Cyber Security Capability Framework & Mapping of ISM Roles - agimo

AUSTRALIAN GOVERNMENT INFORMATION MANAGEMENT OFFICE

CYBER SECURITY CAPABILITY FRAMEWORK & MAPPING OF ISM ROLES

Final Report

Prepared by Dr Janet Tweedie & Dr Julie West

June 2010

Produced for AGIMO by Workplace Research Associates Pty Ltd 2010 Page 1


CONTENTS

Introduction and Background p3
Methodology (Part 1) p3
Cyber Security Capability Framework p7
Methodology (Part 2) p16
Mapped ISM Roles p17


Introduction and Background

In May 2010, Workplace Research Associates was engaged by the Australian Government Information Management Office (AGIMO) to assist in the mapping of Cyber Security Capabilities to the Australian Public Service Commission’s (APSC) ICT Capability Framework. Specifically, the aim of the project was to:

• Map and validate the Department of Defence’s Development and Competency Assessment Framework (DeCAF) competencies to the security capability areas defined in the Australian Public Service Commission’s ICT Capability Framework;
• Map and validate the DeCAF competencies to the Chief Information Security Officer, IT Security Manager and IT Security Officer roles defined in the Australian Government’s Information Security Manual (ISM).

This report presents the Cyber Security Capability Framework, which is the outcome of the first of the aims above, and the Mapped ISM Roles, which is the outcome of the second of the aims above.

Methodology

The methodology for the project included the following stages:

Part 1 – Mapping of the DeCAF to the ICT Capability Framework:
1. Initial meeting with AGIMO representatives to confirm the scope of the project and the documents to be mapped;
2. Review of the Department of Defence’s Development and Competency Assessment Framework (DeCAF) and the Australian Public Service Commission’s ICT Capability Framework;
3. Mapping of the DeCAF to the APSC’s ICT Capability Framework;
4. A workshop to validate the initial mapping process and initial draft of the Cyber Security Capability Framework;
5. Review and redrafting of the Framework in line with the results of the workshop.

Part 2 – Mapping of the ISM roles to the Cyber Security Capability Framework:
1. Mapping of the Chief Information Security Officer, IT Security Advisor, IT Security Manager and IT Security Officer roles to the Cyber Security Capability Framework.

PART 1

APSC ICT Capability Framework

The documents used to produce the Cyber Security Capability Framework included the APSC’s ICT Capability Framework. This Framework has a two level structure with the following main categories of capability:


• Service Delivery;
• IT Business Management;
• Business Change;
• Solutions Development;
• Solutions Implementation;
• Service Support.

The Security domain sits within the Service Delivery area and is further broken down into the following capability groupings:

• Service Delivery;
• Information Security;
• Technology Audit;
• Emerging Technology Monitoring.

Following discussion with AGIMO, these capability groupings were used to structure the Cyber Security Capability Framework.

Department of Defence Development and Competency Assessment Framework (DeCAF)

The second document used to create the Cyber Security Capability Framework was the DeCAF, produced by the Defence Signals Directorate (DSD), as an attempt to formalise training, certification, competency and development requirements for staff employed within the IT Security profession. It is designed to be a framework for base-lining experience and competency and identifies categories and specialisations within the organisation. These categories are then sub-divided into levels, each based on functional skill requirements. The categories and levels are:

• Information Security – Technical, Levels 1 through 5;
• Information Security – Management, Levels 3 through 5;
• Information Security – Specialist, Levels 3 through 5.

Each Level in a category is described in terms of attributes such as experience, system environment, training and organisational role, and contains a detailed list of competencies and performance expectations. As agreed with AGIMO, this list of competencies was mapped to the APSC’s ICT Capability Framework to produce the Cyber Security Capability Framework presented in this report.

Cyber Security Capability Framework

The Cyber Security Capability Framework uses the capability groupings from the APSC’s ICT Capability Framework, as outlined above. These capability groupings are delineated at each APS Classification Level. Initially, the Cyber Security Capability Framework included all APS levels from APS1 through to EL2, with APS1-3 broad-banded. The competencies were then mapped onto this Framework based on:

• Complexity of work;
• Expected level of experience for each DeCAF level;
• Expected level of skill and knowledge required;
• Proposed level of responsibility, including management and leadership capability;
• Expected degree of supervision required and classification level of supervisor;
• A logical grouping of particular competencies under sub-headings to give structure to the document.


