Cyber Security Capability Framework & Mapping of ISM Roles - agimo

More documents

Recommendations

Info

PART 2Australian Government Information Security ManualThe second part of the project was mapping of the Chief Information Security Officer, ITSecurity Manager and IT Security Officer roles from the Australian Government InformationSecurity Manual (ISM) to the competencies originally in the DeCAF, now embedded into theCyber Security Capability Framework.The ISM provides a framework that enables agencies to address both new and existingsecurity risks to systems. The manual sets down minimum requirements for informationsecurity and describes a number of roles within the security environment. These include thethree roles outlined for mapping:The target audience for this manual is information security practitioners within, or contractedto, an agency. This includes, but is not limited to:• security executives / chief information security officers (CISOs)• agency security advisors (ASAs)• information technology security advisors (ITSAs)• information technology security managers (ITSMs)• information technology security officers (ITSOs), and• infosec-registered assessors.The roles in the manual are described in terms of the context, risks and controls that shouldbe accounted for within the roles plus a rationale for appointing each of the roles.Mapping of the rolesAt the original workshop validating the DeCAF competencies mapped onto the APSC ICTCapabilities, workshop participants reported high consensus that the DeCAF documentdescribed competencies up to and including the EL2 level of classification. Therefore, theresultant Cyber Security Capability Framework did not extend to the SES level.Upon examination of the roles, it was noted that the Chief Information Security Officer roleshould be appointed at the Senior Executive Service level and is described as beingresponsible for co-ordination of security at a strategic level within the agency. Due to thehigh classification level of this role, it was decided that the role would not be mapped againstthe Capability Framework.The remaining three roles, the IT Security Advisor, the IT Security Manager and the ITSecurity Officer were mapped at the EL2 and EL1 levels. This process involved examinationof the responsibilities of each role as set out in the ISM and comparison of these with thosecompetencies previously mapped to the Cyber Security Capability Framework. Areas ofoverlap were noted and duplication avoided. Where new competencies were identifiedthese were included in the final mapping.As noted in Part 1, this document was then sent out for comment and feedback as part ofthe final consultation round of the Cyber Security Capability Framework. Feedback receivedwas incorporated into the final versions of the mapped roles which are presented below.Produced for AGIMO by Workplace Research Associates Pty Ltd 2010 Page 16
INFORMATION TECHNOLOGY SECURITY MANAGER/ADVISOROverview of the roleStaff in this role work report directly to the Chief Information Officer (CISO). ITSAs and ITSMs are executives within an agency that act as a conduit between the strategicdirections provided by the CISO and the technical efforts of Information Technology Security Officers. The main area of responsibility of an ITSA/ITSM is that of theadministrative controls relating to information security within the agency.ITSA/ITSMs should not have additional responsibilities beyond those needed to fulfil the role and the role should be undertaken by personnel with an appropriate level ofauthority based on the size of the agency or their area of responsibility within an agency. Where there are multiple ITSMs within an agency, there must also be adesignated ITSA (Information Technology Security Advisor). Where there is only one ITSM within an agency, that role automatically includes the role of ITSA. The ITSA isresponsible for the coordination and oversight of other ITSMs within the agency and has overall responsibility for information technology security management. In all otherrespects, the ITSA has the same role responsibilities as an ITSM. In some agencies the ITSA may be appointed at the EL2 level while the ITSMs are appointed at the EL1level. ITSMs may also be appointed at the EL2 level where appropriate.ITSA/ITSMs must be cleared for access to all information processed by the agency’s systems and able to be briefed into any compartmented information on the agency’ssystems.Required capabilitiesService DeliverySupports System Security1. Reviews reports on, or analyses information on, security incidents and patterns todetermine remedial actions to correct vulnerabilities.Delivers Service Excellence1. Develops and manages customer service performance requirements forinformation security.2. Ensures information ownership responsibilities are established for eachinformation system and implements a role based access scheme.3. Liaises with stakeholders to establish mutually acceptable contracts and serviceagreements.Leads and Develops People1. Performs project management duties where appropriate.2. Directs the implementation of appropriate operational structures and processes toensure an effective information security program.3. Provides direction to system developers and architects.4. Oversees an information security section.5. Acts as a mentor6. Co-ordinates communication, awareness and training in information security for the agencySupports Shared Purpose and Direction1. Develops strategies for ensuring the security of automated systems.2. Ensures that the policy and standards for security are fit for purpose, current and are correctlyimplemented.3. Reviews new business proposals and provides specialist advice on security issues andimplications.4. Advises the appropriate stakeholders of changes affecting the organisation’s informationtechnology security posture.5. Works with system owners to determine appropriate information security policies for theirsystems and to respond to recommendations from audits.6. Works with system owners to obtain and maintain the accreditation of their systems.7. Provides technical advice to committees, including other agency and inter-agency committeesas required.8. Maintains security knowledge base.Produced for AGIMO by Workplace Research Associates Pty Ltd 2010 Page 17
Page 1 and 2: AUSTRALIAN GOVERNMENT INFORMATION M
Page 3 and 4: Introduction and BackgroundIn May 2
Page 5 and 6: WorkshopOnce the documents had been
Page 7 and 8: CYBER SECURITY CAPABILITY FRAMEWORK
Page 9 and 10: SERVICE DELIVERY The authorisation
Page 11 and 12: INFORMATION SECURITY The management
Page 13 and 14: TECHNOLOGY AUDIT The independent, r
Page 15: EMERGING TECHNOLOGY MONITORING The
Page 19 and 20: INFORMATION TECHNOLOGY SECURITY OFF

Cyber Security Capability Framework & Mapping of ISM Roles - agimo

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?