PUBLIC DSM Part 2.33 - Department of Defence

UNCLASSIFIED
UNCONTROLLED-IF-PRINTED
Defence Security Manual
DSM Part: 2:33 Physical Transfer of Classified Information and Security-Protected Assets
Version: 5
Publication date: July 2015
Amendment list: 16
Optimised for: Screen; Print; Screen Reader
Releasable to: Public
Compliance Requirements
Defence personnel are, and external service providers subject to the terms and conditions of their
contract may be, bound by security policy contained in the DSM and Information Security Manual
(ISM). Failure to comply with the mandatory requirements of the DSM and ISM may result in
action under the relevant contract provision or legislation including, but not limited to, the Defence
Force Discipline Act 1982, the Public Service Act 1999, and the Crimes Act 1914.
Mandatory requirements in the DSM and ISM are identified through the use of the terms must /
must not and should / should not. Compliance with these requirements is mandatory unless
the appropriate authority, if applicable, has considered the justification for non-compliance and
accepted the associated risk through the granting of a dispensation.
The terms ‘recommend’ and ‘may’ are used to denote a sensible security practice and non-compliance need not be approved or documented.
Note: Non-compliance with a sensible security practice ought to be informed by
sound risk management principles.
The DSM compliance regime, including the authority to approve non-compliance with mandatory
requirements, the use of dispensation indicators, and how to apply for a dispensation is detailed
in DSM Part 2:1 Dispensations.
Copyright
© Commonwealth of Australia 2010
This work is copyright. Apart from any use as permitted under the Copyright Act 1968,
no part may be reproduced by any process without prior written permission from the
Department of Defence. Requests and inquiries concerning reproduction and rights should be
addressed to Defence Publishing Services, Department of Defence.
Introduction
1. Defence needs to regularly transfer classified information and security protected assets to Defence
and non-Defence locations both in Australia and overseas. Secure means of transfer are needed to protect
classified information and security protected assets from loss or compromise.
2. The purpose of Defence Security Manual (DSM) Part 2:33 is to detail security policy relating to the
physical transfer of classified information and security protected assets.
Policy
3. Defence is to ensure that classified information and security-protected assets are transferred in a
secure manner and are only received by the intended recipient.
Process
General
4. The security measures required to protect classified information and security-protected assets during
physical transfer will depend on the protective markings used, the Business Impact Level (BIL) of the
aggregated information or asset, source and destination, and the transfer method used. Any person who
intends to transfer classified information or security protected assets to another person must confirm, prior to
transfer, that:
a. the intended recipient has a need-to-know and the required security clearance; and
b. the recipient facility is accredited to the standard required to protect the information or asset.
Note:
If in doubt, contact the Defence Security and Vetting Service (DS&VS) especially before
transferring classified information or security protected assets overseas.
5. Some classified information and classified assets may have special handling requirements. The
compartment controller must [Auth:None] be consulted before transferring information or assets in the
TALENT KEYHOLE compartment.
6. Approval to release classified information may be required, see DSM Part 2:30 Classification and
Protection of Official Information.
7. Classified assets. Defence personnel and external service providers must handle, package and
transfer classified assets using the same processes as classified information of the corresponding
classification. Where this is inappropriate due to shape and size of the asset or other similar impracticalities,
classified assets are to be transported in accordance with Annex F.
Preferred Use of ICT Systems for Classified Information
8. It is recommended that any transfer of classified information be conducted over accredited information
and communication technology (ICT) systems and networks rather than by physical transfer. It is
recommended that physical transfer of such information only occur if no electronic means of transfer are
available.
Example:
An investigation report classified SECRET is produced in-theatre in a location with
full SECRET-level connectivity with Australia. Rather than transfer the report on a thumb drive, the
investigator organises for the report to be emailed from in-theatre to Australia over a SECRET system.
9. Transmission of classified information via facsimile. For all procedures regarding the transmission
of classified information via facsimile contact DS&VS.
Removal of Classified Information
10. The removal of classified information must [Auth:None] only be allowed when there is a definite need
(eg, attendance at meetings or short-term work at home) and when appropriate protection can be maintained
en route and at the final destination.
11. Classified information must not be taken home unless the custodian has the appropriate protective
security arrangements at his or her place of residence. For further information on the security requirements
for working offsite refer to DSM Part 2:31 Offsite Work.
