The Security Governance domain is focused on the establishment of accountability, planning, security culture, capability and maturity. This domain provides clear details of the roles and responsibilities necessary to deliver protective security outcomes across all agency outputs.

Required outcome

Each agency identifies and manages security risks and supports a positive security culture while maintaining a cycle of continuous improvement.

To help agencies achieve this security outcome, Tasmania’s Protective Security Policy Framework (TAS-PSPF) includes 6 Security Governance (GOVSEC) core requirements, each supported by a varying number of supplementary requirements and a guiding policy. These requirements define the scope of what agencies must do in relation to their protective security governance.

Security Governance policies

GOVSEC-1: Establish security governance

Context

Establishing an appropriate security governance structure is achieved through implementation and compliance with the TAS-PSPF, and is an important step to embedding protective security in all aspects of agency outputs.

The security governance structure should be risk-based, reflecting agency-specific business activities and requirements. This enables the agency to prioritise risk mitigations, improve planning, increase resilience and strengthen its security culture.

Core requirement

The Accountable Authority will establish and implement appropriate security governance for the agency, with specific consideration of the environment in which the agency operates.

Policy guidance

GOVSEC-2: Security advice and responsibilities

Context

The Agency Security Advisor (ASA) is a key element in an agency’s security governance structure. The ASA provides protective security advice and leadership in day-to-day protective security risk management issues, and supports the Accountable Authority with implementation, coordination and ongoing compliance with the TAS-PSPF.

Core requirement

The Accountable Authority will nominate an ASA.

Policy guidance

GOVSEC-3: Security awareness

Context

Staff must be supported in understanding their role in protecting the agency and its assets from harm. Enhanced security awareness develops and supports an improved security culture, which is a baseline protection against the exploitation of agency vulnerabilities.

Core requirement

The Accountable Authority will work to develop a protective security culture within their agency.

Policy guidance

GOVSEC-4: Annual reporting

Context

Agency annual reporting provides assurance of commitment to continuous improvement and an indication of security maturity across Tasmanian Government agencies. This reporting will be forwarded to DPAC for collation, review and further reporting to Cabinet as necessary.

Core requirement

The Accountable Authority will submit an annual self-assessment report, including evaluation of maturity across the TAS-PSPF, using a template provided by DPAC.

Policy guidance

GOVSEC-5: Security planning

Context

Adequate security planning and preparedness will support and enable business objectives while protecting against vulnerabilities. Adopting protective security planning will improve agency-specific resilience appropriate to the agency’s risk appetite and tolerance.

Core requirement

The Accountable Authority will be responsible for adopting protective security planning and monitoring to manage security risks.

Policy guidance

GOVSEC-6: Reporting incidents and security investigations

Context

With increased security awareness and an enhanced security culture, the identification of and response to security incidents will improve. Accountable Authorities must ensure that reporting processes are developed and implemented in accordance with the TAS-PSPF.

Core requirement

The Accountable Authority will develop, implement and review processes to support the reporting and investigation of security breaches and incidents.

Policy guidance