Policy 2: Management structures and responsibilities
- Security governance
This policy details the management structures and responsibilities that provide a governance base for entities to make security decisions that will protect their people, information and assets.
Appointing a Chief Security Officer (CSO) is mandatory. The CSO provides strategic oversight of protective security across the entity, makes security-related decisions and fosters a positive security culture. Where required, the CSO may appoint security advisors to support them in delivering protective security and performing specialist services.
Under this policy, entities must develop, use and monitor the effectiveness of security procedures.
This ensures the entity:
- achieves all elements of their security plan
- investigates, responds to and reports security incidents
- meets relevant security policy or legislative obligations.
Security awareness training is an important part of protective security. It helps to implement governance, physical, information and personnel security policies, practices and procedures.
This policy mandates that entities provide all personnel, including contractors, with annual security awareness training. Entities must provide specific security awareness training for personnel in specialist and high-risk positions.
To ensure effective external security communications, entities must have a monitored email address for all security-related matters.