When launched in 2010, the Commonwealth Protective Security Policy Framework (PSPF) was a significant reform. It adopted a greater focus on risk than did its predecessor (the Protective Security Manual).
It achieved its immediate aims, and Government practitioners, and those who supported them, started talking (and doing) more about security risk management.
Notwithstanding this, the 2010 PSPF contained some 2,200 ‘shall’, ‘must’, ‘are to’, ‘need to’ and similar statements that were highly prescriptive in nature. That meant that, while entities were encouraged to practise risk management, the treatments had already been provided up front.
It is not hard to see the conflict here. A one-size-fits-all approach that applied equally to the largest Department and the smallest Agency did not make the task any easier for Agency Security Advisers (ASAs) and IT Security Advisers (ITSAs). Numerous controls were only semi-justifiable for some entities, and left others ambivalent about then having to perform security risk management on top of an already heavily control-focused environment.
A bigger impediment was that many Government employees could not perform a credible security risk assessment without proper training and on-the-job experience. This was manageable for those who had (and have) the budget to contract in specialists, but the remainder remain somewhat hamstrung in terms of effective security risk-based practice.
PSPF Risk Assessment Frequency
Those entities that were doing security risk management well were carrying out enterprise assessments every two years, and sooner if the environment warranted it. Further assessments were carried out at the operational level to examine functional and process-level risk profiles.
The aggregation of assessments over time can also be problematic, especially where they exist only as MS Word/Excel documents. Because every consultant does things differently, the process is usually restarted from scratch each time, rather than being run as a genuine and ongoing program of risk ‘management’.
Once created, assessments should simply be reviewed and updated rather than being recreated. This can potentially save a substantial amount of money in the process.
PSPF Risk Assessment Tools
Security managers are also not equipped with the best tools to create and manage effective security risk assessments. Enterprise Risk Management platforms do not account for the nuances of security risk management, and no amount of retrofitting or customising them seems to change that. Where they are used, they can be complex and require routine use to maintain the knowledge needed to get the most out of them.
The Risk Management Solution
This is where the concept of SECTARA arose. SECTARA was specifically designed as a platform for advanced security risk assessment and management, while ensuring that the entire process remains logical, easy and step-by-step.
Much of the data is populated automatically based on the types of assets and threats that are entered, and the interactive visual charts give ASAs and ITSAs a considerable advantage when pitching for resources or justifying existing spend.
At the time of writing, 1 October 2018 and the commencement of the new PSPF were fast approaching. ASAs and ITSAs should consider how they are going to manage the risks that the new PSPF, with its greater risk-based focus, will help them identify.
Yours in SRM,
Konrad is a graduate of the Royal Military College Duntroon and served as an Australian Army Officer and telecommunications specialist until 2001. He has held roles as Director of the Australian Centre for Security Management and as Chief Security Officer | Crisis/Business Continuity Program Manager at Thales Australia-New Zealand, the region’s largest Defence Prime Contractor at the time.
A Certified Practising Risk Manager, Registered Security Professional, member of numerous security working groups and technical committees, and designer and author of innumerable security risk management programs, Konrad was the architect and co-founder of SECTARA. He is a company Principal and SECTARA’s Managing Director.
How to get started with SECTARA
If you see the same great benefits that we do in SECTARA, there are several methods to get started:
- Sign up to our absolutely Free Plan.
- Register online for one of our Bronze, Silver or Gold Plans.
- Arrange an online demo.
- Contact us for Platinum Plan pricing.