Each agency identifies and manages security risks while establishing and maintaining a positive security culture, and a cycle of continuous improvement.
To support agencies to achieve this outcome, the SAPSF includes six Governance Security (GOVSEC) policies, each comprising one core requirement and a varying number of supporting requirements. These requirements cover the scope of what agencies must do in relation to their protective security governance.
GOVSEC1: Security governance
Core requirement 1: The accountable authority* must establish the right security governance for the agency
This policy describes how an agency’s accountable authority can establish effective security governance to protect their agency’s people, information and assets. An effective governance structure ensures employees with the appropriate knowledge and position are empowered and resourced to maintain agency security.
*the person or group of persons responsible for, and with control over, the agency’s operations
GOVSEC2: Security planning
Core requirement 2: Maintain a security plan to manage security risks
This policy describes how agencies can effectively manage security risks through planning and embedding security into risk management practices and procedures. Good security planning will assist agencies to identify and manage security risks while maintaining the continuous delivery of efficient and effective government services.
GOVSEC3: Security monitoring
Core requirement 3: Monitor security maturity against the security plan
This policy ensures that agencies develop and implement processes to routinely monitor and assess their security maturity in line with the security goals of their security plan. Security maturity is a meaningful way of measuring an agency’s overall security capability in line with the risk environment and the agency’s risk tolerances.
GOVSEC4: Annual security attestation
Core requirement 4: Provide an annual security attestation to the Department of the Premier and Cabinet on progress against the security plan
The annual security attestation, signed by an agency’s accountable authority, provides a mechanism for each agency to provide a level of assurance and demonstrate its level of confidence that it is achieving the overall security outcomes of the South Australian Government, while also identifying broader protective security risks or challenges.
GOVSEC5: Managing the security of contractors and service providers
Core requirement 5: Manage any security risks that arise from the procurement of goods and services
This policy supports the South Australian Government’s procurement requirements** which detail how agencies procure goods and services. The requirements of this policy seek to ensure security risk is a considered element in all procurement processes.
**The State Procurement Board (SPB) issues the Procurement Policy Framework to guide procurement in the South Australian Government. A new South Australian Government Procurement Framework is currently being prepared by Procurement Services South Australia and is expected to commence in December 2020.
GOVSEC6: Security governance for international sharing
Core requirement 6: Ensure adherence to any provisions for the security of people, information and assets contained in international agreements and arrangements to which Australia is a party
This policy ensures all agencies formalise all partnerships or relationships with foreign partners or agencies through international agreements or arrangements that safeguard the interests, information and assets of both the South Australian and Commonwealth Governments.