
Governance of Security System

Establish and maintain the right governance


Establish and maintain a governance structure to ensure successful leadership and oversight of protective security risk. Appoint the following members of the senior team:

  • Chief Security Officer (CSO), responsible for overall protective security policy and oversight of protective security practices.
  • Chief Information Security Officer (CISO), responsible for information security.

Adopt a risk management approach, in accordance with the PSARA Guidelines for the respective states, that covers all areas of protective security across your organization. Develop and maintain security policies and plans that meet your organization’s specific business needs, addressing security requirements in the governance, information, personnel and physical areas.

Maintain a business continuity management program to enable your organization’s critical functions to operate at the highest capacity during a disruption. Plan for the continuation of the resources that support your critical functions.

Provide regular information, security awareness training, and support to everyone in your organization. This will help them to meet the Protective Security Requirements and adhere to your organization’s security policies.

Identify and manage risks to personnel, data, and resources prior to engaging with potential supply chain partners.

Identify, report, respond to, investigate, and recover from security incidents promptly. Take the necessary corrective action as and when required.

Be able to respond to increased threat levels


Develop plans and be prepared to implement heightened security levels in emergencies or situations that pose an increased threat to your personnel, data, or assets.

Conduct an evidence-based assessment annually to ensure your organization’s security complies with necessary standards. Review policies and plans every two years, or sooner if the threat or operational environment shifts.