12. If the security of information required for meetings interstate cannot be guaranteed by the person
attending that meeting (eg. when staying overnight in a hotel), it may be forwarded in advance by
appropriate transfer arrangements to a regional or branch office (see below for information on appropriate
transfer methods). Where necessary, similar arrangements are to be made for its return. If this is impractical,
DS&VS or Service Security Authority (SSA) advice is required.
13. The removal of classified information outside the secure or authorised work area requires approval
and an audit trail must be established for accountability purposes. Removal of classified information must
have the authorisation of the commander or manager responsible for that information. Form XC019 Permit to
Remove Classified Matter must be completed prior to removal.
Note:
Forms XC040 – Classified Document Register and XC051 – Dispatch Advice / Receipt for
Classified Matter are also used to record the removal of classified material; however, other
mechanisms such as electronic classified document registers may be in place. Details regarding
return receipt times for form XC051 can be found on the inside cover of form XC040.
14. Before approval is given for the removal of classified information, the person removing the information
must be made aware of the risks involved and accept responsibility for its safe custody. The authorising
commander or manager is to be satisfied that there are adequate arrangements for the safe custody of the
information.
Transfer of Classified Information
15. Electronic media, such as laptops and disks that have been used to process classified information,
must be protected to the same standard as paper-based official information equivalent to the highest level of
information ever placed on the media, until such time as it is sanitised. For further details refer to the
Information Security Manual (ISM).
16. Australian Signals Directorate (ASD)-approved encryption products can be used to reduce
the handling and storage requirements for computing equipment and media. Where ASD approved
encryption is used, the asset is transferred in accordance with its ‘handle as’ classification. Refer to DSM
Part 2:52 Portable Electronic Devices and Laptops.
Preparing Classified Information for Physical Transfer
17. Specific protective security measures are required for classified information carried outside of Defence
facilities. This can include Security Construction and Equipment Committee (SCEC) approved briefcases,
satchels, seals, pouches or transit bags or special enveloping procedures and transfer by hand between
people with the appropriate security clearance or by authorised messengers.
Methods of Transfer
18. The methods outlined in Table 2:33-1 are approved for the transfer of classified information between
Defence establishments and to non-Defence establishments in Australia.
Table 2:33-1: Domestic Transfer of Information
Classification | Transfer Method
TOP SECRET | Defence Safehand Service (DSHS); SCEC endorsed Safehand courier; or Hand carriage.
SECRET, CONFIDENTIAL, or PROTECTED | SCEC endorsed overnight courier; or Hand carriage.
UNCLASSIFIED DLM marked information | Defence mailing system; Australia Post; or Hand carriage.
Safehand
19. Defence personnel and contractors in Defence facilities may organise safehand or SCEC endorsed
commercial courier services through the local registry or shopfront. If the registry or shopfront provides this
service, then classified information must be hand-delivered to them for processing and a receipt must be
obtained by the sender.
20. Carriage of security classified information by safehand means that it is despatched to the addressee in
the care of an authorised person or succession of authorised personnel who are responsible for its carriage
and safekeeping. At each handover, a receipt must be obtained showing, as a minimum, the identification
number of the package, the time and date of the handover, and the name and signature of the gaining entity.
Carriage by SCEC Endorsed Commercial Courier
21. As an alternative to safehand procedures, a number of commercial courier services have been
approved by SCEC to carry security classified information. A list of approved companies and guidance on
their use is held by ASIO. If the location is not serviced by a SCEC endorsed commercial courier, advice can
be sought from DS&VS.
Note:
Special handling requirements, which apply to some security classified information carrying
caveats or codewords, may preclude the use of a commercial courier. Information marked AUSTEO is
to be transferred according to its security classification. The requirements for other caveats and
codewords are established by the controlling agency. If unsure which couriers are endorsed and to
what level, contact DS&VS.
22. For carriage by SCEC endorsed commercial courier or DSHS, security classified information is to be
packaged in accordance with DS&VS advice. The courier bag itself can stand as the outer envelope.
Envelopes and wrappings are to be robust enough to withstand the wear and tear of transit.
23. Security classified information must not be left unattended while awaiting pick up by the courier or
DSHS.
24. It is recommended that security classified information not be despatched by overnight couriers on
days before weekends or public holidays, unless the gaining entity is able to receive it the following day and
secure it appropriately.
Hand Carriage
25. Classified information may be carried in Australia personally. The custodian of the information is
responsible for the security of the material at all times.
