3 Security planning and risk management

Purpose

This policy describes how entities establish effective security planning and can embed security into risk management practices. Security planning can be used to identify and manage risks and assist decision-making by:

  1. applying appropriate controls effectively and consistently (as part of the entity's existing risk management arrangements)
  2. adapting to change while safeguarding the delivery of business and services
  3. improving resilience to threats, vulnerabilities and challenges
  4. driving protective security performance improvements.

Requirements

Core requirement

Each entity must have in place a security plan approved by the accountable authority to manage the entity's security risks. The security plan details the:

  1. security goals and strategic objectives of the entity, including how security risk management intersects with and supports broader business objectives and priorities
  2. threats, risks and vulnerabilities that impact the protection of an entity's people, information and assets
  3. entity's tolerance to security risks
  4. maturity of the entity's capability to manage security risks
  5. entity's strategies to implement security risk management, maintain a positive risk culture and deliver against the PSPF.

Where a single security plan is not practicable due to an entity's size or complexity of business, the accountable authority may approve a strategic-level overarching security plan that addresses the core requirements.

Supporting requirements

 

Supporting requirements for security planning and risk management

Requirement 1. Security plan review

The security plan (and supporting security plans) must be reviewed at least every two years. The review process must include how the entity will:

  1. determine the adequacy of existing measures and mitigation controls
  2. respond to and manage significant shifts in the entity's risk, threat and operating environment.

Requirement 2. Critical assets

Entities must identify people, information and assets that are critical to the ongoing operation of the entity and the national interest and apply appropriate protections to these resources to support their core business.

Requirement 3. Risk steward

Entities must identify a risk steward (or manager) who is responsible for each security risk or category of security risk, including for shared risks.

Requirement 4. Impact of risks

When conducting a security risk assessment, entities must communicate to the affected Commonwealth entity any identified risks that could potentially impact on the business of another entity.

Requirement 5. Threat levels

The security plan (and supporting security plans) must include scalable measures to meet variations in threat levels and accommodate changes in the National Terrorism Threat Level.

Requirement 6. Alternative mitigations

Where the CSO (or security advisor on behalf of the CSO) implements an alternative mitigation measure or control to a PSPF requirement, they must document the decision and adjust the maturity level for the related PSPF requirement.

Guidance

Security planning approach

Successfully managing entity security risks and protecting people, information and assets requires an understanding of what needs protecting, what the threat is and how assets will be protected. Security planning is designing, implementing, monitoring, reviewing and continually improving practices for security risk management.

A security plan (see Security plan) specifies the approach, responsibilities and resources applied to managing protective security risks. The security plan allows entities to review the degree of security risk that exists in different areas of operations and take action to mitigate identified risks.

A security risk management process (see Annex A) manages risks across all areas of security (governance, information, personnel and physical) to determine sources of threat and risk (and potential events) that could affect government or entity business. Security risk management includes:

  1. security risk assessments, which are structured and comprehensive processes to identify, analyse and evaluate security risks and determine practical steps to minimise the risks
  2. security risk treatments, which are the considered, coordinated and efficient actions and resources required to mitigate or lessen the likelihood or negative consequences of risks.

Regardless of an entity's functions or security concerns, the central messages for managing security risks are:

  1. security is everyone's responsibility and risk management is the business of all personnel (including contractors) in the entity, supported by security awareness training
  2. security is a business enabler that informs decision-making, is part of day-to-day business and is embedded into an entity's business processes
  3. security management is logical, systematic and transparent and is part of the enterprise risk management process
  4. security processes identify changes in the threat environment and allow for adjustments to maintain acceptable levels of risk, balancing operational and security needs.

For information on how a risk-based approach works with the PSPF core requirements, refer to section Risk-based approach to the PSPF.

Security plan

Entities develop a security plan to articulate how their security risks will be managed and how security aligns with their priorities and objectives. Where a single security plan is not practicable due to the entity's size or complexity of business, the Attorney-General's Department recommends developing an overarching security plan supported by more detailed plans (referred to as supporting security plans).

Each entity's security plan will be different. The security plan reflects an entity's protective security requirements and mitigation strategies appropriate to the levels of threat, risks to its assets and risk tolerances. Entities are encouraged to use approaches that manage risks for the Australian Government and best meet their operational environment.

Requirement 1 mandates that security plans (and supporting security plans) are reviewed at least every two years. A security plan is a 'living' document and requires review and adjustment to ensure the goals and management of security risks keep pace with changes in the entity and with emerging threats. This could include, for example, a change in the National Terrorism Threat Level or an emerging threat that alters the entity's business impact level (see Table 3). It is recommended the security plan also be reviewed when there are significant shifts in the entity's risk or operating environment.

Entities determine how the review of the security plan (and supporting security plans) is conducted. Security plans may be reviewed by the CSO or appointed security advisor, an external security consultant or through a security governance oversight committee for larger or more complex business operations.

Security plans are best developed by a person who also has an understanding of the entity's strategic goals and objectives and the appropriate level of security risk management knowledge and expertise.

Entities are encouraged to make the security plan (and supporting security plans) available across the entity, particularly to those with obligations or responsibilities identified in the plan. Doing so helps to build a positive security culture based on a common understanding of security.

Table 1 Security plan overview

Sections of the plan

Suggested content coverage

Goals and objectives

The accountable authority's commitment to effective security risk management, expectations for a positive security culture, outlining the entity's security priorities, goals and objectives (see Security plan – goals and objectives).

Security risk environment

The environment in which the entity operates; the threats, risks and vulnerabilities affecting the entity's protection (see Security plan – threats, risks and vulnerabilities), including:

  1. what the entity needs to protect (via a risk assessment) being the people, information and assets assessed as critical to its ongoing operation and to the national interest (mandated in Requirement 2)
  2. what it needs to protect against (via threat assessment)
  3. how the risk will be managed within the entity.

See Annex A for the security risk management process.

Risk tolerance

The entity's level of risk tolerance. Each entity's level of tolerance for risk will vary depending on the level of potential damage to the Australian Government or to the entity (see Security plan – tolerance to security risks).

Security capability

The maturity of the entity's capability to manage security risks (see Security plan – capability to manage security risks).

Security risk management strategies

Strategies to manage security, maintain a positive risk culture and deliver the PSPF requirements (see Security plan – strategies to implement security risk management, maintain a positive risk culture and deliver against the PSPF).

The entity's approach to managing security risks, including identifying how it will apply proportional and sufficient controls to deter, detect, delay and respond to threats (internal or external) that affect the security of its people, information or assets. This includes:

  1. establishing risk stewards and managers (mandated in Requirement 3)
  2. instigating steps that minimise risks (according to risk environment and tolerances)
  3. managing residual risks to ensure the protection of people, information and assets.

Supporting and evidentiary documents

Entities are encouraged to consider what, if any, evidentiary documents support the security plan (and supporting security plans).

Examples:

  1. security risk assessment report
  2. security alert levels
  3. threat assessment
  4. site security plan
  5. vulnerability assessment
  6. entity-specific security procedure
  7. security risk register
  8. entity-specific PSPF security maturity monitoring
  9. critical asset register
  10. security incident register/response procedure
  11. privacy impact assessment
  12. ICT system security plans (see ISM)
  13. information asset register
  14. other entity operational or compliance plans

The Attorney-General's Department recommends security plans be comprehensive and span all areas of protective security. This includes governance arrangements and information, ICT, personnel and physical security as outlined in Table 2.

Table 2 Suggested coverage for security plan

Governance arrangement

Suggested coverage for governance arrangements:

  1. roles and responsibilities
  2. risk tolerances
  3. security risk management (including threat, vulnerability and criticality assessments)
  4. security incidents
  5. security culture
  6. security awareness training
  7. security monitoring
  8. reporting security maturity
  9. contracted service providers.

Information (including ICT) security

Suggested coverage for information security:

  1. classification and management arrangements for information holdings
  2. access to information including sharing information
  3. ICT access and system security
  4. cyber security to mitigate targeted intrusions
  5. information handling within the entity as well as when in transit or out of the office.

Personnel security

Suggested coverage for personnel security:

  1. personnel security provisions during recruitment in conjunction with human resource management
  2. security clearance maintenance plans that address risks identified by security vetting agencies
  3. security assessment position list
  4. contact reporting
  5. security clearance aftercare
  6. ongoing security awareness training
  7. managing the separation of personnel.

Physical security

Suggested coverage for physical security:

  1. access control systems
  2. security monitoring and alarm systems
  3. measures to increase security if the National Terrorism Alert Level or entity-specific threats increase.

When developing or reviewing the security plan (and supporting security plans), entities are encouraged to seek advice and technical assistance from specialist entities such as:

  1. Australian Security Intelligence Organisation for threat assessments
  2. ASIO-T4 Protective Security for physical security advice or technical assistance
  3. local police for state and territory criminal threat information
  4. Australian Government Security Vetting Agency for security vetting procedural advice
  5. Australian Signals Directorate for ICT, cyber security and certified cloud services advice
  6. subject-matter experts.

Security planning for projects

The Attorney-General's Department recommends that security is considered during all stages of project management and planning. This is particularly important for projects that involve:

  1. major acquisitions
  2. establishment of infrastructure or major modifications to existing infrastructure
  3. information that is:
    1. sensitive in nature or security classified
    2. proprietary in nature or
    3. meets the financial and economic impact threshold with a business impact of low to medium (level two) or higher.

Security plan – goals and objectives

Security is everyone's responsibility; however, overall accountability for security planning and risk management rests with the entity's accountable authority, supported by the CSO.

Security arrangements support an entity's business objectives by identifying and managing risks that could adversely affect achieving those objectives. The accountable authority and CSO determine the security arrangements required for:

  1. vigilance, resilience and adaptability of personnel to security risks
  2. capacity to function, including during security incidents, disruptions or emergencies
  3. safety of personnel (including contractors) and those who have dealings with government (including visitors)
  4. protection of resources, information and assets held in the entity.

Clear protective security goals and objectives allow effective implementation of security risk management that is consistent with the entity's operating objectives. This includes how security underpins business priorities and functions as reflected in the entity's corporate plan.

When setting goals, entities are encouraged to consider historical security experience and knowledge, results from previous performance indicators and past compliance with the PSPF.

The Attorney-General's Department recommends that entities assess their existing protective security arrangements and procedures to identify areas for improvement. This could be areas of exposure, vulnerability or 'target attractiveness'. Target attractiveness is the value of an entity or its components to an adversary when viewed as a target. Reviewing protective security arrangements also considers the entity's maturity in implementing PSPF requirements.

Security plan – threats, risks and vulnerabilities

When implementing the core requirement to detail threats, risks and vulnerabilities that affect the protection of people, information and assets, entities:

  1. identify the people, information (including ICT) and assets to be safeguarded (Requirement 2)
  2. determine specific risks (including shared risks) to its people, information and assets in Australia and abroad (risk identification)
  3. identify and assess criticality of people, information and assets (criticality assessment)
  4. identify the threats to people, information and assets (threat assessment)
  5. assess the degree of susceptibility and resilience to hazards (vulnerability assessment)
  6. assess the likelihood and consequence of each risk occurring (risk analysis)
  7. determine adequacy of existing safeguards and whether current risks (or residual vulnerabilities) are acceptable or not (evaluate risks)
  8. implement protective security measures to mitigate or reduce identified risks to an acceptable level (risk treatments)
  9. manage residual risks (treatable and untreatable) and vulnerabilities
  10. identify and accept responsibility for risks (Requirement 3).
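The ten steps above run from identifying critical assets through to accepting residual risk, and several of them carry bookkeeping that the supporting requirements mandate (review age under Requirement 1, a steward under Requirement 3, communication of shared risks under Requirement 4, a documented decision for alternative mitigations under Requirement 6). The following Python is an added example, not code from the PSPF or the Attorney-General's Department. It uses the Table 3 business impact levels as its consequence scale; the five-point likelihood scale, the likelihood × consequence rating, the tolerance thresholds and every register entry are constructed assumptions standing in for an entity's own scales and data.

```python
"""Security risk register walk-through (constructed example, not PSPF code)."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Consequence scale: the Table 3 business impact levels (1..5).
BIL = {1: "Low", 2: "Low to medium", 3: "High", 4: "Extreme", 5: "Catastrophic"}
# Likelihood is a constructed 1..5 scale; rating = likelihood x consequence (1..25).
# Tolerance regions along that gradient are constructed thresholds (Figure 1 is example only).
REGIONS = ((4, "acceptable"), (12, "acceptable with treatment"), (25, "unacceptable"))
REVIEW_PERIOD = timedelta(days=2 * 365)   # Requirement 1: review at least every two years
SAMPLE_TODAY = date(2024, 9, 1)           # fixed 'today' so the sample run is repeatable


def tolerance_region(rating: int) -> str:
    """Map a rating onto the tolerance gradient."""
    for ceiling, region in REGIONS:
        if rating <= ceiling:
            return region
    raise ValueError(f"rating out of range: {rating}")


@dataclass
class Treatment:
    control: str
    likelihood_reduction: int = 0           # steps down the likelihood scale
    consequence_reduction: int = 0          # steps down the consequence scale
    alternative_to: Optional[str] = None    # PSPF requirement this control stands in for (Requirement 6)
    decision_record: Optional[str] = None   # where the CSO's decision is documented


@dataclass
class Risk:
    risk_id: str
    asset: str
    critical: bool                          # Requirement 2: critical people, information or assets
    threat: str
    vulnerability: str
    likelihood: int
    consequence: int
    steward: Optional[str]                  # Requirement 3: risk steward or manager
    shared_with: tuple = ()                 # other Commonwealth entities the risk could affect
    communicated_to: tuple = ()             # entities actually told (Requirement 4)
    treatments: list = field(default_factory=list)
    last_reviewed: date = field(default_factory=date.today)

    def inherent_rating(self) -> int:
        return self.likelihood * self.consequence

    def residual(self) -> tuple:
        # likelihood and consequence after treatments, floored at 1 on each scale
        lik = max(1, self.likelihood - sum(t.likelihood_reduction for t in self.treatments))
        con = max(1, self.consequence - sum(t.consequence_reduction for t in self.treatments))
        return lik, con

    def residual_rating(self) -> int:
        lik, con = self.residual()
        return lik * con


def findings(risk: Risk, today: date) -> list:
    """Checks a security plan reviewer would run over one register entry."""
    out = []
    if risk.steward is None:
        out.append("no risk steward assigned (Requirement 3)")
    missing = [e for e in risk.shared_with if e not in risk.communicated_to]
    if missing:
        out.append(f"shared risk not communicated to {', '.join(missing)} (Requirement 4)")
    for t in risk.treatments:
        if t.alternative_to and not t.decision_record:
            out.append(f"alternative mitigation '{t.control}' lacks a documented decision (Requirement 6)")
    if today - risk.last_reviewed > REVIEW_PERIOD:
        out.append("review overdue (Requirement 1)")
    lik, con = risk.residual()
    region = tolerance_region(lik * con)
    if region == "unacceptable":
        out.append(f"residual rating {lik * con} ({BIL[con]} impact) is outside tolerance")
    elif region == "acceptable with treatment" and not risk.treatments:
        out.append("rating requires treatment but none is recorded")
    return out


def build_sample_register() -> list:
    """Constructed entries for illustration only; none describe a real entity."""
    return [
        Risk("R1", "case management system", True, "targeted intrusion", "unpatched internet-facing service",
             likelihood=4, consequence=4, steward="CISO", last_reviewed=date(2023, 6, 1),
             treatments=[Treatment("patch cadence and multi-factor authentication", likelihood_reduction=2)]),
        Risk("R2", "shared building foyer", False, "protest activity", "public access to lobby",
             likelihood=3, consequence=2, steward=None, shared_with=("Entity B",),
             last_reviewed=date(2021, 1, 15)),
        Risk("R3", "classified paper holdings", True, "trusted insider", "unsupervised print room",
             likelihood=2, consequence=3, steward="CSO", last_reviewed=date(2024, 2, 1),
             treatments=[Treatment("escorted access", likelihood_reduction=1,
                                   alternative_to="PSPF requirement (placeholder)")]),
    ]


if __name__ == "__main__":
    for risk in build_sample_register():
        print(risk.risk_id, risk.inherent_rating(), "->", risk.residual_rating(), findings(risk, SAMPLE_TODAY))
```

Run as a script it prints the inherent and residual ratings for each sample entry and the reviewer findings. R1 drops from 16 to 8 once its treatment is counted and raises nothing; R2 raises four findings (no steward, a shared risk never communicated, an overdue review, and a rating that calls for treatment); R3 sits inside tolerance but its alternative mitigation has no decision record. The point of separating inherent from residual ratings is the caution given later on the page: lowering the likelihood or consequence inputs directly would hide the risk, whereas recording a treatment keeps the original assessment visible.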

Requirement 2 mandates that entities must identify the people, information and assets that are critical to the ongoing operation of the entity and to the national interest.

  1. Assets are items that have a value to the entity, including resources and property that are relied on to sustain operations and capabilities. These are in addition to people and information (including ICT) identified as critical to ongoing operations.
  2. Critical assets (and components of an asset) are essential to the ongoing operation of the entity.
  3. Asset attractiveness is how a threat source may view the asset in relation to the activity it seeks to undertake.
  4. Asset attributes are the qualities that determine the nature and extent of impact on the entity operations following an event or incident.

Annex A provides details on the security risk management process. The Attorney-General's Department recommends entities ensure methodologies are appropriate, compatible with security and align with their risk management standards when developing their security risk management approach. Entities may consider:

  1. Department of Finance Commonwealth Risk Management Policy
  2. Australian Standards AS/NZS ISO 31000 Risk Management – Guidelines and HB 167 – Security Risk Management.

These standards are a non-prescriptive method of managing risk. They are applicable for all types of organisations, including government.

Where risks are identified that could potentially affect the operations of another government entity, Requirement 4 mandates that entities communicate these risks to the affected entity.

Where a risk with national security implications is identified, the Attorney-General's Department recommends the entity inform ASIO of these risks.

What is a security risk?

A security risk is something that could result in the compromise, loss or unavailability of, or damage to, information or assets, or cause harm to people. Security risk is the effect of uncertainty on objectives and is often measured in terms of its likelihood and consequences. The causes are generally people, systems, processes, procedures, crime, attacks or natural events. An:

  1. effect is a deviation from the expected and may be positive or negative
  2. objective has different aspects such as financial, health and safety and environmental goals, and can apply at multiple levels such as strategic, organisation-wide, project, product and process levels.

Entities are encouraged to consider where security risks intersect with other risks, including fraud, privacy and business continuity, and to treat risk holistically across their operations. For example, there may be opportunities to treat multiple risks with one mitigation control.

Shared security risks

Shared security risks are those that extend across entities, premises, the community, industry, international partners and other jurisdictions. They require high levels of cooperation between stakeholders to effectively understand and manage those risks.

Where entities share accommodation or facilities, the Attorney-General's Department recommends entities conduct a risk assessment to evaluate the security risks for the co-tenancy and apply protective security measures to address the combined risks.

Where an entity considers a risk is shared due to its location (eg physical boundaries, crowded public space, government precinct) and there is no identifiable other party to share the assessment and management of the risk, the entity is expected to mitigate the risk to the extent it is able to within its operations.

In situations where risks are shared between parties with differing risk tolerances, it is recommended that the parties identify the areas of difference and whether concerns might be alleviated by applying additional controls.

Where shared risks are identified, it is important to develop clear roles and responsibilities, including those mandated in Requirement 3.

For information on managing shared risks, see the Commonwealth Risk Management Policy Understanding and managing shared risks information sheet.

Security plan – tolerance to security risks

The PSPF policy: Role of accountable authority mandates that the accountable authority determine their entity's tolerance for security risks, supported by a transparent and justifiable process. When setting risk tolerance levels, some entities may decide to differentiate between ICT risks and other security risks.

Risk tolerance is an informed decision to accept a risk. It is the level of acceptable risk after risk treatment to achieve an objective or manage a category of risk. Determining whether a risk is acceptable involves judgment. It is highly dependent on the entity context and the accountable authority's approach.

Risk tolerance is based on the principle of managing risk to a level that is as low as reasonably practicable, allowing for flexible and innovative business practices. It is a practical application of risk appetite, which is the amount of risk an entity is willing to accept or retain within its tolerance levels and the limits of PSPF requirements. Risk tolerance includes:

  1. expectations for mitigating, accepting and pursuing specific types of risk
  2. boundaries and thresholds of acceptable risk taking
  3. actions to be taken or consequences for acting beyond approved tolerances.

An entity's risk tolerance can be affected by changes in evaluation criteria and the accountable authority's appetite for risk. It can vary depending on:

  1. prevailing political and community sensitivities and expectations
  2. the nature of a security incident (eg terrorist act, hacking)
  3. existing or emerging security incidents (trusted insider, cyber-attacks)
  4. strategic or business priorities
  5. vigilance, resilience and adaptability of personnel and how effective they are at applying security awareness principles
  6. resource availability for treatment
  7. the ability of the government, entity or individual to absorb losses.

Manipulating risk assessment inputs (consequence or likelihood of a risk) to achieve a lower result is not an appropriate method of risk management and bypasses the intent of risk tolerance. Entities are encouraged to develop appropriate rating scales for likelihood and consequence in accordance with their risk tolerances.

In most cases, risk tolerance and risk appetite can be understood as a gradient scale, where the risk becomes progressively less tolerable as the risk level increases (see Figure 1).

Figure 1 Risk tolerance regions (example only)

For information, refer to the Commonwealth Risk Management Policy Defining risk appetite and tolerance information sheet.

Security plan – capability to manage security risks

The PSPF governance outcome is that 'each entity manages security risks and supports a positive security culture in an appropriately mature manner.' The PSPF policy: Reporting on security outlines that maturity is a meaningful scale to measure an entity's overall security position within its risk environment and risk tolerances. Maturity acknowledges the progression in achieving a security culture and highlights areas for improvement. Security capability maturity is how an entity:

  1. implements and meets the PSPF core and supporting requirements
  2. minimises harm to people and resources
  3. fosters a positive security culture
  4. responds to and learns from security incidents
  5. understands and manages security risks
  6. achieves security outcomes while delivering business objectives.

Security plan – strategies to implement security risk management, maintain a positive risk culture and deliver against the PSPF

The success of security risk management depends on the effectiveness of security planning and how well arrangements are supported by the entity's senior leadership and integrated into business processes. This includes meeting core and supporting requirements of the PSPF or adopting mitigations that are equivalent to or exceed those requirements.

It is important that entities foster a culture where risk management is an important and valued aspect of decision-making, where risk management processes are understood and applied appropriately; and where personnel can be confident in managing and taking risks, within defined parameters, in order to achieve objectives.

Effective security risk management supports better decision-making and builds positive risk culture by:

  1. identifying possible risks and opportunities in advance, lessening the potential of adverse outcomes and increasing the likelihood of desirable outcomes
  2. having processes in place to monitor risks and provide access to reliable, up-to-date information about risks
  3. providing guidance around appropriate limits through well understood risk appetite and risk tolerance statements
  4. providing transparency over the decision-making process and the achievement of entity objectives.

When security risk management is done well, it underpins organisational resilience and a positive risk culture because entities know their security risks, make coordinated and informed decisions in managing those risks, identify opportunities and learn from mistakes. This is reinforced with meaningful training and support across all levels of management.

Refer to the Department of Finance:

Security threat levels

Requirement 5 mandates the security plan (and supporting security plans) include scalable control measures to meet increases or decreases in risk as a consequence of a change in threat to the entity. These must be able to accommodate changes in the National Terrorism Threat Level. Refer to Table 3 for the business impact levels for consequences of threat levels.

Measures could include:

  1. determining who needs to know about changes in the security threat level
  2. outlining specific roles or responsibilities including who is responsible for determining the security alert level
  3. ensuring personnel are aware of the measures employed by the entity to adapt to and mitigate emergencies and heightened threat levels
  4. detailing arrangements to monitor the threat level and review the security alert level when the entity undertakes significant new projects, the risk environment changes, or after a significant incident impacting the entity's ability to operate.

Table 3 Business impact levels for consequences of threat

Business impact level

Consequence of threat

1 Low impact

Insignificant damage to the national interest, organisations or individuals.

2 Low to medium impact

Limited damage to the national interest, organisations or individuals.

3 High impact

Damage to the national interest, organisations or individuals.

4 Extreme impact

Serious damage to the national interest, organisations or individuals.

5 Catastrophic impact

Exceptionally grave damage to the national interest, organisations or individuals.

Developing entity security alert levels is one way an entity can ensure personnel are aware of the measures employed by the entity to adapt to and mitigate emergencies and heightened threat levels. Alert levels also allow entities to scale the controls used to mitigate risks as the risks increase or decrease.

The number of alert levels required for the entity will depend on its operational requirements and expected changes in risk sources. See Table 4 for examples of security alert levels.

The source of security risks can be categorised into three areas:

  1. Event – an event is an important happening or incident impacting on the entity's ability to function such as a natural event (eg storm) or an emergency event (eg fire).
  2. Threat – a threat is a declared intent to inflict harm on entity personnel or property.
  3. Activity – an activity is an action by one or more people likely to have a negative impact on physical security (eg protest activity, filming in the vicinity of premises).

When determining the security alert level, entities are encouraged to monitor:

  1. National Terrorism Threat Level Advisory System advice
  2. protective security risk reviews
  3. police advice
  4. emergency management advice
  5. Bureau of Meteorology advice
  6. entity security incident reports
  7. media reports.

Table 4 Examples of security alert levels

Security alert levels

Likelihood of threat

Security measures required

Low

Applies when only general concerns exist of an event, physical activity or general threat.

Existing security measures are sufficient.

Medium

Applies when an event, physical activity or threat is assessed as feasible.

Security measures are maintainable indefinitely, with minimal impact to the entity's operations.

High

Applies when an event, physical activity or threat is likely to occur.

Security measures are sustainable for lengthy periods without causing undue hardship to personnel, affecting operational capability or aggravating relationships with the local community.

Extreme

Applies when an event, physical activity or threat is imminent or has occurred.

Security measures will not be sustainable over the long term without creating hardship and affecting the entity's activities and personnel.

Catastrophic

Applies when a severe event, physical activity or threat is imminent or has occurred.

Advice required from the National Security Hotline on additional security measures.

Risk-based approach to the PSPF

Applying a risk-based approach to the PSPF is about making informed decisions on how to implement the core and supporting requirements to achieve a baseline security maturity level of 'managing'. Under the CSO's direction, the entity implements PSPF requirements giving consideration to the entity's size, operations and risk environment. For example, the level of risk tolerance accepted by a national security entity may be very different to that of an administrative entity.

Outcomes from the entity's security planning and risk assessments inform these decisions, including whether additional protective security controls are required.

In the event that an entity is unable to implement a requirement, a risk-based approach allows an alternative mitigation to be implemented where it achieves a level of protection that is the same as or exceeds that afforded by the PSPF requirement. Requirement 6 mandates that where the CSO (or security advisor) implements an alternative mitigation measure or control, they must document the decision and adjust the maturity level for the related PSPF requirement accordingly. Requirement 1a also applies to any alternative mitigation measures implemented by the entity.

Accepted variances may apply where the entity has temporarily varied the application of a PSPF requirement in response to an exceptional circumstance. These circumstances are outlined in the exceptional circumstances provision in the PSPF policy: Role of accountable authority. Variances are for a limited time and take into consideration the entity's risk tolerances. When applied appropriately, the entity may maintain a 'managing' maturity level rating during the circumstance.

Find out more

Other policies and information sources:

Commonwealth Risk Management Policy available on the Security planning and risk management page on the Department of Finance website.

Australian Standards:

  1. AS/NZS ISO 31000 – Risk Management – Guidelines
  2. ISO Guide 73 – Risk management – Vocabulary
  3. HB 167 – Security Risk Management
  4. HB 436 – Risk management guidelines – Companion to AS/NZS ISO 31000
  5. HB 327 – Communicating and consulting about risk
  6. HB 158 – Delivering assurance based on AS/NZS ISO 31000

National Terrorism Threat Level Advisory System

Links to PSPF policy and guidelines include:

  1. Role of accountable authority – for accountable authority's security risk management responsibilities
  2. Sensitive and classified information – for advice on business impact levels when determining the consequences of compromise, or loss of entity information or assets, or harm to its people
  3. Reporting on security – for risk management reporting obligations
  4. Security governance for contracted goods and service providers – for advice on security risks in contracts
  5. Physical security for entity resources – for advice on physical risks.

Annex A. Security risk management process

Annex A Figure 1 Security risk management process

Elements of this guidance are based on the Commonwealth Risk Management Policy and the recommended Australian Standards AS/NZS ISO 31000 and HB 167 – Security Risk Management.

Risk is defined as the effect of uncertainty on objectives. An effect is a deviation from the expected, positive or negative.

Communicate and consult

To ensure that risk management remains relevant and current, it is important to communicate and consult with stakeholders, contracted service providers and decision-makers throughout all stages of the process. This approach ensures stakeholders are properly represented, have their views taken into account in determining risk criteria and confirms that all participants understand their roles and responsibilities.

It is recommended that the following is documented:

  1. audience and stakeholders
  2. communication objectives and activities (what are you trying to achieve, how it will be achieved, delivery method, expectations)
  3. monitoring and review processes (noting that communication and consultation occurs at all stages of the security risk management process).

Refer to Commonwealth Risk Management Policy Element six – Communicating and consulting about risk.

Establish the context

The security risk management process addresses the strategic, operational and security risk management contexts. Defining the frame of reference provides the scope for risk management activities. The security risk management process is used to determine all applicable sources of risk and potential events that could impact government or entity business.

Organisational context

Organisational context includes:

  1. scope and parameters of activities where risk management is applied
  2. resources (or limitations) available or required for risk treatments and activities
  3. reputational expectations or objectives
  4. logistical or locational challenges
  5. outcomes of related internal or external audit reports
  6. security risk management processes adopted
  7. processes for documenting results of risk assessments and risk treatments.

External context

External context includes:

  1. regulatory environment, including legislative or policy obligations and responsibilities, foreign laws or potential jurisdictional access to information
  2. political or economic climate
  3. community sensitivities or expectations.

Security context

Security context includes:

  1. purpose and scope of security in supporting or achieving the entity's business objectives
  2. criteria for evaluating the significance of security risks
  3. risk appetite and tolerance criteria and threshold levels for the entity (see section Security plan – tolerance to security risks for information on risk tolerances)
  4. threat and risk environment (areas of concern, specific threats identified, known vulnerabilities)
  5. decision-makers (when and by whom)
  6. critical asset statement (what are you looking to protect)
  7. interdependencies and links to other plans or security procedures
  8. details of any shared risk
  9. constraints and assumptions.

Security risk assessment

Security risk assessment is the process of risk identification, analysis and evaluation to understand the risks, their causes, consequences and probabilities. The aim is to generate a comprehensive list of threats and risks that affect the protection of the entity's people, information and assets, and to identify the sources, exposure and potential consequences of these threats and risks. Consideration is also given to the entity's prevailing and emerging risk environment.

Each risk is described as comprehensively as possible, so that decision-makers can fully understand the position. This may be in the style of a formal assessment undertaken by competent personnel, or a contracted service provider.

Identify security risks

Identifying security risks generates a clear, comprehensive and concise list of potential sources of risk and threats (referred to as a risk register, see example below) that could impact government, entity operations or continuous delivery of services. This is achieved by mapping the sources of risk (threat assessment), determining the importance of organisational assets (criticality of assets) and the manner in which these elements may facilitate or inhibit this interaction (vulnerability).

In preparing a list of security risks, consider questions like:

  1. What could happen? (potential event or incident and resulting outcomes or consequences)
  2. What is the likely outcome and impact of the risk eventuating?
  3. When could it happen? (how frequently)
  4. Where could it happen? (physical location and assets affected)
  5. How could it happen? (sources, potential threats, catalysts, triggers)
  6. How reliable is the information that the risk assessment is based upon?
  7. Why could it happen? (causes, underlying factors, vulnerabilities or inadequacies in protective security controls or mitigations)
  8. Who could be involved or affected? (individuals or groups, stakeholders or service providers)
  9. Do entity mitigation measures or activities create risk to clients or the public?

Annex A Table 1 Risk register example

Item                       Description
Description                describe the risk (consider the questions above)
Category                   people, information, property, reputation, financial, business operations
Event                      occurrence or change of a particular set of circumstances
Source                     threat or hazard that is the source of the risk
Cause                      why the threat or hazard is a risk
Consequences               level of impact the risk will have on the entity
Risk criteria              determined tolerability against consequence and likelihood tables
Priority                   comparing the level of risk (magnitude of risk = consequence + likelihood) with the risk criteria
Controls                   adequacy of existing controls in place, or the known controls for the risk
Current risk rating        what is the current risk rating status
Risk decision              does the risk need treatment
Treatments                 what action needs to be taken, by whom, with what resources and by when
Residual risk rating       once treatments have been implemented, what will be the residual risk rating
Stakeholders               who else is impacted by the risk (other entities, contractors, service providers etc)
Previous risk information  information on any previous risk, threat or vulnerability assessments

Criticality assessment

Criticality assessment identifies and assigns importance to all resources (something that has value to the entity including personnel, information and physical assets or processes that support them) that are critical to the ongoing operation of the entity or to the national interest. Asset identification and security risk management documents can form part of the security plan or be standalone and inform the security plan.

The criticality assessment will be different depending on the entity's purpose, business objectives and risk environment. Criticality assessments include:

  1. criticality ratings – the scale of the resource's importance to the entity (eg a numerical scale 1-5 or an importance value scale such as catastrophic, significant, moderate, low, insignificant). Alternatively, a business impact level can be applied by assessing the impact on the entity if the integrity or availability of the resource were compromised (applying a business impact level to the confidentiality of a resource means applying a security classification; see the PSPF policy: Sensitive and classified information)
  2. consequence of loss, compromise or harm – a description of what the consequence is
  3. category – consequences can also be expressed across categories such as people, information, property, reputation, financial, business operations or services.

Threat assessment

A threat assessment identifies the source of harm and is used to inform the entity's risk assessment. Threats are assessed by determining the intent to cause harm, damage or disruption and the capability (the potential that exists to actually cause harm or carry out intentions) of the threat source.

Vulnerability assessment

Vulnerability assessment identifies the degree of susceptibility and resilience of an entity to hazards. To understand the potential of risks, it is recommended that entities assess the possible vulnerabilities to each risk to gauge the consequence and likelihood of these risks. This process of understanding possible vulnerabilities helps entities to prioritise the risks and guides the allocation of resources in mitigating their effects.

Analyse security risks

Risk analysis involves assessing the likelihood and potential consequence of each identified risk, determining the level of risk rating and assessing whether additional controls are required.

Aims of risk analysis:

Determine control effectiveness – whether the existing control measures are adequate or effective in managing identified risks.

Define the likelihood and consequence of the event. This is achieved by considering the:

  1. likelihood – the chance, probability or frequency of the event occurring4 (an event is an occurrence or change in a particular set of circumstances; it can be one or more occurrences and can have several causes)
  2. consequence – the outcome affecting objectives if the event occurs4 (consequences can be expressed qualitatively or quantitatively, can be certain or uncertain, and can have positive or negative effects on objectives). There may be a number of possible outcomes associated with an event.

Assign the level of risk rating based on the likelihood and consequence risk matrix. The overall risk rating is determined by combining the likelihood and consequence estimations. Risk rating allows the security risk to be prioritised in order of decreasing risk levels. This helps with deciding the tolerability of risk in the evaluation step. The Attorney-General's Department recommends adopting a risk-rating-matrix approach for determining the levels of risk.

Prioritise risks for subsequent evaluation of tolerance or the need for further treatment.

Provide an improved understanding of the vulnerability of critical assets to identified risks.

Annex A Figure 2 Using threat, criticality and vulnerability to inform risk analysis

Evaluate security risks

Risk evaluation involves making decisions based on the outcomes of risk analysis about whether risks are:

  1. acceptable (tolerable) with existing controls or further treatment (risks identified as acceptable or tolerable with no further treatment still need to be documented, monitored and periodically reviewed to ensure they remain acceptable)
  2. unacceptable (intolerable) and need treatments (consideration is given to the criteria for determining tolerability).

Refer to Security plan – tolerance to security risks for information on risk tolerances.
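The register items of Table 1, the likelihood and consequence rating of the analysis step and the tolerance decision of the evaluation step, carried through as an added worked example in Python. This is illustration added here, not code from the PSPF or any Commonwealth tool: the five-point likelihood and consequence scales, the band edges of the rating matrix, the treatment fields and the three register entries are all constructed assumptions.

```python
from dataclasses import dataclass, field
from enum import IntEnum


class Likelihood(IntEnum):          # constructed five-point scale (assumption)
    RARE, UNLIKELY, POSSIBLE, LIKELY, ALMOST_CERTAIN = 1, 2, 3, 4, 5


class Consequence(IntEnum):         # constructed five-point scale (assumption)
    INSIGNIFICANT, LOW, MODERATE, SIGNIFICANT, CATASTROPHIC = 1, 2, 3, 4, 5


# Rating matrix expressed as bands over magnitude = consequence + likelihood
# (Table 1 describes magnitude that way); the band edges are an assumption.
RATING_BANDS = ((4, "Low"), (6, "Medium"), (8, "High"), (10, "Extreme"))
RATING_ORDER = {label: i for i, (_, label) in enumerate(RATING_BANDS)}


def magnitude(likelihood, consequence):
    return int(likelihood) + int(consequence)


def risk_rating(likelihood, consequence):
    """Matrix cell for a likelihood/consequence pair, e.g. POSSIBLE x SIGNIFICANT -> 'High'."""
    m = magnitude(likelihood, consequence)
    return next(label for upper, label in RATING_BANDS if m <= upper)


@dataclass
class Treatment:
    action: str
    owner: str
    due: str
    likelihood_after: Likelihood     # level this treatment brings the risk down to
    consequence_after: Consequence


@dataclass
class Risk:
    """One row of the register, using a subset of the Table 1 items."""
    description: str
    category: str
    source: str
    likelihood: Likelihood
    consequence: Consequence
    controls: str                    # adequacy of existing controls
    treatments: list = field(default_factory=list)

    def current_rating(self):
        return risk_rating(self.likelihood, self.consequence)

    def residual_rating(self):
        """Rating once every listed treatment is implemented; the combined
        effect is taken as the lowest level any single treatment achieves."""
        if not self.treatments:
            return self.current_rating()
        return risk_rating(min(t.likelihood_after for t in self.treatments),
                           min(t.consequence_after for t in self.treatments))

    def decision(self, tolerance):
        """Evaluate the current rating against the entity's tolerance: 'accept' or 'treat'."""
        within = RATING_ORDER[self.current_rating()] <= RATING_ORDER[tolerance]
        return "accept" if within else "treat"


def prioritise(register):
    """Order by decreasing magnitude; equal magnitudes rank the higher consequence first."""
    return sorted(register,
                  key=lambda r: (magnitude(r.likelihood, r.consequence), int(r.consequence)),
                  reverse=True)


def sample_register():
    """Constructed register entries for illustration only."""
    return [
        Risk("Unescorted visitor enters a security zone", "property", "opportunistic intruder",
             Likelihood.POSSIBLE, Consequence.SIGNIFICANT, "reception sign-in only",
             [Treatment("electronic access control on zone doors", "facilities", "Q3",
                        Likelihood.UNLIKELY, Consequence.SIGNIFICANT),
              Treatment("mandatory visitor escort procedure", "security advisor", "Q2",
                        Likelihood.RARE, Consequence.SIGNIFICANT)]),
        Risk("Loss of an unencrypted laptop holding entity information", "information",
             "theft or misplacement", Likelihood.LIKELY, Consequence.MODERATE,
             "asset register; no disk encryption",
             [Treatment("full-disk encryption on all portable devices", "ICT", "Q1",
                        Likelihood.LIKELY, Consequence.LOW)]),
        Risk("Departing contractor keeps building pass", "people", "exit process gap",
             Likelihood.UNLIKELY, Consequence.LOW, "exit checklist"),
    ]


if __name__ == "__main__":
    # Current rating -> residual rating, decision at a 'Medium' tolerance, in priority order
    for r in prioritise(sample_register()):
        print(f"{r.current_rating():7} -> {r.residual_rating():7} {r.decision('Medium'):6} {r.description}")
```

The tolerance passed to `decision` is the entity's threshold from the security context (the "Medium" used in the main block is a constructed value); risks at or below it are recorded as accepted and still stay on the register for monitoring, as the evaluation step requires.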

Treat security risks

Appropriate risk mitigation treatments and controls are selected to address identified risks in accordance with the entity's security plan objectives. Efforts to treat risks will not remove them completely but aim to reduce them to a more tolerable level.

Risk treatments can be applied separately or in combination. When selecting treatment, the Attorney-General's Department recommends that the entity balances the cost and effort of implementing the treatment with the expected benefits and ensure the treatment is proportional to the determined risk rating level. It may not be possible or cost-effective to implement all possible risk treatments. However, it is necessary to choose, prioritise and implement the most appropriate treatment or combination of treatments.

Australian Standards HB 167: Security Risk Management Chapter 7 outlines strategies for risk treatment. This includes a six-step process where entities:

  1. prioritise intolerable risks
  2. establish treatment options
  3. identify and develop treatment options
  4. evaluate treatment options
  5. detail design and review of chosen options, including the management of residual risks
  6. communicate and implement.

Treatment plans:

  1. prioritise the risks to be treated
  2. assess current risk; the actual risk once all treatments have been implemented
  3. identify gaps and residual risks that remain or require further treatment
  4. capture decisions about treatments and actions to be taken to address or treat identified security risks
  5. determine appropriate timeframes to implement treatment, or when mitigations require further consideration
  6. identify resources, budget allocations, timeframes (defined and measurable) and responsibilities to achieve required treatment outcomes
  7. establish monitoring and reviewing processes.

Risk treatment strategies (examples):

Accept the risk, where:

  1. based on judgment or informed decision, the risk is considered to be tolerable (either before or after treatment)
  2. the only option is to retain the risk and continue to monitor it until the circumstances change and action can be taken
  3. taking on increased risk in order to pursue an opportunity where the benefit outweighs the risk
  4. the risk may be considered intolerable but due to capability, resources or exceptional circumstances may be accepted.

Avoid the risk5, by:

  1. deciding not to start an activity that gives rise to the risk
  2. removing or reducing the activities or personnel, including contractors, that create the exposure.

Exploit the risk, by taking or increasing the risk in order to realise the benefit that an opportunity affords by ensuring the event occurs.

Reduce the risk, by changing the likelihood or consequence (or both) by:

  1. implementing new treatments or controls to reduce, deter, delay or detect the threat or event
  2. improving business processes, training or practices
  3. establishing or improving audit and compliance arrangements, contractual arrangements, communication channels etc.

Share the risk, where:

  1. the risk has no single owner but is shared with another party or parties (eg through shared services, entities co-located in the same building, inter-entity taskforce, partnership or joint venture)
  2. the risk may have no apparent owner.

Refer to Shared security risks for information on shared security risks.

Implementation

Implementation involves deciding on the resources required and who is responsible for implementing the risk treatments. In addition, implementation details the ongoing resources needed to maintain the required level of protective security and identifies resources that may be needed to take additional precautions if the threat level increases.

Refer to Security threat levels for information on security alert levels.

Monitoring and reviewing performance

Security risk management requires monitoring to ensure the entity is able to adapt or respond to incidents and changes in its threat or risk environment, prevent further exposure to hazards, maintain a positive risk culture and deliver against the PSPF.

Making decisions and implementing risk treatments is not the end of risk management. The security planning cycle is continuous. Reviewing the external and internal environments and reconsidering the context allows the entity to determine how effectively their protective security controls and measures are performing and how they are achieving the objectives.

Australian Standards HB 167: 2006 Security Risk Management Chapter 8 outlines strategies for monitoring and review, including the following model.

Annex A Figure 3 Monitoring and reviewing security performance

Key questions to ask when monitoring and reviewing risk may include:

  1. Are the controls (and respective implementation strategies) effective in minimising the risks; how might improvements be made?
  2. Are the controls comparatively efficient and cost-effective?
  3. Are the assumptions made about the context/environment still valid?
  4. Do controls comply with policy requirements, legal obligations and entity procedures?
  5. Is the entity's security planning approach effective in managing security risks and achieving objectives?

Refer to:

  1. Commonwealth Risk Management Policy Element Five – Developing a positive risk culture
  2. Commonwealth Risk Management Policy Element Nine – Reviewing and continuously improving the management of risk
  3. PSPF policy: Security maturity monitoring.

1 Refer to the Australian Government Directory for contacts.

2 Report to the Australian Security Intelligence Organisation or call the National Security Hotline on 1800 123 400.

3 For guidance on security maturity levels, see the PSPF policy: Reporting on security.

4 As defined in ISO Guide 73 – Risk Management Vocabulary.

5 Where entities have been directed to undertake the activity, they will not be able to avoid the risks. Risk treatment is preferable to risk aversion or avoidance.