AUSTRALIAN GOVERNMENT INFORMATION MANAGEMENT OFFICE CYBER SECURITY CAPABILITY FRAMEWORK & MAPPING OF ISM ROLES

Size: px
Start display at page:

Download "AUSTRALIAN GOVERNMENT INFORMATION MANAGEMENT OFFICE CYBER SECURITY CAPABILITY FRAMEWORK & MAPPING OF ISM ROLES"

Transcription

1 AUSTRALIAN GOVERNMENT INFORMATION MANAGEMENT OFFICE CYBER SECURITY CAPABILITY FRAMEWORK & MAPPING OF ISM ROLES Final Report Prepared by Dr Janet Tweedie & Dr Julie West June 2010 Produced for AGIMO by Workplace Research Associates Pty Ltd 2010 Page 1

2 CONTENTS Introduction and Background p3 Methodology (Part 1) p3 Cyber Security Capability Framework p7 Methodology (Part 2) p16 Mapped ISM Roles p17 Produced for AGIMO by Workplace Research Associates Pty Ltd 2010 Page 2

3 Introduction and Background In May 2010, Workplace Research Associates was engaged by the Australian Government Information Management Office (AGIMO) to assist in the mapping of Cyber Security Capabilities to the Australian Public Service Commission s (APSC) ICT Capability Framework. Specifically, the aim of the project was to: Map and validate the Department of Defence s Development and Competency Assessment Framework (DeCAF) competencies to the security capability areas defined in the Australian Public Service Commission s ICT Capability Framework; Map and validate the DeCAF competencies to the Chief Information Security Officer, IT Security Manager and IT Security Officer roles defined in the Australian Government s Information Security Manual (ISM); This report presents the Cyber Security Capability Framework, which is the outcome of the first of the aims above and the Mapped ISM Roles, which is the outcome of the second of the aims above. Methodology The methodology for the project included the following stages: Part 1 Mapping of the DeCAF to the ICT Capability Framework: 1. Initial meeting with AGIMO representatives to confirm the scope of the project and the documents to be mapped; 2. Review of the Department of Defence s Development and Competency Assessment Framework (DeCAF) and the Australian Public Service Commission s ICT Capability Framework; 3. Mapping of the DeCAF to the APSC s ICT Capability Framework; 4. A workshop to validate the initial mapping process and initial draft of the Cyber Security Capability Framework; 5. Review and redrafting of the Framework in line with the results of the workshop. Part 2 Mapping of the ISM roles to the Cyber Security Capability Framework: 1. Mapping of the Chief Information Security Officer, IT Security Advisor, IT Security Manager and IT Security Officer roles to the Cyber Security Capability Framework. PART 1 APSC ICT Capability Framework The documents used to produce the Cyber Security Capability Framework included the APSC s ICT Capability Framework. This Framework has a two level structure with the following main categories of capability: Produced for AGIMO by Workplace Research Associates Pty Ltd 2010 Page 3

4 Service Delivery; IT Business Management; Business Change; Solutions Development; Solutions Implementation; Service Support. The Security domain sits within the Service Delivery area and is further broken down into the following capability groupings: Service Delivery; Information Security; Technology Audit; Emerging Technology Monitoring Following discussion with AGIMO, these capability groupings were used to structure the Cyber Security Capability Framework. Department of Defence Development and Competency Assessment Framework (DeCAF) The second document used to create the Cyber Security Capability Framework was the DeCAF, produced by the Defence Signals Directorate (DSD), as an attempt to formalise training, certification, competency and development requirements for staff employed within the IT Security profession. It is designed to be a framework for base-lining experience and competency and identifies categories and specialisations within the organisation. These categories are then sub-divided into levels, each based on functional skill requirements. The categories and levels are: Information Security Technical, Levels 1 through 5; Information Security Management, Levels 3 through 5; Information Security Specialist, Levels 3 through 5. Each Level in a category is described in terms of attributes such as experience, system environment, training and organisational role and contains a detailed list of competencies and performance expectations. As agreed with AGIMO, this list of competencies was mapped to the APSC s ICT Capability Framework to produce the Cyber Security Capability Framework presented in this report. Cyber Security Capability Framework The Cyber Security Capability Framework uses the capability groupings from the APSC s ICT Capability Framework, as outlined above. These capability groupings are delineated at each APS Classification Level. Initially, the Cyber Security Capability Framework included all APS levels from APS1 through to EL2, with APS1-3 broad-banded. The competencies were then mapped onto this Framework based on: Complexity of work; Expected level of experience for each DeCAF level; Expected level of skill and knowledge required; Proposed level of responsibility including management and leadership capability; Expected degree of supervision required and classification level of supervisor; A logical grouping of particular competencies under sub-headings to give structure to the document. Produced for AGIMO by Workplace Research Associates Pty Ltd 2010 Page 4

5 Workshop Once the documents had been reviewed and the initial mapping process completed, a workshop was held to validate the outcomes. Approximately 25 people attended the 17 May 2010 workshop with participants being sourced from a range of Government Departments and Agencies such as: Attorney General s Department; APSC; Murray-Darling Basin Authority; Department of Finance and Deregulation; Department of Health and Ageing; Australian Taxation Office; Centrelink; Department of Veterans Affairs; Office of the Prime Minister and Cabinet. The workshop comprised a number of exercises that were completed either in a small group, as a whole group or individually by the participants. Exercise 1 After introductions and an overview of the process to this point, workshop participants worked in small groups on a re-translation exercise. This exercise involved the reconstruction of deconstructed copies of the Cyber Security Capability Framework. The aim of the exercise was to validate the accuracy of the mapping by allowing participants to re-map the content of the Framework against subheadings within each of the capability groupings. Reconstructed Frameworks were then collected and compared with the original draft of the Framework. The results of the exercise informed the second phase of mapping to produce the draft documents presented here. Exercise 2 Two further exercises aided in the validation process. In the second exercise, groups were given a copy of the DeCAF and were asked to assign an APS classification level to each of the Levels within the three categories of Information Security - Technical, Information Security - Management and Information Security - Specialist. The results of this exercise revealed that the initial draft of the Cyber Security Capability Framework had been quite accurate in identifying the most appropriate APS classification for each of the Levels. Importantly, it was noted that all participants considered that the starting or entry point in terms of the Levels within the DeCAF was at the APS 3 level. There was strong consensus, by workshop participants, that the Capability Framework should not contain APS Levels 1 and 2 and should start with APS3-4 as a broad-banded entry level. Produced for AGIMO by Workplace Research Associates Pty Ltd 2010 Page 5

6 Exercise 3 The final exercise was an Expert Review where groups were given copies of the first draft of the Capability Framework in its entirety. Participants were asked to work individually or in groups to comment on the document. The results of this exercise indicated that there was again consensus that the framework should not include the APS Levels 1 and 2 and should commence at a broad-banded APS3/4 level. Other comments provided by participants were also used to inform the remapping. Re-mapping Following the workshop, re-mapping and editing of the competencies was undertaken based on feedback from the exercises. This process produced the second draft of the Cyber Security Capability Framework. Final Consultation Round The second draft of the Framework was then sent out electronically for further comment to all participants of the initial workshop. Participants were given a chance to provide feedback on the re-mapped and edited Security Capability Framework along with the results of the mapping of the Mapping of the Chief Information Security Officer, IT Security Advisor, IT Security Manager and IT Security Officer roles to the Cyber Security Capability Framework (see Part 2 below). Feedback from this process was incorporated into the final version of both documents. Presented below is the final version of the Cyber Security Capability Framework followed by information about the mapping process for Part 2 of the project and the finalised role descriptions. Produced for AGIMO by Workplace Research Associates Pty Ltd 2010 Page 6

