Good security planning will assist agencies to identify and manage security risks while maintaining the continuous delivery of efficient and effective government services. This policy describes how agencies can effectively manage security risks through planning and embedding security into risk management practices and procedures.

Security planning through risk management processes enables agencies to prioritise the most critical risks, set protective security targets, adjust objectives as the risk environment changes, and improve both agency resilience to threats and the agency’s overall protective security maturity.

Core requirement

Maintain a security plan* to manage security risks

Supporting requirements

To establish a security plan that manages security risks, agencies** must:

  1. determine the agency’s security goals and strategic objectives
  2. determine the risk tolerance for the agency
  3. identify the agency’s security risks, including shared risks
  4. plan and implement treatments to manage agency security risks
  5. identify a risk manager to be responsible for each security risk, or category of security risk
  6. document any decisions to deviate from the security plan, including justifications and alternative treatments implemented
  7. review the security plan (and any supporting security plans) at least every two years for:
    1. the adequacy of existing security arrangements and risk treatments
    2. significant changes to the risk environment or tolerance.

GOVSEC2 Guidance (PDF, 1.2 MB)

SAPSF – Security maturity indicators (PDF, 680.0 KB)

Security Maturity Diagram (XLSX, 73.8 KB)

Security Roadmap (XLSX, 69.1 KB)

*Where a single security plan is not practicable due to the agency’s size or complexity of business, the accountable authority may approve a single, strategic-level overarching security plan that addresses the core requirements of the SAPSF, which is then supported by other more detailed plans (supporting security plans).

**This policy applies to all South Australian public sector agencies (as defined in section 3(1) of the Public Sector Act 2009) and to any other person or organisation that is generally subject to the direction of a Minister of the Crown; all of which are referred to in this policy as “Agencies”.