3.1
This chapter sets out the Committee’s findings in relation to Department of Foreign Affairs and Trade (DFAT) staff skills and training in overseas post security. The Chapter comprises the following sections:
Committee conclusions and recommendations
Security training program
Committee conclusions and recommendations
3.2
It is the Committee’s view that governance arrangements can only be effective with the necessary staff skills and capability underpinning them. On review of the available evidence, improvements were required to DFAT’s monitoring and assurance to obtain sufficient visibility over staff capability.
3.3
The Committee notes DFAT’s comments that work is underway on its human resource (HR) management system to address limitations in the recording of security training information. However, the Committee was concerned that these limitations prevent the consistent monitoring and assurance over whether staff have received the required security training for their posting. It was not clear, from the evidence provided, which of the HR upgrades referred to is expected to facilitate ‘greater assurance’ and when.
3.4
The Committee recommends that the Department of Foreign Affairs and Trade provide the Committee with a detailed outline of:
how recent improvements to DFAT’s systems are providing assurance that staff have received the required security training for their posting
any further improvements to these systems that DFAT is planning to implement, including timeframes
3.5
As discussed in Chapter 2, DFAT outlined several ways in which it measures the department’s security culture. The Committee considers that ensuring staff have completed the appropriate training is paramount to fostering an effective security culture.
3.6
In addition to ensuring staff complete the required training, DFAT should ensure that the required training is appropriate. That is, DFAT should ensure there are appropriate arrangements to measure the effectiveness of its security training program. This would include assessing whether courses contribute to improving the department’s security culture and are offered on a sufficiently regular basis.
3.7
The Committee recommends that the Department of Foreign Affairs and Trade:
review the level of support it provides to Canberra-based and out-posted staff regarding post security, with particular attention to the effectiveness of the security training program
report back to the Committee on the methodology and results of this review
implement improvements to strengthen the security training program as necessary
3.8
The Committee sees benefit in requiring locally engaged staff to complete mandatory cyber security training, and welcomes DFAT’s consideration of implementing such arrangements. In line with the above recommendation, DFAT should evaluate whether current cyber security training provided to Australian staff is adequate to establish a culture of, and capability for, cyber resilience.
3.9
The Australian Cyber Security Growth Network has stated: ‘An organisation will only be successful in fending off cyber adversaries if it creates a strong culture of risk awareness’ and that it ‘needs to ensure that all staff are well‑trained and conscious of common cyber security threats.’ Consistent with such statements, the Committee was pleased to note that DFAT has in place a security communications program and expects that this would include cyber security, to ensure staff are educated on the risks and mitigation strategies.
3.10
The Committee recommends that the Department of Foreign Affairs and Trade:
mandate the completion of cyber security training for locally engaged staff
make available to the Committee a summary of key initiatives under the department’s security communications program, and outline for the Committee how this program contributes to staff education on cyber security
Review of evidence
Overview of staffing
3.11
As at 30 June 2017, DFAT’s 104 posts were staffed by approximately 897 Australian, and 2419 locally engaged, DFAT staff. Australian staff include Post Security Officers (PSOs) and Regional Security Advisers. PSOs manage the security at overseas posts through activities such as: delivering training, managing and implementing measures, and undertaking risk management and reporting. Regional Security advisers provide specialist support to posts that are assessed to be high threat or located in volatile security environments.
3.12
As at 7 February 2018, the Security Branches division in Canberra had 61 APS staff and around 27 contractors. The division’s responsibilities include: setting and providing advice on security policies, undertaking threat and risk assessments, and conducting overseas security inspections. Contractors are employed for various purposes, including contract management, vetting and security fit-outs.
Security training program
3.13
DFAT’s annual overseas security training program consists of six core courses for Australian staff (including one for PSOs) and several optional courses for locally engaged staff (LES), with three delivered in 2015–16 (to a total of 27 staff). DFAT provides some training to LES on request, however was unable to fulfil a request identified by the ANAO, due to ‘other current work pressures, resource constraints and staff absences’.
3.14
DFAT outlined its overseas security training requirements:
All DFAT security-cleared staff must complete the new starter’s security awareness training within 3 months of commencing and complete the annual protective security e-quiz.