Workshop

Once the documents had been reviewed and the initial mapping process completed, a workshop was held to validate the outcomes. Approximately 25 people attended the 17 May 2010 workshop, with participants being sourced from a range of Government Departments and Agencies such as:

• Attorney General’s Department;
• APSC;
• Murray-Darling Basin Authority;
• Department of Finance and Deregulation;
• Department of Health and Ageing;
• Australian Taxation Office;
• Centrelink;
• Department of Veterans’ Affairs;
• Office of the Prime Minister and Cabinet.

The workshop comprised a number of exercises that were completed either in a small group, as a whole group or individually by the participants.

Exercise 1

After introductions and an overview of the process to this point, workshop participants worked in small groups on a re-translation exercise. This exercise involved the reconstruction of ‘deconstructed’ copies of the Cyber Security Capability Framework. The aim of the exercise was to validate the accuracy of the mapping by allowing participants to re-map the content of the Framework against subheadings within each of the capability groupings.

Reconstructed Frameworks were then collected and compared with the original draft of the Framework. The results of the exercise informed the second phase of mapping to produce the draft documents presented here.

Exercise 2

Two further exercises aided in the validation process. In the second exercise, groups were given a copy of the DeCAF and were asked to assign an APS classification level to each of the Levels within the three categories of Information Security – Technical, Information Security – Management and Information Security – Specialist.

The results of this exercise revealed that the initial draft of the Cyber Security Capability Framework had been quite accurate in identifying the most appropriate APS classification for each of the Levels. Importantly, it was noted that all participants considered that the starting or entry point in terms of the Levels within the DeCAF was at the APS 3 level. There was strong consensus among workshop participants that the Capability Framework should not contain APS Levels 1 and 2 and should start with APS3-4 as a broad-banded entry level.


Exercise 3

The final exercise was an Expert Review where groups were given copies of the first draft of the Capability Framework in its entirety. Participants were asked to work individually or in groups to comment on the document.

The results of this exercise indicated that there was again consensus that the framework should not include the APS Levels 1 and 2 and should commence at a broad-banded APS3/4 level. Other comments provided by participants were also used to inform the re-mapping.

Re-mapping

Following the workshop, re-mapping and editing of the competencies was undertaken based on feedback from the exercises. This process produced the second draft of the Cyber Security Capability Framework.

Final Consultation Round

The second draft of the Framework was then sent out electronically for further comment to all participants of the initial workshop. Participants were given a chance to provide feedback on the re-mapped and edited Security Capability Framework, along with the results of the mapping of the Chief Information Security Officer, IT Security Advisor, IT Security Manager and IT Security Officer roles to the Cyber Security Capability Framework (see Part 2 below).

Feedback from this process was incorporated into the final version of both documents. Presented below is the final version of the Cyber Security Capability Framework, followed by information about the mapping process for Part 2 of the project and the finalised role descriptions.


CYBER SECURITY CAPABILITY FRAMEWORK

The Cyber Security Capability Framework describes the capabilities expected of information security staff operating at each classification level from APS3/4 to EL 2. It provides comprehensive statements of the competencies, behaviours, and skills that underpin effective performance at a particular work level.

The Cyber Security Capability Framework is a tool that can be used in:

• Job design or redesign
• Recruitment and selection
• Performance management
• Learning and development
• Career and succession planning
• Organisational capability assessment

The Capability Framework is based on the Department of Defence Development and Competency Assessment Framework for Cyber Security practitioners and mapped against the security capability groups defined by the Australian Public Service Commission. It is structured against four capability groups:

• Service Delivery
• Information Security
• Technology Audit
• Emerging Technology Monitoring

Service Delivery and Information Security have a number of sub-components that further define the capability.

The Capability Framework standardises expectations of competency, skills and performance within the sphere of Cyber Security. The Capability Framework describes expectations of competence in a generic way, so that it can be applied to any individual in any job in any area of Cyber Security.

It is important to remember that the capabilities outlined in the Capability Framework will apply differently to each employee depending on the specific requirements of their position. For example, although the capability Service Delivery is relevant to all staff, the specific competencies, skills and behaviours that would be expected in terms of this capability will vary across jobs as a function of the role and the environment in which the job is performed. Because the framework is a generic document, not every aspect of each capability will be required for every job at a given classification level.

