Assessor Resource

PSPSEC016
Define information systems framework

Assessment tool

Version 1.0
Issue Date: April 2024


This unit describes the skills required to identify and establish the information system security framework for an organisation or a business unit at functional level. It includes determining the organisational context, determining principal areas of risk, determining system requirements and establishing the security framework.

This unit applies to those with organisation-wide responsibility for defining systems and procedures which impact on organisational security.

The skills and knowledge described in this unit must be applied within the legislative, regulatory and policy environment in which they are carried out. Organisational policies and procedures must be consulted and adhered to, particularly those related to defining information systems for security.

Those undertaking this unit would work autonomously while frequently accessing and evaluating support from a broad range of sources. They would perform sophisticated tasks in a broad range of contexts.

No licensing, legislative or certification requirements apply to this unit at the time of publication.

You may want to include more information here about the target group and the purpose of the assessments (eg formative, summative, recognition)



Evidence Required

List the assessment methods to be used and the context and resources required for assessment. Copy and paste the relevant sections from the evidence guide below and then re-write these in plain English.

ELEMENTS: Elements describe the essential outcomes.

PERFORMANCE CRITERIA: Performance criteria describe the performance needed to demonstrate achievement of the element. Where bold italicised text is used, further information is detailed in the range of conditions section.

1. Establish the organisational context

1.1 Identify and document legislative and regulatory requirements for the organisation.

1.2 Analyse legislation for any information management security implications and document outcomes.

1.3 Review organisational purpose and function for compliance requirements.

1.4 Analyse broad social context in which the organisation operates to determine community expectations.

2. Determine the principal areas of risk requiring information strategy

2.1 Review and update existing risk analyses.

2.2 Review and document regulatory requirements and legal liabilities for their impact on the information systems framework.

2.3 Determine and document risks and liabilities to be managed by information systems, informing the development of the framework.

3. Determine the information system requirements for each business function

3.1 Analyse risks, liabilities and regulatory requirements.

3.2 Document and communicate identified requirements as evidence to be captured as records.

3.3 Formulate information system specifications from the evidence requirements.

3.4 Determine information security requirements.

3.5 Determine specifications for information systems security measures.

4. Establish information systems framework for organisation

4.1 Develop and communicate an overview of responsibilities for information management within the organisation.

4.2 Define responsibilities and authorities in relation to regulatory requirements.

4.3 Define information management responsibilities and rights for each business function.

4.4 Integrate identified risks and liabilities managed by information systems.

4.5 Define, assign and document levels of accountability and responsibility within the framework.

4.6 Formulate and document security procedures for information systems.

5. Obtain approval for framework

5.1 Communicate completed and documented framework for review and endorsement.

5.2 Establish a review process and assign appropriate persons to maintain the currency of the organisation's information systems framework.

Evidence required to demonstrate competence must satisfy all of the requirements of the elements and performance criteria. If not otherwise specified, the candidate must demonstrate evidence of performance of the following on at least two occasions.

applying legislation, regulations and policies relating to government information systems security

analysing process functions and problems

preparing, compiling and writing complex documents and reports

communicating complex relationships and processes effectively to users and management

documenting complex relationships and processes

identifying and viewing component parts as integral elements of the whole system

reading and interpreting mathematical concepts and values embedded in specifications and complex technical documentation

analysing and interpreting legal, regulatory and security requirements and organisation policies and procedures

analysing and synthesising documentation, verbally delivered information, and observed behaviours

consulting with diverse stakeholders to elicit relevant information for analysis

Evidence required to demonstrate competence must satisfy all of the requirements of the elements and performance criteria. If not otherwise specified, the depth of knowledge demonstrated must be appropriate to the job context of the candidate.

Operational knowledge of:

legislation, regulations, policies, procedures and guidelines relating to government information system security

equal employment opportunity, equity and diversity principles

public sector legislation in the context of government information systems security

sources of information about jurisdictional requirements for information systems

public sector legislation, including WHS and environment, in the context of government information systems security

functions and structures in the organisation (comprehensive knowledge required)

policies and strategies that apply across the jurisdiction

information management principles and processes

information security requirements

Assessment of this unit requires evidence gathered over time in a workplace environment or one that closely resembles normal work practice and replicates the diverse conditions likely to be encountered when defining information systems.

Assessors must satisfy the NVR/AQTF mandatory competency requirements for assessors.


Submission Requirements

List each assessment task's title, type (eg project, observation/demonstration, essay, assignment, checklist) and due date here

Assessment task 1: [title]      Due date:

(add new lines for each of the assessment tasks)


Assessment Tasks

Copy and paste from the following data to produce each assessment task. Write these in plain English and spell out how, when and where the task is to be carried out, under what conditions, and what resources are needed. Include guidelines about how well the candidate has to perform a task for it to be judged satisfactory.

ELEMENTS: Elements describe the essential outcomes.

PERFORMANCE CRITERIA: Performance criteria describe the performance needed to demonstrate achievement of the element. Where bold italicised text is used, further information is detailed in the range of conditions section.

1. Establish the organisational context

1.1 Identify and document legislative and regulatory requirements for the organisation.

1.2 Analyse legislation for any information management security implications and document outcomes.

1.3 Review organisational purpose and function for compliance requirements.

1.4 Analyse broad social context in which the organisation operates to determine community expectations.

2. Determine the principal areas of risk requiring information strategy

2.1 Review and update existing risk analyses.

2.2 Review and document regulatory requirements and legal liabilities for their impact on the information systems framework.

