assets are tangible items that are valuable to an agency and require protection. Protection includes ensuring continued operability and accessibility, as appropriate, and preventing any unauthorised access, use or removal.

Categories of physical assets and factors to consider are outlined below.

Attractive

This category of asset may not always be valuable but is desired.

Factors to consider:

  • The function of the asset is desirable, i.e. it holds information which may be attractive to an outsider.
  • Portable assets which could be easily removed with limited likelihood of detection, regardless of the information held within.

Classified

This category of asset is classified in its own right or is classified due to the confidentiality requirements of the information held on the asset (e.g. ICT equipment).

Factors to consider:

  • The level of the classification of the asset.
  • The mobility and accessibility of the classified asset.
  • The assessed business impacts which resulted in the security classification of the asset.

Dangerous

This category of asset considers its likelihood to inflict harm (e.g. weapons or hazardous material).

Factors to consider:

  • The quantity and type of dangerous assets being stored, e.g. storerooms with large quantities of chemicals that could be weaponised or armoury rooms or disposal holding locations.
  • The level of public awareness/concern about the presence of the assets.

Important

This category of asset considers the significance of the asset’s integrity or availability for the agency’s operations.

Factors to consider:

  • The integrity of the asset.
  • The consequences should the asset be unavailable or inoperable when it is needed.

Significant

This category of asset has cultural or national significance, regardless of monetary value.

Factors to consider:

  • The intrinsic value to the state or national identity.
  • The negative reputational effect of the loss or damage of the asset.

Valuable

This category of asset relates to monetary value.

Factors to consider:

  • The financial viability and time required to replace or repair the asset.
  • The capability of the agency to operate without the asset or with partial functionality.
  • The level of importance the asset has to the agency’s function or capability.

Asset controls

It is recommended that your agency implements asset controls. Asset controls are useful as they identify asset holdings while serving as a mechanism to protect against theft, damage and loss. Asset control procedures should include:

  • recording the location and authorised custodian of the asset/s
  • periodic auditing of the asset/s
  • reporting requirements for the loss or damage of any asset/s.
Required action: Implement proportionate physical security measures

The protections required for, and that can effectively be applied to, physical assets will be affected by the category of asset and the business impact level of the compromise or loss of, or harm to the asset. The box below will assist you in defining the business impact level of your agency’s physical assets.[3]

Business impact level: 1 - Low business impact

Compromise, loss or harm to asset, including physical assets, expected to cause: Insignificant damage to an individual, organisation or government.

Business impact level: 2 - Low to medium business impact

Compromise, loss or harm to asset, including physical assets, expected to cause: Limited damage to an individual, organisation or government.

Business impact level: 3 - High business impact

Compromise, loss or harm to asset, including physical assets, expected to cause: Damage to individuals, organisations, the state or national interests.

Business impact level: 4 - Extreme business impact

Compromise, loss or harm to asset, including physical assets, expected to cause: Serious damage to individuals, organisations, the state or national interests.

Business impact level: 5 - Catastrophic business impact

Compromise, loss or harm to asset, including physical assets, expected to cause: Exceptionally grave damage to individuals, organisations, the state or national interests.

After determining the business impact level of an asset, your Accountable Authority must implement commensurate physical security measures according to the assessed risk.

It is recommended that your agency protects its assets by using a combination of physical and procedural security measures to achieve this outcome.

In determining the physical security measures required to protect your agency’s assets, you should consider the cost of security measures, ensuring they are proportionate to the mitigation of the identified threats and likely risk scenario/s.

Any physical security measures you take should ideally be capable of achieving all, or at least a combination, of the protective security outcomes listed below.

  • Deter: Measures that cause significant difficulty or require specialist knowledge and tools for adversaries to defeat.
  • Detect: Measures that identify unauthorised action is being taken or has already occurred.
  • Delay: Measures to impede an adversary during attempted entry or attack or slow the progress of a detrimental event to allow a response.
  • Respond: Measures that prevent, resist, or mitigate an attack or event when it is detected.
  • Recover: Measures to restore operations to normal levels (as soon as possible) following an event.

Measures to protect agency assets

In applying physical security measures, you can implement various protections to address the risk of assets being made inoperable or inaccessible or being accessed, used, or removed without proper authorisation.

The information above will help you to categorise your physical assets and identify the level of business impact of any compromise, loss, or harm to an asset. Knowing these things will in turn help you to determine the physical security measures needed to protect the asset.

Below is an example of this process in action.

Example:

Your agency holds a database with comprehensive information relating to your staff. On face value, the information in the database does not warrant security classification as the business impact level of compromise of its confidentiality is assessed as ‘medium’. However, the database is determined critical to the business operations of the agency which indicates the categorisation of the database may best be as an ‘important’ asset. Considering the factors relevant to ‘important’ assets and the integrity and availability of the database, you may determine the business impact level in relation to compromise of its integrity and availability to be ‘extreme’.

As a result of this determination, the database is now marked and handled as Official: Sensitive. Due to the ‘extreme’ business impact level of the database, greater protections are applied to protect the integrity and availability of the database.

The following physical security measures are considered to provide protection:

  • CCTV
  • electronic access control
  • emergency communication systems
  • perimeter intrusion detection systems
  • perimeter security measures
  • secure storage
  • security alarm systems
  • security and trespass warning signs
  • security doors, screens and keyring systems
  • security screening equipment
  • security lighting.

