Compliance with any framework or regulation starts with a thorough understanding of all the requirements it entails. PSPF has 16 policies, each of which has a core requirement and several supporting requirements. These policies describe the minimum level of security a government agency should maintain.

Some of the most important policies of PSPF include:

• Classifying and handling official information according to its sensitivity and value using protective markings. This policy applies to all communication material, including digital and physical channels.
• Vetting staff who have access to highly-sensitive and classified information or assets or who work in high-risk environments.
• Implementing security measures to address physical security threats such as unauthorised access, theft, damage or compromising of people, information, or assets.

Once you have a clear understanding of all the requirements of PSPF, you should evaluate the current security maturity level and compare the results against PSPF findings to identify compliance gaps.

The framework has a maturity assessment model that government agencies can use to assess their security capabilities across five levels (ad hoc, developing, managing, embedded or leading)

According to the model, you need to follow three steps when conducting the maturity self-assessment:

• Identify the evidence sources that demonstrate your compliance with each PSPF requirement, such as policies, procedures, plans, reports, audits or reviews.
• Rate your maturity level for each requirement based on the evidence sources and the PSPF maturity descriptors.
• Document your findings and rationale in a maturity self-assessment report.

All government agencies that have completed the self-maturity assessment should communicate the results of their assessments to the Attorney General’s Department which is responsible for overseeing the implementation of the PSPF across all government entities.

The security maturity level report should be submitted to the Attorney General’s Department before the 31st of October each financial year.

The report should include:

• Your agency’s overall security maturity level and rating for each PSPF requirement.
• A brief summary of your strengths and areas for improvement.
• A summary of any significant security incidents or breaches that occurred during the reporting period.
• A summary of any corrective actions or initiatives that you have taken or plan to take to address any gaps or weaknesses in your security practices.

The final step is to develop and implement a security improvement plan, which should include your agency’s security objectives, strategies, actions, timelines, responsibilities and performance indicators for achieving compliance with the PSPF.

Here are some strategies for developing and implementing a security improvement plan for your organisation:

• Align your objectives and priorities with business goals and risk appetite.
• Engage all stakeholders in setting the direction and scope of your security improvement plan.
• Communicate your security expectations and requirements to your staff, contractors and partners.
• Provide regular training and awareness programs to enhance staff’s security knowledge and skills.
• Review and update your security policies, procedures and controls to reflect changes in the threat environment.
• Monitor and measure your progress and performance.