Policy 5: Reporting on security
- Security governance
Entities must undertake an annual assessment of the maturity of their security capability and how they are implementing the PSPF core and supporting requirements. This policy sets out how to report and what information entities must include.
Annual reporting provides assurance that sound and responsible protective security practices are in place and summarises the maturity of each entity’s security capability. It also identifies security risks and vulnerabilities and the strategies in place to mitigate or manage them.
How to report
The Attorney-General's Department provides 2 options for entities to complete their annual assessment report:
- an online reporting portal (for information classified up to PROTECTED)
- a reporting template (for information classified higher than PROTECTED).
Maturity self-assessment model
The assessment report is based on the PSPF maturity self-assessment model.
The model provides entities with a meaningful scale to help them consider their overall security position within their specific risk environment and risk tolerances.
Under the model, entities must assess their security capability against 4 levels of maturity:
- ad hoc (partial or basic implementation)
- developing (substantial but not fully effective implementation)
- managing (full and effective implementation)
- embedded (comprehensive and effective implementation that goes beyond the managing level).
What to report
In their PSPF assessment report, entities must provide:
- rationales to support their security maturity assessment for the 16 core requirements
- details of strategies to mitigate identified security risks
- a summary of the security risk environment
- key risks to people, information and assets.
Entities must also report to the relevant lead security authority and other affected entities on any significant security incidents, as they occur.
Each year the Attorney-General's Department consolidates all reporting data into an aggregated whole-of-government PSPF assessment report for the Attorney-General.
Once the Attorney-General has considered it, the department publishes the consolidated PSPF assessment report on the protective security website.