This is the multi-page printable view of this section. Click here to print.
Defence Industry Security Program (DISP)
1 - Contact the DISP team
2 - What is DISP?
The Defence Industry Security Program (DISP) is an Australian Government membership program designed to help companies meet the necessary security requirements when working with the Department of Defence or handling sensitive Defence information. Its underpinned by the Defence Security Principles Framework - Principle 16, Control 16.1, Defence Industry Security.
It is essentially security vetting for Australian entities.
The purpose of DISP is to:
- ensure industry has the right security in place for Defence tenders and contracts
- provide industry with access to security advice and support services
- help industry to understand and manage security risks
- provide assurance to Defence and other government entities when working with DISP members.
DISP has several levels of accreditation, and we are currently focused on Entry Level compliance, which covers the foundational security requirements for working with Defence-related contracts and information.
DISP covers four core areas (“security domains”):
- Security governance: Managing security risks and maintaining compliance with security standards.
- Personnel security: Ensuring that staff with access to sensitive information are vetted and trustworthy.
- Physical security: Protecting facilities and locations where defense information or assets are stored.
- ICT and cyber security: Safeguarding Defence-related data and systems in the cyber realm.
Our commitment to DISP compliance helps us protect Defence information, meet government standards, and ensure trust with our Defence partners.
Why does DISP matter to me?
Regardless of your role at Vaxa, DISP compliance is essential because it affects how we all handle sensitive information and protect the security of our workplace–even if this is not Defence-related information. It’s forms part of our standard that we strive to achieve across our entire organisation, you included.
Here’s why it matters:
- Protecting sensitive information: DISP requires that we handle Defence-related data with the utmost care. This means following strict guidelines when accessing, sharing, or storing information to prevent leaks or unauthorized access.
- Maintaining trust: Our ability to work with Defence, Defence industry, and some Commonwealth contracts depends on meeting DISP requirements. By following these guidelines, we demonstrate that we can be trusted to handle their sensitive information securely.
- Personal responsibility: Every employee plays a part in keeping Vaxa compliant. Whether it’s following the Acceptable Use Policy for IT systems, participating in security training, or reporting suspicious activity, your actions directly contribute to our overall security.
- Job security and growth: Being compliant with DISP allows Vaxa to continue working with government clients and Defence, which helps the company grow and secure more opportunities. That stability benefits every employee by creating a safer, more secure workplace and ensuring the long-term success of our projects.
In short, DISP compliance means keeping our workplace secure, maintaining trust with our clients, and contributing to the success and growth of Vaxa. Every action you take to support security helps ensure we meet these standards.
3 - Our DISP Compliance Statement
Overview of Our Compliance Approach
Our compliance strategy is built on four key pillars:
- Risk Management: Continuous identification, assessment, and mitigation of risks related to Defence information and operations.
- Policy Implementation: Comprehensive and up-to-date policies governing information security, access control, incident response, and personnel security.
- Training and Awareness: Regular training programs for staff to ensure they understand and adhere to DISP requirements and security best practices.
- Monitoring and Auditing: Ongoing monitoring of compliance measures, supported by regular internal and external audits to identify and address any gaps.
We leverage industry best practices, a proactive risk management approach, and strict adherence to security protocols to protect Defence information and our interests.
Our Risk Management Policy drives our compliance efforts by focusing on:
- Identifying Risks: We systematically assess risks associated with handling Defence-related information, supplier relationships, and internal processes.
- Mitigating Risks: Our mitigation strategy incorporates a range of controls, both Vaxa and Defence-specified, such as access restrictions, cryptographic measures, and incident response protocols to address potential vulnerabilities.
- Monitoring Risks: We continuously monitor potential risks through regular assessments, incident tracking, and analytics, coupled with our broader external audit program
By integrating risk management with DISP requirements, we ensure that threats are addressed proactively and compliance is maintained at all times.
Our compliance relies on a comprehensive set of policies, endorsed at the highest level and implemented in our day-to-day. These are designed to meet not only DISP Entry Level standards, but the requirements of Essential Eight (now) and ISO27001 (in future).
