Enterprise Protective Security

The Australian security landscape is dynamic and continues to evolve rapidly. Contemporary threats, increasing regulatory obligations, and heightened public and media scrutiny mean even minor security failures can have significant operational, reputational, and commercial consequences.

In this environment, it is critical organisations have fit-for-purpose protective security structures, systems, and governance in place. These arrangements must enable organisations to calibrate their security posture to their risk tolerance, operating context and evolving threat environment, while meeting their obligations under the Commonwealth Directive on the Security of Government Business, Protective Security Policy Framework (PSPF), and other relevant legislation and policy. There is no one-size-fits-all approach to protective security. Effective security settings must be proportionate, defensible, and tailored to the organisation’s objectives, assets, and available resources.

Providence Consulting’s trusted advisers provide evidence-based enterprise protective security advice across the full security lifecycle. We support organisations to identify, assess, and manage security risks, strengthen governance and assurance, build internal capability, and confidently meet compliance requirements under the PSPF, the Security of Critical Infrastructure Act and associated rules. Our experts bring deep practical experience and a thorough understanding of relevant security legislation, policies, and standards, enabling organisations to protect critical assets, support decision-making at executive and board level, and maintain resilience in an increasingly complex security environment.

OUR
SERVICES

Enterprise Security Risk, Governance and Systems

A formal, enterprise-level approach to protective security contributes directly to organisational capability, reputation, and long-term operational viability. To be effective, security governance processes and controls must be aligned to organisational objectives, risk appetite, and operating context, rather than applied in isolation.

Providence supports boards, executives, and risk sub-committees to establish confidence that security risks are being identified, managed, and reported in a defensible and effective way. Our approach embeds protective security governance within broader organisational risk and decision-making frameworks.

Our enterprise security risk, governance and systems services include:

Establishing enterprise-level security risk assessment frameworks
Conducting enterprise and organisation-wide security risk assessments
Supporting board and executive security risk briefings and governance activity
Defining security risk appetite and tolerance in organisational context
Aligning delegations, reporting structures, and dashboards to enable clear oversight
Assessing the effectiveness of existing security governance arrangements
Developing security management systems aligned to organisational risk settings
Integrating security assessment and reporting into broader organisational risk systems
Identifying a single, accountable board-level owner of security risk
Reviewing security maturity, control effectiveness, and mitigation arrangement.

This approach delivers clear accountability, stronger risk confidence and well-informed executive and board decision-making

Security Assurance

Security assurance is essential to maintaining ongoing organisational capability, reputation, and resilience. It requires confidence that threats are understood, risks are managed proportionately, and assurance activities provide meaningful visibility across the workforce, supply chain, and operating environment.

Providence supports organisations to strengthen confidence in their protective security arrangements through a coordinated, risk-based approach that focuses on people and security controls, and assures alignment with policy requirements.

Our security risk assurance services include:

Establishing and reviewing end-to-end security assurance frameworks
Conducting security risk assessments focused on human-based threat vectors
Enabling supply chain security and resilience across third-party providers
Assessing security risks arising from foreign threats, opportunistic criminals, insiders, organised crime, transnational groups, extremist ideologies and issue-motivated actors
Evaluating security risks across supply chain activities, including exporters, customs brokerage, freight forwarding, logistics, warehousing, and on-forwarding
Supporting compliance with the SOCI Risk Management Program Rules and related regulatory requirements

Workforce assurance and insider threat management services include:

Establishing proportionate, risk-based insider threat and workforce assurance programs
Introducing in-house vetting and ongoing suitability assessment capability
Matching pre-employment checks to organisational risk profiles and critical roles
Managing ongoing suitability of trusted and sensitive positions
Introducing early detection and response mechanisms to minimise impact
Strengthening security culture while supporting wellbeing, performance and retention

Our services provide organisations with clear visibility of their security posture, credible evidence to support executive and board decision-making, and the ability to adapt to evolving risk.