7 CYBER SECURITY CAPABILITY FRAMEWORK The Cyber Security Capability Framework describes the capabilities expected of information security staff operating at each classification level from APS 3/4 to EL 2. It provides comprehensive statements of the competencies, behaviours, and skills that underpin effective performance at a particular work level. The Cyber Security Capability Framework is a tool that can be used in: Job design or redesign Recruitment and selection Performance management Learning and development Career and succession planning Organisational capability assessment The Capability Framework is based on the Department of Defence Development and Competency Assessment Framework for Cyber Security practitioners and mapped against the security capability groups defined by the Australian Public Service Commission. It is structured against four capability groups: Service Delivery Information Security Technology Audit Emerging Technology Monitoring Service Delivery and Information Security have a number of sub-components that further define the capability. The Capability Framework standardises expectations of competency, skills and performance within the sphere of Cyber Security. The Capability Framework describes expectations of competence in a generic way, so that it can be applied to any individual in any job in any area of Cyber Security. It is important to remember that the capabilities outlined in the Capability Framework will apply differently to each employee depending on the specific requirements of their position. For example, although the capability Service Delivery is relevant to all staff, the specific competencies, skills and behaviours that would be expected in terms of this capability will vary across jobs as a function of the role and the environment in which the job is performed. Because the framework is a generic document, not every aspect of each capability will be required for every job at a given classification level. The Capability Framework should be used, in conjunction with job-specific information, to guide the specific capability expectations of employees in Cyber Security positions. It should also be noted that the Cyber Security Capability Framework describes those capabilities that are specifically related to the information security aspects of a job and it should be used in conjunction with the five APSC ILS Capabilities: Strategic Thinking, Achieving Results, Productive Working Relationships, Personal Drive and Integrity and Communicating with Influence. Produced for AGIMO by Workplace Research Associates Pty Ltd 2010 Page 7

8 SERVICE DELIVERY The authorisation and monitoring of access to IT facilities or infrastructure in accordance with established organisational policy. Includes investigation of unauthorised access, compliance with relevant legislation and the performance of other administrative duties relating to security management. APS 3/4 APS 5 APS 6 Supports System Security 1. Performs information security related support functions for the organisation s network. 2. Applies organisational instructions and preestablished guidelines to perform information security tasks within the organisation s computing environment. 3. Applies appropriate access controls and privileges to an organisation s computing environment. 4. Recognises a potential security violation. 5. Takes appropriate action to report incidents as required by procedure and, where applicable, legislation, in order to avert any effect from it. 6. Complies with system shutdown procedures 7. Supports Government Information Security Manual (ISM) password complexity and frequency of change policies. Delivers Service Excellence 1. Provides end user information security support. 2. Implements online warnings, or other such devices to inform others about access rules of the organisation s computing environment. Supports System Security 1. Investigates minor security breaches in accordance with established procedures. 2. Works with other administrator level and technical staff to resolve information security problems. 3. Applies appropriate access controls and privileges to an organisation s computing environment. 4. Determines when security issues should be escalated to a higher level. 5. Maintains agreed security records and documentation. 6. Reviews logs as per logging procedures. Delivers Service Excellence 1. Assists users in defining their access rights and privileges, and operates agreed logical access controls and security systems. 2. Manages accounts, network rights and access. 3. Demonstrates effective communication of security issues to business managers and others. Leads and Develops People 1. Provides on the job training for junior personnel. Supports System Security 1. Investigates identified security breaches in accordance with established procedures and recommends any required actions. 2. Examines potential security violations to determine if the network environment security policy has been breached, assesses the impact and if appropriate preserves evidence. 3. Analyses patterns of non-compliance (potential breaches) and takes appropriate administrative or technological action to minimise security risks and insider threats. 4. Maintains security records and documentation. Delivers Service Excellence 1. Assists users in defining their access rights and privileges, and administers logical access controls and security systems. 2. Coordinates and ensures end user support for all infrastructure applications and operations. 3. Implements the organisation s information security related customer support policies, procedures and standards. Leads and Develops People 1. Leads a small team to quickly and completely solve information security problems for the organisation. 2. Provides on the job training for junior personnel. Produced for AGIMO by Workplace Research Associates Pty Ltd 2010 Page 8

9 SERVICE DELIVERY The authorisation and monitoring of access to IT facilities or infrastructure in accordance with established organisational policy. Includes investigation of unauthorised access, compliance with relevant legislation and the performance of other administrative duties relating to security management. EL 1 EL 2 Supports System Security 1. Reviews information systems for actual or potential breaches in security and ensures that all identified breaches in security are promptly and thoroughly investigated. 2. Ensures that security records are accurate and complete including certification documentation. Delivers Service Excellence 1. Develops and manages customer service performance requirements for information security Leads and Develops People 1. Provides on the job training and coaching for team members. Supports Shared Purpose and Direction 1. Drafts and maintains the policy, standards, procedures and documentation for security. 2. Interprets security policy and contributes to development of standards and guidelines that comply with this. 3. Monitors contract performance and reviews deliverables and contract requirements related to organisational information technology security and privacy. Supports System Security 1. Reviews reports on, or analyses information on, security incidents and patterns to determine remedial actions to correct vulnerabilities. Delivers Service Excellence 1. Develops and manages customer service performance requirements for information security. 2. Ensures information ownership responsibilities are established for each information system and implements a role based access scheme. Leads and Develops People 1. Performs project management duties where appropriate. 2. Directs the implementation of appropriate operational structures and processes to ensure an effective information security program. 3. Oversees an information security section. 4. Acts as a mentor. Supports Shared Purpose and Direction 1. Develops strategies for ensuring the security of automated systems. 2. Develops ICT Security direction and policy. 3. Ensures that the policy and standards for security are fit for purpose, current and are correctly implemented. 4. Reviews new business proposals and provides specialist advice on security issues and implications. 5. Advises the appropriate stakeholders of changes affecting the organisation s information technology security posture Produced for AGIMO by Workplace Research Associates Pty Ltd 2010 Page 9

