Cyber Security Capability Framework & Mapping of ISM Roles - agimo

More documents

Recommendations

Info

TECHNOLOGY AUDIT The independent, risk-based assessment of the adequacy and integrity of controls in informationprocessing systems, including hardware, software solutions, information management systems, security systems and tools,communications technologies – both web-based and physical. The structured analysis of the risks to achievement of businessobjectives, including the risk that the organisation fails to make effective use of new technology to improve delivery and internaleffectiveness.APS 3/4 APS 5 APS 61. Enters assets in an asset management and trackingsystem.2. Assists with basic risk assessments for smallinformation systems.3. Conducts audits of physical components thatsupport information system security.1. Ensures that the hardware, software, data andfacility resources are archived, sanitised ordisposed of in a manner consistent with systemsecurity plans and government requirements.2. Assists in the performance of system audits toassess security related factors within theorganisation’s network environment.3. Analyses system performance for potential securityproblems.4. Performs basic risk assessments for smallinformation systems.5. Ensures application and system developmentscomply with organisational standards for logging,including content, format and location.1. Ensures that the hardware, software, data andfacility resources are archived, sanitised ordisposed of in a manner consistent with systemsecurity plans and government requirements.2. Examines infrastructure vulnerabilities anddetermines actions to mitigate them. Develops andapplies effective vulnerability countermeasures.3. Analyses information security vulnerability bulletinsfor their potential impact on the computing ornetwork environment, and takes or recommendsappropriate action.4. Perform system audits to assess security relatedfactors within the network environment.5. Performs risk assessment, and business impactanalysis for medium size information systems.6. Establishes logging procedures to include importantevents; services and proxies; log archiving facility.Produced for AGIMO by Workplace Research Associates Pty Ltd 2010 Page 12
TECHNOLOGY AUDIT The independent, risk-based assessment of the adequacy and integrity of controls in informationprocessing systems, including hardware, software solutions, information management systems, security systems and tools,communications technologies – both web-based and physical. The structured analysis of the risks to achievement of businessobjectives, including the risk that the organisation fails to make effective use of new technology to improve delivery and internaleffectiveness.EL 1 EL 21. Evaluates functional operation and performance in light of test results andmakes recommendations regarding certification or accreditation.2. Examines vulnerabilities and determines actions to mitigate them. Developsand applies effective vulnerability countermeasures.3. Analyses information security vulnerability bulletins for their potential impact onthe computing or network environment, and takes or recommends appropriateaction.4. Performs risk assessment, business impact analysis and accreditation for allmajor information systems within the organisation.5. Interprets patterns of non-compliance to determine their impact on levels of riskand/or overall effectiveness of the organisation’s information technologysecurity program.6. Oversees the development of organisational logging standards to comply withaudit requirements.1. Develops plans for risk-based audit coverage of technology systems forinclusion in audit planning and uses experience to ensure audit coverage issufficient to provide the business with assurance of adequacy and integrity.2. Leads and manages complex technical audits, managing specialistscontracted to contribute highly specialised technical knowledge andexperience.3. Identifies areas of risk and specifies interrogation programs. Recommendschanges in processes and control procedures based on audit findings,including, where appropriate, the assessment of safety-related softwaresystems to determine compliance with standards and required levels of safetyintegrity.4. Provides general and specific advice, and authorises the issue of formalreports to management on the effectiveness and efficiency of controlmechanisms.5. Reviews or develops effective vulnerability countermeasures6. Reviews the report of, or participates in, an information security riskassessment or review.7. Oversees the development of the audit planning process.Produced for AGIMO by Workplace Research Associates Pty Ltd 2010 Page 13
Page 1 and 2: AUSTRALIAN GOVERNMENT INFORMATION M
Page 3 and 4: Introduction and BackgroundIn May 2
Page 5 and 6: WorkshopOnce the documents had been
Page 7 and 8: CYBER SECURITY CAPABILITY FRAMEWORK
Page 9 and 10: SERVICE DELIVERY The authorisation
Page 11: INFORMATION SECURITY The management
Page 15 and 16: EMERGING TECHNOLOGY MONITORING The
Page 17 and 18: INFORMATION TECHNOLOGY SECURITY MAN
Page 19 and 20: INFORMATION TECHNOLOGY SECURITY OFF

Cyber Security Capability Framework & Mapping of ISM Roles - agimo

Create successful ePaper yourself

Delete template?

Save as template?