The Capability Framework should be used, in conjunction with job-specific information, to guide the specific capability expectations of employees in Cyber Security positions. It should also be noted that the Cyber Security Capability Framework describes those capabilities that are specifically related to the information security aspects of a job, and it should be used in conjunction with the five APSC ILS Capabilities: Strategic Thinking, Achieving Results, Productive Working Relationships, Personal Drive and Integrity, and Communicating with Influence.


SERVICE DELIVERY

The authorisation and monitoring of access to IT facilities or infrastructure in accordance with established organisational policy. Includes investigation of unauthorised access, compliance with relevant legislation and the performance of other administrative duties relating to security management.

APS 3/4

Supports System Security
1. Performs information security related support functions for the organisation’s network.
2. Applies organisational instructions and pre-established guidelines to perform information security tasks within the organisation’s computing environment.
3. Applies appropriate access controls and privileges to an organisation’s computing environment.
4. Recognises a potential security violation.
5. Takes appropriate action to report incidents as required by procedure and, where applicable, legislation, in order to avert any effect from it.
6. Complies with system shutdown procedures.
7. Supports Government Information Security Manual (ISM) password complexity and frequency of change policies.

Delivers Service Excellence
1. Provides end user information security support.
2. Implements online warnings, or other such devices, to inform others about access rules of the organisation’s computing environment.

APS 5

Supports System Security
1. Investigates minor security breaches in accordance with established procedures.
2. Works with other administrator level and technical staff to resolve information security problems.
3. Applies appropriate access controls and privileges to an organisation’s computing environment.
4. Determines when security issues should be escalated to a higher level.
5. Maintains agreed security records and documentation.
6. Reviews logs as per logging procedures.

Delivers Service Excellence
1. Assists users in defining their access rights and privileges, and operates agreed logical access controls and security systems.
2. Manages accounts, network rights and access.
3. Demonstrates effective communication of security issues to business managers and others.

Leads and Develops People
1. Provides on the job training for junior personnel.

APS 6

Supports System Security
1. Investigates identified security breaches in accordance with established procedures and recommends any required actions.
2. Examines potential security violations to determine if the network environment security policy has been breached, assesses the impact and, if appropriate, preserves evidence.
3. Analyses patterns of non-compliance (potential breaches) and takes appropriate administrative or technological action to minimise security risks and insider threats.
4. Maintains security records and documentation.

Delivers Service Excellence
1. Assists users in defining their access rights and privileges, and administers logical access controls and security systems.
2. Coordinates and ensures end user support for all infrastructure applications and operations.
3. Implements the organisation’s information security related customer support policies, procedures and standards.

Leads and Develops People
1. Leads a small team to quickly and completely solve information security problems for the organisation.
2. Provides on the job training for junior personnel.


SERVICE DELIVERY

The authorisation and monitoring of access to IT facilities or infrastructure in accordance with established organisational policy. Includes investigation of unauthorised access, compliance with relevant legislation and the performance of other administrative duties relating to security management.

EL 1

Supports System Security
1. Reviews information systems for actual or potential breaches in security and ensures that all identified breaches in security are promptly and thoroughly investigated.
2. Ensures that security records are accurate and complete, including certification documentation.

Delivers Service Excellence
1. Develops and manages customer service performance requirements for information security.

Leads and Develops People
1. Provides on the job training and coaching for team members.

Supports Shared Purpose and Direction
1. Drafts and maintains the policy, standards, procedures and documentation for security.
2. Interprets security policy and contributes to development of standards and guidelines that comply with this.
3. Monitors contract performance and reviews deliverables and contract requirements related to organisational information technology security and privacy.

EL 2

Supports System Security
1. Reviews reports on, or analyses information on, security incidents and patterns to determine remedial actions to correct vulnerabilities.

Delivers Service Excellence
1. Develops and manages customer service performance requirements for information security.
2. Ensures information ownership responsibilities are established for each information system and implements a role based access scheme.

Leads and Develops People
1. Performs project management duties where appropriate.
2. Directs the implementation of appropriate operational structures and processes to ensure an effective information security program.
3. Oversees an information security section.
4. Acts as a mentor.