10 INFORMATION SECURITY The management of, and provision of expert advice on, the selection, design, justification, implementation and operation of information security controls and management strategies to maintain the confidentiality, integrity, availability, accountability and relevant compliance of information systems APS 3/4 APS 5 APS 6 Applies Technical Proficiency 1. Implements response actions in reaction to security incidents. 2. Applies organisation s established information security procedures and safeguards and complies with responsibilities of assignment. 3. Adheres to information security laws and regulations in order to support functional operations of the network environment. 4. Configures, optimises and tests network file servers, hubs, routers and switches to ensure they comply with the organisation s security policy, procedures, government legislation and guidelines, and the organisation s technical requirements prior to deployment. 5. Recommends information security related repairs or changes in the network environment. 6. Supports security tests and evaluations. 7. Understands and implements basic technical vulnerability corrections. 8. Conducts tests of information security safeguards for the organisation s computer environment, in accordance with implementation plans, standard operating environment procedures, and security section directives. Analyses and Evaluates 1. Understands, applies and maintains specific security controls as required by organisational policy and local risk assessments to maintain confidentiality, integrity and availability of business information systems and to enhance resilience to unauthorised access. 2. Diagnoses and resolves information security problems in response to reported incidents. Applies Technical Proficiency 1. Recognises when an IT network/system has been attacked, and takes immediate action to limit damage assesses the impact and if appropriate preserves evidence. 2. Installs and operates IT systems in the organisation s computer environment in a test configuration manner that does not alter the program code or compromise security safeguards. 3. Assesses the performance of information security controls within the network. 4. Supports, monitors, tests and troubleshoots hardware and software information security problems pertaining to the organisation s computing environment. 5. Implements applicable patches for the organisation s computing environment. Analyses and Evaluates 1. Conducts security risk assessments for defined business applications or IT installations in defined areas, and provides advice and guidance on the application and operation of elementary physical, procedural and technical security controls 2. Monitors and evaluates the effectiveness of the organisation s information security procedures and safeguards for the infrastructure. Applies Technical Proficiency 1. Assists in the gathering and preservation of evidence, maintaining evidentiary integrity. 3. Directs the implementation of appropriate operational structures and processes to ensure an effective information security program for the infrastructure, including boundary defence, incident detection and response, and key management. 5. Designs and installs perimeter defence systems including IDS, firewalls, grid sensors, etc and, under direction, enhances the rule sets to block sources of malicious traffic. 6. Installs, tests, maintains, and upgrades network operating systems software and hardware to ensure they comply with information security requirements. 7. Notifies and schedules information security related repairs within the organisation s network environment. 8. Writes and maintains scripts required to ensure security of the organisation s infrastructure. Produced for AGIMO by Workplace Research Associates Pty Ltd 2010 Page 10

11 INFORMATION SECURITY The management of, and provision of expert advice on, the selection, design, justification, implementation and operation of information security controls and management strategies to maintain the confidentiality, integrity, availability, accountability and relevant compliance of information systems EL 1 EL 2 Analyses and Evaluates 1. Conducts security risk assessments for business applications and computer installations; provides authoritative advice and guidance on security strategies to manage the identified risk. 2. Investigates major breaches of security, and recommends appropriate control improvements. 3. Writes and publishes reports on incident outcomes and distributes to appropriate stakeholders. 4. Analyses information security incidents and patterns to determine remedial actions to correct vulnerabilities. 5. Monitors and evaluates the effectiveness of the organisation s information security procedures and safeguards for the infrastructure. 6. Develops and implements the necessary security plans and procedural documentation to ensure that information security incidents are avoided during shutdown and long term protection of archived resources is achieved. 7. Formulates or provides input to the organisation s information security budget. Applies Technical Proficiency 1. Ensures that any system changes required to maintain security are implemented. 2. Recommends and schedules information security related repairs, upgrades or project tasks within the organisation s environment. 3. Writes and maintains scripts required to ensure security of the infrastructure s environment. 4. Provides direction to system developers regarding correction of security problems identified during testing. 5. Plans and schedules the installation of new or modified hardware, operating systems, and software applications ensuring integration with information security requirements for the infrastructure. 6. Schedules and performs regular and special backups on all infrastructure systems. Analyses and Evaluates 1. Specifies organisational procedures for the assessment of an activity, process, product or service, against recognised criteria, such as ISO Provides leadership and guidelines on information assurance security expertise for the organisation, working effectively with strategic organisational functions such as legal experts and technical support to provide authoritative advice and guidance on the requirements for security controls. 3. Reviews security plans and procedural documentation to ensure that information security incidents are avoided during shutdown and long term protection of archived resources is achieved. 4. Formulates the organisation s information security budget Applies Technical Proficiency 1. Evaluates and approves development efforts to ensure that baseline security safeguards are appropriately installed. 2. Provides for restoration of information systems by ensuring that protection, detection, and reaction capabilities are incorporated. 3. Recommends and schedules more complex repairs, upgrades or project tasks. 4. Validates the planning and scheduling of the installation of new or modified hardware, operating systems, and software applications ensuring integration with information security requirements for the infrastructure. Produced for AGIMO by Workplace Research Associates Pty Ltd 2010 Page 11

12 TECHNOLOGY AUDIT The independent, risk-based assessment of the adequacy and integrity of controls in information processing systems, including hardware, software solutions, information management systems, security systems and tools, communications technologies both web-based and physical. The structured analysis of the risks to achievement of business objectives, including the risk that the organisation fails to make effective use of new technology to improve delivery and internal effectiveness. APS 3/4 APS 5 APS 6 1. Enters assets in an asset management and tracking system. 2. Assists with basic risk assessments for small information systems. 3. Conducts audits of physical components that support information system security. 1. Ensures that the hardware, software, data and facility resources are archived, sanitised or disposed of in a manner consistent with system security plans and government requirements. 2. Assists in the performance of system audits to assess security related factors within the organisation s network environment. 3. Analyses system performance for potential security problems. 4. Performs basic risk assessments for small information systems. 5. Ensures application and system developments comply with organisational standards for logging, including content, format and location. 1. Ensures that the hardware, software, data and facility resources are archived, sanitised or disposed of in a manner consistent with system security plans and government requirements. 2. Examines infrastructure vulnerabilities and determines actions to mitigate them. Develops and applies effective vulnerability countermeasures. 3. Analyses information security vulnerability bulletins for their potential impact on the computing or network environment, and takes or recommends appropriate action. 4. Perform system audits to assess security related factors within the network environment. 5. Performs risk assessment, and business impact analysis for medium size information systems. 6. Establishes logging procedures to include important events; services and proxies; log archiving facility. Produced for AGIMO by Workplace Research Associates Pty Ltd 2010 Page 12

13 TECHNOLOGY AUDIT The independent, risk-based assessment of the adequacy and integrity of controls in information processing systems, including hardware, software solutions, information management systems, security systems and tools, communications technologies both web-based and physical. The structured analysis of the risks to achievement of business objectives, including the risk that the organisation fails to make effective use of new technology to improve delivery and internal effectiveness. EL 1 EL 2 1. Evaluates functional operation and performance in light of test results and makes recommendations regarding certification or accreditation. 2. Examines vulnerabilities and determines actions to mitigate them. Develops and applies effective vulnerability countermeasures. 3. Analyses information security vulnerability bulletins for their potential impact on the computing or network environment, and takes or recommends appropriate action. 4. Performs risk assessment, business impact analysis and accreditation for all major information systems within the organisation. 5. Interprets patterns of non-compliance to determine their impact on levels of risk and/or overall effectiveness of the organisation s information technology security program. 6. Oversees the development of organisational logging standards to comply with audit requirements. 1. Develops plans for risk-based audit coverage of technology systems for inclusion in audit planning and uses experience to ensure audit coverage is sufficient to provide the business with assurance of adequacy and integrity. 2. Leads and manages complex technical audits, managing specialists contracted to contribute highly specialised technical knowledge and experience. 3. Identifies areas of risk and specifies interrogation programs. Recommends changes in processes and control procedures based on audit findings, including, where appropriate, the assessment of safety-related software systems to determine compliance with standards and required levels of safety integrity. 4. Provides general and specific advice, and authorises the issue of formal reports to management on the effectiveness and efficiency of control mechanisms. 5. Reviews or develops effective vulnerability countermeasures 6. Reviews the report of, or participates in, an information security risk assessment or review. 7. Oversees the development of the audit planning process. Produced for AGIMO by Workplace Research Associates Pty Ltd 2010 Page 13

