Policy 4: Security maturity monitoring
Purpose
This policy describes how an entity monitors and assesses the maturity of their security risk culture and their ability to actively respond to emerging threats and changes in their security environment, while protecting their people, information and assets.
Overview
Monitoring security maturity is a continuous cycle. It involves using a set of indicators to assess an entity's risk culture and security capability. Information collected through security maturity monitoring informs updates to the entity security plan and the entity’s annual PSPF assessment report.
Security capability maturity
Entities must assess the maturity of their security capability, including by considering their implementation of PSPF requirements and highlighting areas for improvement.
Security risk culture
Having a mature risk culture is a fundamental enabler of good government business. It involves the entity's system of values and its personnel's behaviours, attitudes and understanding of security risk, which together shape the risk decisions of the entity's leadership and personnel.