PHYSEC-2: Agency facilities
Context
Purpose
The PHYSEC-2: Agency facilities policy and guidance will assist agencies to achieve an effective protective security outcome within the physical security domain of the TAS‑PSPF. They address core requirement 14 and its supplementary requirements.
Core requirement
The Accountable Authority must consider physical security measures and ensure they are adopted and integrated in any proposed facility design, selection, development or modification.
Supplementary requirements
To ensure physical security measures are adopted and integrated in facility design, selection, development or modification, the Accountable Authority is responsible for:
- identifying security threats relevant to the facility location, functions and stored assets, in conjunction with any identified accompanying risk[1]
- considering the criticality of the agency’s information, people and assets when assessing risks
- ensuring any protective security measures are integrated to protect against the highest business impact level, in accordance with the agency security risk assessment
- conducting regular reviews of the agency’s physical security measures to ensure ongoing suitability or modifications as necessary.
Access to Tasmanian Government assets by unintended and/or unauthorised people places these assets, and those accessing them, at significant risk.
Early identification and adoption of physical security measures provide protection through separation and isolation of information, people and assets. Consideration of these is critical in agency planning and facility design, selection, development and modification. The early identification and integration of physical security measures will allow agencies to address specific risks with proportionality according to the identified threat and operating environment.
The TAS-PSPF must be applied in conjunction with, and complementing, any work health and safety statutory requirements.
Proportionality and cost effectiveness are also considerations. Physical security measures must also comply with any Treasurer’s Instructions relevant to building/facility design, selection, development or modification.
Guidance
Introduction
Physical security is a key component of your agency’s protective security regime. It is a combination of physical and procedural measures designed to prevent or reduce the risks of compromise or harm to your information, people and assets.
Adopting physical security measures can assist your agency to:
- keep your people, clients and the public safe
- prevent unauthorised people accessing your information, people and assets
- maintain the trust and confidence of the people, agencies and organisations you work with
- deliver services without disruption in the event of increased threat levels.
To do this, you must know what you need to protect. In the physical security space, threats can come from your own people or from outside the agency. Threats are applicable to your information, people and assets when in the office or the usual place of business. Different threats may apply when your people are working away from the office.
Your agency’s unique context and potential threats determine the physical security measures you need. Taking a risk-based approach will ensure that the physical security measures you implement are right for your agency’s operating environment.
Required action: Identify security threats and accompanying risk
Under the TAS‑PSPF, ‘assets’ refers to an agency’s information, people and physical items, including ICT systems, technology and information infrastructure. Identifying assets which are critical to key functionality and ongoing operations is addressed in TAS-PSPF policy: Security planning (GOVSEC-5). GOVSEC-5 also requires agencies to develop a security plan that includes the prioritised application of protective security measures according to the security risks identified for the agency.
It is recommended that you use site-specific risk assessments to help you prepare site‑specific security plans and to include security requirements within other site development plans. The physical protective security measures applied by your agency to its facilities and physical assets are vital to minimising risks of harm or compromise.
When you are determining the physical protective security measures to be applied, it is important that they be proportionate to the threats you have identified and to the likely risk scenarios. Understanding the threats to your agency means determining an adversary’s intent to cause harm, damage or disruption to your agency’s location, functions and/or assets.
The physical facilities that house your agency’s assets must be able to provide the level of protection required, as determined by risk assessments and the security plan in place for your agency. For this reason, you must incorporate protective security considerations into all processes related to facility design, selection and development, or modification of existing facilities.
Required action: Consider criticality of information, people and assets
TAS-PSPF policy: Protecting assets (PHYSEC-1) requires agencies to identify, categorise and keep a record of the agency’s assets which require any level of physical protection.
In support of PHYSEC-1, this policy (PHYSEC-2) requires that when you are assessing risks, you consider the criticality of your agency’s stored information, people and assets as relevant to the facility design, selection, development or modification of your agency’s facility/ies. For more information about criticality assessments, please refer to TAS-PSPF policy: Security planning (GOVSEC-5).