14 EMERGING TECHNOLOGY MONITORING The identification of new and emerging hardware, software and communication technologies and products, services, methods and techniques and the assessment of their relevance and potential value to an organisation. The promotion of emerging technology awareness among staff and business management. APS 3/4 APS 5 APS 6 1. Assists in the monitoring of new technologies and has a basic understanding of the way in which these might be incorporated into the organisation s computer environment 1. Is aware of new technology and its possible relevance for the organisation s computer environment. 2. Assists in the monitoring of the market to gain knowledge and understanding of currently emerging technologies. 1. Is aware of new technology and its relevance for the organisation s computer environment. 2. Monitors the market to gain knowledge and understanding of currently emerging technologies. 3. Identifies new and emerging hardware and software technologies and products based on own area of expertise. Produced for AGIMO by Workplace Research Associates Pty Ltd 2010 Page 14

15 EMERGING TECHNOLOGY MONITORING The identification of new and emerging hardware, software and communication technologies and products, services, methods and techniques and the assessment of their relevance and potential value to an organisation. The promotion of emerging technology awareness among staff and business management. EL 1 EL 2 8. Monitors the market to gain knowledge and understanding of currently emerging technologies. 9. Identifies new and emerging hardware and software technologies and products based on own area of expertise, assesses their relevance and potential value to the organisation, contributes to briefings of staff and management. 10. Develops network security requirements specific to an acquisition for inclusion in procurement documents 1. Co-ordinates the identification and assessment of new and emerging hardware, software and communication technologies, products, methods and techniques. 2. Evaluates likely relevance of these for the organisation. Provides regular briefings to staff and management. 3. Interprets and/or approves security requirements as they relate to the capabilities of new information technologies, taking into account organisational policies and government guidelines and legislation. 4. Ensures that protection and detection capabilities are acquired or developed using an engineering approach and are consistent with the organisation s information technology security architecture. 5. Identifies security program implications of new technologies or technology upgrades. Produced for AGIMO by Workplace Research Associates Pty Ltd 2010 Page 15

16 PART 2 Australian Government Information Security Manual The second part of the project was mapping of the Chief Information Security Officer, IT Security Manager and IT Security Officer roles from the Australian Government Information Security Manual (ISM) to the competencies originally in the DeCAF, now embedded into the Cyber Security Capability Framework. The ISM provides a framework that enables agencies to address both new and existing security risks to systems. The manual sets down minimum requirements for information security and describes a number of roles within the security environment. These include the three roles outlined for mapping: The target audience for this manual is information security practitioners within, or contracted to, an agency. This includes, but is not limited to: security executives / chief information security officers (CISOs) agency security advisors (ASAs) information technology security advisors (ITSAs) information technology security managers (ITSMs) information technology security officers (ITSOs), and infosec-registered assessors. The roles in the manual are described in terms of the context, risks and controls that should be accounted for within the roles plus a rationale for appointing each of the roles. Mapping of the roles At the original workshop validating the DeCAF competencies mapped onto the APSC ICT Capabilities, workshop participants reported high consensus that the DeCAF document described competencies up to and including the EL2 level of classification. Therefore, the resultant Cyber Security Capability Framework did not extend to the SES level. Upon examination of the roles, it was noted that the Chief Information Security Officer role should be appointed at the Senior Executive Service level and is described as being responsible for co-ordination of security at a strategic level within the agency. Due to the high classification level of this role, it was decided that the role would not be mapped against the Capability Framework. The remaining three roles, the IT Security Advisor, the IT Security Manager and the IT Security Officer were mapped at the EL2 and EL1 levels. This process involved examination of the responsibilities of each role as set out in the ISM and comparison of these with those competencies previously mapped to the Cyber Security Capability Framework. Areas of overlap were noted and duplication avoided. Where new competencies were identified these were included in the final mapping. As noted in Part 1, this document was then sent out for comment and feedback as part of the final consultation round of the Cyber Security Capability Framework. Feedback received was incorporated into the final versions of the mapped roles which are presented below. Produced for AGIMO by Workplace Research Associates Pty Ltd 2010 Page 16

17 INFORMATION TECHNOLOGY SECURITY MANAGER/ADVISOR Overview of the role Staff in this role work report directly to the Chief Information Officer (CISO). ITSAs and ITSMs are executives within an agency that act as a conduit between the strategic directions provided by the CISO and the technical efforts of Information Technology Security Officers. The main area of responsibility of an ITSA/ITSM is that of the administrative controls relating to information security within the agency. ITSA/ITSMs should not have additional responsibilities beyond those needed to fulfil the role and the role should be undertaken by personnel with an appropriate level of authority based on the size of the agency or their area of responsibility within an agency. Where there are multiple ITSMs within an agency, there must also be a designated ITSA (Information Technology Security Advisor). Where there is only one ITSM within an agency, that role automatically includes the role of ITSA. The ITSA is responsible for the coordination and oversight of other ITSMs within the agency and has overall responsibility for information technology security management. In all other respects, the ITSA has the same role responsibilities as an ITSM. In some agencies the ITSA may be appointed at the EL2 level while the ITSMs are appointed at the EL1 level. ITSMs may also be appointed at the EL2 level where appropriate. ITSA/ITSMs must be cleared for access to all information processed by the agency s systems and able to be briefed into any compartmented information on the agency s systems. Required capabilities Service Delivery Supports System Security 1. Reviews reports on, or analyses information on, security incidents and patterns to determine remedial actions to correct vulnerabilities. Delivers Service Excellence 1. Develops and manages customer service performance requirements for information security. 2. Ensures information ownership responsibilities are established for each information system and implements a role based access scheme. 3. Liaises with stakeholders to establish mutually acceptable contracts and service agreements. Leads and Develops People 1. Performs project management duties where appropriate. 2. Directs the implementation of appropriate operational structures and processes to ensure an effective information security program. 3. Provides direction to system developers and architects. 4. Oversees an information security section. 5. Acts as a mentor 6. Co-ordinates communication, awareness and training in information security for the agency Supports Shared Purpose and Direction 1. Develops strategies for ensuring the security of automated systems. 2. Ensures that the policy and standards for security are fit for purpose, current and are correctly implemented. 3. Reviews new business proposals and provides specialist advice on security issues and implications. 4. Advises the appropriate stakeholders of changes affecting the organisation s information technology security posture. 5. Works with system owners to determine appropriate information security policies for their systems and to respond to recommendations from audits. 6. Works with system owners to obtain and maintain the accreditation of their systems. 7. Provides technical advice to committees, including other agency and inter-agency committees as required. 8. Maintains security knowledge base. Produced for AGIMO by Workplace Research Associates Pty Ltd 2010 Page 17

