26 June 2012

Vetting

Previous posts have noted concerns about the timeliness and effectiveness of vetting by the Australian Security Intelligence Organisation (ASIO) and other agencies. 

The Australian National Audit Office (ANAO) has now released its 108 page report [PDF] on Security Assessments of Individuals (Audit Report No. 49 2011–12) by ASIO.

ANAO concludes that -
 The provision of security assessment advice of individuals to Australian Government client agencies is one of ASIO’s key responsibilities. For the past six years ASIO has finalised, on average, nearly 180 000 security assessments annually in relation to people who have applied for visas, Australian Government security clearances, access to sensitive air and maritime port areas, and health security checks. The environment within which ASIO provides this service is dynamic, with demand for security assessments, and the complexity of the caseload, fluctuating substantially. In seeking to meet the changing demand for particular security assessments, and to take into account government and client agencies’ policies and processing priorities, ASIO also applies an approach that gives precedence to Australia’s national security considerations. 
ASIO security assessments can range from a basic check of personal details against intelligence holdings, to a complex, in‐depth investigation to determine the nature and extent of an identified threat to Australia’s national security. Complex investigations can take a considerable time to complete. While any security assessment can be complex, the more complex cases fall predominantly within the visa security assessment caseload, particularly in the IMA component of this caseload. 
ASIO’s capacity to respond to changes in its security assessment operating environment was challenged in 2009–10 and 2010–11 when demand for more complex assessments increased, in line with the increase in IMA cases. A backlog of security assessments ensued and the processing times of certain security assessments, particularly for IMAs who were in mandatory detention, attracted public comment and criticism. The ANAO’s sample included some cases with prolonged processing times (up to 918 days), particularly in the visa security assessments stream. For visa security assessment components that had informal time standards in place, around 51% of sampled cases met expected timeframes. However, personnel security and counter‐terrorism security assessments were generally processed more promptly—75% of personnel security cases were processed within one day, and 90% of counter‐terrorism cases were processed within five days. 
A range of factors have contributed to the time taken to process security assessments. The most influential factors identified by ASIO were the increase in the number and complexity of cases in the visa security assessments stream, and changes in Government policies and client agencies’ priorities, particularly DIAC. While some of these factors were environmental, and beyond ASIO’s direct control, ASIO has sought to inform Government and client agencies of the effects of particular policy approaches on the security assessment caseload. Areas of particular focus in this regard include decisions by Government and DIAC to suspend, and then subsequently, to prioritise elements of the IMA caseload. Assessment data shows that the number of pending cases has fallen from its peaks, as recent management initiatives, discussed below, have taken effect. 
Within this context, the ANAO concluded that ASIO’s arrangements for providing security assessments of individuals to client agencies are robust and, broadly, effective. The agency has a sound governance framework in place, including strategic risk management arrangements that are updated regularly. There is an effective mechanism to report to the ASIO Executive and the Government on risks that affect security assessment processes, including most recently, the emerging area of risk arising from the rapidly increasing number of security checks for immigration community detention cases. However, at an operational level, there are some aspects of the security assessment regime that deserve further focus. These aspects limit assurance that the agency is making sound assessments that result in non‐prejudicial advice, and that the recent initiatives implemented to reduce the IMA security assessment caseload are being managed sustainably. It is also important to address impediments to mutual accountability between ASIO and its client agencies, and that ASIO puts in place workforce planning strategies to respond to future changes in demand for security assessments. 
Assurance that security assessments are soundly based 
ASIO staff are well‐trained and follow clearly defined procedures in conducting security assessments. All 411 cases examined by the ANAO complied fully with ASIO’s processes and procedures. In terms of the quality of the judgements made by ASIO assessors, there are quality assurance processes in place for the small proportion of security assessments that result in prejudicial advice. However, for those assessments that result in non‐prejudicial advice, the quality assurance processes are not as robust and vary across assessment categories. Given that a security assessment may contribute to a client agency’s decision to allow a person entry to Australia or access to sensitive information and/or locations, it would be prudent for ASIO to have in place a consistent quality assurance process to regularly validate, on a sample basis, its non‐prejudicial security assessments. Sustaining successful initiatives to improve IMA processing. 
ASIO and DIAC have worked together to streamline the IMA security assessments caseload. In particular, the introduction of a risk‐based ‘triaging’ approach has successfully reduced the IMA backlog, and eased pressure on the overall security assessment function. However, the approach, which involves an ASIO team conducting an initial security check of IMA cases to decide whether the IMA will be referred to ASIO for a thorough security assessment, or sent back to DIAC for protection visa processing, could have been introduced in a more timely fashion. It would also be strengthened with documented guidance and a more robust IT supporting system. Formalising relationships with key client agencies. ASIO has an ongoing working relationship with three key client agencies (DIAC, AGSVA, and AusCheck), and has in place a formal arrangement with one, AusCheck, which clearly articulates the responsibilities of both agencies. However, the absence of such arrangements with DIAC and AGSVA impedes the accountability of ASIO and the client agencies to each other in relation to the conduct of security assessments. Presently, there are no formally settled processing times, or service standards, for ASIO’s security assessment of non‐complex cases, nor any agreed arrangements for ASIO to proactively provide to client agencies regular updates on the status of complex cases—particularly those that may have lengthy processing times. At the same time, the quality of the data provided by DIAC and AGSVA, upon