Policy 3: Security planning and risk management
- Security governance
This policy describes how to establish effective security planning, embed security into risk management practices and use security planning risk management to help make decisions.
To successfully manage security risks and protect people, information and assets, an entity must understand:
- what needs protecting
- what the threat is
- how people, information and assets will be protected.
A security risk is something that could cause harm to people or that exposes information or assets to compromise, loss, unavailability or damage.
Shared security risks are risks that extend across:
- the community
- international partners
- other jurisdictions.
Stakeholders must cooperate to effectively understand and manage shared risks.
Entities must identify a risk steward (or manager) who is responsible for each security risk or category of security risk. This includes shared risks.
Under their Chief Security Officer's direction, entities must apply a risk-based approach to implementing the PSPF that considers their size, operations and risk environment.
A risk-based approach means that if an entity cannot implement a particular PSPF requirement, they can use an alternative mitigation strategy that achieves the same level of protection or better.
Security planning considers how security risk management practices are designed, implemented, monitored, reviewed and continually improved.
Entities must develop a security plan that sets out how they will manage their security risks and how security aligns with their priorities and objectives.
The plan must include scalable control measures to respond to increases or decreases in risk when a threat to the entity changes.