18 Information Security Analyses and Evaluates 1. Specifies organisational procedures for the assessment of an activity, process, product or service, against recognised criteria, such as ISO Provides leadership and guidelines on information assurance security expertise for the organisation, working effectively with strategic organisational functions such as legal experts and technical support to provide authoritative advice and guidance on the requirements for security controls. 3. Reviews security plans and procedural documentation, including disaster recovery plans, to ensure that information security incidents are avoided during shutdown and long term protection of archived resources is achieved. Technology Audit 1. Develops plans for risk-based audit coverage of technology systems for inclusion in audit planning and uses experience to ensure audit coverage is sufficient to provide the business with assurance of adequacy and integrity. 2. Leads and manages complex technical audits, managing specialists contracted to contribute highly specialised technical knowledge and experience. 3. Identifies areas of risk and specifies interrogation programs. Recommends changes in processes and control procedures based on audit findings, including, where appropriate, the assessment of safety-related software systems to determine compliance with standards and required levels of safety integrity. Emerging Technology Monitoring 1. Co-ordinates the identification and assessment of new and emerging hardware, software and communication technologies, products, methods and techniques. 2. Evaluates likely relevance of these for the organisation. Provides regular briefings to staff and management. 3. Works with the CISO to formulate the organisation s information security budget. 4. Interprets and/or approves security requirements as they relate to the capabilities of new information technologies, taking into account organisational policies and government guidelines and legislation. Applies Technical Proficiency 1. Evaluates and approves development efforts to ensure that baseline security safeguards are appropriately installed. 2. Provides for restoration of information systems by ensuring that protection, detection, and reaction capabilities are incorporated. 3. Recommends and schedules information security related repairs within the organisation s infrastructure and undertakes more complex repairs. 4. Validates the planning and scheduling of the installation of new or modified hardware, operating systems, and software applications ensuring integration with information security requirements for the infrastructure. 4. Provides general and specific advice, and authorises the issue of formal reports to management on the effectiveness and efficiency of control mechanisms. 5. Reviews or develops effective vulnerability countermeasures 6. Reviews the report of, or participates in, an information security risk assessment or review. 7. Oversees the development of the audit planning process. 8. Reports to senior managers on technical aspects of information security management, and compliance with and enforcement of policies across the agency. 5. Ensures that protection and detection capabilities are acquired or developed using an engineering approach and are consistent with the organisation s information technology security architecture. 6. Identifies security program implications of new technologies or technology upgrades. Produced for AGIMO by Workplace Research Associates Pty Ltd 2010 Page 18

19 INFORMATION TECHNOLOGY SECURITY OFFICER Overview of the role Staff in this role work report directly to the Information Technology Security Manager (ITSM). The ITSO role may be combined with that of the ITSM in small agencies. Agencies may also chose to have this role performed by existing system administrators with an additional reporting chain to an ITSM for the information security aspects of their role. Agencies may also choose to have the responsibilities of an ITSO undertaken externally as part of outsourcing of their ICT services. ITSOs should not have additional responsibilities beyond those needed to fulfil the role and the role should be undertaken by personnel with an appropriate level of authority based on the size of the agency or their area of responsibility within an agency. Where an ITSO is appointed by the agency, it would be expected that this position would be as an Executive Level 1 officer. ITSOs must be cleared for access to all information processed by the agency s systems and able to be briefed into any compartmented information on the agency s systems. Required capabilities Service Delivery Supports System Security 1. Reviews information systems for actual or potential breaches in security and ensures that all identified breaches in security are promptly and thoroughly investigated. 2. Ensures that security records are accurate and complete including certification documentation. 3. Validates and authorises user and access administration on systems in accordance with the defined policies, standards and procedures of the agency. 4. Ensures patches are applied and removes known system weaknesses in accordance with information security policies and standards. Delivers Service Excellence 1. Develops and manages customer service performance requirements for information security 2. Assists operational staff to locate and repair information security problems and failures. Leads and Develops People 1. Provides direction to system developers regarding correction of security problems identified during testing. 2. Provides on the job training and coaching for team members. Supports Shared Purpose and Direction 1. Drafts and maintains the policy, standards, procedures and documentation for security. 2. Interprets security policy and contributes to development of standards and guidelines that comply with this. 3. Monitors contract performance and reviews deliverables and contract requirements related to organisational information technology security and privacy. 4. Communicates with system owners and personnel to increase their awareness of applicable information security policies and standards. Produced for AGIMO by Workplace Research Associates Pty Ltd 2010 Page 19

20 Information Security Analyses and Evaluates 1. Conducts security risk assessments for business applications and computer installations; provides authoritative advice and guidance on security strategies to manage the identified risk. 2. Investigates major breaches of security, and recommends appropriate control improvements. 3. Writes and publishes reports on incident outcomes and distributes to appropriate stakeholders. 4. Analyses information security incidents and patterns to determine remedial actions to correct vulnerabilities. 5. Monitors and evaluates the effectiveness of the organisation s information security procedures and safeguards for the infrastructure. 6. Develops and implements the necessary security plans and procedural documentation, including disaster recovery plans, to ensure that information security incidents are avoided during shutdown and long term protection of archived resources is achieved. 7. Reports unresolved network security exposures, misuse of resources or noncompliance situations to an ITSM. Technology Audit 1. Evaluates functional operation and performance in light of test results and makes recommendations regarding certification or accreditation. 2. Examines vulnerabilities and determines actions to mitigate them. Develops and applies effective vulnerability countermeasures. 3. Analyses information security vulnerability bulletins for their potential impact on the computing or network environment, and takes or recommends appropriate action. Emerging Technology Monitoring 1. Monitors the market to gain knowledge and understanding of currently emerging technologies. 2. Identifies new and emerging hardware and software technologies and products based on own area of expertise, assesses their relevance and potential value to the organisation, contributes to briefings of staff and management. Applies Technical Proficiency 1. Ensures that any system changes required to maintain security are implemented. 2. Recommends and schedules information security related repairs, upgrades or project tasks within the organisation s environment. 3. Writes and maintains scripts required to ensure security of the infrastructure s environment. 4. Plans and schedules the installation of new or modified hardware, operating systems, and software applications ensuring integration with information security requirements for the infrastructure. 5. Schedules and performs regular and special backups on all infrastructure systems. 4. Performs risk assessment, business impact analysis and accreditation for all major information systems within the organisation. 5. Interprets patterns of non-compliance to determine their impact on levels of risk and/or overall effectiveness of the organisation s information technology security program. 6. Oversees the development of organisational logging standards to comply with audit requirements. 7. Manages and audits system event logs. 3. Formulates or provides input to the organisation s information security budget. 4. Develops network security requirements specific to an acquisition for inclusion in procurement documents Produced for AGIMO by Workplace Research Associates Pty Ltd 2010 Page 20

Information System Audit Guide

Information System Audit Guide Australian Government Department of Defence Information System Audit Guide VERSION 11.1 January 2012 Commonwealth of Australia 2011 Page 1 TABLE OF CONTENTS 1. INTRODUCTION TO ACCREDITATION...4 2. THE

More information

Please note this policy is mandatory and staff are required to adhere to the content

Please note this policy is mandatory and staff are required to adhere to the content Policy ICT Security Please note this policy is mandatory and staff are required to adhere to the content Summary DECD is committed to ensuring its information is appropriately managed according to the

More information

INFORMATION TECHNOLOGY SECURITY STANDARDS

INFORMATION TECHNOLOGY SECURITY STANDARDS INFORMATION TECHNOLOGY SECURITY STANDARDS Version 2.0 December 2013 Table of Contents 1 OVERVIEW 3 2 SCOPE 4 3 STRUCTURE 5 4 ASSET MANAGEMENT 6 5 HUMAN RESOURCES SECURITY 7 6 PHYSICAL AND ENVIRONMENTAL

More information

Information security controls. Briefing for clients on Experian information security controls

Information security controls. Briefing for clients on Experian information security controls Information security controls Briefing for clients on Experian information security controls Introduction Security sits at the core of Experian s operations. The vast majority of modern organisations face

More information

Information Security Handbook

Information Security Handbook Information Security Handbook Adopted 6/4/14 Page 0 Page 1 1. Introduction... 5 1.1. Executive Summary... 5 1.2. Governance... 5 1.3. Scope and Application... 5 1.4. Biennial Review... 5 2. Definitions...