  1. The coloured areas relate to information classification; for details, refer to TAS-PSPF policy: Protecting official information (INFOSEC-2).

    [Back]
Required action: Zone work areas

Your agency may contain various divisions, business areas and alternate sites. These variations are likely to influence the assets held within certain workspaces.

Zoning specific work areas can help you to scale physical security measures based on your security risk assessment.

Security zones are numbered 1-5, with increasing restrictions and access controls as the zone number rises.

Extra physical security measures apply to areas where protectively marked information and other official or valuable assets are processed, handled, and stored. The physical security measures applied to each of these areas are designed to protect the contained items from compromise, either accidentally or maliciously.

Where you identify increased threat levels to your agency’s environment, you must consider what additional measures are required to protect assets and whether a change in zone storage is required.

To aid the ongoing management of physical security in your agency, you must:

  • certify and accredit all security zones on all premises for which your agency has responsibility[4]
  • dispose of physical assets securely
  • implement procedures to ensure appropriate accreditation of proposed worksites outside the office.
  • provide training to all people in the correct use and application of your agency’s physical security measures.

The different security zones are explained below.

Understanding security zones

Zone 1: Public access areas

Public access areas are unsecured zones and include out-of-office working arrangements. They provide limited access controls to information and physical assets and limited protection for people. Storage, handling, processing and discussion of security-classified information should not be conducted within a Zone 1 area, due to the public access in these areas.

Examples of Zone 1 areas include:

  • building perimeters and public foyers
  • interview and front-desk areas
  • temporary out-of-office work areas where your agency has no control over access
  • field work, including most vehicle-based work
  • public access areas within multi-building facilities (e.g. cafes).

Zone 2: Work areas

Work areas are low-security areas with some controls. This zone is typically the first layer of protection for information, people and assets. Information and assets classified up to and including PROTECTED may be used and stored. Information and assets classified as SECRET may be used, but not stored.

Examples of Zone 2 work areas include:

  • normal office environments
  • normal out-of-office or home-based worksites where you can control access to areas used by your agency
  • interview and front-desk areas where your people are separated from clients and the public
  • vehicle-based work where the vehicle is fitted with a security container, alarm, or immobiliser
  • exhibition areas with security controls and controlled public access.

Zone 3: Restricted work areas

Restricted work areas are security areas with higher security controls. They provide access controls to information and assets where a loss would result in a business impact up to extreme. Information and assets classified up to and including SECRET may be used and stored. They provide layered protection for people.

Access to this zone is limited according to ‘need to know’ and security clearances – all visitors must be escorted, or closely monitored, and have a business need to access the area.

Examples of Zone 3 areas include:

  • storage area for highly valuable assets
  • secure areas within an agency building that have additional access controls for your people.

Zone 4: Security areas

These are areas with high levels of security. These areas provide access controls to information where any loss would result in a business impact to extreme and assets where any loss would result in a business impact up to catastrophic. They provide layered protection for people.

People with ongoing access must hold a security clearance. Visitors and contractors must be closely controlled and have a business need to access the area.

Examples of Zone 4 areas include:

  • secure areas within your agency’s building/s that have additional access controls for authorised staff
  • storage area for highly valuable assets, with additional asset protection controls.

Zone 5: Highly restricted security areas

These are the highest security zones. They are restricted with dual authentication applied to access controls. These areas are likely to contain information and assets with a business impact of catastrophic. Visitors and contractors must be closely escorted and demonstrate a ‘need to know’.

Zone 5 areas include Australian intelligence community facilities.

Zoning control elements

Each of the security zones requires specific control elements to meet the required level of protection. Implementing control elements provides assurance against:

  • the compromise, loss of integrity or unavailability of sensitive or security‑classified information
  • the compromise, loss or damage of sensitive or security‑classified assets.

Control elements must be in accordance with ASIO Technical Notes[5] which dictate the minimum requirements to protect sensitive and security‑classified information and assets. For more information, refer to Annexure 1: Physical protections for security zones.

  1. Refer to ASIO Technical Notes to ascertain the requirements of security zones and associated processes. Access is via GovTEAMS, where users are required to register for an account and request access to the Protective Security Policy community.

    [Back]

  2. Access to ASIO Technical Notes is via GovTEAMS, where users are required to register for an account and request access to the Protective Security Policy community.

    [Back]
Required action: Apply control elements

Security Construction and Equipment Committee‑approved equipment

The Security Construction and Equipment Committee (SCEC) is responsible for evaluating security equipment and determining which products will be evaluated and the priority of that evaluation.

The SCEC then assigns evaluated equipment a security level (SL) rating from 1-4, which is based on the level of security it has been assessed to provide, in increasing order. Products rated at SL1 provide the lowest acceptable level of security for government use.

Approved products are listed in the SCEC Security Equipment Evaluated Product List (SEEPL). This is available to government users via the GovTEAMS Protective Security Policy community.[6]

While it is not a mandated requirement that you use SCEC‑approved equipment, it is recommended that you use SCEC-approved equipment for strengthened protection of your agency’s assets. Alternatively, you can use suitable commercial equipment as long as it complies with the identified security‑related Australian and International Standards for the protection of people, information, and assets.

