Modification History
Release | TP Version | Comments
3 | PSP12V1 | Unit descriptor edited.
2 | PSP04V4.2. | Layout adjusted. No changes to content.
1 | PSP04V4.1 | Primary release.
Unit Descriptor
This unit covers assessment of government security risks. It includes establishing the risk context, gathering and analysing information, identifying and analysing risks, and assessing and prioritising risks to underpin development of a security plan, which is covered in unit PSPSEC502A Develop security risk management plans.
In practice, assessment of security risks may overlap with other generalist or specialist public sector work activities such as acting ethically, promoting compliance with legislation, developing client services, undertaking research and analysis.
No licensing, legislative, regulatory or certification requirements apply to this unit at the time of endorsement.
Application of the Unit
Not applicable.
Licensing/Regulatory Information
Not applicable.
Pre-Requisites
Not applicable.
Employability Skills Information
This unit contains employability skills.
Elements and Performance Criteria Pre-Content
Elements are the essential outcomes of the unit of competency.
Together, performance criteria specify the requirements for competent performance. Text in bold italics is explained in the Range Statement following.
Elements and Performance Criteria
ELEMENT | PERFORMANCE CRITERIA
1. Establish security risk context
1.1 The scope of the risk assessment and its strategic and organisational context are identified in accordance with organisational requirements.
1.2 Legislation, policies, procedures and guidelines related to security risk management are identified and complied with.
1.3 Stakeholders are identified and their expectations and input are obtained in accordance with organisational policy and procedures.
1.4 Security risk criteria are identified in accordance with the organisation's security policy, jurisdictional policies and legislation.
1.5 A risk assessment plan is developed in accordance with organisational priorities, and endorsement is obtained.
2. Gather and analyse information
2.1 Sources of information are identified and information is gathered in accordance with organisational policy and procedures.
2.2 Internal information including historical information is reviewed.
2.3 New information from internal/external sources is aggregated.
2.4 Information is contextualised to the organisational context.
2.5 Gaps in information are identified and addressed.
3. Identify security risks
3.1 Sources of threat to the organisation's resources and functions are identified, and threats/potential threats are determined in accordance with organisational policy and procedures.
3.2 Threat assessment is conducted against organisational policies, procedures and guidelines.
3.3 Access to, availability of and procedures relating to resources/areas are analysed to determine risk exposure.
3.4 Risks are assessed using risk assessment techniques to suit the type and level of risk in accordance with organisational policy and procedures.
3.5 Risk potential is determined and risks are documented in accordance with organisational requirements.
4. Analyse security risks
4.1 Potential consequences of risks/threats are analysed in light of potential damage to agency, including critical lead time for recovery.
4.2 Analysis techniques are used in accordance with organisational policy and procedures.
4.3 Intent, capability and opportunity for each risk/threat to occur are assessed.
4.4 Using all known information, likelihood of risks/threats occurring is assessed.
4.5 Current security countermeasures/treatment options are analysed to determine areas of vulnerability.
4.6 Risk ratings are determined and documented in agreed format using all known information.
5. Assess and prioritise security risks
5.1 Stakeholders are consulted about acceptable/unacceptable risk levels.
5.2 Acceptable/unacceptable levels of risk are documented.
5.3 Identified risks are compared with security risk criteria to determine whether they are acceptable/unacceptable.
5.4 Identified risks are prioritised in accordance with security criteria.
5.5 Risks are documented in priority order in accordance with organisational policies, procedures and guidelines.
5.6 Residual risks are determined and documented in accordance with organisational policies, procedures and guidelines.
Required Skills and Knowledge
This section describes the essential skills and knowledge and their level, required for this unit.
Skill requirements
Look for evidence that confirms skills in:
Knowledge requirements
Look for evidence that confirms knowledge and understanding of:
Evidence Guide
The Evidence Guide specifies the evidence required to demonstrate achievement in the unit of competency as a whole. It must be read in conjunction with the Unit descriptor, Performance Criteria, the Range Statement and the Assessment Guidelines for the Public Sector Training Package.
Units to be assessed together
Overview of evidence requirements
In addition to integrated demonstration of the elements and their related performance criteria, look for evidence that confirms:
Resources required to carry out assessment
These resources include:
Where and how to assess evidence
Valid assessment of this unit requires:
Assessment methods should reflect workplace demands, such as literacy, and the needs of particular groups, such as:
Assessment methods suitable for valid and reliable assessment of this competency may include, but are not limited to, a combination of 2 or more of:
For consistency of assessment
Evidence must be gathered over time in a range of contexts to ensure the person can achieve the unit outcome and apply the competency in different situations or environments.
Range Statement
The Range Statement provides information about the context in which the unit of competency is carried out. The variables cater for differences between States and Territories and the Commonwealth, and between organisations and workplaces. They allow for different work requirements, work practices and knowledge. The Range Statement also provides a focus for assessment. It relates to the unit as a whole. Text in bold italics in the Performance Criteria is explained here.
Strategic context may include:
Organisational context may include:
Legislation, policies, procedures and guidelines may include:
Stakeholders may include:
Security risk criteria may concern:
Jurisdictional policies and legislation relating to risk criteria cover:
Risk assessment plan will include:
Information may be:
Sources of threat may include:
Resources may be:
Threats/potential threats may be:
Threat assessment:
Risk exposure is:
Risk assessment techniques may include:
Consequences may include:
Critical lead time for recovery is
Likelihood of risk may be determined through analysis of:
Risk ratings may include:
Format for risk documentation may include:
Acceptable risks are:
Unacceptable risks are:
Residual risks are:
Unit Sector(s)
Not applicable.
Competency field
Government Security Management.