Australian Government - Attorney-General's Department

Protective Security Policy Framework


4 Security maturity monitoring

Purpose

This policy describes how an entity monitors and assesses the maturity of its security capability and risk culture. This includes an entity's capability to actively respond to emerging threats and changes in its security environment, while maintaining the protection of its people, information and assets.

Requirements

Core requirement

Each entity must assess the maturity of its security capability and risk culture by considering its progress against the goals and strategic objectives identified in its security plan.

Supporting requirements

Supporting requirements for security maturity monitoring

Requirement 1. Security maturity records
Entities must document and evidence their assessment of the entity's security maturity.

Guidance

Security capability maturity

Security capability maturity refers to an entity's security position in relation to its specific risk environment and risk tolerances. This includes acknowledging the successes and effectiveness of PSPF implementation, as well as highlighting areas for improvement.

Maturity of security capability considers how holistically and effectively each entity:

  1. implements and meets the intent of the PSPF core and supporting requirements
  2. minimises harm to the government's people, information and assets
  3. fosters a positive security culture
  4. responds to and learns from security incidents
  5. understands and manages its security risks
  6. achieves security outcomes while delivering business objectives.


Security risk culture

Security risk culture is the entity's system of values, together with its personnel's behaviours, attitudes and understanding of security risk, that shapes the risk decisions of the entity's leadership and personnel. Having a mature risk culture is a fundamental enabler of good government business. Maturity of risk culture is driven by the accountable authority and is underpinned by the PSPF policy: Role of accountable authority.

An entity with a mature security risk culture is one where the leadership team and personnel:

  1. comprehensively understand security risks
  2. appropriately manage security risks in their operational environments
  3. prioritise security risk management in their everyday practices
  4. make informed decisions on risks within agreed entity security risk tolerances
  5. react and respond to changes in the security risk environment.

For information see the PSPF policy: Security planning and risk management.

Monitoring security maturity

Monitoring security maturity is an ongoing process and involves routine assessment of the entity's security capability and risk culture against a set of indicators.

The benefits of effective security maturity monitoring include improved:

  1. understanding of the entity's security risks and risk mitigation strategies
  2. performance of the entity in:
    1. implementing the minimum core and supporting PSPF requirements in relation to its risk environment
    2. driving a strong security culture through awareness of agreed security behaviours
    3. identifying and implementing changes that achieve robust security outcomes
    4. using resources efficiently and effectively to protect people, information and assets
  3. assurance that the entity's:
    1. people, information and assets are adequately protected consistent with government policy
    2. security risks are managed appropriately (including security incidents) and clear lines of accountability and sound planning and proportionate reporting are undertaken.

The Attorney‑General's Department recommends entities develop their security maturity monitoring plan as part of their overarching security plan. This includes:

  1. using security maturity indicators as detailed in the PSPF Maturity Self-Assessment Model (Annex A to the PSPF policy: Reporting on security)
  2. setting goals and objectives and identifying the impact on security of any goals and objectives detailed in the entity security plan
  3. developing methodologies to manage the collection, measurement and analysis of data in relation to the entity's security maturity indicators
  4. determining the frequency of security monitoring advice to be given to the accountable authority, Chief Security Officer, audit committee (see the PSPF policy: Management structure and responsibilities) and relevant security governance committee (if established in the entity)
  5. setting pre-determined levels of change in security maturity metrics that trigger escalation to the accountable authority, Chief Security Officer, audit committee and relevant security governance committees
  6. where applicable, identifying the responsible area and timeframes to:
    1. manage implementation of PSPF core and supporting requirements
    2. implement strategies that achieve improvements in security culture.

Requirement 1 mandates that an entity must document and evidence its assessment of its security maturity. This can be part of the security maturity monitoring plan where the entity records its progress against the goals and objectives of the security plan.

Figure 1 illustrates the stages of effective security maturity monitoring as a continuous improvement cycle. This can assist an entity to respond to changes in its security environment and emerging security risks. It can help entities implement the PSPF core and supporting requirements necessary to protect people, information and assets.


Figure 1 Security maturity monitoring cycle

This figure outlines a four-step maturity monitoring cycle.

Step 1: Collect
Consistent information collection (Note i) and documentation on the entity's:
1.a. engagement with, and decisions on, security risks and risk tolerances
1.b. risk mitigation strategies
1.c. implementation of the PSPF's core and supporting requirements (see PSPF Resources - PSPF requirements summary)
1.d. personnel security behaviours and security training programs influencing security culture
1.e. response to, timely reporting of, and learnings from security incidents and near misses
1.f. lead security entity (Note ii) responsibilities.

Step 2: Analyse and interpret
Analysis and interpretation of collected information against the four-level PSPF Maturity Self-Assessment Model including:
2.a. establishing cause-and-effect relationships where possible, for example, whether entity processes are effective and achieving the required outcomes
2.b. identifying and interpreting any root issues affecting maturity, for example, low entity awareness of risk culture may be due to ad hoc security training programs.

Step 3: Advise and respond
Frequent security monitoring advice to relevant stakeholders (Note iii).
Where there is low-level maturity (i.e. maturity levels Ad Hoc or Developing), advising relevant stakeholders of:
3.a. mitigation strategies to address risks
3.b. a time-defined implementation pathway to achieve 'managing' maturity level
3.c. responsibilities for mitigation strategy and implementation pathway management.
Response to and implementation of identified changes.

Step 4: Review and learn
Review of strategies and implementation pathways to ensure expected results are being achieved within appropriate predetermined timeframes and unmitigated risks are addressed in line with the entity security plan.

Figure 1 notes:

i. Step 1 sources of information collection include:

  1. pre-existing information
    1. systematic and routine audits of entity security practices
    2. security incident and near miss reporting
    3. direct observations and security facility inspections
    4. informal and formal security networks
  2. tasks to derive information
    1. reviews of entity security practices and commissioned research
    2. internal focus groups and security questionnaires
    3. stakeholder consultation
    4. horizon scanning for early identification of emerging security issues internal and external to government that may impact security maturity.

ii. Where an entity has been identified as a lead security entity (see the PSPF policy: Management structures and responsibilities), the Attorney-General's Department recommends additional information is collected and assessed on the entity's:

  1. provision of effective and timely advice, guidance and services related to the entity's area of security expertise
  2. management of responsibilities and accountabilities for partnerships and security service arrangements with other entities.

iii. Relevant stakeholders to advise under Step 3 may include the accountable authority, the Chief Security Officer, audit committee and relevant security governance committees (if established in the entity).


Security maturity monitoring is a continuous cycle and the information collected informs the entity security plan and the PSPF policy: Reporting on security.

Find out more

Other standards that may be relevant:

  1. Australian Standards HB 167 Security risk management
  2. AS/NZS ISO 31000 – Risk Management – Guidelines.