When the Commonwealth Protective Security Policy Framework (PSPF) was launched in 2010, it was a significant reform that sought to adopt a more risk-based approach to security than did its predecessor (the Protective Security Manual). It achieved its immediate aims and Government practitioners, and those who supported them, started talking (and doing) more about security risk management.
Notwithstanding this, the 2010 PSPF contained 2,200 ‘shall’, ‘must’, ‘are to’, ‘need to’ and similar statements, making it very prescriptive in nature. That meant that, while entities were encouraged to practise risk management, they were front-loaded with the details of many of the treatments that were expected to be implemented.
It’s not hard to see the conflict here, and the one-size-fits-all approach to the largest Department versus the smallest Agency did not make the task any easier for Agency Security Advisers (ASAs) and IT Security Advisers (ITSAs). Numerous controls were only semi-justifiable for some, and left others somewhat ambivalent about the notion of then needing to perform security risk management on top of a very heavily control-focused environment.
A bigger impediment was that many Government employees could not perform a credible security risk assessment without proper training and on-the-job experience. This was manageable for those who had (or have) the budget to contract in specialists, but the remainder remain somewhat hamstrung in terms of effective security risk-based practices.
Those entities that were doing security risk management well were carrying out enterprise assessments every two years, and sooner if the environment warranted it. Further assessments were carried out at the operational level to examine functional and process-level.
The aggregation of assessments over time is something that can also be problematic, especially if they are MS Word documents stacked in a corner. The fact that every consultant does things differently usually also means restarting the process periodically, rather than the implementation of a genuine and ongoing program of risk ‘management’. Once created, assessments should simply be reviewed and updated rather than being recreated, potentially saving a substantial amount of money in the process.
Further, security managers are not equipped with the best tools to be able to create and manage effective security risk assessments. Enterprise Risk Management platforms, where they have been procured by an entity, do not account for the nuances of security risk management, and it seems that no amount of retrofitting/customising them changes the fact. Where they are being used, they can be complex and require routine use to maintain the necessary degree of knowledge to get the most out of them.
This is where the concept of SECTARA arose. SECTARA was specifically designed as a platform for advanced security risk assessments and management, while ensuring that the entire process was logical, easy and step-by-step. Much of the data is automatically populated based on the types of assets and threats that are entered, and the interactive visual charts give ASAs and ITSAs a great advantage when pitching for resources or simply justifying existing spend.
The platform is hosted within an UNCLAS DLM environment and can be similarly hosted within a PROTECTED environment. Backed by Australia’s leading light in security risk management, Industry Risk, SECTARA can be subscribed to, with initial and scheduled assessments conducted by expert consultants and with training provided, and is ideal for advanced security risk management by those who may not necessarily consider themselves advanced in the subject.
As at the time of writing, 1 Oct 18 was fast approaching, and ASAs and ITSAs should strongly consider how they are going to manage the risks that the new PSPF will help identify by compelling a greater risk-based focus from all. If you want to be as prepared as you possibly can be, Contact Us or subscribe to be kept up to date in the footer section of this page.
All the best, Konrad Buczynski