26. The SCEC has endorsed a number of briefcases suitable for carrying security classified information.
Details can be obtained from the Security Equipment Catalogue, which DS&VS and SSA have access to.
Where security classified information is transported outside a Defence facility in an endorsed briefcase, the
briefcase must be locked at all times and kept under the personal protection of the custodian. To prevent
key duplication, keys must not be left in the lock, even when the briefcase is empty and unlocked.
Note:
Security briefcases are designed to give limited protection against opportunist access and to
provide some evidence of tampering. They are not a replacement for security containers. They do not
protect against forced entry; a skilled person may covertly open a security briefcase.
27. The custodian must have the required security clearance to access the classified information. A form
XC019 Permit to Remove Classified Matter must also be completed prior to removal.
28. Secure overnight storage must be arranged if classified information is to be left unattended. Secure
storage is to meet the requirements of the DSM by being stored in an appropriate area/security container.
SCEC approved briefcases must not be used for unattended storage. Safes for public use such as those
found in hotels, train stations, airports, etc, do not meet security requirements and must not be used for
secure storage under any circumstances.
29. TOP SECRET and source codeword material must not be held in personal custody overnight.
CONFIDENTIAL and SECRET material may be held in personal custody overnight provided that:
a. the commander or manager has approved overnight personal custody; and
b. the SCEC approved container remains in the custodian's personal custody at all times.
30. Domestic air travel. Airport security officials and law enforcement officers have the legal right to
inspect all packages and material that are transported as carry-on luggage, including classified information
and assets. For further information on airport screening regulations, including items of interest to screening
officials refer to the Department of Infrastructure and Transport.
31. All items presented at an airport screening point are to be screened and cleared. Laptops are to be
removed from bags/cases to avoid 'clutter' in the x-ray image. It is acceptable, and suitable for screening, for
laptops to be presented in a thin neoprene-type cover, without the clutter of leads. This will allow laptops
carrying classification labels to be covered.
32. An individual is not entitled to request discreet screening away from the public screening point. Private
facilities are for the purposes of frisk-searching individuals only, not for the purpose of inspecting carry-on
bags.
33. In the event that sealed envelopes containing classified material are opened for inspection, it is
recommended the individual reseal the envelope on completion. It is also recommended that spare SCEC
approved envelopes and, if necessary, wafer seals be carried for this purpose. If an individual believes a
security incident has occurred, they are to report it as soon as possible in accordance with DSM Part 2:12
Security Incidents and Investigations.
34. Further, if at any time during the screening/clearance process the custodian believes a security breach
has occurred, they are to inform DS&VS as soon as possible in accordance with DSM Part 2:12 Security
Incidents and Investigations.
35. If an inspection of classified information or assets is likely to be a concern or cause discomfort to the
custodian, then it is recommended the individual make alternative transport arrangements prior to travel (eg,
email, Safehand, SCEC endorsed courier etc).
36. International air travel. For information concerning the hand carriage of classified information and
assets on international flights, together with the restrictions applying to the overseas carriage of encrypted
equipment, contact DS&VS.
Transfer outside Australia
37. Classified information can be exposed to a far greater risk when it is taken outside Australia, requiring
increased protective measures. Special care is necessary when classified information, whether in electronic
or hard copy form, is taken overseas. Refer to Annex E for the methods of despatching classified information
overseas.
Transfer Requirements for Specific Security-Protected Assets
38. The security afforded a security-protected asset under transportation is to be in accordance with any
Defence Instruction specifically related to the asset. If there is no related Defence Instruction for the asset, or
if the instruction does not provide transport security guidance, then the asset is to be transported in
accordance with the following requirements.
39. Transport of classified and high risk unclassified assets. Classified assets (including classified
information) that are too bulky/impractical to be transferred using existing approved transfer methods, are to
be transported in accordance with Annex F.
40. Due to the expense, attractiveness and potential impact that their loss could have on the national
interest, Defence capability and reputation, the transport of some high risk unclassified assets requires
protection above that afforded by general freight. Therefore, high risk unclassified assets are to be
transported in accordance with Annex F.
41. Transport of a security enhanced source. A security enhanced source is a radioactive source or
aggregation of radioactive sources assigned the Category 1, 2 or 3 when using the methodology set out in
Schedule B of the Australian Radiation Protection and Nuclear Safety Agency Security of Radioactive
Sources – Code of Practice. Defence personnel and external service providers transporting security
enhanced sources must [Auth:None] comply with all requirements of the code.
