GOVSEC-5: Security planning
Context
Purpose
The GOVSEC-5 Security planning policy and guidance will assist agencies to achieve an effective protective security outcome within the security governance domain of the TAS‑PSPF. They address core requirement 5 and its supplementary requirements.
Core requirement
The Accountable Authority will be responsible for adopting protective security planning and monitoring to manage security risks.
Supplementary requirements
To identify and manage security risks, the Accountable Authority will:
- conduct a criticality assessment to identify the agency’s key functionality and assets
- identify agency‑specific, and shared intergovernmental, security risks
- consider site‑specific security risk assessments where necessary[1]
- determine the risk tolerance for the agency, which is subject to measuring and monitoring
- plan and determine priority application of protective security measures to manage identified agency security risks and capture decisions which deviate from, or alter, the agency security plan
- review and evaluate the security plan as necessary or when risks or circumstances change.[2]
Adequate security planning and preparedness will support and enable business objectives while protecting against vulnerabilities. The adoption of protective security planning will improve agency‑specific resilience appropriate to risk appetite and tolerance.
[1] Such circumstances may include multi-site agencies or complex and varied agency sites. Where site-specific plans are actioned, there must still be an overarching agency security plan.
[2] For example, where the agency functions vary, certain functions are relocated, or new or evolving threats are identified.
Guidance
Introduction
To be successful at managing security risks, agencies need to understand the threats they face, what resources need protecting, and how to protect them.
The TAS-PSPF policy: Establish security governance (GOVSEC-1) requires agencies to develop a security plan. A security plan enables agencies to review strategic and operational risks and implement the appropriate treatments that manage those risks to an acceptable level.
Security planning uses sound risk management processes to design, implement, monitor and review an agency’s protective security arrangements to ensure efficient and effective delivery of government services. All security planning should be based upon achieving a cycle of continuous improvement.
Required action: Conduct a criticality assessment
Conducting assessments strengthens your familiarity with the environment in which your agency operates, promotes situational awareness, and supports sound decision‑making.
Criticality assessment
Addressing risk management requires you to identify your agency’s most crucial assets – those that are essential to the ongoing operation of your agency. Identifying these assets and understanding your agency’s operational risk environment will help you to apply prioritised risk treatment strategies that are proportionate to your agency’s environment.
A criticality assessment will depend upon your agency’s function, business objectives and risk environment. Performing this assessment allows you to make informed risk management decisions.
Typically, a criticality assessment includes:
- criticality ratings – a measure of the importance of the assets to your agency, e.g. a numerical scale, importance value scale or business impact level (BIL). A BIL[3] is based on the assessed impact to your agency in the event of a compromise of the asset’s integrity or availability.
- consequence of compromise – what could happen
- category – what part of the agency or business this would impact (e.g. people, information, property, reputation, finances, business operations or services).
Assets identified as being critical should have the greatest protections assigned to them, in priority order.
Threat assessment
A threat assessment identifies where the threats to your agency, or its assets, come from and considers the likelihood of the threat eventuating. The level of threat is a combination of the intent and capability to cause harm or damage. Threats can be either malicious or accidental.
Vulnerability assessment
A vulnerability assessment identifies how likely your agency, or its assets, are to be impacted by the identified risks. Understanding your agency’s vulnerability to risk informs the likelihood and consequence of those risks which, in turn, helps you to prioritise risks and develop treatments.
[3] See TAS-PSPF policy: Protecting official information (INFOSEC-2) for advice relating to BILs when determining the consequences of compromise, or loss of agency information or assets, or harm to your people.
Required action: Identify security risks
Identifying security risks is imperative to effective security risk management. Developing good security risk management supports your agency’s resilience and builds a positive risk culture. It enables your people to know your agency’s risks, make coordinated and informed decisions in managing those risks, identify new opportunities, and learn from mistakes.
Agency-specific risks
A security risk can result in compromise, loss, unavailability or damage to your agency’s resources, including causing harm to people. Security risk is measured in terms of the chance of the risk event occurring (likelihood) and the outcomes if the risk event occurs (consequence).
Identifying security risks generates a clear, comprehensive and concise list of potential sources of risks and threats which could impact the Tasmanian Government, your agency and its ability to deliver its core function for government.
You can develop this list by determining the importance of the agency assets (criticality of assets – as above) and mapping those against sources of the risk (threat assessment) and the manner in which these elements may facilitate or inhibit this interaction (vulnerability assessment).
When determining what risks, threats, vulnerabilities or criticalities could affect your agency or its assets, you should consider the following questions:
- What could happen? (potential event or incident)
- What is the likely outcome and impact if it does happen? (consequences)
- When could it happen? (frequency)
- Where could it happen? (location and assets affected)
- What could make it happen? (sources, potential threats, triggers, catalysts)
- Do we need more information to properly assess this risk?
