Security Overview
Overview
At WorkSec, security is at the core of everything we do. As a DISP-accredited organisation, we operate at Essential 8 Maturity Level 2 to protect sensitive information and uphold the trust placed in us by Defence, government, and industry partners.
Our security strategy is built around clear frameworks and best practices, ensuring resilience across:
- Organisational governance and compliance
- Physical security of our facilities and people
- Infrastructure security aligned to the ISM and Essential 8
- Data security and privacy safeguards
- Identity and access management
- Operational monitoring and threat response
- Incident reporting and response planning
- Secure vendor and supply chain management
- Shared security responsibilities with our customers
By embedding security into our people, processes, and technology, we ensure that client data and operations remain safe, compliant, and resilient against evolving threats.
Organisational Security
As a Defence Industry Security Program (DISP) Member, WorkSec maintains a rigorous security governance framework aligned with the Defence Security Principles Framework (DSPF) and the Protective Security Policy Framework (PSPF).
Workforce Assurance
All WorkSec personnel undergo pre-employment screening in accordance with AS 4811:2022, and staff in positions of trust hold active security clearances where their roles demand higher levels of assurance or involve access to classified government information.
Audits and Continuous Compliance
To maintain ongoing compliance, WorkSec participates in audit and assurance activities conducted under the DISP framework, including:
- Cyber Assurance Program – assisting members to meet obligations through eligibility assessments, cyber assessments and uplift, annual self-reporting, Ongoing Suitability Assessments, and Deep-Dive Audits.
- Ongoing Suitability Assessments (OSA) – desktop audits that confirm WorkSec continues to meet its security obligations. These reviews strengthen our risk management strategies and identify opportunities for continuous improvement.
Through these structured assurance activities, WorkSec continually strengthens its policies, procedures, and risk management frameworks – embedding resilience and confidence in every engagement.
Physical Security
WorkSec applies layered physical security measures to safeguard our people, facilities, and information. These controls are aligned to DISP and PSPF requirements and are regularly reviewed to ensure they remain effective.
Workplace Security
Our facilities are protected by access-controlled entry systems, with tailored access levels for staff, contractors, and visitors. All visitors are required to sign in, display identification, and be escorted at all times. Facilities are also protected by monitored CCTV, intrusion detection, and alarm systems to detect and respond to unauthorised access attempts.
Secure Storage and Handling
Sensitive materials, devices, and records are stored in restricted access areas and managed in accordance with DISP and PSPF protective security requirements. Disposal of sensitive material follows approved destruction methods to prevent any possibility of recovery.
Remote and Offsite Security
Where personnel work remotely or at client sites, they are required to maintain the same security standards as our facilities. This includes secure storage, confidentiality practices, and adherence to approved protocols for handling information outside the workplace.
Infrastructure Security
WorkSec’s ICT environment is designed and operated in line with the ACSC Essential 8 Maturity Level 2 controls, ensuring a resilient and secure foundation for our operations.
Network Security
We employ multi-layered network security measures including segmentation, firewalls, and continuous monitoring to prevent unauthorised access and detect anomalies. These measures are implemented in alignment with the Australian Signals Directorate’s Information Security Manual (ISM).
System Hardening and Patching
All cloud systems are configured in accordance with the ASD’s Guidelines for System Hardening, and security patches are applied in a timely manner. Regular vulnerability scanning ensures our infrastructure remains protected against evolving threats.
Resilience and Redundancy
Critical systems and data are supported by redundant infrastructure and backup regimes. This ensures that operations can continue with minimal disruption in the event of a failure or incident. Recovery processes are tested regularly to validate their effectiveness and readiness.
Data Security
Protecting sensitive and personal information is central to WorkSec’s mission. We apply strong safeguards for information at rest, in transit, and through its lifecycle, in line with the ASD’s ISM, the Privacy Act, and our DISP obligations.
Secure Cloud Hosting
All customer and business data is stored in secure, Australian-based cloud platforms. These environments are subject to strict access controls and managed in accordance with DISP, ISM, and Essential 8 requirements.
Encryption
- In Transit – All data transmitted across public networks is encrypted using TLS 1.2 or higher (TLS 1.3 where supported).
- At Rest – Sensitive information is encrypted using AES-256, with encryption keys managed separately from the encrypted data to provide additional protection.
Data Retention and Disposal
WorkSec retains data only for as long as it is required to meet contractual, legal, or regulatory obligations. When no longer required, data is securely disposed of using approved destruction methods, including cryptographic erasure and secure shredding.
Privacy and Ownership
Customer data always remains the property of the customer. We do not share information with third parties unless required by law or authorised by the client. All handling of personal information complies with the Australian Privacy Act 1988 (Cth) and the Notifiable Data Breaches (NDB) scheme.
Identity and Access Control
WorkSec enforces strict identity and access management practices to protect sensitive systems and data, in line with the ACSC ISM and Essential Eight Maturity Level 2 controls.
Role-Based and Least Privilege Access
Access is granted using the principle of least privilege, ensuring users only receive the minimum permissions necessary to perform their duties. Access rights are reviewed regularly and revoked promptly when no longer required.
Strong Authentication
All WorkSec accounts (including both standard and privileged) are protected by phishing-resistant multi-factor authentication (MFA). This ensures that even if credentials are compromised, attackers cannot access systems without an additional secure factor.