42. Transport of COMSEC and controlled cryptographic items. Assets that are COMSEC or CCI are
to be transported in accordance with DS&VS advice.
43. Transport of weapons and explosive ordnance. Weapons and explosive ordnance are to be
transported in accordance with DS&VS advice.
Movement Security Plans
44. A Movement Security Plan (MSP) is to be used to document the risks and mitigation strategies
involved in the movement of:
a. bulky classified information and security-protected assets not transferred using either safehand,
SCEC endorsed commercial courier, DFAT diplomatic mail bag or hand carriage; and
b. weapons and explosive ordnance.
Receiving Classified Information and Assets
45. Classified information must only be opened by the addressee or the alternative addressee. Group
Heads and Service Chiefs may, however, authorise a specified person or area to open all mail to perform
information or security management functions. In the case where someone other than the intended
addressee is charged with opening mail, the person involved should open the outer envelope only. If
needed, the inner envelope should only be opened in the presence of the addressee.
46. On arrival, the gaining entity must:
a. check the delivery documentation to ensure that the despatched items arrived within the
expected timeframe;
b. verify that the information/asset was transferred by the appropriate means (see Annex A) and
that its seals and packaging are still intact;
c. check that the contents of the package and their integrity are preserved (e.g., check pages,
table of contents, etc) and sign and return any receipt accompanying the information; and
d. if required, register the information/asset on a classified document register.
47. If there has been any anomaly observed during the inspection, a security incident may have occurred.
Refer to DSM Part 2:12 Security Incidents and Investigations for further information.
Loss, Recovery or Compromise
48. Any loss, recovery or suspected compromise of classified information or assets is to be reported in
accordance with the procedures in the DSM Part 2:12 Security Incidents and Investigations. If there is any
indication that the consignment has been lost, the consignor must advise the appropriate DS&VS Regional
Office, SSA and, if appropriate, the state, territory or federal policing authorities.
Note:
Early reporting in accordance with DSM Part 2:12 Security Incidents and Investigations may
prevent further compromise and minimise the extent of damage of the security incident.
Roles and Responsibilities
First Assistant Secretary Security and Vetting Service
49. FAS S&VS is responsible for reviewing and approving the systems in place within Defence to transfer
classified information and security-protected assets.
First Assistant Secretary Security and Vetting Service and Service Security Authorities
50. FAS S&VS and SSA are responsible for the provision of advice regarding the physical transfer of
classified information and security-protected assets. SSA perform this function for their respective Services.
Deputy Secretary Defence Support and Reform
51. The DEPSEC DSR is responsible for the secure operation of the Defence mail service and the DSHS.
Commanders and Managers
52. Commanders and managers are responsible for ensuring that hardcopy classified information and
security-protected assets are handled, packaged and transferred in accordance with this DSM part.
Exclusion:
High grade cryptographic and COMSEC equipment is to be handled in accordance
with DS&VS advice.
53. Commanders and managers of units where a DSHS is established are responsible for the security of
the DSHS and are to ensure that personnel employed there comply with all relevant instructions.
54. Commanders and managers are responsible for approving MSP submitted to them by issuing and
gaining entities for the transport of security-protected assets.
Issuing Entity
55. The issuing entity is responsible for the security of classified information and security-protected assets
until the gaining entity takes possession. This includes:
a. ensuring the freight is being handled in accordance with its classification or BIL and has the
correct container, seals and escort requirements;
b. arranging and providing all packaging needs, contacts for handover and the identities of any
relevant persons involved in the physical transfer; and
c. when not using a method of transfer approved in this DSM part, conducting a security risk
assessment and submitting a MSP to the responsible commander or manager for approval.
Gaining Entity
56. The gaining entity is responsible for:
a. submitting a MSP to the responsible commander or manager, to cover collection from the
handover point and travel to its own storage facility if the classified information or security-protected
assets are handed over at a location that is not controlled by the gaining entity; and
b. reporting to the issuing entity any delay in receipt of, or discrepancy between, the items
received and the items recorded on the issue voucher.
Exclusion:
A risk assessment and MSP are not required for hand carriage.
Defence Personnel and External Service Providers
57. Defence personnel and external service providers are responsible for using only approved transfer
methods to transfer classified information and security-protected assets.