Security planning also involves identifying the business impact level (BIL) of the compromise or loss of, or harm to, agency assets. BILs provide a consistent and coordinated method of categorising security risks and impacts across government. The BIL scale ranges from 1 (low) to 5 (catastrophic): the higher the impact, the stronger the agency’s protective security measures should be. The scale below will assist you in defining the BIL of your agency’s assets.[2]
- Business impact level 1 (low business impact): compromise, loss or harm to assets, including physical assets, is expected to cause insignificant damage to an individual, organisation or government.
- Business impact level 2 (low to medium business impact): compromise, loss or harm to assets, including physical assets, is expected to cause limited damage to an individual, organisation or government.
- Business impact level 3 (high business impact): compromise, loss or harm to assets, including physical assets, is expected to cause damage to individuals, organisations, the state or national interests.
- Business impact level 4 (extreme business impact): compromise, loss or harm to assets, including physical assets, is expected to cause serious damage to individuals, organisations, the state or national interests.
- Business impact level 5 (catastrophic business impact): compromise, loss or harm to assets, including physical assets, is expected to cause exceptionally grave damage to individuals, organisations, the state or national interests.
The protection of information, people and assets is achieved via a combination of procedural and physical security measures.
It is recommended that you use asset control systems to identify, protect, and monitor physical assets. Implementing asset control systems increases accountability and protects against theft, damage, and loss. Asset control procedures should include:
- recording the location and custodian of assets
- periodic auditing of assets
- reporting procedures for the loss or damage of assets.
The business impact levels also correspond to information classifications; for details, see TAS-PSPF policy: Protecting official information (INFOSEC-2).
Required action: Integrate protective security measures
At the earliest possible opportunity, you should consider how your agency will integrate physical security measures into the design, selection, development or modification of facilities.
Protective security measures are more likely to be effective if you address them at the concept and design stages when your agency is planning new sites/buildings, selecting new sites, and planning alterations to existing buildings.
When considering protective security measures for your agency’s facilities, think about:
- the location and size of the site
- ownership or tenancy of the site (e.g. sole occupancy, shared tenancy, multiple agencies/entities)
- collateral exposure (e.g. proximity to other categories of physical assets)
- access needs to the site (e.g. authorised personnel only, public access)
- security classification of information, activities and assets (including ICT assets) to be stored, handled or processed in the facility, or parts of the facility
- the category of other assets stored on the site
- periods of greatest or increased risk (e.g. business hours or out-of-hours)
- protective security measures required for:
  - the site as a whole
  - particular areas within the site (e.g. where a space or floor will hold information of a higher classification than the remainder)
  - storage, handling and processing of security‑classified information
  - security‑classified and other sensitive discussions and meetings.
Site selection
It is recommended that your Responsible Executive (RE) and Agency Security Advisor (ASA) are involved in the assessment of:
- the suitability of the physical security environment of a proposed site for agency facilities
- whether the facility can be constructed or modified to include the security measures that will provide the appropriate level of protection.[3]
There are several physical security risk factors to consider before a site is selected for your agency. Some of these factors are described in the box below.
Neighbourhood: The neighbourhood may present security‑related issues, e.g. local crime activity, risks from neighbouring entities or businesses, suitability of neighbours, and risks associated with oversight of operations.
Standoff perimeter: Standoff perimeters refer to the distance placed between a facility and any identified threat e.g. hostile people and vehicle‑borne attacks. It may not be possible to achieve an effective standoff perimeter in urban areas for some threats. It is recommended that agencies seek further advice where specific or known threats have been identified.[4]
Site access and parking: The need and ability to control access of pedestrians and vehicles to the site. This includes the facility itself, parking and the required standoff perimeter.
Building access points: The ability or need to secure all building access and egress points, including entries and exits, emergency exits, air intakes and outlets, and service ducts.
Security zones: Establishing security zones based on:
- agency risk assessments
- business impact levels
- security-in-depth at the site.[5]
Environmental risks: Natural disasters and potential mitigation strategies.
