When launched in 2010, the Commonwealth Protective Security Policy Framework (PSPF) was a significant reform. It adopted a greater focus on risk than did its predecessor (the Protective Security Manual).
It achieved its immediate aims and Government practitioners, and those who supported them, started talking (and doing) more about security risk management.
Notwithstanding this, the 2010 PSPF contained 2,200 ‘shall’, ‘must’, ‘are to’, ‘need to’ and similar statements that were very prescriptive in nature. That meant that, while entities were encouraged to practise risk management, the treatments had already been provided up front.
It’s not hard to see the conflict here, and the one-size-fits-all approach applied to the largest Department and the smallest Agency alike did not make the task any easier for Agency Security Advisers (ASAs) and IT Security Advisers (ITSAs). Numerous controls were only semi-justifiable for some entities, and left others somewhat ambivalent about the notion of then needing to perform security risk management on top of a very heavily control-focused environment.
A bigger impediment was that many Government employees could not perform a credible security risk assessment without proper training and on-the-job experience. This was manageable for those who had the budget to contract in specialists, but the remainder remain somewhat hamstrung in terms of effective security risk-based practices.
PSPF Risk Assessment Frequency
Those entities that were doing security risk management well were carrying out enterprise assessments every two years, and sooner if the environment warranted it. Further assessments were carried out at the operational level to examine functional and process-level risk profiles.
The aggregation of assessments over time can also be problematic, especially when they exist only as MS Word/Excel documents. Because every consultant does things differently, the process is usually restarted periodically rather than run as a genuine and ongoing program of risk ‘management’.
Once created, assessments should simply be reviewed and updated rather than recreated. This can save a substantial amount of money in the process.
PSPF Risk Assessment Tools
Further, security managers are not equipped with the best tools to create and manage effective security risk assessments. Enterprise Risk Management platforms do not account for the nuances of security risk management, and no amount of retrofitting or customising them seems to change that. Where they are used, they can be complex and require routine use to maintain the degree of knowledge needed to get the most out of them.
The Risk Management Solution
This is where the concept of SECTARA arose from. SECTARA was specifically designed as a platform for advanced security risk assessment and management, while ensuring that the entire process is logical and easy to follow step by step.
Much of the data is automatically populated based on the types of assets and threats that are entered, and the interactive visual charts give ASAs and ITSAs a great advantage when pitching for resources or justifying existing spend.
At the time of writing, 1 Oct 18 was fast approaching. ASAs and ITSAs should consider how they are going to manage the risks that the new PSPF will help identify through a greater risk-based focus by all.
Contact Us or subscribe to be kept up to date with all things PSPF.
How to get started with SECTARA
If you see the same great benefits that we do in SECTARA, there are several methods to get started:
- Register for one of our Bronze, Silver or Gold Plans.
- Sign up to our absolutely Free Plan.
- Arrange an online demo.
- Contact us
As a valued subscriber, you will be comprehensively supported via our Ticketing System and Knowledge Base, and you can still always contact us directly when you need to. Best of all, all subscribers are entitled to a free copy of the Security Risk Management Aide-Memoire (SRMAM) when they register (this applies to both free and paid plans). SRMAM was written by Julian Talbot, the original author of SRMBoK.
We look forward to seeing you on SECTARA!