Supports Shared Purpose and Direction
1. Develops strategies for ensuring the security of automated systems.
2. Develops ICT Security direction and policy.
3. Ensures that the policy and standards for security are fit for purpose, current and correctly implemented.
4. Reviews new business proposals and provides specialist advice on security issues and implications.
5. Advises the appropriate stakeholders of changes affecting the organisation’s information technology security posture.


INFORMATION SECURITY

The management of, and provision of expert advice on, the selection, design, justification, implementation and operation of information security controls and management strategies to maintain the confidentiality, integrity, availability, accountability and relevant compliance of information systems.

APS 3/4

Applies Technical Proficiency
1. Implements response actions in reaction to security incidents.
2. Applies the organisation’s established information security procedures and safeguards and complies with responsibilities of assignment.
3. Adheres to information security laws and regulations in order to support functional operations of the network environment.
4. Configures, optimises and tests network file servers, hubs, routers and switches to ensure they comply with the organisation’s security policy, procedures, government legislation and guidelines, and the organisation’s technical requirements prior to deployment.
5. Recommends information security related repairs or changes in the network environment.
6. Supports security tests and evaluations.
7. Understands and implements basic technical vulnerability corrections.
8. Conducts tests of information security safeguards for the organisation’s computer environment, in accordance with implementation plans, standard operating environment procedures, and security section directives.

Analyses and Evaluates
1. Understands, applies and maintains specific security controls as required by organisational policy and local risk assessments to maintain confidentiality, integrity and availability of business information systems and to enhance resilience to unauthorised access.
2. Diagnoses and resolves information security problems in response to reported incidents.

APS 5

Applies Technical Proficiency
1. Recognises when an IT network/system has been attacked, and takes immediate action to limit damage, assesses the impact and, if appropriate, preserves evidence.
2. Installs and operates IT systems in the organisation’s computer environment in a test configuration manner that does not alter the program code or compromise security safeguards.
3. Assesses the performance of information security controls within the network.
4. Supports, monitors, tests and troubleshoots hardware and software information security problems pertaining to the organisation’s computing environment.
5. Implements applicable patches for the organisation’s computing environment.

Analyses and Evaluates
1. Conducts security risk assessments for defined business applications or IT installations in defined areas, and provides advice and guidance on the application and operation of elementary physical, procedural and technical security controls.
2. Monitors and evaluates the effectiveness of the organisation’s information security procedures and safeguards for the infrastructure.

APS 6

Applies Technical Proficiency
1. Assists in the gathering and preservation of evidence, maintaining evidentiary integrity.
3. Directs the implementation of appropriate operational structures and processes to ensure an effective information security program for the infrastructure, including boundary defence, incident detection and response, and key management.
5. Designs and installs perimeter defence systems including IDS, firewalls, grid sensors, etc. and, under direction, enhances the rule sets to block sources of malicious traffic.
6. Installs, tests, maintains, and upgrades network operating systems software and hardware to ensure they comply with information security requirements.
7. Notifies and schedules information security related repairs within the organisation’s network environment.
8. Writes and maintains scripts required to ensure security of the organisation’s infrastructure.


INFORMATION SECURITY

The management of, and provision of expert advice on, the selection, design, justification, implementation and operation of information security controls and management strategies to maintain the confidentiality, integrity, availability, accountability and relevant compliance of information systems.

EL 1

Analyses and Evaluates
1. Conducts security risk assessments for business applications and computer installations; provides authoritative advice and guidance on security strategies to manage the identified risk.
2. Investigates major breaches of security, and recommends appropriate control improvements.
3. Writes and publishes reports on incident outcomes and distributes to appropriate stakeholders.
4. Analyses information security incidents and patterns to determine remedial actions to correct vulnerabilities.
5. Monitors and evaluates the effectiveness of the organisation’s information security procedures and safeguards for the infrastructure.
6. Develops and implements the necessary security plans and procedural documentation to ensure that information security incidents are avoided during shutdown and long term protection of archived resources is achieved.
7. Formulates or provides input to the organisation’s information security budget.

Applies Technical Proficiency
1. Ensures that any system changes required to maintain security are implemented.
2. Recommends and schedules information security related repairs, upgrades or project tasks within the organisation’s environment.
3. Writes and maintains scripts required to ensure security of the infrastructure’s environment.
4. Provides direction to system developers regarding correction of security problems identified during testing.
5. Plans and schedules the installation of new or modified hardware, operating systems, and software applications, ensuring integration with information security requirements for the infrastructure.
6. Schedules and performs regular and special backups on all infrastructure systems.

