Security of Government Buildings

  1. Slide 1: Security of Government Buildings. Tabled 29 May 2019.
     This presentation provides an overview of the Victorian Auditor‐General’s report Security of Government Buildings.

  2. Slide 2: Focus of this audit
     • Department of Justice and Community Safety (DJCS)
     • Department of Treasury and Finance —Shared Service Provider (SSP)
     • Department of Health and Human Services (DHHS)
     • Is government office accommodation sufficiently secure against unauthorised access and antisocial behaviour?
     • Are governance arrangements effective?
     • Do security measures keep government accommodation sufficiently secure?
     Our overall audit objective was to determine whether government office accommodation is sufficiently secure to prevent unauthorised access and antisocial behaviour. Government office security is important for protecting the safety of staff and visitors as well as protecting information and assets within the building. We examined the Department of Treasury and Finance’s (DTF) Shared Services Provider (SSP). DTF is the responsible department for coordinating government office accommodation and managing the State Purchase Contract for security services. We selected the Department of Health and Human Services (DHHS) and the Department of Justice and Community Safety (DJCS) as two case study examples.

  3. Slide 3: What we found
     • Physical and protective security governance arrangements are not effective; there is no statewide leader
     • A weak security culture undermines the effectiveness of security infrastructure and measures
     Security threats are a real everyday risk to government agencies. We found that Victoria's current security governance arrangements are not effective as there is no statewide leader. Then, at the department level, weak security cultures undermine the effectiveness of the security infrastructure at the audited facilities.

  4. Slide 4: Protective Security
     [Diagram: Protective Security Governance, covering Information and ICT security, Physical security, and Personnel security]
     Government agencies keep their people, information and assets secure through protective security. Physical security is one of three protective security domains, together with personnel and information security. Physical security is the first layer of defence to prevent unauthorised access to buildings and protect staff against occupational violence.

  5. Slide 5: Physical Security
     [Diagram: Physical security, made up of Policies, Procedures and Infrastructure]
     Physical security measures include policies (such as a clear desk policy), procedures (such as visitor and contractor sign in using personal identification), and infrastructure (such as barriers).

  6. Slide 6: Leadership
     • No statewide leadership
     • No statewide security policy
     • Inconsistent departmental practices
     There is no statewide leader to provide strategic direction, oversight and coordination of protective or physical security. The SSP, as a service provider, is responsible for the security operations of its clients, and is not a policy lead for physical security. The state does not have a whole‐of‐government principle‐based security policy that includes all stages of security management. In the absence of statewide leadership, we found two different approaches to physical security at the department level. DJCS has made positive steps towards developing department‐wide policies and procedures for security management, but DHHS has not developed its security policies and procedures, exposing it to higher risks.

  7. Slide 7: Ineffective governance arrangements
     • Limited risk assessment and security planning
     • Limited security awareness training
     • Weak security culture
     • Roles and responsibilities not clearly understood; limited strategic communication
     • Incident reporting, monitoring and evaluation not mature or integrated
     Overall, we found a weak security culture and ineffective governance arrangements because audited departments do not undertake regular, comprehensive risk assessments, which limits the effectiveness of subsequent security planning. We also found that roles and responsibilities for security management between the SSP and audited departments are not clear. Additionally, audited departments have not rolled out security awareness training, and there are no integrated systems for reporting or monitoring security incidents. SSP data for July to December 2018 shows that the most common recorded incident type relates to staff safety, while medical incidents are also common. Incidents relating to the physical security of office accommodation — such as unauthorised access, access control, suspicious activity or suspicious packages — were reported less frequently, but still occurred in this period.

  8. Slide 8: Security services management
     • Departments engage security services independent of the SSP
     • Not always a timely or risk based approach to security services management issues
     • No whole‐of‐government approach for alarm monitoring or maintenance
     The state has limited visibility and control over the management of security services. This is because the SSP has no oversight of security services that departments independently engage. We also found that the management of security services is limited in responding to security concerns in a timely and risk‐based manner. There is also no whole‐of‐government state purchase contract for security systems such as alarm monitoring and maintenance, which is a lost opportunity for cost efficiency.

  9. Slide 9: Physical security testing
     • Engaged a consultant to test security at selected DHHS and DJCS locations
     • Gained access to all locations—staff did not understand their role in maintaining security or comply with processes
     • Accessed master keys
     • Accessed unsecured sensitive information
     • Several moderate breaches
     We tested physical security at selected DHHS and DJCS locations. While we observed some good behaviour, such as staff questioning and requesting identification, we also identified some significant security risks. We gained access to staff‐only areas at all the sites and found sensitive information outside an office. This is because staff do not fully understand their role in maintaining physical security or comply with established processes. In addition to this, we observed several risks of a more moderate nature. For example, lax processes for visitor or contractor sign in and approval.

  10. Slide 10: Recommendations
     8 recommendations for DTF
     • Develop a statewide principle based physical security policy
     • Finalise accommodation guidelines
     • Improve statewide security incident reporting
     • Improve strategic communication
     • Develop KPIs for security services management
     • Provide agencies with terms and conditions in the accommodation leases and Security Services State Purchase Contract (SPC)
     • Explore options for a security monitoring and maintenance SPC
     2 recommendations for DHHS and DJCS
     • Promote a strong security culture and good governance
     • Implement and enforce clean desk and clear screen policies
     2 recommendations for DHHS
     • Develop design standards for accommodation planning and office refurbishments
     • Develop a governance structure for security management, including clear accountability and executive oversight
     We made eight recommendations to the Department of Treasury and Finance, related to:
     • establishing leadership and policy for physical security
     • improving physical security governance, including incident reporting and strategic communications
     • improving transparency of the terms and conditions of the Security Services SPC and accommodation leases.
     We made two recommendations to DJCS and DHHS about strengthening security governance and culture. We made two further recommendations to DHHS, to establish governance structures, executive oversight and office accommodation planning guidelines. The Department of Premier and Cabinet, although not an audited agency, agreed to collaborate on a statewide security policy.

  11. Slide 11: For further information, please view the full report on our website: www.audit.vic.gov.au