- Why could it happen? (vulnerabilities, gaps, inadequate arrangements)
- Who could be affected? (individuals or groups, stakeholders, service providers)
- Does mitigating this risk create other risks to clients or the public?
Manipulating risk assessment inputs (the consequence or likelihood of a risk event[4]) to achieve a lower result is not an appropriate method of risk management and bypasses the intent of risk tolerance. You should develop appropriate rating scales for likelihood and consequence in accordance with your agency’s risk tolerances.
Analysing security risks
Analysing your agency’s security risks involves assessing the likelihood of the risk event occurring and potential consequence should the risk event occur. You should also determine if existing security controls or risk treatments are adequate in managing the identified risks.
The likelihood and consequence of an event are defined by considering:
- Likelihood – the chance or probability of the event occurring.
- Consequence – the outcome affecting objectives if the event occurs (consequences can be expressed qualitatively or quantitatively and can be certain or uncertain and have positive or negative effects on objectives). There may be a number of possible outcomes associated with an event.
Defining your risks in terms of likelihood and consequence allows you to produce a risk rating, which is then used to assist in prioritising the risks in descending order. It is recommended that you adopt a risk rating matrix approach to determining the levels of risk which align to your agency’s risk tolerances.
Evaluating security risks
Following analysis, security risks must be evaluated to determine if those risks are acceptable (tolerable, within existing controls) or unacceptable (intolerable, in need of additional treatments or prohibited). Refer to the section on risk tolerance below for more information.
Shared risks
Shared security risks extend across multiple agencies and/or their premises, the community, industry and international or interstate jurisdictions or partners. Shared security risks require a high level of cooperation and communication between all stakeholders to be effectively understood and managed.
It is recommended that, where you share tenancies or facilities with other agencies, you conduct risk assessments to evaluate the security risks for the co-tenancy.
If your agency assesses a security risk to be shared due to your location (for example, physical boundaries, shared public spaces, government precincts), you should identify and engage with any other agencies or entities that are affected by the security risk, and coordinate any risk treatment accordingly.
If no other party with whom the security risk can be shared can be reasonably identified, you must mitigate the combined security risk to the extent you are able to within your agency’s function and operations.
Where there are shared security risks, but each party has a different tolerance for the risk, it is recommended that all parties identify the areas of difference and determine whether additional treatments can be implemented to alleviate any concerns.
Roles and responsibilities for shared risks must be clearly defined to reduce the likelihood that a security risk is neglected or overlooked. It is recommended that parties negotiate an appropriate risk manager for all shared risks.
[4] Event: as defined in ISO Guide 73:2009 Risk Management – Vocabulary.
Required action: Consider site-specific security risk assessments
If your agency operates over multiple locations or with complex and varied sites, you should consider if site-specific security risk assessments are necessary to establish an effective and comprehensive security plan. This includes any new sites or facilities under construction or major refurbishment.
Conducting site-specific security risk assessments can help you to prepare site security plans and identify security requirements that should be included within existing or future site development plans, design briefs, requests for tender and contracts. Please note, though, that you are still required to have an overarching agency security plan.
The process of developing a site security plan is the same as for the development of your agency’s overall security plan (described below). A site-specific plan documents protective security measures to counter risks to your agency’s functions and resources at a particular location or site, identified through the risk assessment (refer to the section above on identifying risk for more information about how to do this).
Site security plans, like your overarching agency security plan, contain valuable information about your agency’s security and operations. For this reason, it is important that you assess the impact of any loss or harm to each plan and apply a protective marking if necessary.
Required action: Determine the risk tolerance for your agency
Your Accountable Authority is responsible for determining and managing your agency’s security risks, which includes determining your agency’s risk appetite and risk tolerance.
Risk appetite reflects an agency’s attitude to risk, and how much risk the agency or Accountable Authority is willing to accept.
Risk tolerance is the level of risk an agency is comfortable taking after risk treatments have been applied to achieve an objective or manage a security risk. It is an informed decision to accept risk.
Although you must try to minimise your agency’s level of risk to as low as is reasonable, risk tolerance allows for the practical application of risk appetite and can lead to innovative business practices, positive business outcomes and a positive risk environment.
Risk tolerance includes:
- expectations for mitigating, accepting and pursuing specific types of risk
- boundaries and thresholds for acceptable risk‑taking (measurable operational limits)
- actions to be taken or consequences for exceeding approved tolerances.
Risk tolerance is often specified for relevant identified risks, can be expressed as acceptable/tolerable or unacceptable/intolerable, and is subject to measuring and monitoring. The risk tolerance for your agency can be affected by modifications in evaluation criteria and your appetite for risk. It can vary depending on:
- prevailing political and community sensitivities and expectations
- the nature of a security incident (e.g. terrorist act, hacking)
- existing or emerging security incidents (trusted insider, cyber-attacks)
- strategic or business priorities
- vigilance, resilience and adaptability of your people and how effective they are at applying security awareness principles
- resource availability for treatment
- the ability of the government, agency or an individual to absorb losses.