which ASIO depends, has frequently been poor, and required re‐work, which has delayed processing. Formalising arrangements with client agencies would provide a basis for better managing mutual expectations and responsibilities in relation to these matters. Workforce planning strategies for the security assessment areas. To manage the allocation of staffing resources across the whole organisation, ASIO has developed a strategic workforce plan. However, given its agency‐level focus, this plan does not address the needs of individual operational areas. The security assessment areas have specialised staffing requirements that have historically proved difficult to fill. At the time of the audit, these areas were significantly under‐staffed—by some 30%. The agency has sought to respond to staffing shortfalls through temporary measures such as internal staffing, re‐allocations and overtime. However, going forward the agency’s capacity to respond, at an operational level, to future changes in the security assessment caseload would be strengthened by putting in place more long‐term workforce planning strategies, including for a contingency or ‘surge’ capacity for this function. 
Against this background, the ANAO has made four recommendations aimed at strengthening the effectiveness of ASIO’s arrangements for providing timely and soundly based security assessments of individuals to client agencies. 
The recommendations relate to: implementing quality assurance processes for non‐prejudicial assessments; sustaining the risk‐based ‘triaging’ initiative for IMA cases; formalising agency relationships; and strengthening workforce planning strategies for the security assessment areas. 
 ANAO goes on to comment that -
ASIO has a current Memorandum of Understanding with AusCheck. However, there are no formal arrangements in place between ASIO and its other key client agencies, DIAC and AGSVA. ASIO has expressed a general reluctance to be ‘tied‐down’ to specific service standards or timeframes with DIAC and AGSVA, given the complexities surrounding particular security assessments that can prolong the process. 
The data provided by DIAC and AGSVA to ASIO has frequently been incomplete or of poor quality. For example, in relation to the ANAO’s sample, 38% of permanent visa referrals and 30% of temporary visa referrals had incomplete mandatory information, and/or data quality issues, which required the case to be sent back to DIAC. The time taken to provide the complete information was lengthy in some cases. Similarly, ASIO advised that there have been referrals returned to AGSVA, with error codes that relate to missing mandatory information. 
In addition, ASIO is not able to provide its client agencies with the underlying reasons as to why some complex cases are taking longer to process or specific aspects of a security assessment investigation, as the provision of substantive security information on an individual could constitute ‘security advice’ under the ASIO Act. Such advice is only given at the conclusion of a security assessment. These issues should be taken into account in any steps taken to formalise arrangements between ASIO and its client agencies.
To manage the allocation of staffing resources across the whole organisation, ASIO has developed a strategic workforce plan, which details, among other things: a scan of the current internal and external workforce environment, the challenges facing ASIO over the coming years, and ASIO’s approach to these challenges. The strategic workforce plan is high level and, given its focus, does not address the needs of individual divisions or branches. While systemic workforce shortages have been raised corporately by the security assessment branches, there is no long‐term strategy in place to address these issues or to develop a contingency, or surge capacity, to respond to future changes in demand for security assessments. In practice, ASIO has found it difficult to recruit assessors to perform work on security assessments. The staffing complement of the security assessment areas has been consistently below authorised levels—in early 2012 the shortfall was around 30%. 
ASIO’s security assessments range from relatively straightforward checks of names against data holdings to more complex investigations where an in‐depth knowledge of an applicant (for a visa, for example) is obtained, and this knowledge is used to make more informed investigations, evaluations and determinations. 
The ANAO examined a sample of 411 cases drawn from six security assessment categories. The results of ANAO’s analysis are very positive: all 411 cases complied with the agency’s defined processes and procedures for security assessments.
In 1999 ANAO Audit Report No.7, 1999–2000 on 'Operation of the Classification System for Protecting Sensitive Information' concluded -
  • a high proportion of staff had clearances in excess of work requirements; 
  • some staff had access to information for which they were not cleared, particularly during the long lead time for obtaining initial clearances; and 
  • most organisations did not maintain the currency of their security clearances.
In 2001 an ANAO report [PDF] 'Personnel Security—Management of Security Clearances' centred on negative vetting concluded -
While security clearance policy and procedures of organisations were consistent with the requirements of the PSM, overall the audit found shortcomings in relation to the management, resourcing and operation of personnel security. Among the organisations examined the audit encountered a backlog of initial clearances, poor clearance aftercare processes, inadequate security information management and a failure to establish and enforce appropriate procedures to re-validate initial clearances in an acceptable timeframe. As a result, these organisations were exposed to breakdowns in the operation of their personnel security process which, amongst other things, may lead to inappropriate access to classified information. This problem is compounded when these issues occur in organisations which have not prepared, or which have inadequate risk management plans to appropriately integrate protective security risk management priorities into the organisation’s overall risk management requirements.
In light of this situation, the ANAO suggests that all organisations with a personnel security requirement review their personnel security arrangements as a matter of priority. This review should include, but not necessarily be limited to:
  • carrying out a risk management review of protective security arrangements and integrating the results of the review into organisation-wide risk planning; 
  • developing and implementing a process for clearing any backlog of initial clearances; 
  • actively seeking ways to reduce the processing cycle time for security clearances, in conjunction with vetting service providers and contributors; 
  • implementing appropriate information support systems to effectively support the management of personnel security; and 
  • establishing processes for clearing any backlog of security clearance reviews and ensuring timely reviews in the future.