EL 2

Analyses and Evaluates
1. Specifies organisational procedures for the assessment of an activity, process, product or service against recognised criteria, such as ISO27001.
2. Provides leadership and guidelines on information assurance security expertise for the organisation, working effectively with strategic organisational functions such as legal experts and technical support to provide authoritative advice and guidance on the requirements for security controls.
3. Reviews security plans and procedural documentation to ensure that information security incidents are avoided during shutdown and long term protection of archived resources is achieved.
4. Formulates the organisation’s information security budget.

Applies Technical Proficiency
1. Evaluates and approves development efforts to ensure that baseline security safeguards are appropriately installed.
2. Provides for restoration of information systems by ensuring that protection, detection, and reaction capabilities are incorporated.
3. Recommends and schedules more complex repairs, upgrades or project tasks.
4. Validates the planning and scheduling of the installation of new or modified hardware, operating systems, and software applications, ensuring integration with information security requirements for the infrastructure.


TECHNOLOGY AUDIT

The independent, risk-based assessment of the adequacy and integrity of controls in information processing systems, including hardware, software solutions, information management systems, security systems and tools, communications technologies – both web-based and physical. The structured analysis of the risks to achievement of business objectives, including the risk that the organisation fails to make effective use of new technology to improve delivery and internal effectiveness.

APS 3/4
1. Enters assets in an asset management and tracking system.
2. Assists with basic risk assessments for small information systems.
3. Conducts audits of physical components that support information system security.

APS 5
1. Ensures that the hardware, software, data and facility resources are archived, sanitised or disposed of in a manner consistent with system security plans and government requirements.
2. Assists in the performance of system audits to assess security related factors within the organisation’s network environment.
3. Analyses system performance for potential security problems.
4. Performs basic risk assessments for small information systems.
5. Ensures application and system developments comply with organisational standards for logging, including content, format and location.

APS 6
1. Ensures that the hardware, software, data and facility resources are archived, sanitised or disposed of in a manner consistent with system security plans and government requirements.
2. Examines infrastructure vulnerabilities and determines actions to mitigate them. Develops and applies effective vulnerability countermeasures.
3. Analyses information security vulnerability bulletins for their potential impact on the computing or network environment, and takes or recommends appropriate action.
4. Performs system audits to assess security related factors within the network environment.
5. Performs risk assessment and business impact analysis for medium size information systems.
6. Establishes logging procedures to include important events; services and proxies; log archiving facility.


TECHNOLOGY AUDIT (continued)

EL 1
1. Evaluates functional operation and performance in light of test results and makes recommendations regarding certification or accreditation.
2. Examines vulnerabilities and determines actions to mitigate them. Develops and applies effective vulnerability countermeasures.
3. Analyses information security vulnerability bulletins for their potential impact on the computing or network environment, and takes or recommends appropriate action.
4. Performs risk assessment, business impact analysis and accreditation for all major information systems within the organisation.
5. Interprets patterns of non-compliance to determine their impact on levels of risk and/or overall effectiveness of the organisation's information technology security program.
6. Oversees the development of organisational logging standards to comply with audit requirements.

EL 2
1. Develops plans for risk-based audit coverage of technology systems for inclusion in audit planning and uses experience to ensure audit coverage is sufficient to provide the business with assurance of adequacy and integrity.
2. Leads and manages complex technical audits, managing specialists contracted to contribute highly specialised technical knowledge and experience.
3. Identifies areas of risk and specifies interrogation programs. Recommends changes in processes and control procedures based on audit findings, including, where appropriate, the assessment of safety-related software systems to determine compliance with standards and required levels of safety integrity.
4. Provides general and specific advice, and authorises the issue of formal reports to management on the effectiveness and efficiency of control mechanisms.
5. Reviews or develops effective vulnerability countermeasures.
6. Reviews the report of, or participates in, an information security risk assessment or review.
7. Oversees the development of the audit planning process.


EMERGING TECHNOLOGY MONITORING
The identification of new and emerging hardware, software and communication technologies and products, services, methods and techniques, and the assessment of their relevance and potential value to an organisation. The promotion of emerging technology awareness among staff and business management.