These include:
| Policy | Description |
|---|---|
| Information Security Policy | Defines the overarching framework for protecting sensitive information. |
| Access Control Policy | Manages access to systems and information based on the principle of least privilege, supported by multi-factor authentication (MFA). |
| Incident Response Policy | Provides a structured approach for responding to security incidents, including breaches of Defence information. |
| Personnel Security Policy | Details security clearance and vetting processes for all personnel handling sensitive Defence information. |
Each policy is regularly reviewed on a set cadence to stay aligned with changes in DISP requirements and the evolving threat landscape.
Every Vaxa employee should consider themselves playing a key role in ensuring compliance with DISP standards, whether they’re technically in scope or not. This includes you.
To support them, we have a robust training and awareness program that covers:
- DISP Security Awareness Training: Mandatory for all staff, focusing on the requirements of DISP and defense-related information handling.
- Role-Specific Training: Additional training for staff with elevated access to sensitive information or Defence/Commonwealth contracts.
- Ongoing Awareness Initiatives: Regular updates on emerging threats and security best practices, with real-time security alerts.
By embedding security awareness in Vaxa’s culture, we ensure that every employee is equipped to maintain DISP compliance.
We take a proactive approach to monitoring and improving our compliance processes through:
- Audit Logs and Evidence of Compliance: We maintain detailed records of access control, system changes, and incidents to provide evidence of compliance during audits.
- Internal and External Audits: Regular audits are conducted to assess our compliance with DISP requirements, Essential Eight controls, and (eventually) ISO27001. This includes a review of policies, incident handling, and system vulnerabilities.
- Continuous Improvement: Findings from audits and assessments are used to inform our strategy and make necessary adjustments to our security policies and procedures.
Our continuous improvement framework ensures that we not only meet current DISP Entry Level requirements but also evolve our compliance measures in line with changing Defence, industry, and regulatory needs.
How our DISP strategy integrates with our other compliance efforts
While our primary focus in this Handbook section is obviously our DISP compliance, Vaxa recognises the value and need to comply with other frameworks including ACSC’s Essential Eight and ISO27001.
To comply with these frameworks at once, Vaxa’s approach to each of those frameworks must recognise how these frameworks would interact.
Here is how we see those two frameworks interacting with DISP:
- Essential Eight: Our implementation of the Essential Eight strategies helps protect against cybersecurity incidents, with particular emphasis on patch management, application control, and privileged access management.
- ISO27001: Our Information Security Management System (ISMS) aligns closely with DISP requirements, ensuring that we meet global standards for information security.
This integrated approach ensures that we meet a high standard of security across all aspects of our operations, from Defence information handling, to client information handling, to how we engage 3rd party suppliers—-if we’re in business, we’re in the business of security.
What Vaxa needs from you
It is a requirement of all Vaxa staff to:
- Review our key policies and training materials: Make sure you are familiar with the latest policies and training resources.
- Participate in ongoing security awareness initiatives: Stay up-to-date with security alerts and participate in regular training sessions.
- Report any security concerns or incidents immediately: Use the Incident Reporting Form (or contact the Security Officer directly) to report any suspected or actual security breaches.
For questions, concerns, or more detailed information about our compliance strategy, please contact the DISP Team.
4 - DISP Security Policy & Plans
Purpose
This policy outlines Vaxa’s approach to maintaining compliance under the Defence Industry Security Program (DISP) and the requirements for safeguarding DISP-scoped information. It’s supplementary to the organanisation’s overarching Information Security Policy. This set of Security Policy and Plans are designed for Vaxa’s primary (and only) facility located in Brisbane, Australia.
Scope
The DISP Security Policy applies to all Vaxa personnel who handle DISP-scoped information or systems, including temporary workers and external contractors.
Roles & Responsibilities
| Role | Responsibility |
|---|---|
| DISP Chief Security Officer | Oversees the implementation of DISP security controls and ensures compliance with DISP requirements. |
| DISP Security Officer | Acts as the primary point of contact for DISP-related matters and liaises with Defence on operational matters. |
| CTO | Ensures DISP requirements are integrated into the organisation’s technology strategy and architecture. |
Chief Security Officer
The Chief Security Officer (CSO) must be a member of the organisation’s board of directors (or similar governing body), executive personnel, general partner, or senior management official with the ability to implement policy and direct resources. They must be able to obtain and maintain a minimum Baseline Security Clearance.
