
Security governance | Protective Security Policy Framework

PSPF Policy 1 - Role of accountable authority (protectivesecurity.gov.au)


Outcome

Each entity manages security risks and supports a positive security culture in an appropriately mature manner ensuring:

  • clear lines of accountability
  • sound planning
  • investigation and response
  • assurance and review processes
  • proportionate reporting.

Policy 1: Role of accountable authority

Core requirement

The accountable authority is answerable to their minister and the government for the security of their entity.

The accountable authority of each entity must:

  1. determine their entity’s tolerance for security risks
  2. manage the security risks of their entity
  3. consider the implications their risk management decisions have for other entities, and share information on risks where appropriate, and
  4. adhere to any direction issued by the Secretary of the Department of Home Affairs under the PSPF.

The accountable authority of a lead security entity must:

  1. provide other entities with advice, guidance and services related to government security
  2. ensure that the security support it provides helps relevant entities achieve and maintain an acceptable level of security, and
  3. establish and document responsibilities and accountabilities for partnerships or security service arrangements with other entities.

Key topics

  • Accountable authority role and responsibilities
  • Security risk management
  • Lead protective security entities
  • Exceptional circumstances

Policy 2: Management structures and responsibilities

Policy 2: Management structures and responsibilities | Protective Security Policy Framework

Core requirement

The accountable authority must:

  1. appoint a Chief Security Officer (CSO) at the Senior Executive Service level to be responsible for security in the entity
  2. empower the CSO to make decisions about:
    1. appointing security advisors within the entity
    2. the entity’s protective security planning
    3. the entity’s protective security practices and procedures
    4. investigating, responding to, and reporting on security incidents, and
  3. ensure personnel and contractors are aware of their collective responsibility to foster a positive security culture, and are provided sufficient information and training to support this.

Key topics

  • Management structures
  • Chief Security Officer responsibilities
  • Security governance committee
  • Appointing security advisors
  • Protective security planning
  • Protective security practices and procedures
  • Investigating, responding to and reporting on security incidents
  • Fostering a positive security culture
  • Security awareness training

NOTE

Given the range and complexity of security functions, it may be appropriate, depending on the entity’s operations or size, to appoint separate advisors for information, personnel and physical security matters.

NOTE

The knowledge, competencies and skills can be attained through on-the-job training, prior experience in a related field or formal qualifications (eg tertiary qualifications such as the Certificate IV, Diploma in Government Security or equivalent qualification). Where entities provide training towards formal qualifications for security advisors, the Department of Home Affairs recommends that this training be delivered by a Registered Training Organisation (RTO). RTOs are accredited training providers that offer nationally recognised training courses. A list of these organisations is available from www.training.gov.au.

NOTE

Where the CSO or CISO contracts service providers for specific security functions, including where professional technical certification is required (eg SCEC security zone consultants for Type 1a security alarm system compliance and IRAP Assessors for ICT systems), the entity retains the security accountability; it does not transfer to the contractor. The Department of Home Affairs recommends that the CSO, CISO or appointed security advisor establish arrangements to monitor any outsourced security service providers.

Policy 3: Security planning and risk management

policy-3-security-planning-and-risk-management.pdf (protectivesecurity.gov.au)

Core requirement

Each entity must have in place a security plan approved by the accountable authority to manage the entity’s security risks. The security plan details the:

  1. security goals and strategic objectives of the entity, including how security risk management intersects with and supports broader business objectives and priorities
  2. threats, risks and vulnerabilities that impact the protection of an entity’s people, information and assets
  3. entity’s tolerance to security risks
  4. maturity of the entity’s capability to manage security risks
  5. entity’s strategies to implement security risk management, maintain a positive risk culture and deliver against the PSPF.

Key topics

  • Security planning approach
  • Security plan
  • Security threat levels
  • Risk-based approach to the PSPF

Criticality assessment

Criticality assessment identifies and assigns importance to all resources (anything that has value to the entity, including personnel, information and physical assets, or the processes that support them) that are critical to the ongoing operation of the entity or to the national interest. Asset identification and security risk management documents can form part of the security plan, or be standalone and inform the security plan.

The criticality assessment will differ depending on the entity’s purpose, business objectives and risk environment. Criticality assessments include:

a. criticality ratings – the scale of the resource’s importance to the entity (eg a numerical scale of 1-5, or an importance value scale such as catastrophic, significant, moderate, low, insignificant). Alternatively, a business impact level can be applied by assessing the impact on the entity if the integrity or availability of the resource were compromised (applying a business impact level to the confidentiality of a resource means applying a security classification; see the PSPF policy: Sensitive and classified information)

b. consequence of loss, compromise or harm – a description of what the consequence is.

Threat assessment

A threat assessment identifies the source of harm and is used to inform the entity’s risk assessment. Threats are assessed by determining the intent to cause harm, damage or disruption and the capability (the potential that exists to actually cause harm or carry out intentions) of the threat source.

