The governance domain includes developing organisational responsibility and investment in security, including by appointing staff with designated responsibilities, identifying organisational risks and implementing plans to manage them, and monitoring and reporting on organisational security maturity.

Desired outcome

Each agency identifies and manages security risks while establishing and maintaining a positive security culture, and a cycle of continuous improvement.

To support agencies to achieve this outcome, the South Australian Protective Security Framework (SAPSF) includes six Governance Security (GOVSEC) policies, each comprising one core requirement and a varying number of supporting requirements. These requirements cover the scope of what agencies must do in relation to their protective security governance.

Governance Security Policies

Purpose

This policy describes how an agency’s accountable authority can establish effective security governance to protect their agency’s people, information and assets. An effective governance structure ensures employees with the appropriate knowledge and position are empowered and resourced to maintain agency security.

Core requirement

The accountable authority must establish the right security governance for the agency

Access: GOVSEC1 Guidance

Download: GOVSEC1 Guidance (PDF, 973.4 KB)

Purpose

Good security planning will assist agencies to identify and manage security risks while maintaining the continuous delivery of efficient and effective government services. This policy describes how agencies can effectively manage security risks through planning and embedding security into risk management practices and procedures.

Security planning through risk management processes enables agencies to prioritise the most critical risks, set protective security targets, adjust objectives based on changes to the risk environment, and improve agency resilience to threats and overall protective security maturity.

Core requirement

Maintain a security plan to manage security risks

Access: GOVSEC2 Guidance

Download: GOVSEC2 Guidance (PDF, 833.6 KB)

Purpose

Security maturity is a meaningful way of measuring an agency’s overall security capability in line with the risk environment and the agency’s risk tolerances. Maturity recognises the inherent differences between agencies, functions, risk environments and security risks, and acknowledges the journey agencies may need to take to achieve their security goals and objectives, while helping to identify areas for improvement.

This policy ensures that agencies develop and implement processes to routinely monitor and assess their security maturity in line with the security goals of their security plan. An agency’s security maturity includes the ability to actively respond to changes in the agency’s security risk environment, including to new and emerging threats or vulnerabilities, to ensure the ongoing protection of its people, information and assets.

Core requirement

Monitor security maturity against the security plan

Access: GOVSEC3 Guidance

Download: GOVSEC3 Guidance (PDF, 688.4 KB)

Purpose

The policies of the SAPSF are designed to ensure the security of information, people and assets within the South Australian Government. However, how each agency applies the policies, and how effective they are, depends significantly on the risks identified, the risk environment an agency operates in, and each agency’s individual risk appetite and tolerance.

The annual security attestation, signed by an agency’s accountable authority, provides a mechanism for each agency to provide a level of assurance and demonstrate its level of confidence that it is achieving the overall security outcomes of the South Australian Government, while also identifying broader protective security risks or challenges.

Core requirement

Provide an annual security attestation to the Department of the Premier and Cabinet on progress against the security plan

Access: GOVSEC4 Guidance

Download: GOVSEC 4 Guidance (PDF, 1.1 MB)

Purpose

Security risks can arise through the procurement of goods and services, and effective risk management is required to reduce the likelihood and consequence of security issues or incidents.

This policy supports the South Australian Government’s procurement requirements which detail how agencies procure goods and services. The requirements of this policy seek to ensure security risk is a considered element in all procurement processes.

Core requirement 

Manage any security risks that arise from the procurement of goods and services

Access: GOVSEC5 Guidance

Download: GOVSEC 5 Guidance (PDF, 1003.9 KB)

Purpose

From time to time, agencies in South Australia may need to enter official relationships with foreign partners or entities. Security protections are required to ensure that the information or assets are not compromised or exposed to uncontrollable risks.

This policy ensures all agencies formalise all partnerships or relationships with foreign partners or agencies through international agreements or arrangements that safeguard the interests, information and assets of both the South Australian and Commonwealth Governments.

Communicating, or making available, security classified information with another country or foreign organisation could be considered espionage under the Criminal Code.

However, specific legislative provisions authorise agencies to share information internationally under arrangements made or directions given by the relevant minister.

Core requirement

Ensure adherence to any provisions for the security of people, information and assets contained in international agreements and arrangements to which Australia is a party

Access: GOVSEC6 Guidance

Download: GOVSEC6 Guidance (PDF, 680.8 KB)