Auditor slams govt’s security vetting systems

Information systems at the Australian Government Security Vetting Agency (AGSVA) are still failing to meet the agency’s business needs resulting in “inefficient processes and data quality and integrity issues,” an audit has concluded.

The AGSVA was established with the Department of Defence in October 2010 to provide centralised security vetting of government personnel.

The Australian National Audit Office (ANAO) has released the results of its scrutiny of the AGSVA as well as the personnel security standards at five agencies, including the Digital Transformation Agency (DTA).

The audit highlighted a range of shortcomings at the AGSVA, with the ANAO report finding that a “significant proportion” of vetting assessments conducted in 2015-16 and 2016-17 “resulted in potential security concerns being identified” — however, 99.88 per cent of vetting decisions “were to grant a clearance without additional risk mitigation”.

“On rare occasions AGSVA minimised risk by denying the requested clearance level and granting a lower level, or avoided risk by denying a clearance,” the report states.

The agency “does not provide information about identified security concerns to sponsoring entities outside Defence due to a concern that disclosure would breach the Privacy Act 1988,” the report adds.

In mid-2015, the ANAO warned that despite Defence investing $37 million since 2008 in upgrading AGSVA’s ePack2 system and PSAMS2 (Personnel Security Assessment Management System), the systems still lacked “reliability and functionality”.

Defence “is in the scoping and approval stages of a project to develop a replacement ICT system, which is expected to be fully operational in 2023,” the new ANAO report states

“Due to concerns about system stability, AGSVA has not been able to provide its contractors with access to PSAMS2, which means clearance records are communicated via both mail and email,” the report reveals. “As a result, contractors accumulate a considerable volume of hard-copy and electronic information, over which AGSVA has limited oversight.”

DTA shortcomings

The audit found shortcomings across all the agencies whose personnel security policies were scrutinised. However, the DTA, which is the youngest of the agencies covered by the report, stood out for its failure to develop adequate plans and policies.

DTA has only a draft security plan, the report states. The agency “did not have any formal protective security policies”; the DTA “had developed draft protocols for physical and information security, but not for personnel security,” the report states.

“The DTA is currently is in the process of developing the DTA security plan and the protective and personal security policies,” the agency said. “The DTA acknowledges that this is an immediate action and implementation.”