Purpose

This policy describes how an agency’s accountable authority* can establish effective security governance to protect their agency’s people, information and assets. An effective governance structure ensures employees with the appropriate knowledge and position are empowered and resourced to maintain agency security.

Core requirement

The accountable authority must establish the right security governance for the agency

Supporting requirements

To ensure an agency** establishes the right security governance, the accountable authority must:

  1. be responsible for protective security within the agency, including:
  2. putting in place protective security arrangements that implement the core and supporting requirements of the SAPSF
  3. determine and manage the agency’s security risks
  4. appoint an Agency Security Executive (ASE) to be responsible for directing protective security and empower them to make decisions about the agency’s security, including:
    1. appointing security advisors (ASAs and ITSAs) to advise on, and support delivery of, security outcomes, including sound information and communication technology (ICT) policies and procedures
  5. develop practices and procedures that deliver the security plan
  6. detect, respond, investigate and report security incidents
  7. be aware of and meet all security policy or legislative requirements
  8. provide and maintain security awareness training for all employees and service providers
  9. establish, maintain and monitor a central email address for all security matters across all protective security domains, including ICT.

GOVSEC1 Guidance (PDF, 1.2 MB)

*The person or group of persons responsible for, and with control over, the agency’s operations.

**This policy applies to all South Australian public sector agencies (as defined in section 3(1) of the Public Sector Act 2009) and to any other person or organisation that is generally subject to the direction of a Minister of the Crown; all of which are referred to in this policy as “Agencies”.