Additionally, all staff assigned a posting or short-term mission must undertake mandatory overseas security training before deployment. Each post has its own program of mandatory security training specific to its threat and risk environment, which is reviewed annually by the Security Training Section and the Threat and Operational Security Section.
Staff must also complete the annual e-learning exercise as a refresher.
3.15
Feedback provided to the ANAO by DFAT staff indicated that security training ‘could include more specific information and examples relevant to the roles at post and corresponding threat environments.’ The ANAO also observed that the ‘training for staff in the Security Branches division undertaking security inspections [was] limited’.
3.16
While the ANAO also identified opportunities to strengthen PSO training, recent initiatives by DFAT suggest some improvements to the support provided. For example, DFAT advised that the new DSF includes a PSO Handbook outlining key obligations and responsibilities. DFAT also submitted:
In developing a ‘community of practice’ for PSOs, DFAT has undertaken six PSO workshops over the last 12 months to provide further training and networking opportunities. A new Sharepoint site, accessible by all PSOs, allows them to access ‘real-time’ threat and risk reports maintained by the Security Branches in Canberra.
3.17
In addition to formal courses, DFAT has an ‘active security communications program’ which ‘undertakes a minimum of four major campaigns a year, based on key security risks.’ Crisis Action Plan exercises are also required to be undertaken annually at post.
Cybersecurity training
3.18
Various organisations, including the Australian Cyber Security Growth Network, have emphasised the importance of staff awareness and training in cyber security. The Prime Minister highlighted the need for Australian businesses and governments to ‘better educate and empower [their] employees to use sound practices online.’ Consistent with such statements, DFAT informed the Committee of several measures it has in place.
3.19
Firstly, a cybersecurity component is included in the day-long Overseas Security Awareness course (face-to-face). This is mandatory for all staff going on posting. To supplement this, senior officers are provided with briefings on cyber security issues prior to their departure. Additionally, when staff from the Information Management and Technology Division are ‘doing a maintenance program or visiting a post’ they provide ‘awareness training’ to staff available at that post.
3.20
A 45 minute e-learning module on cyber security is also offered. DFAT ‘strongly [encourages]’ its staff to complete this, ‘whether they be locally engaged or Australian based’.
3.21
LES are currently not required to complete training in cybersecurity. DFAT advised that it is considering mandating such training for these staff.
Assurance over training
3.22
The ANAO found that the ‘information systems used to record [DFAT’s] security training information [did] not provide management with informative reporting and assurance that staff deployed overseas have the appropriate security training.’
3.23
In response to questions on notice from the Committee, DFAT submitted:
Staff enrol in security training courses through DFAT’s human resources management information system. Attendance at each course is verified by the trainer and cross-referenced against the staff member’s enrolment. The trainer also records satisfactory completion of the course in the system. Records of completed security training are visible to all staff with administrator rights to the system.
Staff are only granted permission to travel once the Security Training Section have advised DFAT’s Staffing Branch that all mandatory training has been completed.
3.24
At the public hearing, DFAT advised that there is ‘also the ultimate assurance, which is that no one gets to go on postings overseas… unless they have the signature of [the] head of security training section confirming that they have undertaken all of the mandatory security training.’
3.25
Noting that the ANAO did not ‘do an audit of that process’ for DFAT, the Auditor-General referred to previous audits of agencies ‘which purported to have those outcomes but didn’t have the underlying data systems to assure themselves that they knew who had done the training’. In those audits, the ANAO identified cases where some of these approvals were provided in the absence of underlying evidence. However, the Auditor-General emphasised that the ANAO ‘didn’t do work to come to that conclusion’ for DFAT.
3.26
DFAT acknowledged that its systems have not been able to ‘record and… be interrogated to provide’ information on ‘who’s had training’ in a ‘consistent way’. The department advised that it has recently undergone an upgrade to its human resource management system, and is currently planning another ‘in three or four years’ time’. It was not clear, from the evidence provided, which of these upgrades is expected to facilitate ‘greater assurance’ and when.
3.27
DFAT was also unable to advise how many LES had completed e‑learning or face-to-face awareness training on cyber security. The department does not expect to have a single holistic system to monitor whether LES have completed cybersecurity training for a number of years.
3 May 2018