JavaScript is required

3. Physical security

Physical security measures are implemented to minimise the risk of information or resources being tampered with, accessed, used or removed without proper authorisation.

3.1 Security zones and control measures

In areas where security classified information and assets are used, transmitted, stored or discussed, the area must be certified and accredited in accordance with any applicable ASIO Technical Note.

Table 5 describes the five physical security zones
Zone name Zone definition
Zone 1
  • public access (including a home office)
Zone 2
  • restricted public access. Unrestricted access for authorised personnel
  • may use single factor authentication for access control (such as a security pass)
Zone 3
  • no public access
  • visitor access only for visitors with a need to know and with close escort
  • restricted access for authorised personnel
  • single factor authentication for access control
  • area must be certified and has specific construction requirements
Zone 4
  • no public access
  • visitor access only for visitors with a need to know and with close escort
  • restricted access for authorised personnel with appropriate security clearance
  • single factor authentication for access control
  • area must be certified and has specific construction requirements
Zone 5
  • no public access
  • visitor access only for visitors with a need to know and with close escort
  • restricted access for authorised personnel with appropriate security clearance
  • dual factor authentication for access control
  • area must be certified and has specific construction requirements

3.2 Working with security classified material in the office

Most VPS staff work in offices that are classified as zone 2; where there is restricted public access however access for authorised personnel is unrestricted. Access is usually controlled by single factor authentication, such as swiping an access security pass.

The risk of unauthorised access to security classified material is heightened in areas with unrestricted staff access. DPC recommends storage of hard copy security classified material be kept to a minimum and avoided if possible, particularly in zone 2 areas.

Storage of PROTECTED material is permitted in zone 2 areas in a Class C container.

Storage of information classified SECRET in a zone 2 area is permitted if a Class B container is used.

Clear desk policies apply in all situations where classified information is in use, including securing classified information in an appropriate security container at all times when the staff member is not at his or her workstation.

Working with security classified information in a public place, or anywhere where the information can be overseen or overheard by un-authorised people should be avoided at all times.

3.3 Working away from the office

Staff working from home (or from any other unsecured area) are essentially working in a zone 1 public access area.

Storage of PROTECTED material in a zone 1 area is to be avoided. If unavoidable it must be secured in a Class C container, commercial safe or vault when not in use. It must be:

  • transported securely, and not visible or audible to unauthorised people
  • appropriately secured
  • protected from oversight or overhearing by others, including family and children
  • secured or segregated from agency or department ICT systems if ICTis being used
  • not stored or used on home IT equipment where that system is not appropriately secured.

Storage of SECRET material in a zone 1 area (including at home) is not permitted unless exceptional circumstances apply and the originator of the material approves it.

TOP SECRET material is not to be stored, accessed or used in any public or zone 1 area (including at home) or office area less than zone 3.

B class container
B class container
Compactus
Compactus

3.4 Storing security classified information

Special care must be taken when storing classified information. The zoning of the space or work area where the information needs to be stored will dictate the type of container that may be used to store the information.

The PSPF describes in detail storage requirements for information based on the business impact level assessment.

Table 6 provides an overview of storage container requirements for security classified material. Containers must be approved by the Security Construction and Equipment Committee.

Table 6 – Overview of storage container requirements
Classification Security zone of the designated workplace Minimum storage requirements
PROTECTED Zones 2 and 3 Class C container
Zones 4 and 5 Lockable container
Outside workplace Class C container
SECRET Zone 2 Not to be stored
Zone 3 Class B container
Zones 4 and 5 Class C container
Outside workplace Not recommended to be stored
TOP SECRET Zone 2 Not to be stored
Zone 3 Class A container*
Zone 4 Class B container*
Outside workplace NOT to be stored

*Time limited storage in exceptional

Updated