If you’re a risk management professional working for a government agency, then you probably know the importance of the Protective Security Policy Framework.

The PSPF is designed to give government organisations in Australia a guideline to ensure the security of their people, information and assets both within and outside Australia.

But ensuring adherence to the framework's requirements can be challenging, so we put together a checklist to help you manage compliance.

Step 1: Understand the PSPF policies and requirements

Compliance with any framework or regulation starts with a thorough understanding of all the requirements it entails. PSPF has 16 policies, each of which has a core requirement and several supporting requirements. These policies describe the minimum level of security a government agency should maintain.

Some of the most important policies of PSPF include:

  • Classifying and handling official information according to its sensitivity and value using protective markings. This policy applies to all communication material, including digital and physical channels.
  • Vetting staff who have access to highly sensitive and classified information or assets, or who work in high-risk environments.
  • Implementing security measures to address physical security threats such as unauthorised access, theft, damage to, or compromise of, people, information or assets.

Step 2: Assess your current security maturity level

Once you have a clear understanding of all the PSPF requirements, evaluate your agency's current security maturity level and compare the results against those requirements to identify compliance gaps.

The framework provides a maturity assessment model that government agencies can use to assess their security capabilities across five levels: ad hoc, developing, managing, embedded and leading.

According to the model, you need to follow three steps when conducting the maturity self-assessment:

  • Identify the evidence sources that demonstrate your compliance with each PSPF requirement, such as policies, procedures, plans, reports, audits or reviews.
  • Rate your maturity level for each requirement based on the evidence sources and the PSPF maturity descriptors.
  • Document your findings and rationale in a maturity self-assessment report.
Step 3: Report your security maturity level to the Attorney-General's Department

All government agencies that have completed the security maturity self-assessment should communicate the results to the Attorney-General's Department, which is responsible for overseeing the implementation of the PSPF across all government entities.

The security maturity level report should be submitted to the Attorney-General's Department by 31 October each financial year.

The report should include:

  • Your agency’s overall security maturity level and rating for each PSPF requirement.
  • A brief summary of your strengths and areas for improvement.
  • A summary of any significant security incidents or breaches that occurred during the reporting period.
  • A summary of any corrective actions or initiatives that you have taken or plan to take to address any gaps or weaknesses in your security practices.
Step 4: Develop and implement a security improvement plan

The final step is to develop and implement a security improvement plan, which should include your agency’s security objectives, strategies, actions, timelines, responsibilities and performance indicators for achieving compliance with the PSPF.

Here are some strategies for developing and implementing a security improvement plan for your organisation:

  • Align your objectives and priorities with business goals and risk appetite.
  • Engage all stakeholders in setting the direction and scope of your security improvement plan.
  • Communicate your security expectations and requirements to your staff, contractors and partners.
  • Provide regular training and awareness programs to enhance staff’s security knowledge and skills.
  • Review and update your security policies, procedures and controls to reflect changes in the threat environment.
  • Monitor and measure your progress and performance.
Ensure compliance with PSPF with SECTARA

At SECTARA, our platform is designed to help you ensure compliance with all the leading security risk frameworks and standards including PSPF.

From customisable risk assessment templates to advanced visual analytics, our risk management software offers you a suite of tools to enhance your security risk management (SRM) capabilities.

Want to experience how SECTARA™ works first-hand? Sign up for our 14-day free trial today.