Security containers and cabinets

Layering your physical security measures includes using security containers and cabinets. Security containers and cabinets can be used to protect information, portable and valuable assets, and money. You must identify the need for, and the most appropriate type of, security cabinets or containers to secure your agency’s assets.

When choosing the most appropriate security container or cabinet, it is recommended that you consider:

  • the type of assets (refer to 'Categories of physical assets and factors to consider' above)
  • the quantity or size of information and assets
  • the location of the information or assets within your facility
  • the structure and location of your facility
  • the access control systems
  • other physical protection mechanisms, for example, locks and alarms.

It is recommended that you store sensitive and security‑classified information and assets in security containers and cabinets separately from physical assets. Ensuring separation decreases the risk of multiple compromises.

For information on selecting security containers to store official information, refer to TAS-PSPF policy: Protecting official information (INFOSEC-2).

Managing security containers and cabinets

If not managed appropriately, security containers and cabinets can be a security risk. It is recommended that keys to security containers and cabinets are secured in key cabinets within an agency’s perimeter and where possible, within the security zone where the containers and cabinets are located.

For containers or cabinets secured with a combination setting, it is recommended that the combination is changed:

  • every 6 months
  • following repairs
  • following change of employees
  • when there is reason to believe there has been or may have been a compromise.

SCEC-approved security containers

SCEC‑approved security containers are for the storage of sensitive and security‑classified information and assets. These containers are designed to provide a high level of tamper evidence from covert attack and significantly delay other attacks.

There are 3 levels of SCEC‑approved security containers:

  • Class A – protect information with a business impact level of extreme or catastrophic when it has been assessed as high risk. These containers are a significant structure and will not always be suitable in premises with restricted floor loadings.
  • Class B – protect information with a business impact level of extreme or catastrophic when it has been assessed as low risk. These containers can also be used to store information with a business impact level of high or extreme when it has been assessed as high risk.
  • Class C – protect information with a business impact level up to extreme when it has been assessed as low risk. These containers can also be used for information with a business impact level of medium when it has been assessed as high risk.

Key cabinets

You can use manual and electronic key cabinets to secure keys (e.g. keys for Class C containers or internal offices). These should be located within the security zone or near the zone where the security containers or cabinets are located. Some electronic key cabinets may have an automated audit capacity which means you won’t need to maintain a key register. Electronic key cabinets may also be integrated into your electronic access control system/s.

SCEC have approved various Class B key cabinets; however, these provide the same level of protection as other SCEC-approved Class B cabinets (e.g. filing cabinets and cupboards). SCEC‑approved electronic Class C and B key containers are recommended to store keys for Zones 4 and 5, and for Class C containers.[7]

Commercial safes and vaults

Commercial safes and vaults provide a level of protection against forced entry. A vault is a secure space that is generally built in place. A safe may be portable and is typically smaller than a vault.  Both safes and vaults provide varying degrees of protection, depending on their construction, use and location. They may both be used to store valuable physical assets.

It is recommended that you seek advice from qualified locksmiths or manufacturers when deciding the criteria to apply to select commercial safes and vaults. Guidance is available in Australian/New Zealand standard AS/NZS 3809-1998 – Safes and strongrooms.

The boxes below may also assist you as you consider commercial safes and vaults for your agency.

Zone 1

Business impact level 1 - Low business impact

Determined by an agency risk assessment – locked commercial container recommended.

Business impact level 2 - Low to medium business impact

Determined by an agency risk assessment – commercial safe or vault recommended.

Business impact level 3 - High business impact

AS/NZS 3809-compliant commercial safe or vault.

Business impact level 4 - Extreme business impact

AS/NZS 3809-compliant high‑security safe or vault.

Business impact level 5 - Catastrophic impact

Not to be held unless unavoidable.

Zone 2

Business impact level 1 - Low business impact

Determined by an agency risk assessment – locked commercial container recommended.

Business impact level 2 - Low to medium business impact

Determined by an agency risk assessment.

Business impact level 3 - High business impact

Commercial safe or vault.

Business impact level 4 - Extreme business impact

AS/NZS 3809-compliant medium-security safe or vault recommended.

Business impact level 5 - Catastrophic impact

Not to be held unless unavoidable.

Zone 3

Business impact level 1 - Low business impact

Determined by an agency risk assessment.

Business impact level 2 - Low to medium business impact

Determined by an agency risk assessment.

Business impact level 3 - High business impact

Determined by an agency risk assessment – locked commercial container recommended.

Business impact level 4 - Extreme business impact

AS/NZS 3809- compliant commercial vault or safe.

Business impact level 5 - Catastrophic impact

AS/NZS 3809-compliant high or very high-security safe or vault recommended.

Zone 4

Business impact level 1 - Low business impact

Determined by an agency risk assessment.

Business impact level 2 - Low to medium business impact

Determined by an agency risk assessment.

Business impact level 3 - High business impact

Determined by an agency risk assessment.

Business impact level 4 - Extreme business impact

Commercial safe or vault recommended.

Business impact level 5 - Catastrophic impact

AS/NZS 3809-compliant medium or high-security safe or vault recommended.

Zone 5

Business impact level 1 - Low business impact

Determined by an agency risk assessment.