More information

Information Security Program CHARTER

Information Security Program CHARTER State of Louisiana Information Security Program CHARTER Date Published: 12, 09, 2015 Contents Executive Sponsors... 3 Program Owner... 3 Introduction... 4 Statewide Information Security Strategy... 4 Information

More information

JOB DESCRIPTION CONTRACTUAL POSITION

JOB DESCRIPTION CONTRACTUAL POSITION Ref #: IT/P /01 JOB DESCRIPTION CONTRACTUAL POSITION JOB TITLE: INFORMATION AND COMMUNICATIONS TECHNOLOGY (ICT) SECURITY SPECIALIST JOB SUMMARY: The incumbent is required to provide specialized technical

More information

CYBER SECURITY AND RISK MANAGEMENT. An Executive level responsibility

CYBER SECURITY AND RISK MANAGEMENT. An Executive level responsibility CYBER SECURITY AND RISK MANAGEMENT An Executive level responsibility Cyberspace poses risks as well as opportunities Cyber security risks are a constantly evolving threat to an organisation s ability to

More information

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL for INFORMATION RESOURCES Updated: June 2007 Information Resources Security Manual 1. Purpose of Security Manual 2. Audience 3. Acceptable

More information

Newcastle University Information Security Procedures Version 3

Newcastle University Information Security Procedures Version 3 Newcastle University Information Security Procedures Version 3 A Information Security Procedures 2 B Business Continuity 3 C Compliance 4 D Outsourcing and Third Party Access 5 E Personnel 6 F Operations

More information

Information Security Registered Assessors Program - Gatekeeper PKI Framework Guide

Information Security Registered Assessors Program - Gatekeeper PKI Framework Guide Information Security Registered Assessors Program - Gatekeeper PKI Framework Guide V2.0 NOVEMBER 2014 Information Security Registered Assessors Program - Gatekeeper PKI Framework Guide V 2.0 NOVEMBER

More information

INFORMATION SECURITY POLICY DOCUMENT. The contents of this document are classified as DC 1 Private information

INFORMATION SECURITY POLICY DOCUMENT. The contents of this document are classified as DC 1 Private information 6 th Floor, Tower A, 1 CyberCity, Ebene, Mauritius T + 230 403 6000 F + 230 403 6060 E ReachUs@abaxservices.com INFORMATION SECURITY POLICY DOCUMENT Information Security Policy Document Page 2 of 15 Introduction

More information

Domain 1 The Process of Auditing Information Systems

Domain 1 The Process of Auditing Information Systems Certified Information Systems Auditor (CISA ) Certification Course Description Our 5-day ISACA Certified Information Systems Auditor (CISA) training course equips information professionals with the knowledge

More information

NSW Government Digital Information Security Policy

NSW Government Digital Information Security Policy NSW Government Digital Information Security Policy Version: 2.0 Date: April 2015 CONTENTS PART 1 PRELIMINARY... 3 1.1 Scope... 3 1.2 Application... 3 1.3 Objectives... 3 PART 2 POLICY STATEMENT... 4 Core

More information

Information Security Policies. Version 6.1

Information Security Policies. Version 6.1 Information Security Policies Version 6.1 Information Security Policies Contents: 1. Information Security page 3 2. Business Continuity page 5 3. Compliance page 6 4. Outsourcing and Third Party Access

More information

Third Party Identity Services Assurance Framework. Information Security Registered Assessors Program Guide

Third Party Identity Services Assurance Framework. Information Security Registered Assessors Program Guide Third Party Identity Services Assurance Framework Information Security Registered Assessors Program Guide Version 2.0 December 2015 Digital Transformation Office Commonwealth of Australia 2015 This work

More information

Data Privacy Framework

Data Privacy Framework Data Privacy Framework Table of Contents 1. INTRODUCTION...4 2. SCOPE & DEFINITIONS...4 2.1 SCOPE OF THE DATA PRIVACY FRAMEWORK...4 2.2 DEFINITIONS...4 3. SECURITY ORGANIZATION & RESPONSIBILITIES...4 3.1

More information

Australian Government Information Security Manual CONTROLS

Australian Government Information Security Manual CONTROLS 2014 Australian Government Information Security Manual CONTROLS 2014 Australian Government Information Security Manual CONTROLS Commonwealth of Australia 2014 All material presented in this publication

More information

developing your potential Cyber Security Training

developing your potential Cyber Security Training developing your potential Cyber Security Training The benefits of cyber security awareness The cost of a single cyber security incident can easily reach six-figure sums and any damage or loss to a company

More information

POSITION INFORMATION DOCUMENT

POSITION INFORMATION DOCUMENT POSITION INFORMATION DOCUMENT Position Title: Manager, ICT Continuity Planning Classification Code: ASO7 Division: ICT Services Directorate: ICT Operations Type of Appointment: Branch: ICT Security Ongoing

More information

NSERC SSHRC AUDIT OF IT SECURITY Corporate Internal Audit Division

NSERC SSHRC AUDIT OF IT SECURITY Corporate Internal Audit Division AUDIT OF IT SECURITY Corporate Internal Audit Division Natural Sciences and Engineering Research Council of Canada Social Sciences and Humanities Research Council of Canada September 20, 2012 Corporate

More information

Rotherham CCG Network Security Policy V2.0

Rotherham CCG Network Security Policy V2.0 Title: Rotherham CCG Network Security Policy V2.0 Reference No: Owner: Author: Andrew Clayton - Head of IT Robin Carlisle Deputy - Chief Officer D Stowe ICT Security Manager First Issued On: 17 th October

More information

NSW Government Digital Information Security Policy

NSW Government Digital Information Security Policy NSW Government Digital Information Security Policy Version: 1.0 Date: November 2012 CONTENTS PART 1 PRELIMINARY... 3 1.1 Scope... 3 1.2 Application... 3 1.3 Objectives... 3 PART 2 CORE REQUIREMENTS...

More information

Build (develop) and document Acceptance Transition to production (installation) Operations and maintenance support (postinstallation)

Build (develop) and document Acceptance Transition to production (installation) Operations and maintenance support (postinstallation) It is a well-known fact in computer security that security problems are very often a direct result of software bugs. That leads security researches to pay lots of attention to software engineering. The

More information

ICT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY

ICT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY ICT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY Version 1.0 Ratified By Date Ratified Author(s) Responsible Committee / Officers Issue Date Review Date Intended Audience Impact Assessed CCG Committee

More information

INFORMATION TECHNOLOGY ENGINEER V

INFORMATION TECHNOLOGY ENGINEER V 1464 INFORMATION TECHNOLOGY ENGINEER V NATURE AND VARIETY OF WORK This is senior level lead administrative, professional and technical engineering work creating, implementing, and maintaining the County

More information

Version 1.0. Ratified By

Version 1.0. Ratified By ICT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY Version 1.0 Ratified By Date Ratified 5 th March 2013 Author(s) Responsible Committee / Officers Issue Date 5 th March 2013 Review Date Intended Audience

More information

Introduction. The steps involved in using this tool

Introduction. The steps involved in using this tool Introduction This tool is designed to cover all the relevant control areas of ISO / IEC 27001:2013. All sorts of organisations and Because it is a general tool, you may find the language challenging at

More information

Please Note: Temporary Graduate 485 skills assessments applicants should only apply for ANZSCO codes listed in the Skilled Occupation List above.