Technical Assessment and Advisory

Organisations operate within a complex framework of Commonwealth and state security legislation, policies, and technical security standards. These requirements affect facility security, personnel, threat management, information and data protection, delivery of events and conduct of operations.

Providence provides technical protective security assessment and advisory services grounded in a deep understanding of regulatory requirements and operational practicalities. Our work applies recognised security risk assessment methodologies to support decisions that are defensible, proportionate, and aligned to organisational objectives.

Our technical assessment and advisory services include:

Identification and assessment of threats, vulnerabilities, and security risk exposure
Enterprise and organisational protective security risk assessments
Development of tailored protective security risk management strategies and frameworks
Event and operational security risk assessments for conferences, public events, trials, and VIP engagements
Desktop and on-site threat and vulnerability assessments of venues, sites, and operations
Development of proportionate mitigation strategies aligned to the PSPF and other policies. E.g. DSPF, SOCI and RMP
Emergency response and preparedness planning for protest, disruption or heightened threat environments
Review and assessment of sensitive facilities, including Security Zones up to Zone 4
Physical and technical security assessments aligned to PSPF requirements and ASIO Technical Notes
Security risk-informed design advice for buildings, precincts, SCIFs, and secure facilities
Support to develop defensible business cases for security investment and remediation

This capability enables organisations to manage complex security risks across environments, activities and infrastructure while maintaining compliance, operational effectiveness and resilience.

Training and Awareness

Security practitioners and the decision-makers who rely on their advice must keep pace with changes in risk-based protective security practice. This applies equally to dedicated security roles and to leaders responsible for governance, assurance, and resourcing decisions.

Providence supports organisations in building and sustaining practical protective security capability through targeted training and awareness programs. Our approach focuses on equipping people to understand risk, apply security judgement, and provide detailed security advice in a logical and defensible manner.

Our training and awareness services include:

Onboarding and initial training for organisational security staff
Legislative, policy, and regulatory awareness aligned with protective security requirements
Understanding and integrating the protective security domains of Governance, Personnel (PERSEC), Information (INFOSEC), Cyber, and Physical (PHYSEC), to support a cohesive, risk-based security posture
Foundations of security risk assessment, analysis, and management
Practical application of risk-based and compliance-based security approaches
Threat, vulnerability, and risk assessment in organisational context
In-house training for Security Officers and Regional Security Advisors or equivalent
Security zone certification, certification planning, and delivery support
Development of templates, tools, and security assessment methods
Mentoring and practical, ‘on-the-job’ capability uplift
Trusted trader and protected pathway security training programs
Supply chain security awareness and assurance training

Our training enables participants to understand security threat actors, security risk events and the practical methods required to assess and treat risk. This builds confident, independent and defensible security decision-making capability across the organisation.

Construction Security Assurance

Major construction and infrastructure projects introduce unique security risks that span design, delivery, certification, accreditation, and transition into operations. Traditional construction security services often focus narrowly on technical design compliance or contractor responsibilities, and don’t consider the broader acceptance and integration of these new capabilities that the construction project provides into the organisation.

Providence provides end-to-end construction security advice and assurance, supporting clients to embed protective security by design throughout the construction lifecycle. Our approach ensures security design intent is maintained, certification requirements are met, and security risks are managed proportionately from project inception through to occupation and operational handover.

Our construction security services support:

Construction security assurance and governance
Pre-design and detailed design security risk assessment (Construction Security Risk Assessments)
Construction Security Management Plans
Security design advice and functional requirement specification aligned to PSPF and ASIO technical requirements
Construction phase security risk management and assurance
Security certification and commissioning support
Transition planning and readiness for operational environments
Security accreditation residual risk assessment
Security governance across complex, multi-party projects

This capability draws directly on Providence’s enterprise protective security expertise, enabling clients, delivery partners and asset owners to manage risk, minimise rework and achieve secure, certifiable outcomes.