In most cases, risk tolerance and risk appetite can be understood as a gradient scale on which risk becomes progressively less tolerable as the risk level increases.
Required action: Develop an agency security plan
An agency’s Accountable Authority is responsible for the agency’s security plan, supported by the Responsible Executive (RE) and Agency Security Advisor (ASA). It is important to note that every agency’s security plan will, and should, be different. Your security plan must reflect your agency’s protective security requirements in line with the risks that your agency faces.
As an agency of the Tasmanian Government, the way you manage the risks in your agency can have broader impact across other agencies and the Tasmanian Government. For this reason, you must consider the aggregate risk-based decisions you make.
Your agency security plan should be developed by a person, or persons, with in-depth knowledge and understanding of the agency’s strategic objectives and an appropriate level of security risk management knowledge and experience.
A less specific version of your security plan (that does not disclose complete criticalities, threats and vulnerabilities) should be shared and made available across the agency, as it assists in building security awareness and culture. Sharing your security plan provides a common understanding of the protective security obligations and responsibilities across your agency.
You should align your security plan with the core and supplementary requirements of the TAS‑PSPF.
The following box provides an overview of the recommended structure and content to cover in your security plan.
Recommended security plan structure and content
Security goals and strategic objectives
Your approach and commitment to effective security risk management of your agency, its security priorities, goals and objectives and the development and promotion of a positive security culture.
Security risk environment
The security risk environment in which your agency operates and the security risks to your agency. Understanding what resources (information, people and assets) you need to protect, what you need to protect those resources from, and how those risks will be managed in your agency.
Risk tolerance
Your agency’s level of risk tolerance determined by the level of potential damage to the agency or the Tasmanian Government.
Security capability and maturity
What the level of security maturity in your agency is, and what capabilities your agency has in place to deliver against its security goals and objectives.
Security risk management and treatment strategies
What the strategies are to manage risk and implement treatments in your agency, how these treatments keep risk within tolerance and how security risks are monitored, managed and reviewed.
Supporting and evidentiary documents
Whether evidentiary documents are needed to establish an effective and comprehensive security plan. Examples include:
- security risk assessment reports
- threat assessments
- site security plans
- vulnerability assessments
- agency‑specific security procedures
- security risk register
- agency security maturity monitoring
- critical asset register
- security incident register/response procedure
- privacy impact assessments
- information asset register
- other agency operational or compliance plans.
Setting security goals and objectives
You must set security arrangements for your agency which support and reflect your agency’s strategic objectives by reflecting the risks that would impact upon those objectives being achieved. Your Accountable Authority must establish clear security goals for your agency that support both the strategic objectives of the agency and the requirements of the TAS-PSPF, while also reflecting those goals in the agency security plan.
Security maturity
Security maturity is a meaningful way of measuring the agency’s overall capability in line with the risk environment and the agency’s risk tolerance. Maturity recognises the inherent differences between agencies, functions, risk environments and security risks. It acknowledges the journey each agency is taking to achieve their security goals and objectives, while helping to identify areas for improvement.
The security maturity of your agency can be measured by how you:
- understand, prioritise and manage your agency’s security risks
- respond to and learn from security incidents
- foster a positive security culture
- achieve security outcomes and core requirements while delivering business outcomes.
It is recommended that you consider and develop a security maturity monitoring plan as part of your agency’s security plan.
Required action: Plan protective security measures and capture decisions
Priority application of risk treatments
Using the steps outlined in this policy (GOVSEC-5), you must develop a security plan for your agency. The security plan must outline the approach, responsibilities and resources that will be applied to manage the protective security risks in line with the core and supplementary requirements of the TAS-PSPF. Your security plan will enable you to review strategic and operational risks and implement the appropriate treatments to manage those risks to an acceptable level.
Your agency security plan should take a risk-management approach to protective security and address threats, risks and vulnerabilities across all areas of security in your agency (security governance, information security, people security and physical security).
A risk-management approach means making informed decisions about how to implement the core and supplementary requirements of the TAS-PSPF, and includes:
- identifying your most critical assets to ensure the ongoing operation of your agency
- undertaking structured risk assessments to identify, analyse and prioritise security risks
- implementing risk treatments that are considered and coordinated and that involve the efficient and effective use of resources to mitigate security risks.
Risk treatments are the controls or mitigations put in place to reduce or manage the security risks you have identified, to within your agency’s risk tolerance levels. You can apply risk treatments separately or in combination with other treatments to achieve a desired outcome.
