NTISthis.com

Evidence Guide: PSPSEC011 - Assess security risks

Student: __________________________________________________

Signature: _________________________________________________

Tips for gathering evidence to demonstrate your skills

The important thing to remember when gathering evidence is that more evidence is better: the more evidence you gather to demonstrate your skills, the more confident an assessor can be that you have not just learned the skills at one point in time but are continuing to apply and develop them (as opposed to just learning for the test!). Furthermore, one piece of evidence will not usually demonstrate all the required criteria for a unit of competency, whereas multiple overlapping pieces of evidence usually will.

From the Wiki University

PSPSEC011 - Assess security risks

What evidence can you provide to prove your understanding of each of the following criteria?

Establish security risk context

  1. Identify the scope and strategic and organisational contexts of the risk assessment.
  2. Identify and comply with legislation, policies, procedures and guidelines related to security risk management.
  3. Identify stakeholders and their expectations and obtain their input.
  4. Identify security risk criteria.
  5. Develop and obtain endorsement for a risk assessment plan according to organisational priorities.

Identify the scope and strategic and organisational contexts of the risk assessment.

Completed
Date:

Teacher:
Evidence:

Identify and comply with legislation, policies, procedures and guidelines related to security risk management.

Completed
Date:

Teacher:
Evidence:

Identify stakeholders and their expectations and obtain their input.

Completed
Date:

Teacher:
Evidence:

Identify security risk criteria.

Completed
Date:

Teacher:
Evidence:

Develop and obtain endorsement for a risk assessment plan according to organisational priorities.

Completed
Date:

Teacher:
Evidence:

Gather and analyse information

  1. Identify sources and gather information.
  2. Review relevant internal and historical information.
  3. Aggregate and contextualise new information from internal and external sources.
  4. Identify and address information gaps.

Identify sources and gather information.

Completed
Date:

Teacher:
Evidence:

Review relevant internal and historical information.

Completed
Date:

Teacher:
Evidence:

Aggregate and contextualise new information from internal and external sources.

Completed
Date:

Teacher:
Evidence:

Identify and address information gaps.

Completed
Date:

Teacher:
Evidence:

Identify security risks

  1. Determine sources of threat to the organisation’s resources and functions.
  2. Conduct threat assessment against organisational policies, procedures and guidelines and determine risk exposure.
  3. Use risk assessment techniques which suit the type and level of risk.
  4. Determine and document risk potential.

Determine sources of threat to the organisation’s resources and functions.

Completed
Date:

Teacher:
Evidence:

Conduct threat assessment against organisational policies, procedures and guidelines and determine risk exposure.

Completed
Date:

Teacher:
Evidence:

Use risk assessment techniques which suit the type and level of risk.

Completed
Date:

Teacher:
Evidence:

Determine and document risk potential.

Completed
Date:

Teacher:
Evidence:

Analyse security risks

  1. Analyse potential consequences of risks or threats in light of potential damage to agency, including critical lead time for recovery.
  2. Assess intent, capability and opportunity for each risk or threat to occur, using all available information.
  3. Analyse current security countermeasures and treatment options to determine areas of vulnerability.
  4. Determine and document risk ratings in agreed format.

Analyse potential consequences of risks or threats in light of potential damage to agency, including critical lead time for recovery.

Completed
Date:

Teacher:
Evidence:

Assess intent, capability and opportunity for each risk or threat to occur, using all available information.

Completed
Date:

Teacher:
Evidence:

Analyse current security countermeasures and treatment options to determine areas of vulnerability.

Completed
Date:

Teacher:
Evidence:

Determine and document risk ratings in agreed format.

Completed
Date:

Teacher:
Evidence:

Assess and prioritise security risks

  1. Consult stakeholders regarding acceptable and unacceptable risk levels.
  2. Document acceptable and unacceptable levels of risk.
  3. Compare identified risks with security risk criteria to determine whether they are acceptable or unacceptable.
  4. Prioritise and document identified risks in accordance with security criteria.
  5. Document determined residual risks.