OUR ENTERPRISE PROTECTIVE SECURITY ADVICE IS CONSISTENT WITH:

Commonwealth Protective Security Policy Framework and Guidelines (2025 Release)
Information Security Manual
Emanation Security Manual
Defence Security Principles Framework
Defence Industry Security Program
Australian Government Investigation Standards
Security of Critical Infrastructure Act 2018
Security of Critical Infrastructure (Critical infrastructure risk management program) Rules 2023
Aviation Transport Security Act 2004
Aviation Transport Security Regulations 2005
Maritime Transport and Offshore Facilities Security Act 2003
Maritime Transport and Offshore Facilities Security Regulations 2003

HB 167:2025 Security Risk Management
AS ISO 31000:2018 Risk management – Guidelines
ISO 22316:2017 Security and resilience – Organizational resilience – Principles and attributes
AS 4811:2022 Workforce screening
AS 8001:2021 Fraud and corruption control
AS ISO 15489.1 Information and documentation
ISO 28000:2022 Security and resilience – Security management systems – Requirements
ISO 28001:2007 Security management systems for the supply chain.
ISO 28002:2011 Security management systems for the supply chain – Development of resilience in the supply chain.
ISO/IEC 27036-2:2022 Cybersecurity – Supplier relationships.
AS ISO 22301:2020 Business continuity management systems–requirements
Security Equipment Evaluated Product List and ASIO Tech Notes

Projects we have worked on

Home Affairs - Security Uplift

The Department of Home Affairs required uplift of its enterprise protective security capability to address gaps in policy, frameworks and risk visibility. Providence embedded a team of security advisers to design and implement foundational artefacts, including the Agency Security Plan, Security Risk Management Framework and supporting policies, while conducting site‑level risk assessments and engaging extensively with stakeholders to validate risk profiles. This work standardised how security risks are identified, assessed and managed across the Department, strengthened workforce capability through training and engagement, and provided the Chief Security Officer with a clear view of the Department’s security risk posture. The resulting prioritised program of security improvements enabled more effective allocation of resources and enhanced enterprise‑wide security resilience.

Australian Electoral Commission - Protective Security Governance

The Australian Electoral Commission engaged Providence to modernise its protective security capability in line with the Protective Security Policy Framework and relevant ASIO guidance. Providence conducted comprehensive physical security assessments across all office locations and developed a standardised framework to assess and compare security risk profiles across the estate. Providence designed key governance artefacts, including an Agency Security Plan, Security Risk Management Framework, and structured mechanisms to adjust security posture in response to changing risk environments. This work strengthened the AEC’s ability to manage, report and prioritise protective security risks, and established a consistent, repeatable approach to assessing security maturity across the organisation.

Australian Electoral Commission - Major Event Security

The AEC required assurance that its national operations were secure and resilient in the lead up to and during a Federal Election, with risks heightened by the scale, geographic spread, and surge workforce associated with election delivery. Providence conducted a national security risk assessment across AEC operations, including specific assessment activities to support the election period. Providence’s analysis and recommendations enabled the AEC to strengthen its security posture ahead of and during the election, implementing targeted event security enhancements that mitigated previously intolerable risks and improved readiness across polling activities

Defence - Security Training and Capability Development

Defence engaged Providence to design and deliver bespoke security training programs tailored to the needs of multiple groups, including DSA SYINT, CIOG, Defence Signals, Estate and Infrastructure Group, and DS&VS SyOps. Each course was developed through targeted engagement to align with specific learning objectives and delivered through practical, scenario‑based training supported by tailored materials, including instructional content, exercises and assessments. The training strengthened participants’ ability to apply security risk concepts in operational contexts, accommodating a wide range of experience levels. Providence’s practical, application‑focused approach and engaging delivery model resulted in consistently positive feedback and improved workforce capability across participating organisations.