In planning and implementing treatments for security risks, you must consider how treatments can be scaled to account for risk increases and decreases according to your operating environment and threat levels.[5]
Scalable measures should consider:
- how the threat level is identified and monitored for change
- who needs to be informed of changes to the threat level
- who is responsible for implementing changes to the risk treatment/s
- ensuring business continuity planning can account for the heightened threat level
- what additional resources may be needed if the threat level increases.
Risk treatments can be applied separately or in combination. It is recommended that you balance the cost and effort of implementing treatments against the expected benefits to ensure that the treatment is proportional to the risk rating. It may not be possible or cost-effective to implement all possible risk treatments; however, you must prioritise and implement the most appropriate or effective treatments.
The Australian Standards handbook HB 167:2006 Security Risk Management (chapter 7) provides a six-step process for treating risks that entails:
- prioritising intolerable risks
- establishing treatment options
- identifying and developing treatment options
- evaluating treatment options
- detailing the design and review of chosen options, including management of residual risks
- communicating and implementing the selected treatments.
Developing treatment plans will assist you to select, implement, monitor and review risk treatments to ensure their effectiveness and appropriateness. Effective treatment plans:
- prioritise the risks to be treated
- monitor the risks after treatments have been applied
- identify gaps and residual risks that may require further treatments
- record decisions about treatments and actions taken
- determine and monitor time frames for implementation of treatments
- identify resources and responsibilities required to achieve treatment outcomes
- establish monitoring and reviewing processes.
The box below provides some examples for you to consider using when assessing whether risk treatments will be effective in reducing security risks.
Accept risk
The risk is considered tolerable (before or after treatment) based on an informed decision.
There is no other option but to accept the risk and monitor it until circumstances change and action can be taken.
The benefits of accepting a higher level of risk outweigh the consequences.
The risk is considered intolerable but capability, resources or exceptional circumstances give cause to accept the risk.
Avoid risk
Do not start or undertake actions that give rise to the risk.
Remove or reduce the activities or people that are causing, or creating exposure to, the risk.
Exploit risk
Take or increase the level of risk in order to realise the benefit an opportunity presents by ensuring the event occurs.
Reduce risk
Change the likelihood and/or consequence by:
- implementing new treatments or controls to reduce, deter, delay or detect the threat or event
- improving business processes, training or practices
- establishing or improving audit and compliance arrangements, contractual agreements, communication channels.
Share risk
The risk has no single owner and/or other agencies or organisations are exposed to the same or similar risks (such as shared tenancies, shared services, partnerships or joint ventures).
The risk has no apparent owner.
Capture decisions which deviate from, or alter, the security plan
You are responsible for managing your agency’s own risks and implementing appropriate treatments in line with the core and supplementary requirements of the TAS-PSPF and your security plan. Applying a risk-based approach to the TAS-PSPF is about making informed decisions on how to implement the core and supplementary requirements. You will implement the requirements of the TAS-PSPF based on your agency’s size, operations, and risk environment.
It is recommended that you treat your agency security plan as a ‘living document’ to be adjusted as needed to address new or changing risks. For example, if circumstances in your agency change – such as an increase in risk, threat, vulnerability or criticality – you may update the security plan. In these circumstances, you must document any decisions which led to deviation from or altering of the security plan, including any justifications and alternative risk treatments implemented.
It may be that you are unable to implement a requirement of the TAS-PSPF using the risk management approach taken by the TAS-PSPF. If this is the case, you may implement an alternative risk treatment if doing so will achieve an equivalent or better level of protection than if you had met the TAS-PSPF requirement.
As above, you must document your decision and, if required, adjust your agency’s security plan and maturity level for the related TAS-PSPF requirement.
[5] Including changes to Australia’s national terrorism threat level.
Required action: Review and evaluate the security plan
You must review your agency security plan at least every 2 years to ensure the adequacy of existing protective security arrangements and risk treatments, while also monitoring for significant changes to your agency’s risk environment or tolerance levels.
You must consider amendments to your agency security plan where:
- new or changing risks, threats, vulnerabilities or capabilities are identified (including shared risks)
- significant discrepancies are identified between assessed and actual security maturity
- your agency’s risk tolerance changes
- your agency’s function changes significantly (e.g. machinery of government changes).
You must determine how your agency security plan and any supporting documents or additional site security plans will be reviewed. It is recommended that your agency security plan is reviewed by your ASA, or by an external security consultant.
When you review the security plan, it is recommended that you seek advice and technical assistance from specialist agencies or entities such as:
- the Australian Security Intelligence Organisation (ASIO) for threat assessments[6]
- ASIO-T4 Protective Security for physical security advice or technical assistance[7]
- Tasmania Police for state criminal threat information
- the Australian Government Security Vetting Agency[8] for security vetting procedural advice
- other subject matter experts, as necessary.
[6] Contact ASIO via their Outreach team on (02) 6234 1668.
