Question
Please read below and complete the task assignment.
GUIDING PRINCIPLES for Aspects of Security
The principles outlined in the following table propose a baseline (minimum) standard at the broad operational, technical, and user levels. Organizations should assess security risks based on the nature of their business and on the information in their care, and the principles should be applied as required to protect their assets and ensure organizational resilience.
Principle 1 - Commitment
The primary principle is management leadership and commitment. It is critical to have the leadership and commitment of management because they drive the process of integrating security, safety, and risk cultures into the core business.
In providing leadership, senior management must commit to Security Risk Management and ensure that adequate human and financial resources are allocated. This will enable implementation and integration of Security Risk Management with other management systems. Senior management must also be willing to participate in an initial review of the organization's current position, as well as be involved in subsequent reviews. This will provide a clear picture of performance over time, including:
- Hot spots or business units that have higher numbers of security-related incidents
- Security and safety trends
- The effectiveness of methods used for risk assessment/control
- The identification of gaps in the system
- Overall compliance with legislative, regulatory, and operational requirements
Principle 2 - Organization-wide Security and Risk Policies
Senior management should provide clear directions regarding the importance of security and risk management within their organization in the form of a commitment statement and security policy.
As part of this process, organizations should define and publish a set of clear guidelines for the classification of sensitive assets held, handled, created, or received according to sensitivity, confidentiality, and business importance based on their legislative, regulatory, and contractual obligations. To maintain a suitable level of protection for assets, organizations should identify and document major assets and processes, and they should assign responsibilities for the maintenance of their security.
Policies should be reviewed and evaluated in line with changes to environmental context, business processes, or security risks. These should then be communicated as appropriate to all staff, contractors, suppliers, and customers.
Policies should consist of a hierarchy of documents that express how the Security Risk Management system links with legislative and corporate objectives, assigned responsibilities, methodologies and guidelines/standards, as well as the organization's commitment to continuous improvement.
Principle 3 - Link Strategy, Planning, and Delivery
Organizations should outline how the policies and commitments are going to be met.
For example:
- Communicating the agency's requirements
- Undertaking security and SRM system training
- Completing annual security risk assessments to determine budget requirements
- Monitoring and using threat assessments and intelligence received to define and update risk profiles
- Undertaking security incident reporting and analysis
- Allocating resources and providing requisite physical assets to mitigate risk to the as low as reasonably practicable (ALARP) level
- Undertaking subsequent security risk reviews based on risk profiles
- Benchmarking findings to measure effectiveness
- Reporting back to management on findings and the need to make adjustments
Ultimately, strategy in this context provides the nexus between what senior management requires to be done and how the different operational business units intend to carry it out.
All levels of staff will need to be made aware of security and safety risks. It is of paramount importance, therefore, that information about security risk is readily available so that management and staff can take responsibility for managing security risks. This means that training, education, and security awareness briefings should form a central part of all planning. Additionally, business unit managers will need to integrate their SRM activities with related elements of other corporate governance arrangements, including:
- Business continuity planning
- Emergency and crisis management
- Broader risk management systems
As part of planning for implementations, business managers will be required to map out and formally document:
- Details of their priorities, objectives, targets, and performance indicators
- Financial and human resources allocated to assist in achieving these objectives, including the allocation of responsibilities
- Communication mechanisms for informing staff of the implementation of, or improvements to, the management system
- Particulars of security or safety audit procedures currently in place, or to be implemented, in core business activities
- Activities necessary to bring the business unit to full compliance with all relevant legislation and policies
- The procedures that will allow for the regular monitoring and evaluation of the system
Principle 4 - Establish and Manage to an Agreed Risk Threshold
Regardless of the business unit's functions or security concerns, the central messages surrounding Security Risk Management remain the same:
- Do not accept unnecessary risk. Unnecessary risk comes without a commensurate return in benefits or opportunities. The most logical options for accomplishing tasks are those that meet all business requirements with the least risk. Notwithstanding the acceptable risk threshold that may be appropriate for a task, risks should be treated wherever possible so that the residual risks are judged to be ALARP. The basis for the ALARP judgment is that the risk should be treated to the point where the cost of further treatment is excessive compared with the resulting reduction in risk, no further treatment is possible, or the risk is negligible. Options to mitigate the consequence of a risk are to be adopted wherever this can be reasonably achieved with the resources available.
- Accept risk only when the benefits outweigh the cost. Risk is judged to be tolerable if the importance and benefits of the task for the organization are of such magnitude that acceptance of the risks associated with the task is justified. Risks are therefore tolerated in the conduct of the activity, with the intent to reduce the risk to a negligible level if and when this becomes practicable.
- Make risk decisions at the appropriate level. A fundamental principle of the management system is that those accountable for the success or failure of the task must be included in the risk evaluation and decision process. However, they are required to elevate decisions to the next level in the chain of command where it is determined that the available risk treatment options, in the immediate operational context, will not reduce the residual risk to an acceptable level.
Principle 5 - People Security
People are both the strongest and the weakest links in Security Risk Management.
Organizations should minimize the risk of loss or misuse of assets by ensuring that security controls are incorporated into recruitment, supervision, and separation processes for all staff, contractors, suppliers, customers, and other individuals that may be able to access organizational assets.
Ongoing security awareness should be incorporated into organizational training programs to communicate responsibilities and disciplinary processes regarding the appropriate use of corporate information and systems.
________________________________________________________
Task: Regarding the following Principle, write one paragraph in your own words where you will simply describe in 3 sentences how YOU perceive this principle as SIGNIFICANT, i.e., it deals with PEOPLE.