2015 Australian Safe & Secure Hospitals Conference. Peter Butler. Senior Manager Protective Security & Agency Security Adviser (ASA). ACT Health. Challenges to implementing a Protective Security Framework into a Health environment. The ACT Health journey.


Commonwealth Protective Security Policy Framework?

The Protective Security Policy Framework (PSPF) provides the appropriate controls for the Australian Government to protect its people, information and assets, at home and overseas (Commonwealth Attorney-General's Department). http://www.protectivesecurity.gov.au/Pages/default.aspx

HISTORY: The PSPF is the framework under which the Commonwealth Government has been operating since 2008. At a recent Commonwealth Heads of Government Meeting (CHOGM), all state premiers and territorial heads of government agreed to adopt and implement the PSPF principles over the next ten-year period. Each jurisdiction will develop a version of the PSPF to meet its business needs.

What is Protective Security?

Protective Security is the various components or streams of security that collectively band together through a framework to adopt a formalised structure in order to manage government security, based on a risk management approach.

The ACT Government PSPF model has been modelled on the Commonwealth model, adopting 23 of the 33 mandatory components which are grouped into four categories:

1. Governance Security
2. Physical Security
3. Personnel Security
4. Information Security

Simply, the Protective Security Policy Framework can be compared to a whole-of-government set of standards for security to ensure that all government agencies and authorities apply a consistent approach to the way in which agency security is implemented and managed.

What is PSPF (cont.)

By adopting this approach governments can implement, manage, risk assess and compliance audit security principles and governance consistently across their jurisdictions.

ACT Government PSPF Model.

Application of PSPF in a Hospital Healthcare environment.

ACT Health, as an agency of the ACT Government, is in the process of developing and implementing a Protective Security Policy Framework aligned to the ACT whole-of-government model.

When fully implemented, ACT Health's PSPF will be the over-arching Protective Security Policy, Protective Security S.O.P.s and governance framework for all of the agency's protective security requirements.

ACT Health PSPF

• The application of Protective Security principles is always based on a risk management approach to assessing security requirements against identified risks and vulnerabilities throughout the health facility.

• The ACT Health Protective Security Policy is the over-arching document linking the four streams of security mentioned in the previous slides and is the foundation of security principles/guidelines for the organisation to manage, risk assess and compliance audit against all aspects of the organisation's security requirements.

• Protective Security principles must be considered in the design and development stages of all new build projects, facility upgrades, fit-outs and redesigns.

ACT Health PSPF.

The ACT Health PSPF is made up of a structured governance framework that collectively guides the management of all security requirements and capabilities.

1. Governance (GOVSEC).

• Agency Security Plan

• Business Continuity Plans (BCPs)

• Fraud Control Plans

• Emergency Management Framework

• Risk Management Framework

• Security Investigations Framework.

• Security Audit Framework. Annual Reports.

• Enterprise Security Risk Assessment

ACT Health PSPF (cont.)

2. Physical Security (PHYSEC).

• Security guarding services

• Access control systems

• Intruder alarm systems

• Alarm monitoring & alarm response

• Mobile vehicle patrols

• CCTV surveillance systems

• Radiation security plans & response

• Biological security plans & response.

• Code responses (Black, grey etc.).

ACT Health PSPF (cont.)

3. Information Security (INFOSEC).

• IT security, systems & networks.

• Information security: medical records, patient files, research data, cabinet files.

• Clear desk policy: securing confidential files etc., not leaving them out on desks or in public view.

• Appropriate storage facilities for private/confidential files & material.

• Classification of files: Confidential, Classified, Protected

• Workforce education regarding leaving confidential documents on photocopiers, printers etc.

• Working away from office & mobile data devices

• Appropriate destruction of files & documents

ACT Health PSPF (cont.)

4. Personnel Security (PERSEC).

• Pre-employment screening (Police, AFP, Crimtrac).

• Position specific security checks (AFP, ASIO etc).

• Commonwealth Security clearances, AGSVA etc.

• Security investigations

Developing a risk management approach to security and understanding the organisation's risk profile and vulnerabilities.

• ACT Health, consistent with all other ACT Directorates, is required to adopt a risk management approach to all protective security activities across the organisation.

• A risk management framework has been implemented in accordance with the Australian Standards for Risk Management AS/NZS ISO31000 & the Australian Standards HB167 risk management.

• To understand our organisation's risk profile and vulnerabilities, we conducted an Enterprise Security Risk Assessment (ESRA). This review identified 13 enterprise-wide security risks and made 9 major recommendations from a protective security perspective to mitigate organisational risks.

• Some of the recommendations involved security measures pertaining to:

  • Biological security
  • Radiation security
  • Physical security
  • Personnel security

Developing a risk management approach (cont.)

RISKS!!

• The greatest enterprise risk to ACT Health is incidents of occupational violence and aggression against clinical staff, which were rated as high to bordering on extreme.

• The second greatest risk to ACT Health was the under-reporting and down-playing of occupational violence and aggression amongst clinical staff.

• The review identified that clinical staff view security risks and incidents of patient violence as an inherent part of their normal duties and were therefore reluctant to report, or were oblivious to the need to report, such incidents. This lack of reporting was identified as the major contributor to a 'poor' security culture.

Strategies to address OV reporting.

• Staff awareness training.

• In-service training to clinical staff.

• Pre-planned security presence for difficult and known volatile consumers.

• Patient management plans for volatile inpatients.

• Workplace Protection Orders against volatile & aggressive consumers.

• Refer to police for criminal charges.

RISKS!! (cont.)

Security expertise & management structure.

The framework adopted by the ACT Government outlines five key and mandatory layers of responsibility within its structure. Each agency or authority must have the following layers of accountabilities & expertise:

1. An Executive Security Committee. Accountable for the governance and collective security management and review of the agency's security operations.

2. An Agency Security Executive (ASE). Responsible for the executive management and financial allocations of security budgets and expenditure.

3. An Agency Security Advisor (ASA). Responsible for providing strategic security advice to the ASE and Director General on all Protective Security matters and overseeing all security-related matters across the agency. Must be an appropriately experienced and qualified security professional in Security Operations & Risk Management.

4. An Agency Security Officer (ASO). Responsible for the day-to-day management of security operations and assists the ASE as required.

5. Information Technology Security Advisor (ITSA). An appropriately qualified and experienced IT security manager to oversee the agency's IT platforms and IT security requirements.

Security expertise & management structure (cont.)

Organisational Support.

• CEO or Director General acknowledgement.

• Buy-in from major stakeholders: HR, Fraud, Audit, ICT etc.

• PSPF sponsor: The Agency Security Executive.

• Compliance audits.

• Support from business unit executives.

Workforce Education.

ACT Health have utilised a number of workplace strategies to promote security education and awareness:

• E-learning modules.

• Induction presentations.

• In-service training presentations.

• Intranet security site

• Awareness posters

• Security awareness workshops.

• Security newsletters.

Reinforcing security awareness and occupational violence prevention and reporting.

• Educating clinical staff on what constitutes a security incident.

• Educating clinical staff on how to report a security incident.

• Making clinical staff aware that verbal abuse and physical assaults are NOT part of their job description and will not be tolerated.

• Emphasising to clinical staff the importance of reporting matters to security and Police to help develop risk profiles on violent consumers.

Reinforcing security awareness (cont.)

• Building relationships with local police to work collaboratively to reduce and mitigate OV.

• Security services to encourage and support clinical staff when providing statements to police for investigation etc.

• Continuing to deliver protective security awareness training.

• Making protective security part of your everyday business.

• Demonstrating how protective security value-adds to the clinical business.

QUESTIONS?????