[7] Available via GovTEAMS, where users are required to register for an account and request access to the Protective Security Policy community.
[8] For more information, refer to the Australian Government Security Vetting Agency website.
Useful resource: TAS-PSPF maturity level indicators
Maturity level indicators
- Maturity level 1
  - Partial or basic TAS-PSPF implementation.
  - Success is reliant upon individuals, not processes.
  - Protective security is not well understood across the agency.
  - Security resources are assigned reactively and based on who is available rather than competency or role responsibilities.
  - Security information is siloed, duplicated and inconsistent.
- Maturity level 2
  - Foundational practices with substantial implementation of the TAS-PSPF.
  - Protective security requirements are not fully implemented into business practices, though the agency is meeting most security outcomes.
  - The importance of security is recognised, and key leadership responsibilities are assigned and understood.
  - Known security risks are understood and sometimes reviewed, including effectiveness of treatments.
  - Required security policies are in place, but awareness and application is sporadic and not procedurally driven.
  - Tools and technologies to assist security management meet basic needs but are not centrally organised or well‑integrated.
- Maturity level 3
  - Complete and effective risk-based security measures are implemented.
  - Protective security requirements are integrated into business practices.
  - The agency is meeting security outcomes.
  - Effective security governance has been established. The agency’s leadership supports and demonstrates a high level of security awareness and practice.
  - Security is factored into the strategic objectives and all agency outputs.
  - Agency leadership is empowered to make decisions to support good security.
  - Risks are routinely identified, monitored and reviewed – new risks are quickly identified and addressed.
  - Tools and technologies to assist security management are effective, well managed and integrated effectively.
  - Strategic objectives and maturity targets are achieved or sustained. Investment in security is ongoing to sustain measures at this level.
- Maturity level 4
  - Comprehensive and adaptive operating environment with effective TAS-PSPF implementation.
  - Protective security requirements are proactively integrated into business practices and exceeding security outcomes.
  - The agency is excelling at implementing better-practice protective security.
  - Security culture is embedded and ubiquitous.
  - Employees undertake regular security refreshers or training to ensure skills are current and relevant to the agency’s needs.
  - Security is maintained through role successions.
  - Processes are in place to identify and test security improvement.
  - The agency has achieved a cycle of continuous improvement.
  - Tools and technologies to assist security management enable collaboration across the agency and improve process efficiency.
  - Security planning integrates short, medium and long-term objectives effectively and seamlessly and adapts quickly to sudden changes.
  - Security management information is captured, analysed and circulated in real time when needed.
Maturity levels within each TAS-PSPF policy
GOVSEC-1: Establish security governance
- Maturity level 1
Your Accountable Authority is partially aware of protective security requirements across your agency.
Partial understanding, assessment and management of security risks to your agency’s people, information and assets. Security is not dealt with in a consistent manner.
- Maturity level 2
Your Accountable Authority substantially applies protective security requirements across your agency.
Most security risks and risk tolerances are identified and managed, monitored or reassessed on a regular basis.
Security risk decisions and shared risks that affect other agencies are substantially managed and communicated to affected agencies.
- Maturity level 3
Your Accountable Authority consistently applies protective security requirements across your agency, determines the agency’s tolerance for security risks, promotes sound risk management processes and ensures appropriate governance arrangements are in place to protect your agency’s people, information and assets.
Security risk decisions and shared risks that affect other agencies are understood and communicated in a timely manner.
- Maturity level 4
Your Accountable Authority has an integrated, continuous-improvement approach to security management across your agency.
Security risk management is a significant priority for your agency, is embedded in your agency’s operations and practices and is aligned to business objectives.
Your agency identifies and operates within agreed and defendable risk tolerances, and leverages better practice to drive business and security decisions.
Formal risk management processes and initiatives to connect security risk management and operations are in place.
Your agency promotes inter-agency collaboration to improve management of security risk decisions and shared risks that affect other agencies.
Where appropriate, your agency provides better practice advice, beyond TAS‑PSPF requirements, to other agencies in its area of expertise.
GOVSEC-2: Security advice and responsibilities
- Maturity level 1
Your agency nominates an Agency Security Advisor (ASA) who has partial capacity to conduct their responsibilities under the core and supplementary requirements of the TAS‑PSPF.
- Maturity level 2
Your agency nominates an ASA who is substantially supported and able to conduct their responsibilities under the core and supplementary requirements of the TAS-PSPF.
- Maturity level 3
Your ASA is supported to complete their responsibilities consistently. They fully understand your agency’s risk tolerance and operating environment and make sound protective security decisions accordingly.
Your ASA regularly briefs the Responsible Executive (RE) and is empowered to make necessary protective security decisions which support the TAS-PSPF.
- Maturity level 4
In addition to those items in Maturity level 3:
Your ASA proactively engages across your agency in relation to protective security, enhancing awareness and assisting everyone to understand their responsibilities under the TAS-PSPF.