2.3 Determine and document risks and liabilities to be managed by information systems, informing the development of the framework.

3. Determine the information system requirements for each business function

3.1 Analyse risks, liabilities and regulatory requirements.

3.2 Document and communicate identified requirements as evidence to be captured as records.

3.3 Formulate information system specifications from the evidence requirements.

3.4 Determine information security requirements.

3.5 Determine specifications for information systems security measures.

4. Establish information systems framework for organisation

4.1 Develop and communicate an overview of responsibilities for information management within the organisation.

4.2 Define responsibilities and authorities in relation to regulatory requirements.

4.3 Define information management responsibilities and rights for each business function.

4.4 Integrate identified risks and liabilities managed by information systems.

4.5 Define, assign and document levels of accountability and responsibility within the framework.

4.6 Formulate and document security procedures for information systems.

5. Obtain approval for framework

5.1 Communicate completed and documented framework for review and endorsement.

5.2 Establish a review process and assign appropriate persons to maintain the currency of the organisation's information systems framework.

Evidence required to demonstrate competence must satisfy all of the requirements of the elements and performance criteria. If not otherwise specified, the candidate must demonstrate evidence of performance of the following on at least two occasions.

applying legislation, regulations and policies relating to government information systems security

analysing process functions and problems

preparing, compiling and writing complex documents and reports

communicating complex relationships and processes effectively to users and management

documenting complex relationships and processes

identifying and viewing component parts as integral elements of the whole system

reading and interpreting mathematical concepts and values embedded in specifications and complex technical documentation

analysing and interpreting legal, regulatory and security requirements and organisation policies and procedures

analysing and synthesising documentation, verbally delivered information, and observed behaviours

consulting with diverse stakeholders to elicit relevant information for analysis

Evidence required to demonstrate competence must satisfy all of the requirements of the elements and performance criteria. If not otherwise specified, the depth of knowledge demonstrated must be appropriate to the job context of the candidate.

Operational knowledge of:

legislation, regulations, policies, procedures and guidelines relating to government information system security

equal employment opportunity, equity and diversity principles

public sector legislation in the context of government information systems security

sources of information about jurisdictional requirements for information systems

public sector legislation, including WHS and environment, in the context of government information systems security

functions and structures in the organisation (comprehensive knowledge required)

policies and strategies that apply across the jurisdiction

information management principles and processes

information security requirements

Assessment of this unit requires evidence gathered over time in a workplace environment or one that closely resembles normal work practice and replicates the diverse conditions likely to be encountered when defining information systems.

Assessors must satisfy the NVR/AQTF mandatory competency requirements for assessors.

Copy and paste from the following performance criteria to create an observation checklist for each task. When you have finished writing your assessment tool every one of these must have been addressed, preferably several times in a variety of contexts. To ensure this occurs download the assessment matrix for the unit; enter each assessment task as a column header and place check marks against each performance criteria that task addresses.

Observation Checklist

Tasks to be observed according to workplace/college/TAFE policy and procedures, relevant legislation and Codes of Practice | Yes | No | Comments/feedback

1.1 Identify and document legislative and regulatory requirements for the organisation. | | |
1.2 Analyse legislation for any information management security implications and document outcomes. | | |
1.3 Review organisational purpose and function for compliance requirements. | | |
1.4 Analyse broad social context in which the organisation operates to determine community expectations. | | |
2.1 Review and update existing risk analyses. | | |
2.2 Review and document regulatory requirements and legal liabilities for their impact on the information systems framework. | | |
2.3 Determine and document risks and liabilities to be managed by information systems, informing the development of the framework. | | |
3.1 Analyse risks, liabilities and regulatory requirements. | | |
3.2 Document and communicate identified requirements as evidence to be captured as records. | | |
3.3 Formulate information system specifications from the evidence requirements. | | |
3.4 Determine information security requirements. | | |
3.5 Determine specifications for information systems security measures. | | |
4.1 Develop and communicate an overview of responsibilities for information management within the organisation. | | |
4.2 Define responsibilities and authorities in relation to regulatory requirements. | | |
4.3 Define information management responsibilities and rights for each business function. | | |
4.4 Integrate identified risks and liabilities managed by information systems. | | |
4.5 Define, assign and document levels of accountability and responsibility within the framework. | | |
4.6 Formulate and document security procedures for information systems. | | |
5.1 Communicate completed and documented framework for review and endorsement. | | |
5.2 Establish a review process and assign appropriate persons to maintain the currency of the organisation's information systems framework. | | |

Forms

Assessment Cover Sheet

PSPSEC016 - Define information systems framework
Assessment task 1: [title]

Student name:

Student ID:

I declare that the assessment tasks submitted for this unit are my own work.

Student signature:

Result: [ ] Competent [ ] Not yet competent

Feedback to student


Assessor name:

Signature:

Date:


Assessment Record Sheet

PSPSEC016 - Define information systems framework

Student name:

Student ID:

Assessment task 1: [title] Result: [ ] Competent [ ] Not yet competent

(add lines for each task)

Feedback to student:


Overall assessment result: [ ] Competent [ ] Not yet competent

Assessor name:

Signature:

Date:

Student signature:

Date: