Cyber Security Capability Framework & Mapping of ISM Roles - agimo

More documents

Recommendations

Info

Information SecurityAnalyses and Evaluates1. Specifies organisational procedures for the assessment of an activity, process,product or service, against recognised criteria, such as ISO 27001.2. Provides leadership and guidelines on information assurance security expertise forthe organisation, working effectively with strategic organisational functions such aslegal experts and technical support to provide authoritative advice and guidance onthe requirements for security controls.3. Reviews security plans and procedural documentation, including disaster recoveryplans, to ensure that information security incidents are avoided during shutdown andlong term protection of archived resources is achieved.Technology Audit1. Develops plans for risk-based audit coverage of technology systems for inclusion inaudit planning and uses experience to ensure audit coverage is sufficient to providethe business with assurance of adequacy and integrity.2. Leads and manages complex technical audits, managing specialists contracted tocontribute highly specialised technical knowledge and experience.3. Identifies areas of risk and specifies interrogation programs. Recommends changesin processes and control procedures based on audit findings, including, whereappropriate, the assessment of safety-related software systems to determinecompliance with standards and required levels of safety integrity.Emerging Technology Monitoring1. Co-ordinates the identification and assessment of new and emerging hardware,software and communication technologies, products, methods and techniques.2. Evaluates likely relevance of these for the organisation. Provides regular briefingsto staff and management.3. Works with the CISO to formulate the organisation’s information security budget.4. Interprets and/or approves security requirements as they relate to the capabilitiesof new information technologies, taking into account organisational policies andgovernment guidelines and legislation.Applies Technical Proficiency1. Evaluates and approves development efforts to ensure that baseline security safeguards areappropriately installed.2. Provides for restoration of information systems by ensuring that protection, detection, andreaction capabilities are incorporated.3. Recommends and schedules information security related repairs within the organisation’sinfrastructure and undertakes more complex repairs.4. Validates the planning and scheduling of the installation of new or modified hardware, operatingsystems, and software applications ensuring integration with information security requirementsfor the infrastructure.4. Provides general and specific advice, and authorises the issue of formal reports tomanagement on the effectiveness and efficiency of control mechanisms.5. Reviews or develops effective vulnerability countermeasures6. Reviews the report of, or participates in, an information security risk assessment or review.7. Oversees the development of the audit planning process.8. Reports to senior managers on technical aspects of information security management, andcompliance with and enforcement of policies across the agency.5. Ensures that protection and detection capabilities are acquired or developed using anengineering approach and are consistent with the organisation’s information technologysecurity architecture.6. Identifies security program implications of new technologies or technology upgrades.Produced for AGIMO by Workplace Research Associates Pty Ltd 2010 Page 18
INFORMATION TECHNOLOGY SECURITY OFFICEROverview of the roleStaff in this role work report directly to the Information Technology Security Manager (ITSM). The ITSO role may be combined with that of the ITSM in small agencies.Agencies may also chose to have this role performed by existing system administrators with an additional reporting chain to an ITSM for the information security aspects oftheir role. Agencies may also choose to have the responsibilities of an ITSO undertaken externally as part of outsourcing of their ICT services.ITSOs should not have additional responsibilities beyond those needed to fulfil the role and the role should be undertaken by personnel with an appropriate level of authoritybased on the size of the agency or their area of responsibility within an agency. Where an ITSO is appointed by the agency, it would be expected that this position would beas an Executive Level 1 officer.ITSOs must be cleared for access to all information processed by the agency’s systems and able to be briefed into any compartmented information on the agency’ssystems.Required capabilitiesService DeliverySupports System Security1. Reviews information systems for actual or potential breaches in security andensures that all identified breaches in security are promptly and thoroughlyinvestigated.2. Ensures that security records are accurate and complete including certificationdocumentation.3. Validates and authorises user and access administration on systems inaccordance with the defined policies, standards and procedures of the agency.4. Ensures patches are applied and removes known system weaknesses inaccordance with information security policies and standards.Delivers Service Excellence1. Develops and manages customer service performance requirements forinformation security2. Assists operational staff to locate and repair information security problems andfailures.Leads and Develops People1. Provides direction to system developers regarding correction of security problems identifiedduring testing.2. Provides on the job training and coaching for team members.Supports Shared Purpose and Direction1. Drafts and maintains the policy, standards, procedures and documentation for security.2. Interprets security policy and contributes to development of standards and guidelines thatcomply with this.3. Monitors contract performance and reviews deliverables and contract requirements related toorganisational information technology security and privacy.4. Communicates with system owners and personnel to increase their awareness of applicableinformation security policies and standards.Produced for AGIMO by Workplace Research Associates Pty Ltd 2010 Page 19
Page 1 and 2: AUSTRALIAN GOVERNMENT INFORMATION M
Page 3 and 4: Introduction and BackgroundIn May 2
Page 5 and 6: WorkshopOnce the documents had been
Page 7 and 8: CYBER SECURITY CAPABILITY FRAMEWORK
Page 9 and 10: SERVICE DELIVERY The authorisation
Page 11 and 12: INFORMATION SECURITY The management
Page 13 and 14: TECHNOLOGY AUDIT The independent, r
Page 15 and 16: EMERGING TECHNOLOGY MONITORING The
Page 17: INFORMATION TECHNOLOGY SECURITY MAN

Cyber Security Capability Framework & Mapping of ISM Roles - agimo

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?