Your ASA consistently monitors your agency’s compliance with the TAS‑PSPF and identifies opportunities to improve or exceed performance.
Your ASA engages with other agencies to build better practice and share learnings.
GOVSEC-3: Security awareness
- Maturity level 1
Your agency partially develops a positive security culture by ensuring staff complete any mandatory whole-of-government protective security training.
- Maturity level 2
Your agency has created substantial security awareness where your people collectively foster a positive security culture.
- Maturity level 3
Your people are provided with security awareness training relevant to your agency and/or their roles (where required).
Your agency provides contemporary and tailored training according to changes in your security environment.
Your agency provides role‑specific training for people in emergency, safety or security‑specific roles.
- Maturity level 4
In addition to those items in Maturity level 3:
The security culture of your agency is embedded in every aspect.
You provide regular refresher training to agency people. Post‑incident learnings are incorporated into policies, processes and/or procedures.
Your agency has established effective communication and information‑sharing channels.
GOVSEC-4: Annual reporting
- Maturity level 1
Your agency partially monitors the security maturity performance of its security capability and risk culture against the goals and strategic objectives identified in your agency’s security plan.
- Maturity level 2
Performance and progress against the security plan’s goals and strategic objectives are substantially monitored on a regular basis.
Your annual security report substantially captures your agency’s achievement against the security outcomes, implementation of core requirements, maturity of security capability, key risks to people, information and assets, and mitigation strategies to manage identified risks.
- Maturity level 3
Your agency has a consistent and defined approach to monitoring its security performance, tailored to its risk environment.
Your agency meets these obligations through effective reporting on achievement of security outcomes, implementation of core requirements, maturity of security capability, key risks to people, information and assets, and mitigation strategies.
Key findings and trends are shared within the agency.
- Maturity level 4
Your agency proactively engages in ongoing monitoring and continuous improvement of security capability and culture through long-term planning to predict and prepare for security challenges.
Your agency exceeds reporting obligations and uses annual reporting to drive improvements, strengthen security culture and inform future planning, in line with better practice.
GOVSEC-5: Security planning
- Maturity level 1
Security planning is basic and inconsistent.
The security plan is partially developed and implemented but may not be current or comprehensive.
- Maturity level 2
A security plan is endorsed by your Accountable Authority and captures most of your agency’s goals and strategic objectives, key threats, risks, vulnerabilities and details of security risk tolerances and risk mitigation strategies.
The plan is consistently applied across your agency in the majority of instances.
- Maturity level 3
A security plan is endorsed by your Accountable Authority and captures your agency’s goals and strategic objectives, key threats, risks, vulnerabilities and details of security risk tolerances and risk mitigation strategies.
The plan is regularly reviewed and informs decision-making within your agency.
The plan is used to determine security objectives and clearly supports broader business goals. The security plan is communicated and accessible across your agency.
- Maturity level 4
The security plan is comprehensive in identifying goals, strategic objectives, key threats, risks, vulnerabilities, risk tolerances and risk mitigations.
The security plan influences executive management decision-making and planning.
Your agency proactively and continuously adapts the security plan in response to emerging or changing risks and threat levels.
GOVSEC-6: Reporting incidents and security investigations
- Maturity level 1
Your agency has partially established internal security reporting requirements and understands any external reporting requirements (where necessary).
Investigation of security breaches and incidents is not consistent.
- Maturity level 2
Your agency has substantially established and pursues internal security reporting requirements.
Your agency coordinates and reports to external organisations where necessary.
Your people understand what constitutes a reportable incident and are comfortable to report.
- Maturity level 3
Your agency has established and pursues internal and external security reporting requirements.
Incidents are actively investigated, with learnings shared across the agency.
Any identified corrections are addressed.
- Maturity level 4
Your agency has an exemplary security culture with proactive security leadership. Your people trust the reporting process and incidents are few.
Learnings from those incidents are used to define better practice.
INFOSEC-1: Access to, and management of, official information
- Maturity level 1
Some information access controls and security procedures are in place.
Supporting requirements on information sharing, access to sensitive and security‑classified information and controlling access to supporting ICT systems, networks, infrastructure, devices, applications and data holdings are partially applied.
- Maturity level 2
Processes are substantially in place to enable appropriate sharing of information with relevant stakeholders who have a ‘need to know’ and are appropriately security cleared.
Access controls are substantially implemented to limit unauthorised access to supporting ICT systems, networks, infrastructure, devices, applications and data holdings in accordance with the information access control supporting requirements.
- Maturity level 3
Information holdings are accessed and shared with appropriately security‑cleared personnel who have a ‘need to know’.
Access controls support the integrity of ICT systems, networks, infrastructure, devices, applications and data holdings.