APS 3/4
1. Assists in the monitoring of new technologies and has a basic understanding of the way in which these might be incorporated into the organisation's computer environment.

APS 5
1. Is aware of new technology and its possible relevance for the organisation's computer environment.
2. Assists in the monitoring of the market to gain knowledge and understanding of currently emerging technologies.

APS 6
1. Is aware of new technology and its relevance for the organisation's computer environment.
2. Monitors the market to gain knowledge and understanding of currently emerging technologies.
3. Identifies new and emerging hardware and software technologies and products based on own area of expertise.


EMERGING TECHNOLOGY MONITORING (continued)

EL 1
1. Monitors the market to gain knowledge and understanding of currently emerging technologies.
2. Identifies new and emerging hardware and software technologies and products based on own area of expertise, assesses their relevance and potential value to the organisation, and contributes to briefings of staff and management.
3. Develops network security requirements specific to an acquisition for inclusion in procurement documents.

EL 2
1. Co-ordinates the identification and assessment of new and emerging hardware, software and communication technologies, products, methods and techniques.
2. Evaluates likely relevance of these for the organisation. Provides regular briefings to staff and management.
3. Interprets and/or approves security requirements as they relate to the capabilities of new information technologies, taking into account organisational policies and government guidelines and legislation.
4. Ensures that protection and detection capabilities are acquired or developed using an engineering approach and are consistent with the organisation's information technology security architecture.
5. Identifies security program implications of new technologies or technology upgrades.


PART 2
Australian Government Information Security Manual

The second part of the project was the mapping of the Chief Information Security Officer, IT Security Manager and IT Security Officer roles from the Australian Government Information Security Manual (ISM) to the competencies originally in the DeCAF, now embedded in the Cyber Security Capability Framework.

The ISM provides a framework that enables agencies to address both new and existing security risks to systems. The manual sets down minimum requirements for information security and describes a number of roles within the security environment, including the three roles selected for mapping. The target audience for the manual is information security practitioners within, or contracted to, an agency. This includes, but is not limited to:
• security executives / chief information security officers (CISOs)
• agency security advisors (ASAs)
• information technology security advisors (ITSAs)
• information technology security managers (ITSMs)
• information technology security officers (ITSOs), and
• infosec-registered assessors.

The roles in the manual are described in terms of the context, risks and controls that should be accounted for within each role, plus a rationale for appointing each of the roles.

Mapping of the roles

At the original workshop validating the DeCAF competencies mapped onto the APSC ICT Capabilities, participants reported high consensus that the DeCAF document described competencies up to and including the EL2 classification level. The resultant Cyber Security Capability Framework therefore did not extend to the SES level.

Upon examination of the roles, it was noted that the ISM expects the Chief Information Security Officer to be appointed at the Senior Executive Service level and describes the role as responsible for co-ordination of security at a strategic level within the agency. Because this role sits above the classification levels covered by the Framework, it was decided that it would not be mapped against the Capability Framework.

The remaining roles, the IT Security Advisor, the IT Security Manager and the IT Security Officer, were mapped at the EL2 and EL1 levels. This process involved examination of the responsibilities of each role as set out in the ISM and comparison of these with the competencies previously mapped to the Cyber Security Capability Framework. Areas of overlap were noted and duplication avoided. Where new competencies were identified, these were included in the final mapping.

As noted in Part 1, this document was then sent out for comment and feedback as part of the final consultation round of the Cyber Security Capability Framework. Feedback received was incorporated into the final versions of the mapped roles, which are presented below.


INFORMATION TECHNOLOGY SECURITY MANAGER/ADVISOR

Overview of the role

Staff in this role report directly to the Chief Information Security Officer (CISO). ITSAs and ITSMs are executives within an agency who act as a conduit between the strategic directions provided by the CISO and the technical efforts of Information Technology Security Officers. The main area of responsibility of an ITSA/ITSM is the administrative controls relating to information security within the agency.

