Legal and Constitutional Committee Estimates - question taken on notice by the AFP on 24 May 2012
Senator LUDLAM: ... There was reporting that on 1 March a former AFP officer, Mr Warren Tamplin, was charged with illegally accessing that database. What has the AFP done since then to address the deficiencies in security that this case revealed, given that there are tens of thousands of records of ordinary people on this database?
Mr Wood: Senator, I can respond to that. In relation to Tamplin himself, of course we terminated his employment. We prosecuted him through the courts and he was convicted. In terms of our response, both in terms of reinforcing existing requirements as well as introducing new requirements, there are about a dozen points here that I am happy to go through that are specifically as a result of the Tamplin matter.
Senator LUDLAM: We are short of time. Are you able to table that piece of paper or a version that you would be happy to table?
Mr Wood: I can do that.
Senator LUDLAM: Thank you.
Senator LUDLAM: ... How many of those dot points are new and how many of them were already extant as far as your existing security policy is concerned?
Mr Wood: I will take it on notice, giving a clear indication of which ones were already in place but we just confirmed in place and confirmed they were working, and those that were actually new.
Senator LUDLAM: Thanks very much.
The answer to the honourable senator's question is as follows:
On 26 August 2010 the AFP received information that an AFP appointee Protective Services Officer, Mr Warren Tamplin, had disclosed classified information to members of a website external to the AFP via his AFP email account. The AFP responded to this matter by reinforcing existing and introducing new requirements.
The Senator was provided a number of points at the hearing on 24 May 2012 (in bold below), and the following responses to the Senator's questions are listed in the same sequence as that originally provided by Mr Wood:
All AFP appointees must undergo online security awareness training.
Extant - mandatory Security Awareness Training was released in August 2010. This training has regular ongoing advertisement.
All AFP business plans include a security goal.
Updated - a generic Security goal had existed in 2010 but was modified to specifically include completion of online course and area specific training May/June 2011.
In 2011 security obligations of AFP members have been included as a screen saver message on the AFP Network.
New - commenced September 2011 as an education initiative.
In 2011 the AFP introduced policy and governance relating to social networking for all AFP staff.
New - Released 15 August 2011
At the same time, the AFP introduced a web coaching system that electronically guides access to external websites.
Updated - On 15 August 2011 extra conditions on coaching of sites were introduced, and the number of restricted external sites was increased.
The AFP now blocks e-mails sent from AFP e-mail accounts to external accounts where the original classification of the e-mail has been changed.
Extant - resulting from an upgrade of software in March 2010
The AFP has delivered classified material handling guides through the AFP internal website.
Extant - however in September 2010 handling guides were re-issued for additional emphasis.
The AFP has a program where any staff who are identified as 'high risk' with respect to security or conduct may be subject to increased monitoring of information system usage.
Extant - The AFP maintains an "Aftercare" program for such appointees with a Security Clearance. They are also placed on alert lists with PRS and Security (Vetting). These appointees can be further investigated or undergo a 'Review for Cause' which may result in security clearance withdrawal or recommendation to National Manager Human Resources that they are not suitable for employment.
All new recruits to the AFP discuss inappropriate dealing with official information as a key integrity and security issue.
Extant - This has always been a component of AFP recruit induction training.
Post sentencing the Chief Operating Officer issued an all staff email to the AFP advising of the outcome and highlighting the importance of security compliance.
New - On 5 March 2012 Mr Wood, the Chief Operating Officer (Chair, AFP Security Committee), issued an all staff email "Reminder: Code of Conduct and Security Responsibilities."