Todd Crowley is Vaxa’s CSO, and is responsible for oversight of, and responsibility for, security arrangements and championing a security culture in Vaxa.
The CSO is accountable for ensuring:
- all obligations contained in the DISP principle and control policy documents for their level of membership are met;
- an appropriate system of risk, oversight and management is maintained;
- DISP reporting obligations are fulfilled;
- any sensitive and classified materials entrusted to the Vaxa are safeguarded at all times;
- Security Officer(s) are appointed to develop and implement the Entity’s security policies and plans, on the CSO’s behalf;
- DISP Annual Security Report (ASR) is agreed by the executive (Board equivalent), and all recommendations are implemented within agreed timeframes;
- any change in Foreign Ownership Control and Influence (FOCI) status of Vaxa is reported to Defence via the FOCI Declaration (AE250-1); and
- any change in Vaxa’s circumstances that may impact their ability to maintain DISP membership (including changes in ownership and control) is reported to Defence.
Security Officer
The SO is responsible for the development and implementation of the security policies and plans and acts on behalf of the CSO. The SO must be an Australian citizen and be able to obtain and maintain a Personnel Security Clearance at the Baseline level or above, as appropriate with the level of DISP membership.
Curtis West as Vaxa’s SO is responsible for:
- the development and application of security policies and plans within Vaxa; *ensuring sensitive and classified materials entrusted to Vaxa are protected in line with the Defence Security Principles Framework (DSPF);
- maintaining a Security Register (SR);
- facilitating annual security awareness training of personnel:
- reporting security incidents and fraud incidents, and contact reports, in accordance with DSPF, Control 77.1 – Security Incidents and Investigations;
- actively monitoring and managing ongoing suitability of sponsored security cleared personnel including their security attitudes and behaviours;
- notifying AGSVA when a clearance holder no longer requires their clearance or when they separate from the Vaxa; and
- yearly assurance activities to support the CSO.
Policy
DISP has four key pillars:
- Governance Security: Ensuring that the organisation has the appropriate governance arrangements in place to manage security risks.
- Personnel Security: Ensuring that personnel are suitable to access DISP information.
- Physical Security: Ensuring that physical security measures are in place to protect DISP information.
- Information & Cyber Security: Ensuring that information security measures are in place to protect DISP information, in line with our broader Information Security Policy.
This policy document is structured to address each of these pillars in turn.
Governance Security
Security Policies and Plans
Vaxa maintains Security Policies and Plans (SPP) to guide personnel on their security responsibilities. The SO is responsible for developing and maintaining these policies.
All Vaxa employees shall review the SPP annually. New employees shall review it as part of their security briefing.
Vaxa personnel working at Defence establishments shall comply with all applicable local security instructions.
Security Register
The Security Register (SR) is maintained by the SO and shall capture all security-related matters relevant to Vaxa.
The SR is a living document and shall be updated regularly. It includes records on governance, physical security, personnel security, security education and training, information security, and security incidents.
Designated Security Assessed Positions Register
Vaxa’s Designated Security Assessed Positions (DSAP) register shall be maintained within the Security Register.
Foreign Ownership, Control or Influence (FOCI) Reporting
Vaxa shall report any potential or actual change in FOCI status.
The SO shall submit FOCI changes using the AE250-1 webform, available on the DISP website or DISP Portal, to DISP.submit@defence.gov.au.
Annual Security Report
The ASR is a declaration by the CSO, under the authority of the Directors, that Vaxa continues to meet the eligibility and suitability requirements of DISP.
The SO shall ensure the ASR is submitted to Defence annually. The ASR form is located on the DISP website or DISP Portal and shall be submitted to DISP.submit@defence.gov.au.
Copies of the ASR shall be retained in DISP SharePoint under the Annual Security Report document library.
Security Risk Assessments
Vaxa shall maintain Security Risk Assessments (SRA) to identify and manage risks. A Defence-specific SRA shall be maintained for any Defence contract Vaxa is engaged in.
Completed SRAs shall be retained in DISP SharePoint under the Security Risk Assessment document library.
Security Awareness Training
All Vaxa employees shall complete annual security awareness training. The SO is responsible for ensuring training completion and maintaining records.
Defence may require Vaxa personnel to complete additional security awareness training via Campus Anywhere.
Insider Threat Program
The SO shall ensure all Vaxa employees receive Insider Threat awareness training.