Business impact level 2 - Low to medium business impact

Determined by an agency risk assessment.

Business impact level 3 - High business impact

Determined by an agency risk assessment.

Business impact level 4 - Extreme business impact

Commercial safe or vault recommended.

Business impact level 5 - Catastrophic impact

AS/NZS 3809-compliant medium or high-security safe or vault recommended.

Vehicle safes

You may consider fitting vehicles used by staff with field safes to carry valuable assets and official information. Vehicle safes provide some protection against theft but only when vehicles are fitted with other anti-theft controls.

Secure rooms and strongrooms

You may consider using secure rooms and strongrooms instead of containers to secure large quantities of official information, classified assets, and valuable assets, where compromise or harm would have a high business impact level.

A secure room is designed to protect its contents from covert attack and has a degree of fire protection, if correctly constructed.[8] Secure rooms are suitable for storage of large quantities of official information and classified assets, while maintaining the levels of protection provided by a Class A, B or C container.

Audio security measures

It is recommended that you implement audio security measures to prevent overhearing in areas where discussions and/or meetings relating to sensitive and security-classified information are held.

Rooms or areas where sensitive or security‑classified discussions are held should be acoustically treated so that sound created within the space is inaudible to a person or device outside that area. Appropriate and effective sound insulation is critical to achieving the required level of security for sensitive and security‑classified discussions.

If your agency needs to engage in sensitive or security‑classified discussions in unsecured areas, it is recommended that you take all available steps to reduce the likelihood that those conversations are overhead.

Security alarm systems

Security alarm systems (SAS) detect unauthorised access to an agency’s facilities. SAS are only effective if used in conjunction with layered physical security measures to delay or respond to the detected unauthorised access.

SAS can be broadly divided into 2 categories:

  • perimeter (external) intrusion detection systems (PIDS) or alarms
  • internal security alarm systems.

It is recommended that SAS are configured to monitor your agency’s high-risk areas (e.g. infrequently accessed areas, roof spaces, inspection hatches and underfloor cavities).

To support the operation of SAS, you must facilitate periodic maintenance and testing via an authorised service provider. It is recommended that maintenance and testing happen at least every 2 years to ensure all systems are operational.

Security guards

Security guards provide a physical presence at agency facilities and a swift response to security incidents. It is recommended that if you are thinking about using security guards, consider:

  • the level of threat and/or risk
  • if guards need to be onsite or offsite
  • security clearance requirements based on the security zone and frequency of access
  • confirming that guards hired are licensed in Tasmania.

Access control

Access control measures are designed to limit access to authorised people, vehicles and equipment, while preventing unauthorised access. Measures of access control include:

  • security guards located at premises access/egress points
  • security guards located in a central area who control access/egress via intercoms, videophones and CCTV
  • electronic access control systems (EACS)
  • mechanical locking devices – controlled with keys or codes.

Electronic access control systems

EACS are mandatory for Zones 3-5, where no other suitable identity verification and access control measures are active. In managing Zones 3-5, your agency must:

  • have sectionalised access control systems and full audit capacity
  • regularly review and audit your EACS for unusual or prohibited activity or access.

When implementing EACS, it is recommended that you:

  • seek relevant specialist advice during selection and design
  • use an appropriate installer recommended by the manufacturer to install and commission the system/s
  • regularly audit EACS across all agency security zones and areas, in accordance with your risk assessment and security plan.

Identity cards

Identity cards allow recognition of people across agency facilities. Zones 3-5 require identity cards with personal verification for all people using these facilities.

It is recommended that your agency use identity cards across all facilities, regardless of the level of formal zoning.

Identity cards should only be issued to people who have had their identities validated as per TAS‑PSPF policy: Recruiting the right people (PESEC-1).

It is recommended that you use the National Identity Proofing Guidelines[9] to at least Level 3 for people not covered by the TAS-PSPF (e.g. contracted service providers).

Identity card‑making equipment and all spare, blank or returned cards should be secured according to the security risk assessment (Zone 2 or higher).

Identity cards should be:

  • uniquely identifiable
  • worn and clearly displayed by authorised people while on agency premises
  • regularly audited in accordance with your agency’s risk assessments and security plan.

Visitor controls

A visitor is any person who attends an agency and/or has access to its assets, who is not employed or otherwise engaged by that agency. All visitors should be issued with visitor access passes which are access controlled according to the visitor need. All passes should:

  • be visible at all times
  • be collected and disabled at the end of the visit
  • audited regularly
  • not be shared with other visitors.

Perimeter measures

Some agencies may require perimeter access control measures, based on agency risk assessments. Perimeter access control measures may be in the form of:

  • fences and walls
  • pedestrian barriers, ingress/egress points
  • vehicle security barriers.

The effectiveness of any perimeter measure is dependent on construction, environmental design and other layered protective security measures. When you are designing and implementing perimeter measures, refer to the relevant Australian Standards and ASIO-T4 documents.[10]

Security lighting

The use of security lighting can support surveillance of the perimeter and approaches to your agency’s buildings and facilities. When applied correctly, security lighting can enhance safety for staff and visitors. Lighting should be placed with consideration to reducing or removing capacity for people to hide or conceal around the buildings and facilities.

