Modification History
Release | TP Version | Comments
3 | PSP12V1 | Unit descriptor edited.
2 | PSP04V4.2. | Layout adjusted. No changes to content.
1 | PSP04V4.1 | Primary release.
Unit Descriptor
This unit covers work at an operational level to analyse risk against the organisation's security plan. It includes establishing the security risk context; identifying, analysing and evaluating risk against the organisation's security plan; and compiling a security risk register. Depending on the size of the organisation, work may be in a discrete area such as information technology or across all areas within the organisation.
Implementation of risk treatment options and countermeasures is not included. This is covered in the unit PSPSEC402A Implement security risk treatments.
In practice, undertaking government security risk analysis may overlap with other generalist or specialist public sector work activities such as working ethically, complying with legislation, applying government processes, gathering and analysing information, and exercising regulatory powers.
No licensing, legislative, regulatory or certification requirements apply to this unit at the time of endorsement.
Application of the Unit
Not applicable.
Licensing/Regulatory Information
Not applicable.
Pre-Requisites
Not applicable.
Employability Skills Information
This unit contains employability skills.
Elements and Performance Criteria Pre-Content
Elements are the essential outcomes of the unit of competency. |
Together, performance criteria specify the requirements for competent performance. Text in bold italics is explained in the Range Statement following. |
Elements and Performance Criteria
ELEMENT | PERFORMANCE CRITERIA |
1. Establish security risk context |
1.1 Strategic and organisational contexts are confirmed in accordance with the organisation's security plan.
1.2 Stakeholders are identified and their expectations and input are gathered in accordance with legislation, policy and procedures.
1.3 Security risk criteria are identified from the security plan and confirmed as current and relevant.
1.4 Information and resources are obtained to conduct the risk analysis in accordance with organisational policy and procedures. |
2. Identify security risk |
2.1 Sources of security risk are identified and recorded in accordance with organisational policy and procedures.
2.2 Risks are identified using a specified methodology or tools in accordance with the security plan.
2.3 Sources of risk are identified from the perspective of all stakeholders.
2.4 Stakeholders are consulted during the risk identification process to finalise a list of risks. |
3. Analyse security risk |
3.1 Threat assessments, current exposure and current security arrangements are identified in accordance with the security plan to estimate the likelihood of each risk event occurring.
3.2 Potential consequences of each risk are determined in accordance with the security plan, including critical lead time for recovery.
3.3 Risk ratings are determined, documented and communicated in accordance with the security plan and organisational standards.
3.4 A rationale for each risk rating is included in accordance with organisational requirements. |
4. Evaluate security risk |
4.1 Risks are assessed against the organisation's security risk criteria.
4.2 Risks are prioritised for treatment in accordance with the security plan.
4.3 Risks are monitored in accordance with the security plan until treatment measures have been implemented. |
5. Compile security risk register |
5.1 A security risk register is developed that records identified risks, their nature and source.
5.2 The consequences and likelihood of risks, and the adequacy of existing controls are identified in the register.
5.3 Risk ratings are recorded for identified risks in accordance with organisational procedures.
5.4 The security risk register is compiled to meet organisational standards for content, format and presentation and reflects changes in circumstances.
5.5 Risk register is referred to management for decision on which risks will be accepted and which will require treatment. |
Required Skills and Knowledge
This section describes the essential skills and knowledge and their level, required for this unit. |
Skill requirements Look for evidence that confirms skills in:
|
Knowledge requirements Look for evidence that confirms knowledge and understanding of:
|
Evidence Guide
The Evidence Guide specifies the evidence required to demonstrate achievement in the unit of competency as a whole. It must be read in conjunction with the Unit descriptor, Performance Criteria, the Range Statement and the Assessment Guidelines for the Public Sector Training Package. |
|
Units to be assessed together |
|
Overview of evidence requirements |
In addition to integrated demonstration of the elements and their related performance criteria, look for evidence that confirms:
|
Resources required to carry out assessment |
These resources include:
|
Where and how to assess evidence |
Valid assessment of this unit requires:
Assessment methods should reflect workplace demands, such as literacy, and the needs of particular groups, such as:
Assessment methods suitable for valid and reliable assessment of this competency may include, but are not limited to, a combination of 2 or more of:
|
For consistency of assessment |
Evidence must be gathered over time in a range of contexts to ensure the person can achieve the unit outcome and apply the competency in different situations or environments. |
Range Statement
The Range Statement provides information about the context in which the unit of competency is carried out. The variables cater for differences between States and Territories and the Commonwealth, and between organisations and workplaces. They allow for different work requirements, work practices and knowledge. The Range Statement also provides a focus for assessment. It relates to the unit as a whole. Text in bold italics in the Performance Criteria is explained here. |
|
Strategic context may include: |
|
Organisational context may include: |
|
Stakeholders may include: |
|
Legislation, policy and procedures may include: |
|
Security risk criteria may concern: |
|
Risk may be to: |
|
Sources of security risk may include: |
|
Specified methodology or tools may be: |
|
Threat assessment: |
|
Threats may be: |
|
Risk exposure is: |
|
Likelihood of risk may be determined through analysis of: |
|
Consequences may include: |
|
Critical lead time for recovery is: |
|
Risk ratings may include: |
|
Security risk register may include: |
|
Unit Sector(s)
Not applicable.
Competency field
Government Security Management.