- Maturity level 4
Your agency proactively refines and reinforces information management processes and access controls to ensure superior protection of information and currency of systems to protect against emerging threats and issues.
Information is shared with appropriately security‑cleared personnel who have a ‘need to know’.
Systems are in place to detect, monitor and respond to irregular access to information or ICT systems, networks, infrastructure, devices and applications in real time.
INFOSEC-2: Protecting official information
- Maturity level 1
Your agency has a partial understanding of its information holdings.
Procedures and operational controls to protect official information proportional to its value, importance and sensitivity are basic and inconsistent.
- Maturity level 2
Your agency knows the value of its information holdings and has substantially established operational controls to ensure official information is managed in accordance with minimum protections identified in TAS-PSPF policy: Protecting official information (INFOSEC-2).
Your agency monitors and controls classified information holdings in the context of its risk environment.
- Maturity level 3
Your agency clearly understands the value of its information holdings and operational controls are in place to ensure official information holdings are consistently handled in accordance with minimum protections identified in the TAS-PSPF policy: Protecting official information (INFOSEC-2), proportional to their value, importance and sensitivity.
- Maturity level 4
Your agency culture proactively supports the consistent and appropriate handling of official government information asset holdings, exceeding minimum protections identified in TAS-PSPF policy: Protecting official information (INFOSEC-2).
In a heightened risk environment, your agency closely monitors and controls classified information holdings.
INFOSEC-3: Robust technology and information systems
- Maturity level 1
Partial security measures are in place for ICT system development.
Management of ICT systems certification and accreditation (or assessment and authorisation) is basic and not consistently implemented.
- Maturity level 2
Security measures are substantially in place for ICT system development.
Certification and accreditation (or assessment and authorisation) of ICT systems is consistent and in accordance with TAS-PSPF policy: Robust technology and information systems (INFOSEC-3).
- Maturity level 3
Security measures are applied during all stages of ICT system development.
ICT systems are certified and accredited (or assessed and authorised) in accordance with TAS-PSPF policy: Robust technology and information systems (INFOSEC-3).
- Maturity level 4
ICT security measures, including ICT systems certification and accreditation (or assessment and authorisation), exceed expected standards.
Your agency excels in proactively exploring opportunities to further improve ICT security protections in response to ICT security threats.
PESEC-1: Recruiting the right people
- Maturity level 1
Your agency has partially implemented procedures and systems to ensure people are eligible and suitable to access Tasmanian Government resources.
Pre-employment screening is not consistent and security vetting requirements (where relevant) are partially followed.
Some risks associated with eligibility and suitability of people are managed.
- Maturity level 2
Your agency has developed the majority of its procedures and systems to ensure that people are eligible and suitable to access Tasmanian Government resources.
Pre-employment screening practices are substantially in place and security vetting requirements (where relevant) are mostly followed.
Your agency manages the majority of risks associated with eligibility and suitability of people.
- Maturity level 3
Procedures and systems are in place to ensure that all of your people are eligible and suitable to access Tasmanian Government resources.
All pre-employment screening and security vetting (where relevant) requirements are followed.
These procedures and systems mitigate risks identified in your agency’s people security risk assessment.
- Maturity level 4
Your agency excels in implementing efficient and timely processes to ensure the eligibility and suitability of people to access Tasmanian Government resources.
All requirements are followed and your agency has comprehensive practices in place to proactively manage risks identified in its people security risk assessment.
PESEC-2: Ongoing suitability assessment
- Maturity level 1
Your agency partially assesses and manages the ongoing suitability of its people.
Information of security concern for the ongoing suitability of people is not consistently assessed and shared with relevant stakeholders.
Some security clearance maintenance requirements (where relevant) are met.
- Maturity level 2
Your agency has substantially developed its procedures and systems to assess and manage the ongoing suitability of its people.
In the majority of cases, information of security concern for the ongoing suitability of people is assessed and shared by your agency with relevant stakeholders.
Procedures are mostly in place to ensure compliance with security clearance maintenance requirements (where relevant).
- Maturity level 3
Procedures and systems are in place to ensure that the ongoing suitability of people is assessed and managed in accordance with your agency’s people security risk assessment.
Your agency has established lines of communication and processes to ensure information of security concern is shared with stakeholders as appropriate.
Your agency has procedures in place to ensure compliance with all security clearance maintenance requirements (where relevant).
- Maturity level 4
Your agency is proactive in assessing and managing the suitability of people, including security clearance maintenance requirements (where relevant), to ensure integrity of the agency’s core business.
Your agency has well‑established lines of communication and robust processes to ensure information of security concern for ongoing suitability of people is shared with stakeholders in a timely manner.
PESEC-3: Managing separating people
- Maturity level 1
Your agency has partially implemented processes to ensure that separating people have their access to Tasmanian Government resources withdrawn and are informed of their ongoing security obligations.