When thinking about security lighting for your agency’s buildings and facilities, consider:

  • the general area and coverage required
  • environmental conditions
  • site‑specific requirements (i.e. ingress/egress, vehicle parking, walkways).

  1. Access via GovTEAMS, where users are required to register for an account and request access to the Protective Security Policy community.

    [Back]

  2. For advice, refer to ASIO SEG-013 Electronic Key Cabinets, available via GovTEAMS, where users are required to register for an account and request access to the Protective Security Policy community.

    [Back]

  3. For information relating to the construction of secure rooms and strongrooms, refer to ASIO Technical Notes: 7-06, 8-06 and 9-06. Available via GovTEAMS, where users are required to register for an account and request access to the Protective Security Policy community.

    [Back]

  4. For further information, please refer to the National Identity Proofing Guidelines (PDF) on the Department of Home Affairs website.

    [Back]

  5. Refer to ASIO Security Equipment Guide SEG-003 Perimeter Security Fences and SEG-024 Access Control Portals and Turnstiles, available via GovTEAMS, where users are required to register for an account and request access to the Protective Security Policy community. Also refer to AS 1725.1:2010 Chain link fabric fencing – security fences and gates and AS/NZS 3016:2002 Electrical installations – electric security fences.

    [Back]
Required action: Separate ICT infrastructure, equipment and facilities

ICT equipment

Agencies should implement an ICT equipment management policy to ensure that ICT equipment, and the data it processes, stores or communicates, is protected in an appropriate manner.

ICT equipment includes:

  • movable physical assets, e.g. computers, photocopiers, multi-function devices, mobile phones, storage media
  • system equipment, e.g. hardware and software
  • building management systems and security systems.

ICT system equipment is generally operational 24-hours a day and may include:

  • servers, e.g. dedicated devices and laptops used as servers
  • communication network devices, e.g. PABX systems
  • supporting network infrastructure, e.g. cabling, patch panels
  • gateway devices, e.g. routers, network access devices.

ICT equipment, as an agency asset, requires specific protection because of:

  • the classification of the information held on the asset, the business impact level of compromise or harm to that information, or the classification of the asset itself
  • the criticality of integrity or availability of the information held or processed on the asset
  • the potential attractiveness of either the information held or the asset in its own right
  • the aggregation of information, which may increase the business impact level of the asset’s compromise.

It is recommended that to identify the appropriate physical security measures to protect ICT assets and the information held or communicated on them, you base the level of protection required on the highest business impact level that would result from:

  • the compromise, loss of integrity or unavailability of the aggregate of electronic information held on the equipment, or
  • the loss or unavailability of the ICT equipment itself.

ICT facilities

It is recommended that you have dedicated ICT facilities to house your agency’s ICT equipment and systems. These facilities may include:

  • server and gateway rooms
  • data centres
  • back-up repositories
  • storage areas for ICT equipment that holds official information
  • communication and patch rooms.

It is recommended that you locate your agency’s ICT facilities in security zones dedicated to these facilities and separate to other functions. Remember that you must store sensitive or security‑classified information in accredited security zones.

ICT facilities may be housed in a separate security zone, within an existing security zone (i.e. the work area is a Zone 3 and within that Zone 3 is a separate Zone 4 for the ICT facilities). Where ICT equipment is held in one of these separate security zones, the required level of physical security of containers and/or rooms to protect the ICT equipment may be lowered, so long as the security zone is suitable for the aggregation of the information held.

The following table demonstrates storage container requirements for electronic information in ICT facilities.

Table: Storage container requirements for electronic information in ICT facilities

Business impact level of aggregated electronic information

Security zone of the work area

Security container or secure room ordinarily required

Additional security zone within work area for ICT facility

Security container or secure room required for ICT equipment

1 - Low business impact

Zone 2

Lockable commercial cabinet

No additional zone required

Lockable commercial cabinet

Zone 1

Lockable commercial cabinet

Zone 2 or above

Lockable commercial cabinet

2 - Low to medium business impact

Zone 2

Lockable commercial cabinet

No additional zone required

Lockable commercial cabinet

Zone 1

SCEC Class C

Zone 2 or above

Lockable commercial cabinet

3 - High business impact

Zone 3 or above

SCEC Class C recommended for Zone 3. Lockable commercial cabinet for Zones 4 and 5

No additional zone required

SCEC Class C recommended for Zone 3. Lockable commercial cabinet for Zones 4 and 5

Zone 2

SCEC Class C

Zone 3 or above

Lockable commercial cabinet

Zone 2

SCEC Class C

4 - Extreme business impact

Zone 4

SCEC Class C

Zone 3 or above

Lockable commercial cabinet

Zone 2

SCEC Class C

Zone 3

SCEC Class B

Zone 4 or above

Lockable commercial cabinet

Zone 3

SCEC Class C

Zone 2

SCEC Class B

5 - Catastrophic business impact

Zone 5

SCEC Class B

Compartment (certified by Chief Security Officer)

SCEC Class C

Access control to ICT equipment and facilities

Agencies must control access to ICT facilities in line with the relevant security zone. In circumstances where the business impact is lower than catastrophic, agencies may consider the following controls to limit access to ICT facilities:

  • a dedicated section of the SAS or an EACS
  • people physically administering access to authorised people.