Privileged Access Management
Administrative access is strictly controlled through just-in-time provisioning, where elevated privileges are only activated for a short, approved duration and automatically revoked. Privileged users also operate within a dedicated secure environment that is isolated from everyday tasks.
Session Management
User sessions automatically lock after defined periods of inactivity and require re-authentication. Privileged sessions have shorter timeouts and may require re-verification before critical actions are performed.
Monitoring and Auditing
All privileged access requests and activities are logged and monitored through centralised audit systems. Regular reviews and recertification of both privileged and standard accounts ensure ongoing compliance and prevent dormant or unnecessary access from persisting.
Operational Security
WorkSec maintains a proactive operational security framework to ensure threats are detected, assessed, and addressed in a timely manner.
Logging and Monitoring
All systems generate centralised audit logs for access, authentication, and administrative activity. These logs are safeguarded against tampering and continuously monitored for anomalies.
Vulnerability Management
WorkSec uses automated tools and vulnerability scanning to detect missing patches or misconfigurations across applications, operating systems, and online services. Critical vulnerabilities are remediated within 48 hours where exploits exist, and all systems are patched in line with the Essential Eight Maturity Level 2 requirements.
Malware and Threat Protection
Endpoint and cloud environments are protected by layered security measures, including malware detection, application control, and user application hardening. These defences align with the ASD’s guidance to mitigate common attack vectors.
Backup and Recovery
Data, applications, and system configurations are backed up in accordance with business continuity requirements and the Essential Eight Maturity Level 2 controls. Backups are stored securely, protected from unauthorised access, and tested regularly to validate recovery processes.
Security Awareness and Training
All staff complete security awareness training at induction and participate in ongoing refresher programs. Regular exercises and updates reinforce a strong culture of vigilance and compliance across the organisation.
Incident Management
WorkSec has a comprehensive Cyber Incident Response Plan (CIRP) to ensure any security event is managed swiftly, effectively, and transparently. This framework is aligned to the ACSC ISM, Essential 8 Maturity Level 2, and DISP reporting obligations.
Incident Response Process
Our response process includes:
- Preparation – ongoing training, monitoring, and readiness checks.
- Detection & Analysis – continuous monitoring to identify and validate incidents.
- Containment & Remediation – isolating affected systems, preserving evidence, and applying corrective actions.
- Recovery – restoring systems and operations securely, with enhanced monitoring.
- Lessons Learned – conducting post-incident reviews to improve resilience.
Notification and Reporting
WorkSec notifies relevant authorities in accordance with DISP and Australian law, including:
- The Department of Defence for security incidents.
- The Australian Cyber Security Centre (ACSC) for all cyber incidents.
- The Office of the Australian Information Commissioner (OAIC) under the Notifiable Data Breaches scheme, where applicable.
External Communications
When required, WorkSec informs customers, partners, and regulators of incidents in a timely and transparent manner.
Continuous Improvement
After each incident, a Post-Incident Review identifies lessons learned, which are incorporated into training, processes, and systems.
If you become aware of a potential security incident affecting WorkSec systems or services, please contact our security team immediately at [email protected].
Vendor and Supply Chain Security
WorkSec recognises that strong security extends beyond our own systems to include our suppliers, contractors, and partners. We maintain a structured approach to supply chain security, ensuring that vendors align with our security obligations under the DISP, DSPF, and PSPF.
Supplier Classification and Risk Management
Vendors are assessed and classified based on the sensitivity of the information or services they provide. Higher-risk suppliers are subject to stricter requirements, including enhanced due diligence, contractual security clauses, and ongoing monitoring.
Hosting and Cloud Service Providers
All hosting providers must demonstrate compliance with Australian security standards, including secure Australian-based data centres.
Ethical and Legal Compliance
Our supply chain management also addresses broader compliance obligations, including modern slavery legislation and ethical sourcing principles.
Ongoing Assurance
Supplier arrangements are reviewed periodically, with additional checks, audits, or assurance activities performed as required.
Customer Controls for Security
Security is a shared responsibility. While WorkSec applies rigorous controls across our people, processes, and systems, we also encourage our clients and partners to take practical steps to help maintain a secure environment.
Good Access Practices
- Use unique, strong passphrases and keep authentication credentials confidential.
- Ensure that any accounts with WorkSec systems are protected by multi-factor authentication wherever available.
- Report any suspicious activity immediately to [email protected].
Device and System Hygiene
- Keep operating systems, browsers, and applications up to date.
- Use supported software and avoid untrusted applications.
- Protect devices with up-to-date security controls.
Handling of Sensitive Information
- Classify and handle information according to its sensitivity.
- Share data only through authorised and secure channels.
- Exercise caution with unexpected communications.
Vigilance and Reporting
- Stay alert to phishing, malware, or impersonation attempts.
- Promptly report anomalies or suspected breaches to WorkSec.
Conclusion
Security is not an add-on at WorkSec; it is a core requirement of how we operate. We align our controls with the Defence Security Principles Framework (DSPF), the Protective Security Policy Framework (PSPF), and the ACSC Essential Eight Maturity Level 2 requirements.
Through rigorous governance, independent audits, and continuous improvement, we provide assurance that sensitive information, personnel, and systems are managed to the highest standards. Our commitment to security protects not only our business, but also the Defence and government supply chains we support.
By partnering with WorkSec, you can be confident that your information is safeguarded, your compliance obligations are met, and your reputation is protected.