Contact Reporting
All security-significant contact with foreign representatives, extremist groups, criminal organisations, or politically motivated entities shall be reported.
Employees shall report any such contact immediately using Form XP168 - Report of Security Contact Concern, submitted to the Security Incident Centre at security.incidentcentre@defence.gov.au.
XP168 forms are available on the Defence Security Incident Reporting System.
Security Incident Reporting
Vaxa personnel shall report all security incidents in accordance with DSPF Principle 77.
The SO shall submit security incidents via Form XP188 - Security Incident Report through the DSPF system. If DSPF access is unavailable, incidents shall be reported via email to security.incidentcentre@defence.gov.au.
Security Officer Training
The SO shall complete the Introduction to DISP training course.
Curtis West, as SO for Vaxa, completed this training on <date>. Renewal is due <date>.
DISP Portal Access
The DISP Portal provides access to security resources via the Defence Online Security Dashboard (DOSD).
The SO has DISP Portal access. Additional access requests shall be submitted using Form SCS 001 to dsvs.awareness@defence.gov.au.
Close of Business Security Checks
A close of business security check shall be conducted daily to secure classified materials and ensure physical security zones are locked.
The SO shall ensure all personnel are familiar with close of business procedures.
Random Security Checks
Defence may conduct random security checks on DISP members, reviewing security policies, personnel, and physical security measures.
The SO shall also conduct internal security checks to ensure classified materials are protected and personnel comply with security protocols.
All random security checks shall be recorded in the Security Register.
Emergency Situations
In an emergency, security-cleared personnel shall:
- Secure classified materials in approved security containers, or
- Retain personal custody of classified materials until relieved by the SO or appropriate custodian.
Emergency responders may require escorted access by security-cleared personnel.
Personnel Security
Personnel Screening Policy
Vaxa maintains a Personnel Screening Policy that complies with AS 4811:2022.
The policy is available in our handbook at Personnel Screening Policy.
Personnel Security Clearances
The SO shall record all granted security clearances in the Security Register.
All security-cleared Vaxa personnel shall understand and comply with their ongoing security responsibilities.
Further information, including change-of-circumstances reporting, is available on the AGSVA website.
Security Clearance After-Care
When an employee leaves Vaxa, Defence manages the security clearance after-care process.
The SO shall update the Security Register as required.
Identification (ID) and Access Passes
Access passes are required to enter Vaxa’s offices at Level 54, 111 Eagle Street.
Vaxa personnel shall:
- Ensure safekeeping of their pass.
- Wear their pass visibly at all times in the workplace.
- Report lost passes immediately to the SO.
- Ensure no unauthorised person uses or possesses their pass.
- Challenge any unidentified individual not wearing a pass.
- Return their pass to the SO upon expiration, end of requirement, or termination.
- Surrender any Defence access pass during their debriefing.
Electronic access cards are considered security keys and shall be recorded in the Security Register.
The SO shall conduct an annual audit to account for all Vaxa access cards.
Personnel visiting Defence sites shall wear their Defence Visitor or Defence Access pass visibly at all times.
International Travel
Vaxa personnel engaged under a Defence contract shall:
- Notify the SO of travel plans using Form AB 644, following the prescribed process.
- Be aware of security risks at their destination.
- Understand additional risks if they hold Sensitive Compartmented Information (SCI) access.
- Protect official information if carried or accessed during travel.
- Report suspicious contacts as per Section 6.9.3.
- Ensure official visits to allied facilities comply with bilateral security agreements.
- Maintain security awareness as per DSPF requirements.
Vaxa personnel engaged under a Defence contract shall not make false employment declarations. If required, they shall list their status as “contractor”.
Pre-Travel Briefing
Vaxa personnel travelling overseas shall follow the overseas travel briefing process to ensure security awareness and compliance.
| Stage | Responsible Party | Description |
|---|---|---|
| 1 | Person Travelling | Complete Form AB644 – Overseas Travel Briefing and Debriefing for personal or official travel. Submit the form to the SO as soon as travel is planned. |
| 2 | Security Officer | Conduct an overseas travel briefing with the traveller. Complete the pre-travel Security Officer section of Form AB644. Confirm that the traveller has completed any required compartment briefings. |
| 3 | Person Travelling | Obtain travel advice from the DFAT Smartraveller website for all countries being visited or transited through. |
| 4 | Security Officer | Record travel details in the Security Register. Retain Form AB644 (private travel) or Form AA062 (official travel). Conduct a detailed security briefing if: 1) The traveller has a high-level security clearance. 2) DFAT has issued a Consular Travel Advisory Notice or Bulletin for any country on the itinerary. 3) The traveller is carrying a Defence or DISP-issued laptop or Portable Electronic Device (PED) that is not protected by a Laissez-Passer. |
Post-Travel Debriefing
Upon returning from overseas travel, Vaxa personnel shall follow the debriefing process to ensure security compliance and report any security concerns.
| Stage | Responsible Party | Description |
|---|---|---|
| 1 | Person Travelling | Complete the debriefing section of Form AB644 (private or official) with the SO. |
| 2 | Security Officer | Conduct an initial debriefing using the debriefing section of Form AB644. |
| 3 | Person Travelling | Submit any required online forms, including: - XP188 – Defence Security Report (if applicable). |
| 4 | Security Officer | Retain copies of Form AB644 and XP188 (if applicable) in the Security Register. |
Visitor Security Protocols
Visitors to Vaxa, beyond the public areas of in the office (Zone 1, i.e. the public lounge and kitchen), shall not be granted access to classified material unless their identity, security clearance, and “Need to Know” have been confirmed. They must also sign in at reception upon arrival and be escorted by a security-cleared Vaxa employee at all times if entering secure areas.
The escorting officer is responsible for ensuring the visitor leaves the facility upon conclusion of their visit.
Physical Security
Physical Certification of Zones
Vaxa’s premises include a Zone 1 foyer on the ground floor and the reception/shared areas on Level 54. The main office area with our workstations is classified as a Zone 2 restricted employee access area.
Security Containers
All official and classified material shall be stored in approved security containers. Access to security containers shall be restricted to approved custodians.
The SO shall maintain records of all security containers, including their locations and custodians, in the Security Register (SR).
Keys and Combinations
The SO shall maintain a register of all facility keys, security containers, combinations, and custodians. Each security container must have an appointed custodian responsible for its contents and access control.
Security keys shall only be issued to authorised and security-cleared personnel.
Keys to classified material containers shall be treated with the same level of classification as the material stored inside.
Key Management
The SO shall maintain a key register. Duplicate keys shall not be made unless explicitly authorised by the SO and recorded in the register.
The SO shall conduct a facility key audit at least every six months. Loss or compromise of a security key must be reported in accordance with DSPF Principle 77 - Security Incidents and Investigations.
Security Compromise
If a security container is compromised or suspected to be compromised, the SO must be informed immediately.
Information and Cyber Security
ICT Networks Standard Operating Procedures
Vaxa, as a DISP member with Information and Cyber Security Entry Level membership, is required to meet at least one of the following ICT network accreditation standards:
- ISO-27001/2:2013
- NIST SP 800-171 Rev.1 (US ITAR requirement)
- DEFSTAN 05-138
- ASD Essential 8 Maturity Level 2
- Unclassified/DLM network compliance in accordance with the ISM/DSPF
Vaxa has completed a self-assessment and meets the ASD Essential 8 Maturity Level 2 requirements.
The Security Officer is responsible for maintaining system-specific Standard Operating Procedures (SOPs) applicable to Vaxa’s ICT systems. These are available in the Handbook under the Security heading. Employees are responsible for adhering to all relevant policies, plans, and procedures for the systems they use. Specifically, they must ensure that information provided in system or network access requests is accurate, secure unattended equipment appropriately, follow a clear desk and clear screen policy, protect their authentication credentials, and report any security incidents to the Security Officer as soon as they become aware of them.
System Integrity
The IT Security Manager (ITSM) is responsible for maintaining a ‘known good’ baseline of Vaxa’s system and network. This baseline aids in detecting and recovering from any incident that affects system integrity.
The ITSM is also responsible for implementing logical security controls in line with the DSPF, ISM, and ASD Strategies to Mitigate Cyber Security Incidents, ensuring that Vaxa’s systems remain protected against malicious code.
System Monitoring
Vaxa’s ICT systems shall be monitored in accordance with its established Standard Operating Procedures (SOPs).
System Availability
The ITSM is responsible for implementing availability controls to mitigate identified risks, in line with DSPF Principle 10.1 – Classification and Protection of Official Information. Backup and restore processes shall be conducted as per Standard Operating Procedures, see our Backup Policy.
Official Information
Defence official information is classified according to the Australian Government Security Classification System (AGSCS) and must be protected to prevent unauthorised access or disclosure. Access is strictly limited to those with an appropriate security clearance and a need-to-know.
Vaxa personnel handling classified material must ensure that it is not subject to deliberate or casual inspection by unauthorised individuals. When not in use or under direct supervision, all classified material must be stored in an approved security container.
Protective markings assigned to official information indicate the level of protection required during use, storage, transmission, transfer, and disposal. The correct application of protective markings is detailed in DSPF Principle 10 – Classification and Protection of Classified Information.
Our implementation is detailed in our Data Classification Policy.
Related Documents and Legislation
Protective Security Policy Framework (PSPF) provides the appropriate controls for the Australian Government to protect its people, information and assets at home and overseas. The PSPF can be found at: https://www.protectivesecurity.gov.au/Pages/default.aspx
Defence Security Principles Framework: Defence Security Principles Framework (DSPF) is available from the SO and provides information on security requirements which are specific to Defence and DISP members. The DSPF can be found on the DS&VS website and DISP Portal.
Australian Government Information Security Manual: The Australian Government Information Security Manual (ISM) is the standard which governs the security of government Information Communications Technology (ICT) systems and complements the PSPF. The ISM can be found at https://www.asd.gov.au/infosec/ism
5 -
Insider Threat Awareness Statement
Understanding the Trusted Insider
A trusted insider is any current or former employee or contractor who has legitimate access to either Vaxa or our client’s facilities and information. With this access, a trusted insider could pose a security risk by intentionally or inadvertently compromising operations.
Some insiders deliberately seek to harm Defence by leaking classified information, sabotaging assets, or granting unauthorised access. Others may pose a risk through careless security practices, failing to follow procedures and unintentionally exposing sensitive information.
External threat groups may also target trusted insiders, attempting to gain access to valuable information, weapons, or assets. Insiders can be manipulated, coerced, or influenced by foreign or domestic threats—including media organisations seeking unauthorised disclosures. Only authorised personnel may engage with the media.
Types of Trusted Insider Activity
A trusted insider threat can take many forms, including:
- Unauthorised disclosure of sensitive or classified information
- Corruption of processes that allow improper decisions or actions
- Facilitating third-party access to assets or information
- Physical sabotage of equipment, facilities, or operations
- Digital or ICT sabotage that disrupts systems
- Being intoxicated or affected by substances at work, which could impair judgement and security compliance
Our Responsibility
The best defence against insider threats is awareness and vigilance. Every industry professional has a responsibility to uphold security standards and report concerning behaviours.
Indicators of Concern
Signs that a colleague may pose a security risk include:
- Appearing intoxicated or under the influence of substances at work
- Unusual nervousness, anxiety, or erratic behaviour
- A noticeable decline in work performance
- Persistent interpersonal conflicts with colleagues
- Expressions of resentment, dissatisfaction, or bitterness
- Financial distress, such as creditors calling at work
- Unexplained wealth or sudden changes in lifestyle
- Unusual or excessive interest in sensitive or classified information
If you notice any of these signs, take a moment to check in with the person. A simple conversation could help them and prevent a serious security issue. If the behaviour raises a legitimate concern, report it immediately to our Security Officer. Ignoring security risks could endanger your colleagues, property, or even national security.
This is not the time to think, “She’ll be right, mate”, or “It’s un-Australian to dob in a mate.” Security is a shared responsibility, and reporting concerns is the right thing to do.
Reporting a Security Concern
If you believe someone may be a trusted insider risk, take action by following these steps:
- Speak with your supervisor or manager about your concerns.
- Contact your Security Officer, Curtis West, for guidance on reporting requirements.
- Complete Form XP168 – Report of Contact of Security Concern.
Further Information
For any security-related questions or concerns, contact:
- Vaxa Security Officer, Curtis West:
disp@vaxagroup.com - Defence Security Incident Reporting:
security.incidentcentre@defence.gov.au| Phone: 02 6266 3331