When not in use or unattended, ICT equipment must be secured appropriately according to the classification or business impact level of the stored information or asset.

Required action: Certify and accredit security zones

Information sharing is crucial to government business and requires a level of confidence between Tasmanian Government agencies, interjurisdictional and national counterparts. Certification and accreditation of security zones are a means to strengthen the level of confidence in the ability of agencies to share, access and protect information according to classification.[11]

Certification

Certification of security zones establishes compliance with the minimum physical security requirements to the satisfaction of the relevant certification authority.

Implementation and operation of control elements in Zones 1-4 may be certified by your agency’s Responsible Executive (RE) or delegated Agency Security Advisor (ASA).

Annexure 2 provides a summary of the certification authorities for the relevant control measures.

Accreditation

Accreditation of security zones involves compiling and reviewing all applicable certifications and other deliverables for the zone to determine and accept the residual security risks. Approval for each security zone to operate at the desired, or required level, is only granted for a specified time. For your agency’s Zones 1-5, the RE (or delegated ASA) is the accrediting authority when the controls are certified as meeting the requirements summarised in Annexure 2.

Recertification and reaccreditation

Your agency’s facilities must be recertified and reaccredited by circumstances including:

  • expiry of the certification –
    1. Zone 2: 10 years
    2. Zones 3-5: 5 years
  • changes in the business impact level associated with the sensitive or security‑classified information or assets stored within the zone
  • significant changes to architecture of the facility or the physical security controls used
  • any other conditions stipulated by the accreditation authority, such as changes to the threat level or other environmental factors of concern.

  1. Refer to ASIO Technical Notes 1/15 and 5/12 to ascertain the requirements of security zones and associated processes. Available via GovTEAMS, where users are required to register for an account and request access to the Protective Security Policy community.

    [Back]
Required action: Dispose of physical assets securely

When your agency’s building, facilities, information, or assets are no longer needed, you must consider the security implications during the decommissioning and disposal phase.

You must ensure that the disposal of your agency’s physical assets is secure and minimises risk to the Tasmanian Government.

Prior to the decommission or disposal of physical assets, such as containers, cabinets, vaults, strongrooms, and secure rooms, it is recommended that you:

  • reset combination locks to the original settings
  • visually inspect and remove all contents from physical assets.

You should refer to the Australian Government Information Security Manual[12] for information on how to sanitise ICT equipment and media before disposal. In some instances, ICT equipment cannot be sanitised and must be destroyed.

  1. For further information, please refer to the Australian Cyber Security Centre website.

    [Back]
Required action: Ensure accreditation of worksites away from agency locations

Working away from the office covers all work undertaken by agency people away from the agency’s facilities and physical locations. When developing working‑away‑from‑the‑office policies and procedures, you should consider the security risks of the environments in which your agency’s people operate, the type of information used and how that information will be accessed.

You must consider the security measures required to enable your agency’s people to work securely when they are working away from the office.

Mobile computing and communications

Mobile computing and communications occur when people are provided access to your agency’s systems and information from locations outside of your agency’s control, using portable devices. Most areas being used for mobile computing and communications (i.e. work from home or mobile work arrangements) are public areas with few, or no, protective security measures in place, and would therefore be rated no greater than a Zone 1 secure area. For this reason, you should implement controls to minimise any residual risk, such as requiring people to carry portable devices at all times; that is, that they are not to be left unattended.

Due to the inherently low security surrounding mobile computing and communications, it may not be possible to implement appropriate zoning requirements away from the office. In these circumstances, you should consider ICT logical security controls to protect your agency’s information and assets. You can find advice on suitable logical controls in the Australian Government Information Security Manual.

Protecting resources while working away from the office

The TAS-PSPF requires agencies to protect their people, information and assets in accordance with the assessed business impact level of compromise or harm. This includes while working away from the office. Your agency should accredit proposed worksites outside of the office in line with the type of work expected to be undertaken.

In determining the feasibility of work away from the office, you must consider:

  • if sensitive or security‑classified information can be appropriately secured
  • if the work area can be independently secured
  • if the work area can be protected from oversight or overhearing by other people
  • if the ICT equipment being used can be secured or segregated from the agency’s ICT system.

It may be difficult to secure an agency’s information when the working environment is not controlled or managed by the originating agency. This situation may present when information is stored or used at commercial facilities, private residences or a service provider’s premises.

It is recommended that you consider all areas outside of your agency’s control as Zone 1 unless you can confirm and certify security measures.

Training in physical security measures

In accordance with TAS-PSPF policy: Security awareness (GOVSEC-3), your agency must provide security awareness communications, training and support to help create a strong security culture. It is important that your agency communicates physical security expectations and measures to your agency people, visitors and anyone who performs work within your agency.

Where specific physical security measures exist within your agency, training in the correct use and application is a requirement of this policy (PHYSEC-1). For all other training, please refer to TAS‑PSPF policy: Security awareness (GOVSEC-3).

