ELEMENT

PERFORMANCE CRITERIA

1. Identify countermeasures

1.1 Documented risks/threats are reviewed and management decisions on acceptable and unacceptable risks are confirmed.

1.2 Treatment options/countermeasures are determined that are consistent with organisational policies, procedures and guidelines to reduce the likelihood of occurrence or the consequences of the risk, or both.

1.3 Treatments include continuity plans, where appropriate, in accordance with organisational policy and procedures.

1.4 Treatments match the level and type of risk and the importance of the function or resource.

1.5 A cost-benefit analysis is conducted to determine cost-effective countermeasures.

1.6 Stakeholders are consulted on the cost-benefit analysis, and countermeasures are determined and submitted for decision/prioritising in accordance with organisational policy and procedures.

2. Develop security plan

2.1 Security plan is prepared in accordance with organisational policy and procedures.

2.2 The plan contains explanatory information on the importance of security and the organisation's security objectives in achieving corporate and business objectives.

2.3 The plan summarises threat assessments undertaken, current exposure and current protective security arrangements.

2.4 The plan outlines security strategies for implementation of countermeasures, monitoring and evaluation.

2.5 The plan includes a timetable and security budget for implementation of countermeasures including how they will be implemented and by whom.

2.6 Security plan is submitted for approval and communicated to stakeholders in accordance with organisational policy and procedures.

This section describes the essential skills and knowledge and their level, required for this unit.

Skill requirements

Look for evidence that confirms skills in:

applying legislation, regulations and policies relating to security risk management plans

using evaluation and deductive reasoning

undertaking problem solving and decision making

using communication with diverse stakeholders involving presentation, listening, questioning, paraphrasing, clarifying, summarising

reading and analysing the complex information in standards, legislation and security plans

writing reports requiring formality of language and structure

using computer technology to gather and analyse information, and prepare reports

using numerical, graphical and statistical information

representing mathematical information in a range of formats to suit the information and the purpose

responding to diversity, including gender and disability

applying procedures relating to occupational health and safety and environment in the context of developing security risk management plans

Knowledge requirements

Look for evidence that confirms knowledge and understanding of:

legislation, regulations, policies, procedures and guidelines relating to security risk management such as:

occupational health and safety

public service acts

Crimes Act 1914 and Criminal Code 1985

Freedom of Information Act 1982

Privacy Act 1988

fraud control policy

protective security policy

Australian Government Information Security Manual (ISM)

Protective Security Policy Framework

Australian standards, quality assurance and certification requirements

international treaties and protocols

cross-jurisdictional protocols

organisation's strategic objectives

national strategic objectives

formats for different types of reports

cost-benefit analysis techniques

equal employment opportunity, equity and diversity principles

public sector legislation such as occupational health and safety and environment in the context of security risk assessment

The Evidence Guide specifies the evidence required to demonstrate achievement in the unit of competency as a whole. It must be read in conjunction with the Unit descriptor, Performance Criteria, the Range Statement and the Assessment Guidelines for the Public Sector Training Package.

Units to be assessed together

Pre-requisite units that must be achieved prior to this unit:Nil

Co-requisite units that must be assessed with this unit:Nil

Co-assessed units that may be assessed with this unit to increase the efficiency and realism of the assessment process include, but are not limited to:

PSPETHC501B Promote the values and ethos of public service

PSPGOV502B Develop client services

PSPGOV504B Undertake research and analysis

PSPLEGN501B Promote compliance with legislation in the public sector

PSPSEC501A Assess security risks

PSPSEC503A Implement and monitor security risk management plans

Overview of evidence requirements

In addition to integrated demonstration of the elements and their related performance criteria, look for evidence that confirms:

the knowledge requirements of this unit

the skill requirements of this unit

application of the Employability Skills as they relate to this unit (see Employability Summaries in Qualifications Framework)

security risk management plans developed in a range of (2 or more) contexts (or occasions, over time)

Resources required to carry out assessment

These resources include:

legislation, policy, procedures and protocols relating to security risk management plans

Australian Government Information Manual (ISM)

Protective Security Policy Framework

case studies and workplace scenarios to capture the range of situations likely to be encountered when developing security risk management plans

Where and how to assess evidence

Valid assessment of this unit requires:

a workplace environment or one that closely resembles normal work practice and replicates the range of conditions likely to be encountered when developing security risk management plans, including coping with difficulties, irregularities and breakdowns in routine

security risk management plans developed in a range of (2 or more) contexts (or occasions, over time)

Assessment methods should reflect workplace demands, such as literacy, and the needs of particular groups, such as:

people with disabilities

people from culturally and linguistically diverse backgrounds

Aboriginal and Torres Strait Islander people

women

young people

older people

people in rural and remote locations

Assessment methods suitable for valid and reliable assessment of this competency may include, but are not limited to, a combination of 2 or more of:

case studies

portfolios

questioning

scenarios

simulation or role plays

authenticated evidence from the workplace and/or training courses, such as security risk management plan

For consistency of assessment

Evidence must be gathered over time in a range of contexts to ensure the person can achieve the unit outcome and apply the competency in different situations or environments

The Range Statement provides information about the context in which the unit of competency is carried out. The variables cater for differences between States and Territories and the Commonwealth, and between organisations and workplaces. They allow for different work requirements, work practices and knowledge. The Range Statement also provides a focus for assessment. It relates to the unit as a whole. Text in bold italics in the Performance Criteria is explained here.

Risks/threats may be:

internal

external

national

international

real

perceived

to:

people

property

information

reputation

criminal

terrorist

from foreign intelligence services

from commercial/industrial competitors

from malicious people

Risk review includes:

consideration of current and historical information

Acceptable risks are:

those which an organisation has determined have the least potential for harm

Unacceptable risks are:

those which an organisation has determined have the most potential for harm

Treatment options may include:

addition of security measures

reduction of security measures

avoiding the risk through change of practice

acceptance of residual risk

minimisation of harm through response mechanisms

accepting the risk

Countermeasures may include:

revision of agency security plan

upgrade of existing security

installation of new security measures

technical controls

training

personnel-oriented

information-oriented

property-oriented

reputation-oriented

Likelihood of risk may be determined through analysis of:

current controls to deter, detect or prevent harm

effectiveness of current controls

level of exposure

threat assessment

determination of threat source/s

competence/capability of threat source/s

opportunity for threat to occur

Consequences may include:

degree of harm

who would be affected and how

how much disruption would occur

damage to:

the organisation

other organisations

government

third parties

critical lead time for recovery:

the period of time a function is compromised

critical if the function is vital to the organisation

Continuity plans:

may lessen the adverse consequences of risk

provide a set of planned procedures that enable organisations to continue or recover services to the government and the public with minimal disruption over a given period, irrespective of the source of the disruption

Level of risk may be:

severe

high

major

significant

moderate

low

trivial

Cost-benefit analysis may be against:

existing requirements

future requirements

forecast requirements

Stakeholders may include:

supervisors

managers

other areas within the organisation

other organisations

government

third parties

workgroup

Threat assessment:

is used to provide information about people and events that may pose a threat to a particular resource or function

evaluates and discusses the likelihood of a threat being realised

determines the potential of a threat to actually cause harm

Risk exposure is:

a measure of how open a resource is to harm, or

the potential of a resource to attract harm