Protective security resources

The following resources are designed to support agency implementation and understanding of Tasmania’s Protective Security Policy Framework (TAS-PSPF).

Framework
Guiding policies

Plain language policy summaries
TAS-PSPF Directions
Security awareness materials
Self-assessment and annual reporting
Glossary

The terms below are defined in the context of the TAS-PSPF.

Guiding terms

must/will/required/responsible for

Each of these terms refers to an essential action that all agencies and Accountable Authorities must take.

must not

This term refers to an action that is prohibited – agencies and Accountable Authorities must NOT take this action.

should not

This term refers to an action that agencies and Accountable Authorities ought to avoid, unless justifiable circumstances prevent an alternative action.

may

This term refers to an action that is optional to agencies and Accountable Authorities.

Definitions

Accountable Authority/ies

The person or people responsible for, and with control over, a Tasmanian Government public authority. This includes, but is not limited to, agencies (as defined in the State Service Act 2000), administrative units, bodies corporate, statutory authorities, and instrumentalities of the Crown.

agency/ies

A Tasmanian Government agency/department or sub-entity.

Agency Security Advisor (ASA)

The person nominated to perform security functions or specialist services related to security within an agency. This role supports the Accountable Authority in security monitoring and compliance.

ASIO Outreach

ASIO’s public‑facing website, which provides advice to government, industry and academia on current and emerging security threats and security policy, available by subscription.

asset

An agency’s people, information, and physical items, including ICT systems, technology and information infrastructure.

availability

Ensuring that authorised users have access to information and associated assets when required.

classification

A process that determines and stipulates the extent of protection required to prevent information from compromise and harm.

compromise

May include exposure to loss and unintended or unauthorised access, misuse, information disclosure and intrusion of business activities and information. Compromise is a risk and hindrance to business delivery, safety and security.

confidentiality

Ensuring that information is accessible only to those who are authorised to have access and have a ‘need to know’.

consequence

The outcome, or expected outcome, of any compromise of information or a security incident.

contractor

External or third party contracted to provide services to an agency. For the purpose of the TAS‑PSPF, contractor includes sub-contractor and service provider.

core requirement

A requirement that agencies must meet to achieve the government's required protective security outcomes. Each of the 14 TAS‑PSPF policies includes a core requirement (as well as supplementary requirements).

employees

All people conducting work on agency premises, including contractors. See also: people.

function

The purpose or role of an agency.

handling

Any processes for accessing, transmitting, transferring, storing or disposing of official information.

integrity

Safeguarding the accuracy and completeness of information and processing methods, i.e. information has been created, modified or deleted by the intended authorised means and is correct and valid.

official information

All Tasmanian Government documents, intellectual property and information that is held, transmitted, or obtained by an agency.

originator

The instigating individual (or agency) who generated or received the information and is responsible for classifying it.

outcomes

The protective security ‘end-state’ aims of the Tasmanian Government relating to 4 security domains: governance, information, people and physical.

people

Employees and contractors, including secondees and any service providers that an agency engages. It also includes anyone who is given access to Tasmanian Government assets.

principles

Fundamental values that guide decision‑making. There are 5 principles that inform protective security settings in the TAS-PSPF.

  1. Security is a responsibility of government, its agencies and its people.
  2. Each agency is accountable and owns its security risks.
  3. Security will be guided by a risk management approach.
  4. Strong governance ensures protective security is reflected in agency planning.
  5. A positive security culture is critical.

protection

The processes and procedures applied to ensure the confidentiality, integrity and availability of information and assets.

protective marking

The level of classification applied to information, and any other handling instructions or protections the information requires due to the level of harm should it be compromised.

PSPF maturity rating

The level to which an agency has addressed and implemented the core and supplementary requirements in the TAS‑PSPF.

Responsible Executive (RE)

The person who oversees protective security matters within your agency; they may also be the Chief Security Officer (CSO).

risk appetite

The risk an agency or Accountable Authority is willing to accept.

risk tolerance

The level of risk an agency is comfortable taking after risk treatments have been applied to achieve an objective or manage a security risk.

security classified

Information that holds a classification of PROTECTED, SECRET or TOP SECRET and must be protected against compromise. Access to the information must be controlled, and it must be accessed by appropriately security-cleared people.

security culture

The characteristics, attitudes and habits within an organisation that establish and maintain security.

security incident

A security incident is:

  • an action, whether deliberate, reckless, negligent or accidental, that fails to meet protective security requirements or agency‑specific protective security practices and procedures which results, or may result in, the loss, damage, corruption or disclosure of information or assets
  • an approach from anybody seeking unauthorised access to protected assets
  • an observable occurrence or event (including natural or man-made events) that could harm Tasmanian Government information, people or assets.

security maturity

The measure of an agency’s ability to manage their security risks within their risk environment and aligned to their risk tolerances.

security plan

Central document detailing how an agency plans to manage and address their security risks.

security risk

Something that could result in compromise, loss, unavailability or damage to information or assets, or cause harm to people.

security risk management

Managing risks related to an agency’s information, people and assets.

security vetting

An authorised vetting agency's assessment of a clearance subject's suitability to hold a security clearance.

sensitive

Information classified as sensitive is not security-classified information; however, this information requires some protections on a ‘needs to know’ basis.

supplementary requirements

The actions needed to implement the TAS-PSPF core requirements and attain the government's required protective security outcomes. Each of the 14 core requirements includes supplementary requirements to help implement the TAS‑PSPF.

threat

The intent and capability of an adversary.

threat actor/adversary

An entity that is partially or wholly responsible for an incident that impacts – or has the potential to impact – an agency’s security.

visitor

Any person who attends an agency and/or has access to its assets, who is not employed or otherwise engaged by that agency.

zone

The physical locality, workspaces, and design of areas within an agency that store assets and information, specifically where information is produced, accessed, handled and stored. Security zoned areas range from 1 to 5, where the security requirements increase with the applicable zone number allocation.