Construction of buildings
All building work in Australia (including new buildings and building work in existing buildings) must comply with the requirements of the Building Code of Australia (BCA).[6] The BCA classifies buildings according to the purpose for which they are designed, constructed or adapted to be used. The BCA requirements for commercial buildings, including facilities used by agencies, provide an increased level of perimeter protection as well as protection for assets and information where their compromise, loss of integrity or unavailability would have a business impact level of medium or below.
You may include additional building elements to address specific risks identified in the risk assessment for your agency where building hardening[7] may provide some level of mitigation. For example:
- blast mitigation measures
- forcible attack resistance
- ballistic resistance
- siting of road and public access paths
- lighting (in addition to security lighting).
TAS-PSPF policy: Protecting official information (INFOSEC-2) requires that agencies using Zones 2-5 for storage of sensitive or security‑classified information and assets must construct facilities in accordance with the relevant sections of ASIO Technical Note 1/15: Physical security of zones.[8] It further requires that agencies constructing Zone 5 areas that will store TOP SECRET information or aggregated information – the compromise, loss of integrity or loss of availability of which may cause catastrophic damage – must also use ASIO Technical Note 5/12: Physical security of Zone 5 (TOP SECRET) areas.
Physical security measures are designed to reduce the likelihood of security events; the site and design must also accommodate normal business.
[4] Where a specific or known threat has been identified, further information (e.g. hostile vehicle mitigations, blast mitigations) is available via the ASIO Outreach website, which requires registration for an account.
[5] Security-in-depth is a multi-layered approach to security, where measures combine to make it more difficult for intruders, or for authorised people, to gain unauthorised access.
[6] Refer to the Building Act 2016 for relevant state legislation in accordance with the BCA.
[7] Building hardening is the process of making a building a less attractive and more difficult target.
[8] ASIO Technical Notes detail protective security mitigations to maintain the confidentiality and integrity of sensitive and security‑classified information and assets. Access to the Technical Notes is via GovTEAMS, where users are required to register for an account and request access to the Protective Security Policy community.
Required action: Conduct reviews of physical security measures
Your ASA is responsible for conducting regular reviews of your agency’s physical security measures to monitor their efficacy, relevance and use, while confirming they are fit for purpose.
It is recommended that your agency uses a combination of methods, such as monitoring, reporting, reviewing and auditing, to help determine if:
- physical security policies are being followed
- physical security controls are effective
- any new threats or practices have developed.
You should anticipate that your agency’s security threats and vulnerabilities will change. Regular reviews of all protective security measures will help your agency prepare for that change. Revising your agency’s physical security measures as appropriate enables contemporary and proactive maintenance of the requirements under the TAS-PSPF.
Agencies must communicate changes that affect their people and advise them of any new policies and procedures as they are introduced. The TAS-PSPF policy: Security planning (GOVSEC-5) requires agencies to review their security plans at least every 2 years. However, you should consider your agency’s security plan to be a living document that can accommodate the evolving environment and changes which may be required.
References and resources
- Australian Government, GovTEAMS, where users are required to register for an account and request access to the Protective Security Policy community
- Australian Government, Protective Security Policy Framework - Policy 15: Physical security for entity resources (PDF)
- Australian Government, Protective Security Policy Framework - Policy 16: Entity facilities (PDF)
- ASIO T4 Protective Security, Security Managers Handbook – Introduction to protective security measures, available to authorised people via the GovTEAMS protective security community
- South Australian Government, PHYSEC 1: Physical security (PDF)
- Tasmanian legislation, Building Act 2016
Version control and change log
First publication: April 2023
Revision: February 2024
Next review date: December 2024
Change log:
- V1.0 April 2023
  - Policy issued
- V2.0 February 2024
  - Definition: 'core requirement' updated
  - Definition: 'originator' updated
  - Definition: 'protected information' removed and replaced with 'security classified'
  - Definition: 'Responsible Executive'
  - Definition: 'supplementary requirement' updated