Governance

Outcome

Each entity manages security risks and supports a positive security culture in an appropriately mature manner ensuring:

  • clear lines of accountability
  • sound planning
  • investigation and response
  • assurance and review processes, and
  • proportionate reporting.

To support entities in achieving this desired end state, the PSPF includes seven core governance requirements. These core requirements, and the supporting requirements that go with them, articulate what entities must do in relation to protective security governance. They cover:

  • the roles and responsibilities of Accountable Authorities and others with security responsibilities
  • the requirements and guidance for planning, managing, monitoring and reporting on protective security
  • the governance arrangements for sharing Australian Government resources (including providing access to people, information and assets) with contracted service providers and with foreign partners.

Core requirements for security governance

Role of accountable authority

The accountable authority is answerable to their minister and the government for the security of their entity.
The accountable authority of each entity must:

  1. determine their entity's tolerance for security risks
  2. manage the security risks of their entity
  3. consider the implications their risk management decisions have for other entities, and share information on risks where appropriate.

The accountable authority of a lead security entity must:

  1. provide other entities with advice, guidance and services related to government security
  2. ensure that the security support it provides helps relevant entities achieve and maintain an acceptable level of security
  3. establish and document responsibilities and accountabilities for partnerships or security service arrangements with other entities.

Management structures and responsibilities

The accountable authority must:

  1. appoint a Chief Security Officer (CSO) at the Senior Executive Service level to be responsible for security in the entity
  2. empower the CSO to make decisions about:
    1. appointing security advisors within the entity
    2. the entity's protective security planning
    3. the entity's protective security practices and procedures
    4. investigating, responding to, and reporting on security incidents
  3. ensure personnel and contractors are aware of their collective responsibility to foster a positive security culture, and are provided sufficient information and training to support this.

Security planning and risk management

Each entity must have in place a security plan approved by the accountable authority to manage the entity's security risks. The security plan details the:

  1. security goals and strategic objectives of the entity, including how security risk management intersects with and supports broader business objectives and priorities
  2. threats, risks and vulnerabilities that impact the protection of an entity's people, information and assets
  3. entity's tolerance to security risks
  4. maturity of the entity's capability to manage security risks
  5. entity's strategies to implement security risk management, maintain a positive risk culture and deliver against the PSPF.

Where a single security plan is not practicable due to an entity's size or complexity of business, the accountable authority may approve a strategic-level overarching security plan that addresses the core requirements.

Security maturity monitoring

Each entity must assess the maturity of its security capability and risk culture by considering its progress against the goals and strategic objectives identified in its security plan.

Reporting on security

Each entity must report on security each financial year to:

  1. its portfolio minister and the Attorney-General's Department on:
    1. whether the entity achieved security outcomes through effectively implementing and managing requirements under the PSPF
    2. the maturity of the entity's security capability
    3. key risks to the entity's people, information and assets
    4. details of measures taken to mitigate or otherwise manage identified security risks
  2. other entities whose interests or security arrangements could be affected by the outcome of unmitigated security risks, security incidents or vulnerabilities in PSPF implementation
  3. the Australian Signals Directorate in relation to cyber security matters.

Security governance for contracted service providers

Each entity is accountable for the security risks arising from procuring goods and services, and must ensure contracted providers comply with relevant PSPF requirements.

Security governance for international sharing

Each entity must adhere to any provisions concerning the security of people, information and assets contained in international agreements and arrangements to which Australia is a party.