- Maturity level 2
Separating people, in the majority of cases, understand their ongoing security obligations and have their access to Tasmanian Government resources withdrawn.
Systems and processes are substantially developed to verify consistency of separating people practices across your agency.
- Maturity level 3
Your agency has in place systems and processes to ensure that all separating people understand their ongoing security obligations, particularly where they have had access to sensitive and security‑classified information and resources during their employment.
Separating people have their access to Tasmanian Government resources withdrawn within an appropriate time frame.
- Maturity level 4
Your agency has proactively implemented systems and processes that are reviewed regularly for separating people. Access to Tasmanian Government resources is withdrawn from people on separation.
Your agency ensures separating people are debriefed and provided with a comprehensive understanding of their ongoing security obligations.
Information of security concern about separating people is shared with relevant stakeholders, including internally, where appropriate.
Risk assessments are undertaken, where appropriate.
PHYSEC-1: Protecting assets
- Maturity level 1
Your agency partially applies physical security requirements. Partial application increases the risk of resources being made inoperable, inaccessible, accessed or removed without proper authorisation.
- Maturity level 2
Your agency has substantially in place physical security measures that minimise or remove the risk of resources being made inoperable, inaccessible, accessed or removed without proper authorisation.
The majority of physical security measures are implemented according to the requirements.
- Maturity level 3
Your agency applies physical security measures that minimise or remove the risk of resources being made inoperable, inaccessible, accessed or removed without proper authorisation in accordance with requirements.
Risks to the compromise of resources are mitigated to a level consistent with agency risk tolerance levels, in accordance with your agency’s security plan.
- Maturity level 4
Your agency applies physical security measures and better practice guidance that minimise or remove the risk of resources being made inoperable, inaccessible, accessed or removed without proper authorisation, which improves the delivery of business.
These measures are proportionate to the level of risk and are scalable to changes in the threat environment.
PHYSEC-2: Agency facilities
- Maturity level 1
Your agency partially considers physical security in the early stages of planning, selecting, designing and modifying facilities.
Where required, facility certification, accreditation, documentation and review are partially in accordance with the TAS‑PSPF and applicable ASIO Technical Notes.
- Maturity level 2
In the majority of cases, your agency considers physical security when planning, selecting, designing and modifying facilities, substantially integrating physical security requirements into all facilities.
Where required, certification, accreditation, documentation and periodic review of the majority of facilities are in accordance with the TAS‑PSPF and applicable ASIO Technical Notes.
- Maturity level 3
Physical security requirements are integrated into all stages of planning and modifying facilities.
Where required, your agency facilities are certified and accredited systematically, with appropriate documentation, and in accordance with the TAS‑PSPF and applicable ASIO Technical Notes.
- Maturity level 4
Physical security requirements are a key driver for selection, design or modification of your agency facilities.
Where required, your agency proactively ensures systematic certification and accreditation, with appropriate documentation, of its facilities in accordance with the TAS‑PSPF and applicable ASIO Technical Notes.
Required physical security upgrades of facilities are implemented as a priority.
Useful resource: Risk register examples
Description: Describe the risk (consider the questions listed in the section on agency‑specific risks above).
Category: People, information, property, reputation, finances, business operations.
Event: Occurrence or change of a particular set of circumstances.
Source: Threat or hazard that is the source of the risk.
Cause: Why the threat or hazard is a risk.
Consequences: Level of impact the risk will have on your agency.
Risk criteria: Determined tolerability against consequence and likelihood tables.
Priority: Adequacy of existing controls in place, or the known controls for the risk.
Controls: Adequacy of existing controls in place, or the known controls for the risk.
Current risk rating: The current risk rating status.
Risk decision: Whether the risk needs treatment.
Treatments: What action needs to be taken, by whom, with what resources and when.
Residual risk rating: Once treatments have been implemented, what the residual risk rating will be.
Stakeholders: Who else is impacted by the risk (e.g. other agencies, contractors, service providers).
Previous risk information: Information about any previous risk, threat or vulnerability assessments.
References and resources
- Australian Government, Protective Security Policy Framework - Policy 3: Security planning and risk management (PDF)
- South Australian Government, Security governance policies
- AS/NZS ISO 31000:2018 – Risk management – Guidelines
- ISO Guide 73:2009 – Risk management – Vocabulary
- Standards Australia HB 167:2006 – Security risk management
Version control and change log
First publication: April 2023
Revision: February 2024
Next review date: December 2024
Change log:
- V1.0 April 2023
  - Policy issued
- V2.0 February 2024
  - Definition: 'core requirement' updated
  - Definition: 'originator' updated
  - Definition: 'protected information' removed and replaced with 'security classified'
  - Definition: 'Responsible Executive' added
  - Definition: 'supplementary requirement' updated