Defence Base Security Improvement Program

Following a major security incident, Defence engaged Providence to support the implementation of the Base Security Improvement Program (BSIP) across its estate. Providence deployed a multidisciplinary team to conduct security risk assessments across 88 Defence sites and develop tailored security treatments spanning physical and electronic controls, workforce training, and planning improvements. Providence worked closely with stakeholders to cost and prioritise solutions, define functional requirements, and prepare procurement specifications, culminating in the development of an Acquisition Strategy for the Base Infrastructure Works Program. These efforts enabled the effective delivery of BSIP, strengthened Defence’s security posture, and established a scalable approach to future security planning.

Central Adelaide Local Health Network - Risk Management

Central Adelaide Local Health Network engaged Providence to establish a baseline Critical Infrastructure Risk Management Program across the Royal Adelaide and Queen Elizabeth hospitals, supporting compliance with the SOCI Act and CIRMP Rules. Providence conducted a structured discovery process, including workshops, document review and site assessments, to identify key risks, governance arrangements and interdependencies. This work provided CALHN with a clear baseline of CIRMP compliance and a structured, risk‑based pathway to meet legislative requirements. The engagement strengthened governance, reduced operational risk, and improved infrastructure resilience, while supporting more informed and coordinated security risk management across the hospital network.

Remote High Security Facility - Security Assessments

Providence conducted multiple security assessments at a remote high security Defence facility, evaluating the alignment of existing security measures against a complex operational and threat environment. Operating in a tightly controlled setting with significant diplomatic sensitivities and international partner involvement, the work required careful and measured stakeholder engagement to enable access to information while maintaining trust. Through a deliberate and respectful engagement approach, Providence achieved the objectives of each assessment without disrupting site operations or relationships. The work ensured that risks were clearly identified and understood, with stakeholders engaged throughout and supportive of the findings and outcomes.

Royal Australian Mint - Physical Security Review

The Royal Australian Mint engaged Providence to undertake a Physical Security Review to identify and mitigate risks associated with the unauthorised removal of mint products. Providence assessed physical security controls, procedures and vulnerabilities through stakeholder engagement, site inspections and policy review, with a focus on potential exfiltration pathways within the Production Secure Zone. Providence delivered a comprehensive set of practical recommendations to strengthen layered security controls and reduce insider risk. The work enabled RAMINT to enhance its security posture and establish a more robust approach to managing physical security risks, with the engagement rated 5/5 by the Head of Security.

Australian Border Force - Security Training and Capability Uplift

The Australian Border Force engaged Providence to develop a training and capability uplift program for officers delivering the Australian Trusted Trader Programme. Providence designed and delivered a tailored training continuum aligned to legislative requirements and risk‑based security principles, supported by over 40 security assessments of commercial entities and targeted mentoring for personnel. This work strengthened officers’ ability to conduct consistent, risk‑based security evaluations and established a sustainable internal capability. It also supported the ongoing delivery of the ATT Programme, enabling the ABF to conduct large‑scale assurance activities with greater confidence and effectiveness.

Australian National University - Security Capability Uplift

The Australian National University engaged Providence to strengthen its security risk management capability in a complex operating environment supporting staff, students and visitors. Providence worked with ANU to uplift internal practices, focusing on security risk registers, incident management processes, and the establishment of on‑call response arrangements. Providence translated Commonwealth protective security principles into a higher education context, ensuring they were practical and fit‑for‑purpose. This work strengthened ANU’s ability to manage security risks in a coordinated and consistent manner, improving organisational readiness and supporting more effective response to security incidents.

Therapeutic Goods Administration - Security Advisory

The TGA required security advice to support a high‑risk regulatory environment, including coordination across multiple stakeholders, variable security maturity, and complex end‑to‑end handling of sensitive and seized goods. This created pressure to ensure consistent, defensible security decisions while maintaining operational continuity across geographically dispersed sites and partners. Providence supported the taskforce by providing structured, evidence‑based security advice, identifying vulnerabilities and risks across the operating model, and enabling consistent decision making aligned to Commonwealth security frameworks. This strengthened governance, improved visibility of systemic risks, and supported more coordinated and defensible security outcomes across the program.