Annexure 1: Physical protections for security zones

Control element: Building construction

  • Zone 1: In accordance with agency risk assessment.
  • Zone 2: In accordance with applicable sections of ASIO Technical Note 1/15: Physical security of zones.
    • When only used during business hours: Normal construction to the Building Code of Australia.
    • When also used out of business hours: Normal construction, and:
      • slab-to-slab construction or
      • tamper-evident ceilings or
      • applicable sections of ASIO Tech Note 1/15: Physical security of zones.
  • Zone 3: In accordance with applicable sections of ASIO Technical Note 1/15: Physical security of zones.
    • For protection of valuable physical assets, recommend aligning building construction with level 4 (or above) of the Australian Standard 3555.1. In such cases, construction will be considered to meet minimum security zone protections mandated by this policy.
  • Zone 4: As for Zone 3.
  • Zone 5: Construction complies with:
    • ASIO Technical Note 1/15: Physical security of zones.
    • ASIO Technical Note 5/12: Physical security of Zone 5 (TOP SECRET) areas.

Control element: Perimeter doors and hardware

Doors

  • Zone 1: In accordance with agency risk assessment.
  • Zone 2: Constructed in accordance with ASIO Technical Note 1/15: Physical security of zones.
  • Zone 3: As for Zone 2.
  • Zone 4: As for Zone 2.
  • Zone 5: Constructed in accordance with ASIO Technical Note 5/12: Physical security of Zone 5 (TOP SECRET) areas.

Locks

  • Zone 1: In accordance with agency risk assessment. May use commercial locking systems.
  • Zone 2: As for Zone 1.
  • Zone 3: Minimum SCEC-approved SL3 locks and hardware.
  • Zone 4: As for Zone 3.
  • Zone 5: As for Zone 3.

Keying systems

  • Zone 1: Recommended SCEC-approved SL1 or SL2 keying system.
  • Zone 2: As for Zone 1.
  • Zone 3: SCEC-approved minimum SL3 keying system.
  • Zone 4: As for Zone 3.
  • Zone 5: As for Zone 3.

Control element: Out-of-hours security alarm system (SAS)

  • Zone 1: In accordance with agency risk assessment.
  • Zone 2: In accordance with agency risk assessment.
    • In an office environment, recommend Class 3-4 SAS[13] hard wired in the zone.
  • Zone 3: Type 1A SAS, or Class 5 SAS[13] hard wired in the zone.
    • If no SAS, guard patrols performed at random intervals, within every 4 hours required.
  • Zone 4: Use in accordance with the Type 1A SAS transition policy:
    • For new or significantly expanded sites, SCEC-approved Type 1A SAS with SCEC-approved detection devices (designed and commissioned by SCEC-endorsed security zone consultants)
    • for existing sites, SCEC-approved Type 1 SAS with SCEC-approved detection devices.
  • Zone 5: As for Zone 4.

Detection devices

  • Zone 1: In accordance with agency risk assessment.
  • Zone 2: Hard wired within the zone. Recommended SCEC-approved SL2 or SL3 detection devices.
  • Zone 3: As for Zone 2.
  • Zone 4: SCEC-approved SL3 or SL4 detection devices.
  • Zone 5: As for Zone 4.

SAS contractor clearance requirements

  • Zone 1: In accordance with agency risk assessment.
  • Zone 2: Contractors who maintain these systems provided with short-term access to security-classified resources[14] at the appropriate level for the information stored within the zone.
  • Zone 3: As for Zone 2.
  • Zone 4: Contractors who maintain these systems cleared at the appropriate level for the information stored within the zone.
  • Zone 5: As for Zone 4.

Management of SAS

  • Zone 1: In accordance with agency risk assessment.
  • Zone 2: As for Zone 1.
  • Zone 3: Control of alarm systems directly managed by the agency. 
    • Privileged alarm systems operators and users appropriately trained and security cleared to the level of the security zone.
    • All alarm system arming and disarming personal identification numbers are secure.
  • Zone 4: As for Zone 3.
  • Zone 5: As for Zone 3.

Monitoring and response

  • Zone 1: All alarm systems monitored and responded to in a timely manner.
    • Response capability appropriate to the threat and risk.
  • Zone 2: As for Zone 1.
  • Zone 3: As for Zone 1.
  • Zone 4: As for Zone 1.
  • Zone 5: As for Zone 1.

Control element: Interoperability of alarm system and other building management system

  • Zone 1: In accordance with agency risk assessment.
  • Zone 2: In accordance with agency risk assessment.
    • If a separate SAS and EACs are used, ensure the alarm cannot be disabled by the access control system.
  • Zone 3: Ensure the alarm cannot be disabled by the access control system.
  • Zone 4: Ensure limited one-way interoperability in accordance with Type 1A SAS for Australian Government—Product Integration specification.
  • Zone 5: Ensure limited one-way interoperability in accordance with Type 1A SAS for Australian Government—Product Integration specification.
    • The alarm system may disable access control system when activated.

Control element: Access control systems

  • Zone 1: In accordance with agency risk assessment.
  • Zone 2: In accordance with agency risk assessment.
    • Recommend using identity access card in office environments.
  • Zone 3: Use identity card and sectionalised access control systems.
    • Use electronic access control systems where there are no other suitable verification and access control measures in place.
    • Verify the identity of all personnel, including contractors, issued with EACS access cards at the time of issue (using the National Identity Proofing Guidelines to a minimum level 3).
    • Regularly audit EACS.
  • Zone 4: As for Zone 3, with full audit trail of access control systems.
    • Directly managed and controlled by the entity.
    • Maintained by appropriately cleared contractors.
    • Privileged operators and users are appropriately trained and security cleared to the level of the security zone.
    • Regularly audit EACs.
  • Zone 5: As for Zone 4, with full audit trail of access control systems and dual authentication.

