Cyber Security Capability Framework & Mapping of ISM Roles - agimo

More documents

Recommendations

Info

• Service Delivery;• IT Business Management;• Business Change;• Solutions Development;• Solutions Implementation;• Service Support.The Security domain sits within the Service Delivery area and is further broken down into thefollowing capability groupings:• Service Delivery;• Information Security;• Technology Audit;• Emerging Technology MonitoringFollowing discussion with AGIMO, these capability groupings were used to structure theCyber Security Capability Framework.Department of Defence Development and Competency Assessment Framework(DeCAF)The second document used to create the Cyber Security Capability Framework was theDeCAF, produced by the Defence Signals Directorate (DSD), as an attempt to formalisetraining, certification, competency and development requirements for staff employed withinthe IT Security profession. It is designed to be a framework for base-lining experience andcompetency and identifies categories and specialisations within the organisation. Thesecategories are then sub-divided into levels, each based on functional skill requirements. Thecategories and levels are:• Information Security – Technical, Levels 1 through 5;• Information Security – Management, Levels 3 through 5;• Information Security – Specialist, Levels 3 through 5.Each Level in a category is described in terms of attributes such as experience, systemenvironment, training and organisational role and contains a detailed list of competenciesand performance expectations. As agreed with AGIMO, this list of competencies wasmapped to the APSC’s ICT Capability Framework to produce the Cyber Security CapabilityFramework presented in this report.Cyber Security Capability FrameworkThe Cyber Security Capability Framework uses the capability groupings from the APSC’sICT Capability Framework, as outlined above. These capability groupings are delineated ateach APS Classification Level. Initially, the Cyber Security Capability Framework includedall APS levels from APS1 through to EL2, with APS1-3 broad-banded. The competencieswere then mapped onto this Framework based on:• Complexity of work;• Expected level of experience for each DeCAF level;• Expected level of skill and knowledge required;• Proposed level of responsibility including management and leadership capability;• Expected degree of supervision required and classification level of supervisor;• A logical grouping of particular competencies under sub-headings to give structure tothe document.Produced for AGIMO by Workplace Research Associates Pty Ltd 2010 Page 4
WorkshopOnce the documents had been reviewed and the initial mapping process completed, aworkshop was held to validate the outcomes. Approximately 25 people attended the 17 May2010 workshop with participants being sourced from a range of Government Departmentsand Agencies such as:• Attorney General’s Department;• APSC;• Murray-Darling Basin Authority;• Department of Finance and Deregulation;• Department of Health and Ageing;• Australian Taxation Office;• Centrelink;• Department of Veterans’ Affairs;• Office of the Prime Minister and Cabinet.The workshop comprised a number of exercises that were completed either in a small group,as a whole group or individually by the participants.Exercise 1After introductions and an overview of the process to this point, workshop participantsworked in small groups on a re-translation exercise. This exercise involved thereconstruction of ‘deconstructed’ copies of the Cyber Security Capability Framework. Theaim of the exercise was to validate the accuracy of the mapping by allowing participants tore-map the content of the Framework against subheadings within each of the capabilitygroupings.Reconstructed Frameworks were then collected and compared with the original draft of theFramework. The results of the exercise informed the second phase of mapping to producethe draft documents presented here.Exercise 2Two further exercises aided in the validation process. In the second exercise, groups weregiven a copy of the DeCAF and were asked to assign an APS classification level to each ofthe Levels within the three categories of Information Security - Technical, InformationSecurity - Management and Information Security - Specialist.The results of this exercise revealed that the initial draft of the Cyber Security CapabilityFramework had been quite accurate in identifying the most appropriate APS classification foreach of the Levels. Importantly, it was noted that all participants considered that the startingor entry point in terms of the Levels within the DeCAF was at the APS 3 level. There wasstrong consensus, by workshop participants, that the Capability Framework should notcontain APS Levels 1 and 2 and should start with APS3-4 as a broad-banded entry level.Produced for AGIMO by Workplace Research Associates Pty Ltd 2010 Page 5
Page 1 and 2: AUSTRALIAN GOVERNMENT INFORMATION M
Page 3: Introduction and BackgroundIn May 2
Page 7 and 8: CYBER SECURITY CAPABILITY FRAMEWORK
Page 9 and 10: SERVICE DELIVERY The authorisation
Page 11 and 12: INFORMATION SECURITY The management
Page 13 and 14: TECHNOLOGY AUDIT The independent, r
Page 15 and 16: EMERGING TECHNOLOGY MONITORING The
Page 17 and 18: INFORMATION TECHNOLOGY SECURITY MAN
Page 19 and 20: INFORMATION TECHNOLOGY SECURITY OFF

Cyber Security Capability Framework & Mapping of ISM Roles - agimo

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?