ITSA/ITSMs should not have additional responsibilities beyond those needed to fulfil the role, and the role should be undertaken by personnel with an appropriate level of authority based on the size of the agency or their area of responsibility within the agency. Where there are multiple ITSMs within an agency, there must also be a designated ITSA (Information Technology Security Advisor). Where there is only one ITSM within an agency, that role automatically includes the role of ITSA. The ITSA is responsible for the coordination and oversight of other ITSMs within the agency and has overall responsibility for information technology security management. In all other respects, the ITSA has the same role responsibilities as an ITSM. In some agencies the ITSA may be appointed at the EL2 level while the ITSMs are appointed at the EL1 level. ITSMs may also be appointed at the EL2 level where appropriate.

ITSA/ITSMs must be cleared for access to all information processed by the agency's systems and able to be briefed into any compartmented information on the agency's systems.

Required capabilities

Service Delivery

Supports System Security
1. Reviews reports on, or analyses information on, security incidents and patterns to determine remedial actions to correct vulnerabilities.

Delivers Service Excellence
1. Develops and manages customer service performance requirements for information security.
2. Ensures information ownership responsibilities are established for each information system and implements a role based access scheme.
3. Liaises with stakeholders to establish mutually acceptable contracts and service agreements.

Leads and Develops People
1. Performs project management duties where appropriate.
2. Directs the implementation of appropriate operational structures and processes to ensure an effective information security program.
3. Provides direction to system developers and architects.
4. Oversees an information security section.
5. Acts as a mentor.
6. Co-ordinates communication, awareness and training in information security for the agency.

Supports Shared Purpose and Direction
1. Develops strategies for ensuring the security of automated systems.
2. Ensures that the policy and standards for security are fit for purpose, current and correctly implemented.
3. Reviews new business proposals and provides specialist advice on security issues and implications.
4. Advises the appropriate stakeholders of changes affecting the organisation's information technology security posture.
5. Works with system owners to determine appropriate information security policies for their systems and to respond to recommendations from audits.
6. Works with system owners to obtain and maintain the accreditation of their systems.
7. Provides technical advice to committees, including other agency and inter-agency committees as required.
8. Maintains the security knowledge base.


Information Security

Analyses and Evaluates
1. Specifies organisational procedures for the assessment of an activity, process, product or service, against recognised criteria, such as ISO 27001.
2. Provides leadership and guidelines on information assurance security expertise for the organisation, working effectively with strategic organisational functions such as legal experts and technical support to provide authoritative advice and guidance on the requirements for security controls.
3. Reviews security plans and procedural documentation, including disaster recovery plans, to ensure that information security incidents are avoided during shutdown and long term protection of archived resources is achieved.

Technology Audit
1. Develops plans for risk-based audit coverage of technology systems for inclusion in audit planning and uses experience to ensure audit coverage is sufficient to provide the business with assurance of adequacy and integrity.
2. Leads and manages complex technical audits, managing specialists contracted to contribute highly specialised technical knowledge and experience.
3. Identifies areas of risk and specifies interrogation programs. Recommends changes in processes and control procedures based on audit findings, including, where appropriate, the assessment of safety-related software systems to determine compliance with standards and required levels of safety integrity.
4. Provides general and specific advice, and authorises the issue of formal reports to management on the effectiveness and efficiency of control mechanisms.
5. Reviews or develops effective vulnerability countermeasures.
6. Reviews the report of, or participates in, an information security risk assessment or review.
7. Oversees the development of the audit planning process.
8. Reports to senior managers on technical aspects of information security management, and compliance with and enforcement of policies across the agency.

Emerging Technology Monitoring
1. Co-ordinates the identification and assessment of new and emerging hardware, software and communication technologies, products, methods and techniques.
2. Evaluates likely relevance of these for the organisation. Provides regular briefings to staff and management.
3. Works with the CISO to formulate the organisation's information security budget.
4. Interprets and/or approves security requirements as they relate to the capabilities of new information technologies, taking into account organisational policies and government guidelines and legislation.
5. Ensures that protection and detection capabilities are acquired or developed using an engineering approach and are consistent with the organisation's information technology security architecture.
6. Identifies security program implications of new technologies or technology upgrades.

Applies Technical Proficiency
1. Evaluates and approves development efforts to ensure that baseline security safeguards are appropriately installed.
2. Provides for restoration of information systems by ensuring that protection, detection, and reaction capabilities are incorporated.
3. Recommends and schedules information security related repairs within the organisation's infrastructure and undertakes more complex repairs.
4. Validates the planning and scheduling of the installation of new or modified hardware, operating systems, and software applications ensuring integration with information security requirements for the infrastructure.


