Policy 5: Reporting on security

Purpose

Entities must undertake an annual assessment of the maturity of their security capability and how they are implementing the PSPF core and supporting requirements. This policy sets out how to report and what information entities must include.

Overview

Annual reporting provides assurance that sound and responsible protective security practices are in place and summarises the maturity of each entity’s security capability. It also identifies security risks and vulnerabilities and the strategies in place to mitigate or manage them.

How to report

The Attorney-General's Department provides 2 options for entities to complete their annual assessment report:

  • an online reporting portal (for information classified up to PROTECTED)
  • a reporting template (for information classified higher than PROTECTED).

Maturity self-assessment model

The assessment report is based on the PSPF maturity self-assessment model.

The model provides entities with a meaningful scale to help them consider their overall security position within their specific risk environment and risk tolerances.

Under the model, entities must assess their security capability against 4 levels of maturity:

  • ad hoc (partial or basic implementation)
  • developing (substantial but not fully effective implementation)
  • managing (full and effective implementation)
  • embedded (excelled, comprehensive and effective implementation).

What to report

In their PSPF assessment report, entities must provide:

  • rationales to support their security maturity assessment for the 16 core requirements
  • details of strategies to mitigate identified security risks
  • a summary of the security risk environment
  • key risks to people, information and assets.

Entities must also report to the relevant lead security authority and other affected entities on any significant security incidents, as they occur.

Consolidated reporting

Each year the Attorney-General's Department consolidates all reporting data into an aggregated whole-of-government PSPF assessment report for the Attorney-General.

Once the Attorney-General has considered it, the department publishes the consolidated PSPF assessment report on the protective security website.