Key Definitions
58. Official information. Any information received, developed or collected by, or on behalf of, the
Australian Government, through its agencies and external service providers that includes:
a. documents and papers;
b. data;
c. software or systems and networks on which the information is stored, processed or
communicated;
d. intellectual information (knowledge) acquired by individuals; and
e. physical items from which information regarding design, components or use could be derived.
59. Classified information. Official information that meets the criteria for classification under the
Australian Government Security Classification System (AGSCS), see DSM Part 2:30 Classification and
Protection of Official Information for further details.
60. Security-protected asset. A non-financial, reportable or accountable information or asset that
requires greater than standard fire and theft protection due to either:
a. being allocated a national security classification or Dissemination Limiting Marker (DLM);
Note:
The application of a security classification or DLM indicates that the information or asset has
inherent confidentiality requirements.
b. an unacceptable business impact that would result from the unauthorised modification (ie. loss
of integrity) of the information or asset, irrespective of whether that modification can be detected
or not;
c. an unacceptable business impact that would result from the information or asset being
unavailable (ie, loss of availability) for a given period of time; or
d. being categorised as a weapon or explosive ordnance.
61. Classified asset. A security-protected asset that meets the criteria for classification under the
AGSCS, see DSM Part 2:30 Classification and Protection of Official Information for further details.
62. High-risk unclassified asset. An UNCLASSIFIED security-protected asset the loss or compromise of
which may have an adverse impact on capability and the Defence mission.
Note:
High-risk unclassified assets used to be known as 'Categorised assets'. These used to be
assigned categories such as MAJOR, IMPORTANT, SENSITIVE/ATTRACTIVE and SUPPORT. The
assignment of Business Impact Levels under the Protective Security Policy Framework (PSPF)
replaces the 'categorisation' process.
63. Business Impact Level (BIL). A standardised rating, that forms part of a security risk management
process, that identifies the level of impact on the national interest, Defence capability and Defence ability to
perform its mandated functions resulting from a compromise of confidentiality, loss of integrity or
unavailability of individual or aggregated information and assets. See DSM Part 2:7 Business Impact Levels
for further information.
64. Approved transfer method. A transfer method detailed in this DSM part or an alternative method that
is supported by a risk assessment, documented and approved by DS&VS.
65. Safehand. An approved method of transferring an article in the care of an authorised officer or
succession of authorised officers who are responsible for its carriage and safekeeping.
66. Defence Safehand Service (DSHS). An approved person-to-person safehand carriage service
operated by Defence.
67. SCEC endorsed commercial courier. A commercial courier service approved for use by
Commonwealth departments and agencies for the transmission of classified information and assets within
Australia. Services include:
a. SCEC endorsed Safehand couriers - approved for the carriage of all classifications of
information and assets to the level of TOP SECRET, including security caveated and source
codeword information and assets.
b. SCEC endorsed Overnight couriers - approved for the carriage of information and assets to the
level of SECRET, excluding certain types of security caveated information and assets.
68. Hand carriage. The personal carriage of classified information or security-protected assets by
Defence personnel or external service providers who have the required security clearance to hold the
information or asset.
69. Laissez-passer or courier pass letter. A document issued by a national government or international
treaty organisation to allow a government employee to act as a temporary diplomatic courier. By convention
the laissez-passer or courier pass letter confers a degree of diplomatic immunity on the contents of a
diplomatic pouch carried by the person to whom the laissez-passer or courier pass letter is issued, but does
not confer diplomatic immunity on their hand luggage or other belongings. The laissez-passer or courier pass
letter and diplomatic pouch are issued to an individual and are therefore not transferable.
Note:
Not all countries recognise a laissez-passer or courier pass letter. Furthermore, some
countries that recognise the letter have reserved the right to open or inspect such items in the
presence of a consular official or return the item to the country of origin.
70. Movement security plan (MSP). A set of security measures detailed for the transport of security-protected
assets, including weapons and explosive ordnance. A single MSP can be used to cover periodic
movement of equipment between the same parties, at non-changing departure and destination points.
Further Definitions
71. Further definitions for common DSM terms can be found in the Glossary.
Annexes and Attachments
Annex A
This annex has not been publicly released.
Annex B
This annex has not been publicly released.
Annex C
This annex has not been publicly released.
Annex D
This annex has not been publicly released.
Annex E
International Transfer of Classified Information and Assets (current version published July 2015)
Annex F
Transfer of Classified and High Risk Unclassified Assets (current version published July 2015)
Annex G
Developing a Movement Security Plan (current version published July 2015)