Please Note: Temporary Graduate 485 skills assessments applicants should only apply for ANZSCO codes listed in the Skilled Occupation List above. ANZSCO Descriptions This ANZSCO description document has been created to assist applicants in nominating an occupation for an ICT skill assessment application. The document lists all the ANZSCO codes that

More information

---Information Technology (IT) Specialist (GS-2210) IT Security Competency Model---

---Information Technology (IT) Specialist (GS-2210) IT Security Competency Model--- ---Information Technology (IT) Specialist (GS-2210) IT Security Model--- TECHNICAL COMPETENCIES Computer Forensics Knowledge of tools and techniques pertaining to legal evidence used in the analysis of

More information

Appendix A-2 Generic Job Titles for respective categories

Appendix A-2 Generic Job Titles for respective categories Appendix A-2 for respective categories A2.1 Job Category Software Engineering/Software Development Competency Level Master 1. Participate in the strategic management of software development. 2. Provide

More information

Cyber Attacks: Securing Agencies ICT Systems

Cyber Attacks: Securing Agencies ICT Systems The Auditor-General Audit Report No.50 2013 14 Performance Audit Cyber Attacks: Securing Agencies ICT Systems Across Agencies Australian National Audit Office Commonwealth of Australia 2014 ISSN 1036 7632

More information

IT Security Policy - Information Security Management System (ISMS)

IT Security Policy - Information Security Management System (ISMS) IT Security Policy - Information Security Management System (ISMS) Responsible Officer Contact Officer Vice-President, Finance & Operations Chief Digital Officer Superseded Documents IT Security Policy,

More information

Information Security Policy

Information Security Policy Information Security Policy Revised: September 2015 Review Date: September 2020 New College Durham is committed to safeguarding and promoting the welfare of children and young people, as well as vulnerable

More information

Information Security Policy September 2009 Newman University IT Services. Information Security Policy

Information Security Policy September 2009 Newman University IT Services. Information Security Policy Contents 1. Statement 1.1 Introduction 1.2 Objectives 1.3 Scope and Policy Structure 1.4 Risk Assessment and Management 1.5 Responsibilities for Information Security 2. Compliance 3. HR Security 3.1 Terms

More information

Australian Government Information Security Manual CONTROLS

Australian Government Information Security Manual CONTROLS 2015 Australian Government Information Security Manual CONTROLS 2015 Australian Government Information Security Manual CONTROLS Commonwealth of Australia 2015 All material presented in this publication

More information

Information Governance Strategy & Policy

Information Governance Strategy & Policy Information Governance Strategy & Policy March 2014 CONTENT Page 1 Introduction 1 2 Strategic Aims 1 3 Policy 2 4 Responsibilities 3 5 Information Governance Reporting Structure 4 6 Managing Information

More information

IT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY

IT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY IT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY Version 3.0 Ratified By Date Ratified April 2013 Author(s) Responsible Committee / Officers Issue Date January 2014 Review Date Intended Audience Impact

More information

Head of Information & Communications Technology Responsible work team: ICT Security. Key point summary... 2

Head of Information & Communications Technology Responsible work team: ICT Security. Key point summary... 2 Policy Procedure Information security policy Policy number: 442 Old instruction number: MAN:F005:a1 Issue date: 24 August 2006 Reviewed as current: 11 July 2014 Owner: Head of Information & Communications

More information

IT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY (for Cheshire CCGs)

IT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY (for Cheshire CCGs) IT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY (for Cheshire CCGs) Version 3.2 Ratified By Date Ratified November 2014 Author(s) Responsible Committee / Officers Issue Date November 2014 Review Date

More information

Issue 1.0. UoG/ILS/IS 001. Information Security and Assurance Policy. Information Security and Compliance Manager

Issue 1.0. UoG/ILS/IS 001. Information Security and Assurance Policy. Information Security and Compliance Manager Document Reference Number Date Title Author Owning Department Version Approval Date Review Date Approving Body UoG/ILS/IS 001 January 2016 Information Security and Assurance Policy Information Security

More information

05.0 Application Development

05.0 Application Development Number 5.0 Policy Owner Information Security and Technology Policy Application Development Effective 01/01/2014 Last Revision 12/30/2013 Department of Innovation and Technology 5. Application Development

More information

Security Awareness and Training

Security Awareness and Training T h e A u d i t o r - G e n e r a l Audit Report No.25 2009 10 Performance Audit A u s t r a l i a n N a t i o n a l A u d i t O f f i c e Commonwealth of Australia 2010 ISSN 1036 7632 ISBN 0 642 81115

More information

IM&T Infrastructure Security Policy. Document author Assured by Review cycle. 1. Introduction...3. 2. Policy Statement...3. 3. Purpose...

IM&T Infrastructure Security Policy. Document author Assured by Review cycle. 1. Introduction...3. 2. Policy Statement...3. 3. Purpose... IM&T Infrastructure Security Policy Board library reference Document author Assured by Review cycle P070 Information Security and Technical Assurance Manager Finance and Planning Committee 3 Years This

More information

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis Information Security Risk Assessment Checklist A High-Level Tool to Assist USG Institutions with Risk Analysis Updated Oct 2008 Introduction Information security is an important issue for the University

More information

NOS for Network Support (903)

NOS for Network Support (903) NOS for Network Support (903) November 2014 V1.1 NOS Reference ESKITP903301 ESKITP903401 ESKITP903501 ESKITP903601 NOS Title Assist with Installation, Implementation and Handover of Network Infrastructure

More information

WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY

WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY DATA LABEL: PUBLIC INFORMATION SECURITY POLICY CONTENTS 1. INTRODUCTION... 3 2. MAIN OBJECTIVES... 3 3. LEGISLATION... 4 4. SCOPE... 4 5. STANDARDS... 4

More information

University of Sunderland Business Assurance Information Security Policy

University of Sunderland Business Assurance Information Security Policy University of Sunderland Business Assurance Information Security Policy Document Classification: Public Policy Reference Central Register Policy Reference Faculty / Service IG 003 Policy Owner Assistant

More information

Third Party Security Requirements Policy

Third Party Security Requirements Policy Overview This policy sets out the requirements expected of third parties to effectively protect BBC information. Audience Owner Contacts This policy applies to all third parties and staff, including contractors,

More information

ULH-IM&T-ISP06. Information Governance Board

ULH-IM&T-ISP06. Information Governance Board Network Security Policy Policy number: Version: 2.0 New or Replacement: Approved by: ULH-IM&T-ISP06 Replacement Date approved: 30 th April 2007 Name of author: Name of Executive Sponsor: Name of responsible

More information

R345, Information Technology Resource Security 1

R345, Information Technology Resource Security 1 R345, Information Technology Resource Security 1 R345-1. Purpose: To provide policy to secure the private sensitive information of faculty, staff, patients, students, and others affiliated with USHE institutions,

More information

ISO27001 Controls and Objectives

ISO27001 Controls and Objectives Introduction This reference document for the University of Birmingham lists the control objectives, specific controls and background information, as given in Annex A to ISO/IEC 27001:2005. As such, the

More information

(NOTE: ALL BS7799 REFERENCES IN THIS DOCUMENT ARE FROM BS7799-2:1999 and SHOULD BE AMENDED TO REFLECT BS7799-2:2002)

(NOTE: ALL BS7799 REFERENCES IN THIS DOCUMENT ARE FROM BS7799-2:1999 and SHOULD BE AMENDED TO REFLECT BS7799-2:2002) (NOTE: ALL BS7799 REFERENCES IN THIS DOCUMENT ARE FROM BS7799-2:1999 and SHOULD BE AMENDED TO REFLECT BS7799-2:2002) 1. Approval and Authorisation Completion of the following signature blocks signifies

