Elements and Performance Criteria
- Determine security risk.
  - Applicable provisions of legislative and organisational requirements, and relevant standards for assessment activities are identified and complied with.
  - Type and nature of security risks are determined based on an accurate and current assessment of the client's operating environment and core business operations.
  - Security risks are ranked in terms of degree of risk and linked to potentially suitable treatment options.
  - Degree of risk is determined by an assessment of current and valid data.
- Identify and assess treatment options.
  - Treatment options are identified and confirmed to be commensurate with the identified type, nature and cause of security risk.
  - Treatment options applied in a similar context are researched and assessed for effectiveness against documented and verifiable evidence.
  - Criteria for assessment of risks against treatment options are consistent with recognised industry practice and relevant standards.
  - Treatment options appropriate to the full range of potential security risks are selected and prioritised according to established criteria.
- Review and present findings.
  - A report outlining assessment findings and recommended treatment options is prepared and presented to relevant persons.
  - Analysis and recommendations are clear, coherent and consistent with terms of reference and supported by verifiable evidence.
  - Advice outlining possible consequences of not implementing recommended treatment options is included in the analysis.
  - Effective interpersonal techniques and presentation procedures are used to enhance understanding and acceptance of recommended treatment options.