The Range Statement provides information about the context in which the unit of competency is carried out. The variables cater for differences between States and Territories and the Commonwealth, and between organisations and workplaces. They allow for different work requirements, work practices and knowledge. The Range Statement also provides a focus for assessment. It relates to the unit as a whole. Text in bold italics in the Performance Criteria is explained here.
| Term | Range |
|---|---|
| Strategic context may include: | the relationship between the organisation and the environment in which it operates; the organisation's functions: political, operational, financial, social, legal, commercial; the various stakeholders and clients |
| Organisational context may include: | the organisation, how it is organised, and its capabilities; any official resources, including physical areas and assets, that are vital to the operation of the organisation; key operational elements of the organisation; any major projects |
| Legislation, policies, procedures and guidelines may include: | Commonwealth and State/Territory legislation relating to security; national and international codes of practice and standards; the organisation's policies and practices; jurisdictional policies; codes of conduct/codes of ethics; AS/NZS ISO 31000:2009 Risk management - Principles and guidelines; Australian Government Information Security Manual (ISM); Protective Security Policy Framework |
| Stakeholders may include: | supervisors; managers; other areas within the organisation; other organisations; government; third parties |
| Security risk criteria may concern: | vital functions and capabilities; the expectations of stakeholders and clients; the personal security of employees and clients; general expectations about confidentiality; the availability of the organisation's official resources |
| Jurisdictional policies and legislation relating to risk criteria cover: | expectations about the care and confidentiality of official information, reflected in legislation such as the Public Service Act 1999, Crimes Act 1914 and Criminal Code 1985; the availability of official information to the public (Freedom of Information Act 1982); expectations about the collection, use and care of personal information (the Privacy Act 1988); expectations about the well-being and personal security of staff (Occupational Health and Safety [Commonwealth Employment] Act 1991); the measures and procedures agencies must adopt to protect official resources from fraud (Commonwealth fraud control policy); the expectation that there will be a Commonwealth-wide system for providing appropriate protection to security classified information (Commonwealth protective security policy) |
| Risk assessment plan will include: | the strategic and organisational context of the agency (or organisation, area or project under review); the scope and objectives of the review; information and resources required to complete the review; the security risk criteria |
| Information may be: | hardcopy; audio-visual; electronic |
| Sources of threat may include: | people; systems; environmental; financial; natural; conflict; terrorism; political circumstances; internal; external; local; national; international |
| Resources may be: | agency owned; contractor owned; hired; leased; owned by third parties |
| Threats/potential threats may be: | internal; external; national; international; real; perceived; to: people, property, information, reputation; criminal; terrorist; from foreign intelligence services; from commercial/industrial competitors; from malicious people |
| Threat assessment: | is used to provide information about people and events that may pose a risk to a particular resource or function; evaluates and discusses the likelihood of a threat being realised; determines the potential of a threat to actually cause harm |
| Risk exposure is: | a measure of how open a resource is to harm, or the potential of a resource to attract harm |
| Risk assessment techniques may include: | qualitative and/or semi-quantitative and/or quantitative; brainstorming; focus groups; expert judgment; strengths, weaknesses, opportunities and threats (SWOT) analysis; analysis of risk registers; examination of available data such as audit results and incident reports; nomogram; risk matrix; scenario analysis; business continuity planning |
| Consequences may include: | degree of harm; who would be affected and how; how much disruption would occur; damage to: the organisation, other organisations, government, third parties; critical lead time for recovery |
| Critical lead time for recovery is: | the period of time a function is compromised; critical if the function is vital to the organisation |
| Likelihood of risk may be determined through analysis of: | current controls to deter, detect or prevent harm; effectiveness of current controls; level of exposure; threat assessment; determination of threat source/s; competence/capability of threat source/s; opportunity for threat to occur |
| Risk ratings may include: | severe; high; major; significant; moderate; low; trivial |
| Format for risk documentation may include: | matrix; table; graphs; graphics; computer modelling |
| Acceptable risks are: | those which an organisation has determined have the least potential for harm |
| Unacceptable risks are: | those which an organisation has determined have the most potential for harm |
| Residual risks are: | those which cannot be treated but still need to be documented |