DISP Security Policy & Plans
This is a Controlled Document
In line with Vaxa's governance framework, changes to controlled documents must be approved or merged by a code owner. All contributions are welcome and encouraged.

| Version | Effective | Reviewed | Next review due |
|---|---|---|---|
| 1.0.0 | 2024-09-24 | 2024-09-24 | 2025-09-24 |
Purpose
This policy outlines Vaxa’s approach to maintaining compliance under the Defence Industry Security Program (DISP) and the requirements for safeguarding DISP-scoped information. It is supplementary to the organisation’s overarching Information Security Policy. This set of Security Policy and Plans is designed for Vaxa’s primary (and only) facility, located in Brisbane, Australia.
Scope
The DISP Security Policy applies to all Vaxa personnel who handle DISP-scoped information or systems, including temporary workers and external contractors.
Roles & Responsibilities
| Role | Responsibility |
|---|---|
| DISP Chief Security Officer | Oversees the implementation of DISP security controls and ensures compliance with DISP requirements. |
| DISP Security Officer | Acts as the primary point of contact for DISP-related matters and liaises with Defence on operational matters. |
| CTO | Ensures DISP requirements are integrated into the organisation’s technology strategy and architecture. |
Chief Security Officer
The Chief Security Officer (CSO) must be a member of the organisation’s board of directors (or similar governing body), executive personnel, general partner, or senior management official with the ability to implement policy and direct resources. They must be able to obtain and maintain a minimum Baseline Security Clearance.
Todd Crowley is Vaxa’s CSO and is responsible for oversight of security arrangements and for championing a security culture in Vaxa.
The CSO is accountable for ensuring:
- all obligations contained in the DISP principle and control policy documents for their level of membership are met;
- an appropriate system of risk, oversight and management is maintained;
- DISP reporting obligations are fulfilled;
- any sensitive and classified materials entrusted to Vaxa are safeguarded at all times;
- Security Officer(s) are appointed to develop and implement the Entity’s security policies and plans, on the CSO’s behalf;
- DISP Annual Security Report (ASR) is agreed by the executive (Board equivalent), and all recommendations are implemented within agreed timeframes;
- any change in Foreign Ownership Control and Influence (FOCI) status of Vaxa is reported to Defence via the FOCI Declaration (AE250-1); and
- any change in Vaxa’s circumstances that may impact their ability to maintain DISP membership (including changes in ownership and control) is reported to Defence.
Security Officer
The SO is responsible for the development and implementation of the security policies and plans and acts on behalf of the CSO. The SO must be an Australian citizen and be able to obtain and maintain a Personnel Security Clearance at the Baseline level or above, appropriate to the level of DISP membership.
Curtis West as Vaxa’s SO is responsible for:
- the development and application of security policies and plans within Vaxa;
- ensuring sensitive and classified materials entrusted to Vaxa are protected in line with the Defence Security Principles Framework (DSPF);
- maintaining a Security Register (SR);
- facilitating annual security awareness training of personnel;
- reporting security incidents and fraud incidents, and contact reports, in accordance with DSPF, Control 77.1 – Security Incidents and Investigations;
- actively monitoring and managing ongoing suitability of sponsored security cleared personnel including their security attitudes and behaviours;
- notifying AGSVA when a clearance holder no longer requires their clearance or when they separate from Vaxa; and
- yearly assurance activities to support the CSO.
Policy
DISP has four key pillars:
- Governance Security: Ensuring that the organisation has the appropriate governance arrangements in place to manage security risks.
- Personnel Security: Ensuring that personnel are suitable to access DISP information.
- Physical Security: Ensuring that physical security measures are in place to protect DISP information.
- Information & Cyber Security: Ensuring that information security measures are in place to protect DISP information, in line with our broader Information Security Policy.
This policy document is structured to address each of these pillars in turn.
Governance Security
Security Policies and Plans
Vaxa maintains Security Policies and Plans (SPP) to guide personnel on their security responsibilities. The SO is responsible for developing and maintaining these policies.
All Vaxa employees shall review the SPP annually. New employees shall review it as part of their security briefing.
Vaxa personnel working at Defence establishments shall comply with all applicable local security instructions.
Security Register
The Security Register (SR) is maintained by the SO and shall capture all security-related matters relevant to Vaxa.
The SR is a living document and shall be updated regularly. It includes records on governance, physical security, personnel security, security education and training, information security, and security incidents.
Designated Security Assessed Positions Register
Vaxa’s Designated Security Assessed Positions (DSAP) register shall be maintained within the Security Register.
Foreign Ownership, Control or Influence (FOCI) Reporting
Vaxa shall report any potential or actual change in FOCI status.
The SO shall submit FOCI changes using the AE250-1 webform, available on the DISP website or DISP Portal, to DISP.submit@defence.gov.au.
Annual Security Report
The ASR is a declaration by the CSO, under the authority of the Directors, that Vaxa continues to meet the eligibility and suitability requirements of DISP.
The SO shall ensure the ASR is submitted to Defence annually. The ASR form is located on the DISP website or DISP Portal and shall be submitted to DISP.submit@defence.gov.au.
Copies of the ASR shall be retained in DISP SharePoint under the Annual Security Report document library.
Security Risk Assessments
Vaxa shall maintain Security Risk Assessments (SRA) to identify and manage risks. A Defence-specific SRA shall be maintained for any Defence contract Vaxa is engaged in.
Completed SRAs shall be retained in DISP SharePoint under the Security Risk Assessment document library.
Security Awareness Training
All Vaxa employees shall complete annual security awareness training. The SO is responsible for ensuring training completion and maintaining records.
Defence may require Vaxa personnel to complete additional security awareness training via Campus Anywhere.
Insider Threat Program
The SO shall ensure all Vaxa employees receive Insider Threat awareness training.
Contact Reporting
All security-significant contact with foreign representatives, extremist groups, criminal organisations, or politically motivated entities shall be reported.
Employees shall report any such contact immediately using Form XP168 - Report of Security Contact Concern, submitted to the Security Incident Centre at security.incidentcentre@defence.gov.au.
XP168 forms are available on the Defence Security Incident Reporting System.
Security Incident Reporting
Vaxa personnel shall report all security incidents in accordance with DSPF Principle 77.
The SO shall submit security incidents via Form XP188 - Security Incident Report through the DSPF system. If DSPF access is unavailable, incidents shall be reported via email to security.incidentcentre@defence.gov.au.
Security Officer Training
The SO shall complete the Introduction to DISP training course.
Curtis West, as SO for Vaxa, completed this training on <date>. Renewal is due <date>.
DISP Portal Access
The DISP Portal provides access to security resources via the Defence Online Security Dashboard (DOSD).
The SO has DISP Portal access. Additional access requests shall be submitted using Form SCS 001 to dsvs.awareness@defence.gov.au.
Close of Business Security Checks
A close of business security check shall be conducted daily to secure classified materials and ensure physical security zones are locked.
The SO shall ensure all personnel are familiar with close of business procedures.
Random Security Checks
Defence may conduct random security checks on DISP members, reviewing security policies, personnel, and physical security measures.
The SO shall also conduct internal security checks to ensure classified materials are protected and personnel comply with security protocols.
All random security checks shall be recorded in the Security Register.
Emergency Situations
In an emergency, security-cleared personnel shall:
- Secure classified materials in approved security containers, or
- Retain personal custody of classified materials until relieved by the SO or appropriate custodian.
Emergency responders may require escorted access by security-cleared personnel.
Personnel Security
Personnel Screening Policy
Vaxa maintains a Personnel Screening Policy that complies with AS 4811:2022.
The policy is available in our handbook at Personnel Screening Policy.
Personnel Security Clearances
The SO shall record all granted security clearances in the Security Register.
All security-cleared Vaxa personnel shall understand and comply with their ongoing security responsibilities.
Further information, including change-of-circumstances reporting, is available on the AGSVA website.
