Protective Security Roles & Responsibilities
Purpose
Use this guidance to plan and assign protective security responsibilities. It includes information about roles within your organisation and across government, as well as security policies.
Who This Information Is For
Chief Executives, Chief Security Officers, Security practitioners and contractors offering protective security advice should find this useful.
Security Policy at Your Organisation
Why Security Policy Matters
Protective security measures ensure the operational environment necessary for government business to be conducted safely and securely. Effective security management helps protect people, information and assets from risks.
Protective Security Principles
We must create and maintain an appropriate security environment that safeguards people and clients from foreseeable risks; enables the appropriate sharing of official information; prevents the compromise of confidentiality, integrity and availability of official information and assets; and ensures the delivery of essential business regardless of disruptions.
Security should be integrated into the agency’s culture, practices and operational plans and viewed as a business enabler. All managers should understand that risk management and good security practices are fundamental.
An effective security plan requires a systematic and coordinated approach. Knighthood will identify and assess the risk environment, then develop the security plan.
Security Policy Document
Knighthood will approve, promulgate and implement a security policy that sets out management’s approach to security and their commitment to it.
The policy must be based on a robust risk analysis, support agency operations and business continuity, be practical and cost-effective, and contain guidance on security roles and responsibilities; clear definitions of security processes; where necessary, more detailed guidance for individual sites, systems or services; definitions of responsibility for protectively marked material (digital or hard copy); and an ongoing user awareness and education programme.
Review and Evaluation
The policy must be reviewed after significant security incidents, the introduction of new vulnerabilities, or changes to the agency’s functions, structure or technical infrastructure.
The policy’s effectiveness should be measured by the nature, number and impact of recorded security incidents; the cost and impact of security controls; and user compliance.
Roles and Responsibilities
Knighthood will be responsible for all aspects of security. Knighthood ensures its capacity to function, the safeguarding of official resources and information held on trust, and the safety of employees and clients.
A security structure will be in place with clear roles and responsibilities.
Chief Security Officer
Knighthood will designate a senior person as the CSO, who is answerable to the CEO and has free access to them on security matters. In most cases, the CSO role will be part-time, additional to another existing role.
Responsibilities of the CSO include:
- Oversight of agency protective security, including:
  - Circulating and implementing policy
  - Providing guidance
  - Managing and reporting security incidents
  - Implementing a security awareness programme
  - Liaising with security agencies.
Depending on the assignment, the CSO may or may not hold operational responsibilities for corporate services such as HR or finance. Depending on customer size, risk profile, and the amount of protectively marked material and equipment, Knighthood may create a specialist protective security unit or appoint specialist security personnel.
Security Committees
A cross-functional Security Reference Group (SRG) or an existing Risk and Audit Committee will be convened to coordinate security controls. The committee will focus on:
- Agreeing security roles and responsibilities
- Integrating protective security into risk management
- Audit and assurance processes
- Agreeing methodologies and processes for security
- Assessing and coordinating the implementation of specific security controls
- Reviewing security incidents and recommending process improvements
- Supporting customer-wide security initiatives.