Control element: Technical surveillance counter-measures (TSCM)

  • Zone 1: No requirement.
  • Zone 2: No requirement.
  • Zone 3: In accordance with agency risk assessment.
  • Zone 4: As for Zone 3.
  • Zone 5: TSCM and audio security inspection:
    • for areas where TOP SECRET discussions are regularly held, or the compromise of other discussions may have a catastrophic business impact
    • before conferences and meetings where TOP SECRET discussions are to be held
    • refer to ASIO Technical Note 5/12: Physical security of Zone 5 (TOP SECRET) areas.[15]

Control element: Visitor control

  • Zone 1: In accordance with agency risk assessment.
  • Zone 2: In accordance with agency risk assessment.
  • Zone 3: Visitor and contractor access only for visitors with a ‘need to know’ and with close escort.
    • Recommend providing receptionists and guards with:
      • detailed auditable visitor control and access instructions
      • secure method of calling for immediate assistance if threatened.
  • Zone 4: As for Zone 3, and visitor and contractor access with a 'need to know' and with close escort with constant line of sight.
  • Zone 5: As for Zone 4.

  1. For guidance on alarm systems see Australian Standard AS/NZS 2201.1:2007 – Intruder alarm systems.

    [Back]

  2. Refer to TAS-PSPF policy: Access to, and management of, official information (INFOSEC-1) for guidance on short-term access to security-classified resources.

    [Back]

  3. Available via GovTEAMS, where users are required to register for an account and request access to the Protective Security Policy community.

    [Back]
Annexure 2: Summary of control measures and certification authority

Control measure: Agency-specific threat assessments

  • Zone 1: RE (or ASA) if the need is identified in the risk assessment.
  • Zone 2: As for Zone 1.
  • Zone 3: As for Zone 1.
  • Zone 4: As for Zone 1.
  • Zone 5: As for Zone 1.

Control measure: Agency security risk assessment

  • Zone 1: RE (or ASA).
  • Zone 2: As for Zone 1.
  • Zone 3: As for Zone 1.
  • Zone 4: As for Zone 1.
  • Zone 5: As for Zone 1.

Control measure: Site security plan

  • Zone 1: RE (or ASA).
  • Zone 2: As for Zone 1.
  • Zone 3: As for Zone 1.
  • Zone 4: As for Zone 1.
  • Zone 5: As for Zone 1.

Control measure: SCEC-approved Type 1A SAS

  • Zone 1: N/A
  • Zone 2: N/A
  • Zone 3: N/A
  • Zone 4: SCEC-endorsed security zone consultant[16] (regular servicing by authorised provider required).
  • Zone 5: As for Zone 4.

Control measure: SCEC-approved Type 1 SAS

  • Zone 1: SCEC-endorsed security zone consultant.[16][17][18]
  • Zone 2: As for Zone 1.
  • Zone 3: SCEC-endorsed security zone consultant.[16][18]
  • Zone 4: SCEC-endorsed security zone consultant.[16]
  • Zone 5: As for Zone 4.

Control measure: Commercial alarm system

  • Zone 1: Suitably qualified system installer or designer[17] (regular servicing by authorised provider required).
  • Zone 2: As for Zone 1.
  • Zone 3: As for Zone 1.
  • Zone 4: N/A
  • Zone 5: N/A

Control measure: Electronic access control systems

  • Zone 1: Suitably qualified system installer or designer (current software patches and no obsolete components required).
  • Zone 2: As for Zone 1.
  • Zone 3: As for Zone 1.
  • Zone 4: As for Zone 1.
  • Zone 5: As for Zone 1.

Control measure: Other zone requirements

  • Zone 1: RE (or ASA).
  • Zone 2: RE (or ASA).
  • Zone 3: RE (or ASA).
  • Zone 4: RE (or ASA).
  • Zone 5: RE (or ASA).

Control measure: Certification (including site inspection)

  • Zone 1: RE (or ASA).
  • Zone 2: RE (or ASA).
  • Zone 3: RE (or ASA).
  • Zone 4: RE (or ASA).
  • Zone 5: ASIO-T4.

  1. SCEC-endorsed security zone consultants design and commission SCEC Type 1A SAS in accordance with the requirements of the Type 1A SAS Implementation and Operation Guide.

    [Back]

  2. Inclusion of an alarm system or EACS in Zones 1 and 2 are at the agency’s discretion.

    [Back]

  3. If out-of-hours guard patrols or commercial alarm systems are not used instead.

    [Back]
References and resources
Version control and change log

First publication: April 2023

Revision: February 2024

Next review date: December 2024

Change log:

  • V1.0 April 2023
    • Policy issued
  • V2.0 February 2024
    • Definition: 'core requirement' updated
    • Definition: 'originator' updated
    • Definition: 'protected information' removed and replaced with 'security classified'
    • Definition: 'Responsible Executive' added
    • Definition: 'supplementary requirement' updated
    • Removal of reference to T1 alarms – these have been phased out
Back to top