3.1 Security zones and control measures
In areas where security classified information and assets are used, transmitted, stored or discussed, the area must be certified and accredited in accordance with any applicable ASIO Technical Note.
| Zone name | Zone definition |
|---|---|
| Zone 1 |
|
| Zone 2 |
|
| Zone 3 |
|
| Zone 4 |
|
| Zone 5 |
|
3.2 Working with security classified material in the office
Most VPS staff work in offices that are classified as zone 2; where there is restricted public access however access for authorised personnel is unrestricted. Access is usually controlled by single factor authentication, such as swiping an access security pass.
The risk of unauthorised access to security classified material is heightened in areas with unrestricted staff access. DPC recommends storage of hard copy security classified material be kept to a minimum and avoided if possible, particularly in zone 2 areas.
Storage of PROTECTED material is permitted in zone 2 areas in a Class C container.
Storage of information classified SECRET in a zone 2 area is permitted if a Class B container is used.
Clear desk policies apply in all situations where classified information is in use, including securing classified information in an appropriate security container at all times when the staff member is not at his or her workstation.
Working with security classified information in a public place, or anywhere where the information can be overseen or overheard by un-authorised people should be avoided at all times.
3.3 Working away from the office
Staff working from home (or from any other unsecured area) are essentially working in a zone 1 public access area.
Storage of PROTECTED material in a zone 1 area is to be avoided. If unavoidable it must be secured in a Class C container, commercial safe or vault when not in use. It must be:
- transported securely, and not visible or audible to unauthorised people
- appropriately secured
- protected from oversight or overhearing by others, including family and children
- secured or segregated from agency or department ICT systems if ICTis being used
- not stored or used on home IT equipment where that system is not appropriately secured.
Storage of SECRET material in a zone 1 area (including at home) is not permitted unless exceptional circumstances apply and the originator of the material approves it.
TOP SECRET material is not to be stored, accessed or used in any public or zone 1 area (including at home) or office area less than zone 3.
3.4 Storing security classified information
Special care must be taken when storing classified information. The zoning of the space or work area where the information needs to be stored will dictate the type of container that may be used to store the information.
The PSPF describes in detail storage requirements for information based on the business impact level assessment.
Table 6 provides an overview of storage container requirements for security classified material. Containers must be approved by the Security Construction and Equipment Committee.
| Classification | Security zone of the designated workplace | Minimum storage requirements |
|---|---|---|
| PROTECTED | Zones 2 and 3 | Class C container |
| Zones 4 and 5 | Lockable container | |
| Outside workplace | Class C container | |
| SECRET | Zone 2 | Not to be stored |
| Zone 3 | Class B container | |
| Zones 4 and 5 | Class C container | |
| Outside workplace | Not recommended to be stored | |
| TOP SECRET | Zone 2 | Not to be stored |
| Zone 3 | Class A container* | |
| Zone 4 | Class B container* | |
| Outside workplace | NOT to be stored |
*Time limited storage in exceptional
Updated