INFORMATION TECHNOLOGY SECURITY OFFICER

Overview of the role

Staff in this role report directly to the Information Technology Security Manager (ITSM). The ITSO role may be combined with that of the ITSM in small agencies. Agencies may also choose to have this role performed by existing system administrators with an additional reporting chain to an ITSM for the information security aspects of their role. Agencies may also choose to have the responsibilities of an ITSO undertaken externally as part of outsourcing of their ICT services.

ITSOs should not have additional responsibilities beyond those needed to fulfil the role, and the role should be undertaken by personnel with an appropriate level of authority based on the size of the agency or their area of responsibility within the agency. Where an ITSO is appointed by the agency, it would be expected that this position would be an Executive Level 1 officer.

ITSOs must be cleared for access to all information processed by the agency's systems and able to be briefed into any compartmented information on the agency's systems.

Required capabilities

Service Delivery

Supports System Security
1. Reviews information systems for actual or potential breaches in security and ensures that all identified breaches in security are promptly and thoroughly investigated.
2. Ensures that security records are accurate and complete, including certification documentation.
3. Validates and authorises user and access administration on systems in accordance with the defined policies, standards and procedures of the agency.
4. Ensures patches are applied and removes known system weaknesses in accordance with information security policies and standards.

Delivers Service Excellence
1. Develops and manages customer service performance requirements for information security.
2. Assists operational staff to locate and repair information security problems and failures.

Leads and Develops People
1. Provides direction to system developers regarding correction of security problems identified during testing.
2. Provides on the job training and coaching for team members.

Supports Shared Purpose and Direction
1. Drafts and maintains the policy, standards, procedures and documentation for security.
2. Interprets security policy and contributes to development of standards and guidelines that comply with it.
3. Monitors contract performance and reviews deliverables and contract requirements related to organisational information technology security and privacy.
4. Communicates with system owners and personnel to increase their awareness of applicable information security policies and standards.


Information Security

Analyses and Evaluates
1. Conducts security risk assessments for business applications and computer installations; provides authoritative advice and guidance on security strategies to manage the identified risk.
2. Investigates major breaches of security, and recommends appropriate control improvements.
3. Writes and publishes reports on incident outcomes and distributes them to appropriate stakeholders.
4. Analyses information security incidents and patterns to determine remedial actions to correct vulnerabilities.
5. Monitors and evaluates the effectiveness of the organisation's information security procedures and safeguards for the infrastructure.
6. Develops and implements the necessary security plans and procedural documentation, including disaster recovery plans, to ensure that information security incidents are avoided during shutdown and long term protection of archived resources is achieved.
7. Reports unresolved network security exposures, misuse of resources or non-compliance situations to an ITSM.

Technology Audit
1. Evaluates functional operation and performance in light of test results and makes recommendations regarding certification or accreditation.
2. Examines vulnerabilities and determines actions to mitigate them. Develops and applies effective vulnerability countermeasures.
3. Analyses information security vulnerability bulletins for their potential impact on the computing or network environment, and takes or recommends appropriate action.
4. Performs risk assessment, business impact analysis and accreditation for all major information systems within the organisation.
5. Interprets patterns of non-compliance to determine their impact on levels of risk and/or overall effectiveness of the organisation's information technology security program.
6. Oversees the development of organisational logging standards to comply with audit requirements.
7. Manages and audits system event logs.

Emerging Technology Monitoring
1. Monitors the market to gain knowledge and understanding of currently emerging technologies.
2. Identifies new and emerging hardware and software technologies and products based on own area of expertise, assesses their relevance and potential value to the organisation, and contributes to briefings of staff and management.
3. Formulates or provides input to the organisation's information security budget.
4. Develops network security requirements specific to an acquisition for inclusion in procurement documents.

Applies Technical Proficiency
1. Ensures that any system changes required to maintain security are implemented.
2. Recommends and schedules information security related repairs, upgrades or project tasks within the organisation's environment.
3. Writes and maintains scripts required to ensure security of the infrastructure's environment.
4. Plans and schedules the installation of new or modified hardware, operating systems, and software applications ensuring integration with information security requirements for the infrastructure.
5. Schedules and performs regular and special backups on all infrastructure systems.