Consult stakeholders regarding acceptable and unacceptable risk levels.

Completed
Date:

Teacher:
Evidence:

Document acceptable and unacceptable levels of risk.

Completed
Date:

Teacher:
Evidence:

Compare identified risks with security risk criteria to determine whether they are acceptable or unacceptable.

Completed
Date:

Teacher:
Evidence:

Prioritise and document identified risks in accordance with security criteria.

Completed
Date:

Teacher:
Evidence:

Document determined residual risks.

Completed
Date:

Teacher:
Evidence:

Assessed

Teacher: ___________________________________ Date: _________

Signature: ________________________________________________

Comments:

Instructions to Assessors

Evidence Guide

ELEMENTS

PERFORMANCE CRITERIA

Elements describe the essential outcomes

Performance criteria describe the performance needed to demonstrate achievement of the element. Where bold italicised text is used, further information is detailed in the range of conditions section.

1. Establish security risk context

1.1 Identify the scope and strategic and organisational contexts of the risk assessment.

1.2 Identify and comply with legislation, policies, procedures and guidelines related to security risk management.

1.3 Identify stakeholders and their expectations and obtain their input.

1.4 Identify security risk criteria.

1.5 Develop and obtain endorsement for a risk assessment plan according to organisational priorities.

2. Gather and analyse information

2.1 Identify sources and gather information.

2.2 Review relevant internal and historical information.

2.3 Aggregate and contextualise new information from internal and external sources.

2.4 Identify and address information gaps.

3. Identify security risks

3.1 Determine sources of threat to the organisation’s resources and functions.

3.2 Conduct threat assessment against organisational policies, procedures and guidelines and determine risk exposure.

3.3 Use risk assessment techniques which suit the type and level of risk.

3.4 Determine and document risk potential.

4. Analyse security risks

4.1 Analyse potential consequences of risks or threats in light of potential damage to agency, including critical lead time for recovery.

4.2 Assess intent, capability and opportunity for each risk or threat to occur, using all available information.

4.3 Analyse current security countermeasures and treatment options to determine areas of vulnerability.

4.4 Determine and document risk ratings in agreed format.

5. Assess and prioritise security risks

5.1 Consult stakeholders regarding acceptable and unacceptable risk levels.

5.2 Document acceptable and unacceptable levels of risk.

5.3 Compare identified risks with security risk criteria to determine whether they are acceptable or unacceptable.

5.4 Prioritise and document identified risks in accordance with security criteria.

5.5 Document determined residual risks.

Required Skills and Knowledge

Evidence required to demonstrate competence must satisfy all of the requirements of the elements and performance criteria. If not otherwise specified, the candidate must demonstrate evidence of performance of the following on at least two occasions:

applying legislation, regulations and policies relating to security risk management

undertaking risk assessment

reading and analysing the complex information in standards and security plans

researching and analysing the operational environment and drawing accurate conclusions

applying critical analysis, evaluation and deductive reasoning

using problem solving and creative thinking in decision making

communicating with diverse stakeholders: interviewing, listening, questioning, paraphrasing, clarifying, summarising

writing reports requiring formal language and structure

using computer technology and modelling to gather and analyse information and prepare reports

representing numerical, graphical and statistical information in diverse formats

Operational knowledge of:

public service Acts

Crimes Act 1914 and Criminal Code 1985

Freedom of Information Act 1982

Privacy Act 1988

fraud control policy

protective security policy

Australian Government Information Security Manual (ISM)

Protective Security Policy Framework

Australian standards, quality assurance and certification requirements

Complex knowledge of:

risk assessment techniques/processes

information handling

qualitative and quantitative analysis techniques

incident reports and statistics

asset holdings and recording mechanisms

international treaties and protocols

cross-jurisdictional protocols

organisation’s strategic objectives

national strategic objectives

requirements of user groups