Security Clearance After-Care
When an employee leaves Vaxa, Defence manages the security clearance after-care process.
The SO shall update the Security Register as required.
Identification (ID) and Access Passes
Access passes are required to enter Vaxa’s offices at Level 54, 111 Eagle Street.
Vaxa personnel shall:
- Ensure safekeeping of their pass.
- Wear their pass visibly at all times in the workplace.
- Report lost passes immediately to the SO.
- Ensure no unauthorised person uses or possesses their pass.
- Challenge any unidentified individual not wearing a pass.
- Return their pass to the SO upon expiration, end of requirement, or termination.
- Surrender any Defence access pass during their debriefing.
Electronic access cards are considered security keys and shall be recorded in the Security Register.
The SO shall conduct an annual audit to account for all Vaxa access cards.
Personnel visiting Defence sites shall wear their Defence Visitor or Defence Access pass visibly at all times.
International Travel
Vaxa personnel engaged under a Defence contract shall:
- Notify the SO of travel plans using Form AB 644, following the prescribed process.
- Be aware of security risks at their destination.
- Understand additional risks if they hold Sensitive Compartmented Information (SCI) access.
- Protect official information if carried or accessed during travel.
- Report suspicious contacts as per Section 6.9.3.
- Ensure official visits to allied facilities comply with bilateral security agreements.
- Maintain security awareness as per DSPF requirements.
Vaxa personnel engaged under a Defence contract shall not make false employment declarations. If required, they shall list their status as “contractor”.
Pre-Travel Briefing
Vaxa personnel travelling overseas shall follow the overseas travel briefing process to ensure security awareness and compliance.
| Stage | Responsible Party | Description |
|---|---|---|
| 1 | Person Travelling | Complete Form AB644 – Overseas Travel Briefing and Debriefing for personal or official travel. Submit the form to the SO as soon as travel is planned. |
| 2 | Security Officer | Conduct an overseas travel briefing with the traveller. Complete the pre-travel Security Officer section of Form AB644. Confirm that the traveller has completed any required compartment briefings. |
| 3 | Person Travelling | Obtain travel advice from the DFAT Smartraveller website for all countries being visited or transited through. |
| 4 | Security Officer | Record travel details in the Security Register. Retain Form AB644 (private travel) or Form AA062 (official travel). Conduct a detailed security briefing if: 1) The traveller has a high-level security clearance. 2) DFAT has issued a Consular Travel Advisory Notice or Bulletin for any country on the itinerary. 3) The traveller is carrying a Defence or DISP-issued laptop or Portable Electronic Device (PED) that is not protected by a Laissez-Passer. |
Post-Travel Debriefing
Upon returning from overseas travel, Vaxa personnel shall follow the debriefing process to ensure security compliance and report any security concerns.
| Stage | Responsible Party | Description |
|---|---|---|
| 1 | Person Travelling | Complete the debriefing section of Form AB644 (private or official) with the SO. |
| 2 | Security Officer | Conduct an initial debriefing using the debriefing section of Form AB644. |
| 3 | Person Travelling | Submit any required online forms, including: - XP188 – Defence Security Report (if applicable). |
| 4 | Security Officer | Retain copies of Form AB644 and XP188 (if applicable) in the Security Register. |
Visitor Security Protocols
Visitors to Vaxa, beyond the public areas of the office (Zone 1, i.e. the public lounge and kitchen), shall not be granted access to classified material unless their identity, security clearance, and “Need to Know” have been confirmed. They must also sign in at reception upon arrival and be escorted by a security-cleared Vaxa employee at all times if entering secure areas.
The escorting officer is responsible for ensuring the visitor leaves the facility upon conclusion of their visit.
Physical Security
Physical Certification of Zones
Vaxa’s premises include a Zone 1 foyer on the ground floor and the reception/shared areas on Level 54. The main office area with our workstations is classified as a Zone 2 restricted employee access area.
Security Containers
All official and classified material shall be stored in approved security containers. Access to security containers shall be restricted to approved custodians.
The SO shall maintain records of all security containers, including their locations and custodians, in the Security Register (SR).
Keys and Combinations
The SO shall maintain a register of all facility keys, security containers, combinations, and custodians. Each security container must have an appointed custodian responsible for its contents and access control.
Security keys shall only be issued to authorised and security-cleared personnel.
Keys to classified material containers shall be treated with the same level of classification as the material stored inside.
Key Management
The SO shall maintain a key register. Duplicate keys shall not be made unless explicitly authorised by the SO and recorded in the register.
The SO shall conduct a facility key audit at least every six months. Loss or compromise of a security key must be reported in accordance with DSPF Principle 77 - Security Incidents and Investigations.
Security Compromise
If a security container is compromised or suspected to be compromised, the SO must be informed immediately.
Information and Cyber Security
ICT Networks Standard Operating Procedures
Vaxa, as a DISP member with Information and Cyber Security Entry Level membership, is required to meet at least one of the following ICT network accreditation standards:
- ISO-27001/2:2013
- NIST SP 800-171 Rev.1 (US ITAR requirement)
- DEFSTAN 05-138
- ASD Essential 8 Maturity Level 2
- Unclassified/DLM network compliance in accordance with the ISM/DSPF
Vaxa has completed a self-assessment and meets the ASD Essential 8 Maturity Level 2 requirements.
The Security Officer is responsible for maintaining system-specific Standard Operating Procedures (SOPs) applicable to Vaxa’s ICT systems. These are available in the Handbook under the Security heading. Employees are responsible for adhering to all relevant policies, plans, and procedures for the systems they use. Specifically, they must:
- ensure that information provided in system or network access requests is accurate;
- secure unattended equipment appropriately;
- follow a clear desk and clear screen policy;
- protect their authentication credentials; and
- report any security incidents to the Security Officer as soon as they become aware of them.
System Integrity
The IT Security Manager (ITSM) is responsible for maintaining a ‘known good’ baseline of Vaxa’s system and network. This baseline aids in detecting and recovering from any incident that affects system integrity.
The ITSM is also responsible for implementing logical security controls in line with the DSPF, ISM, and ASD Strategies to Mitigate Cyber Security Incidents, ensuring that Vaxa’s systems remain protected against malicious code.
System Monitoring
Vaxa’s ICT systems shall be monitored in accordance with its established Standard Operating Procedures (SOPs).
System Availability
The ITSM is responsible for implementing availability controls to mitigate identified risks, in line with DSPF Principle 10.1 – Classification and Protection of Official Information. Backup and restore processes shall be conducted as per the Standard Operating Procedures described in our Backup Policy.
Official Information
Defence official information is classified according to the Australian Government Security Classification System (AGSCS) and must be protected to prevent unauthorised access or disclosure. Access is strictly limited to those with an appropriate security clearance and a need-to-know.
Vaxa personnel handling classified material must ensure that it is not subject to deliberate or casual inspection by unauthorised individuals. When not in use or under direct supervision, all classified material must be stored in an approved security container.
Protective markings assigned to official information indicate the level of protection required during use, storage, transmission, transfer, and disposal. The correct application of protective markings is detailed in DSPF Principle 10 – Classification and Protection of Classified Information.
Our implementation is detailed in our Data Classification Policy.
Related Documents and Legislation
Protective Security Policy Framework: The Protective Security Policy Framework (PSPF) provides the appropriate controls for the Australian Government to protect its people, information and assets at home and overseas. The PSPF can be found at: https://www.protectivesecurity.gov.au/Pages/default.aspx
Defence Security Principles Framework: Defence Security Principles Framework (DSPF) is available from the SO and provides information on security requirements which are specific to Defence and DISP members. The DSPF can be found on the DS&VS website and DISP Portal.
Australian Government Information Security Manual: The Australian Government Information Security Manual (ISM) is the standard which governs the security of government Information Communications Technology (ICT) systems and complements the PSPF. The ISM can be found at https://www.asd.gov.au/infosec/ism