Vulnerability assessment

Vulnerability assessment identifies the degree of susceptibility and resilience of an entity to hazards. To understand the potential of risks, it is recommended that entities assess the possible vulnerabilities to each risk to gauge the consequence and likelihood of these risks. This process of understanding possible vulnerabilities helps entities to prioritise the risks and guides the allocation of resources in mitigating their effects.

Analyse security risks

Risk analysis involves assessing the likelihood and potential consequence of each identified risk, determining the level of risk rating and assessing whether additional controls are required.

Aims of risk analysis:

a. Determine control effectiveness – whether the existing control measures are adequate or effective in managing identified risks.

b. Define the likelihood and consequence of the event. This is achieved by considering the:

  i. likelihood – the chance, probability or frequency of the event (an occurrence or change in a particular set of circumstances; it can be one or more occurrences and can have several causes) occurring
  ii. consequence – the outcome affecting objectives if the event occurs (consequences can be expressed qualitatively or quantitatively, can be certain or uncertain, and can have positive or negative effects on objectives). There may be a number of possible outcomes associated with an event.

c. Assign the level of risk rating based on the likelihood and consequence risk matrix. The overall risk rating is determined by combining the likelihood and consequence estimations. Risk rating allows the security risks to be prioritised in order of decreasing risk level, which helps with deciding the tolerability of each risk in the evaluation step. The Department of Home Affairs recommends adopting a risk-rating matrix approach for determining the levels of risk.

d. Prioritise risks for subsequent evaluation of tolerance or the need for further treatment.

e. Provide an improved understanding of the vulnerability of critical assets to identified risks.


Policy 4: Security maturity monitoring

GOVSEC - 04 - Security maturity monitoring (protectivesecurity.gov.au)

Core requirement

Each entity must assess the maturity of its security capability and risk culture by considering its progress against the goals and strategic objectives identified in its security plan.

Key topics

  • Security capability maturity
  • Security risk culture
  • Monitoring security maturity


Policy 5: Reporting on security

PSPF - Policy 5 reporting on security (protectivesecurity.gov.au)

Core requirement

Each entity must report on security:

  1. each financial year to its portfolio minister and the Attorney-General’s Department on:
    1. whether the entity achieved security outcomes through effectively implementing and managing requirements under the PSPF
    2. the maturity of the entity’s security capability
    3. key risks to the entity’s people, information and assets, and
    4. details of measures taken to mitigate or otherwise manage identified risks
  2. affected entities whose interests or security arrangements could be affected by the outcome of unmitigated security risks, security incidents or vulnerabilities in PSPF implementation, and
  3. the Australian Signals Directorate in relation to cyber security matters.

Key topics

  • Reporting to the portfolio minister and the Attorney-General’s Department
  • Reporting to affected entities
  • Reporting on cyber security matters
  • PSPF maturity self-assessment model

The core requirement mandates that entities report on whether security outcomes have been achieved through effectively implementing and managing requirements under the PSPF.

There are four security outcomes:

a. Governance – each entity manages security risks and supports a positive security culture in an appropriately mature manner ensuring: clear lines of accountability, sound planning, investigation and response, assurance and review processes and proportionate reporting.

b. Information (including ICT) – each entity maintains the confidentiality, integrity and availability of all official information.

c. Personnel – each entity ensures its employees and contractors are suitable to access Australian Government resources, and meet an appropriate standard of integrity and honesty.

d. Physical – each entity provides a safe and secure physical environment for their people, information and assets.


When reporting on the entity’s effectiveness in implementing and managing requirements under the PSPF, entities are asked to evaluate the degree to which implementation achieves the minimum requirements set out in the PSPF. The degree of implementation can be described as:

a. Partial – Requirement is not implemented, is partially progressed or is not well understood across the entity.

b. Substantial – Requirement is largely implemented but may not be fully effective or integrated into business practices.

c. Full – Requirement is fully implemented and effective and is integrated, as applicable, into business practices.

d. Superior – Requirement and relevant better-practice guidance are proactively implemented in accordance with the entity’s risk environment, are effective in mitigating security risk and are systematically integrated into business practices.

e. Yes or No – For a small number of requirements, it is not possible to evaluate the degree of implementation and entities can only state whether they have or have not implemented the requirement, for example, the requirement to submit the Australian Signals Directorate’s annual cyber security survey.

For an entity to assess its implementation and management of the PSPF requirements as fully effective (Maturity Level Three), the entity is expected to implement all of the core and supporting requirements, or to implement alternative protective security measures that provide the same level of protection as (or exceed) the PSPF core and/or supporting requirements.

Reporting on maturity of security capability

The core requirement mandates that the annual security report address the maturity of the entity’s security capability. Assessing the maturity of the entity’s security capability involves considering how holistically and effectively each entity:

a. implements and meets the intent of the PSPF core and supporting requirements

b. minimises harm and damage to government people, information and assets

c. fosters a positive security culture

d. responds to, and learns from, security incidents

e. understands and manages their security risks

f. achieves security outcomes while delivering business objectives.