More information

National Occupational Standards. Compliance

National Occupational Standards. Compliance National Occupational Standards Compliance NOTES ABOUT NATIONAL OCCUPATIONAL STANDARDS What are National Occupational Standards, and why should you use them? National Occupational Standards (NOS) are statements

More information

Position Description

Position Description Position Description GMW is committed to: 1. Partnering with our customers 2. Creating the opportunity to increase food production in Northern Victoria 3. Being a high performing organisation DM Reference

More information

Cloud Computing and Records Management

Cloud Computing and Records Management GPO Box 2343 Adelaide SA 5001 Tel (+61 8) 8204 8773 Fax (+61 8) 8204 8777 DX:336 srsarecordsmanagement@sa.gov.au www.archives.sa.gov.au Cloud Computing and Records Management June 2015 Version 1 Version

More information

ICT Policy. Executive Summary. Date of ratification Executive Team Committee 22nd October 2013. Document Author(s) Collette McQueen

ICT Policy. Executive Summary. Date of ratification Executive Team Committee 22nd October 2013. Document Author(s) Collette McQueen ICT Policy THCCGIT20 Version: 01 Executive Summary This document defines the Network Infrastructure and File Server Security Policy for Tower Hamlets Clinical Commissioning Group (CCG). The Network Infrastructure

More information

IT General Controls Domain COBIT Domain Control Objective Control Activity Test Plan Test of Controls Results

IT General Controls Domain COBIT Domain Control Objective Control Activity Test Plan Test of Controls Results Acquire or develop application systems software Controls provide reasonable assurance that application and system software is acquired or developed that effectively supports financial reporting requirements.

More information

NORTH DAKOTA CLASS DESCRIPTION ND Human Resource Management Services Phone: (701) 328-3290

NORTH DAKOTA CLASS DESCRIPTION ND Human Resource Management Services Phone: (701) 328-3290 NORTH DAKOTA CLASS DESCRIPTION ND Human Resource Management Services Phone: (701) 328-3290 Class Code(s): 0117 0118 SCOPE OF WORK: INFORMATION SYSTEMS SECURITY ANALYST Work involves the completion of technical

More information

¼ããÀ ããè¾ã ¹ãÆãä ã¼ãîãä ã ããõà ãäìããä ã½ã¾ã ºããñ à Securities and Exchange Board of India

¼ããÀ ããè¾ã ¹ãÆãä ã¼ãîãä ã ããõà ãäìããä ã½ã¾ã ºããñ à Securities and Exchange Board of India CIRCULAR CIR/MRD/DP/13/2015 July 06, 2015 To, All Stock Exchanges, Clearing Corporation and Depositories. Dear Sir / Madam, Subject: Cyber Security and Cyber Resilience framework of Stock Exchanges, Clearing

More information

Spillemyndigheden s Certification Programme Information Security Management System

Spillemyndigheden s Certification Programme Information Security Management System SCP.03.00.EN.1.0 Table of contents Table of contents... 2 1 Objectives of the... 3 1.1 Scope of this document... 3 1.2 Version... 3 2 Certification... 3 2.1 Certification frequency... 3 2.1.1 Initial certification...

More information

Information Security Policy

Information Security Policy Information Security Policy Author: Responsible Lead Executive Director: Endorsing Body: Governance or Assurance Committee Alan Ashforth Alan Lawrie ehealth Strategy Group Implementation Date: September

More information

Aberdeen City Council IT Security (Network and perimeter)

Aberdeen City Council IT Security (Network and perimeter) Aberdeen City Council IT Security (Network and perimeter) Internal Audit Report 2014/2015 for Aberdeen City Council August 2014 Internal Audit KPIs Target Dates Actual Dates Red/Amber/Green Commentary

More information

UBC Incident Response Plan

UBC Incident Response Plan UBC Incident Response Plan Contents 1. Rationale... 1 2. Objective... 1 3. Application... 1 4. Definitions... 1 4.1 Types of Incidents... 1 4.2 Incident Severity... 2 4.3 Information Security Unit... 2

More information

XXX000YY Certificate IV in Government Security

XXX000YY Certificate IV in Government Security XXX000YY Certificate IV in Government Security XXX000YY Certificate IV in Government Security Description This qualification allows for the attainment of generalist competencies in Security and also specialist

More information

RECORDS MANAGEMENT POLICY

RECORDS MANAGEMENT POLICY RECORDS MANAGEMENT POLICY POLICY STATEMENT The records of Legal Aid NSW are a major component of its corporate memory and risk management strategies. They are a vital asset that support ongoing operations

More information

Compliance Guide: ASD ISM OVERVIEW

Compliance Guide: ASD ISM OVERVIEW Compliance Guide: ASD ISM OVERVIEW Australian Information Security Manual Mapping to the Principles using Huntsman INTRODUCTION In June 2010, The Australian Government Protective Security Policy Framework

More information

CISM ITEM DEVELOPMENT GUIDE

CISM ITEM DEVELOPMENT GUIDE CISM ITEM DEVELOPMENT GUIDE Updated January 2015 TABLE OF CONTENTS Content Page Purpose of the CISM Item Development Guide 3 CISM Exam Structure 3 Writing Quality Items 3 Multiple-Choice Items 4 Steps

More information

Information and Communication Technology. Information Security Policy

Information and Communication Technology. Information Security Policy BELA-BELA LOCAL MUNICIPALITY - - Chris Hani Drive, Bela- Bela, Limpopo. Private Bag x 1609 - BELA-BELA 0480 - Tel: 014 736 8000 Fax: 014 736 3288 - Website: www.belabela.gov.za - - OFFICE OF THE MUNICIPAL

More information

Information Security Policy

Information Security Policy You can learn more about the programme by downloading the information in the related documents at the bottom of this page. Information Security Document Information Security Policy 1 Version History Version

More information

Operations. Group Standard. Business Operations process forms the core of all our business activities

Operations. Group Standard. Business Operations process forms the core of all our business activities Standard Operations Business Operations process forms the core of all our business activities SMS-GS-O1 Operations December 2014 v1.1 Serco Public Document Details Document Details erence SMS GS-O1: Operations

More information

Schedule A. MITA Career Level based on Responsibility Level (SFIA v5 Responsibility Levels) https://www.sfiaonline.org/v501/en/busskills.

Schedule A. MITA Career Level based on Responsibility Level (SFIA v5 Responsibility Levels) https://www.sfiaonline.org/v501/en/busskills. PROFILE TITLE MITA Career Level based on Responsibility Level (SFIA v5 Responsibility Levels) https://www.sfiaonline.org/v501/en/busskills.html SUMMARY STATEMENT TECHNICAL SERVICES OFFICER 3 Administers

More information

Security Controls What Works. Southside Virginia Community College: Security Awareness

Security Controls What Works. Southside Virginia Community College: Security Awareness Security Controls What Works Southside Virginia Community College: Security Awareness Session Overview Identification of Information Security Drivers Identification of Regulations and Acts Introduction

More information

Data Governance Policy. Version 2.0 19 October 2015

Data Governance Policy. Version 2.0 19 October 2015 Version 2.0 19 October 2015 Document Title: Summary: Date of Issue: Status: Contact Officer: Applies To: References: This policy provides the Cancer Institute NSW with an instrument to formally manage

More information

Managing internet security

Managing internet security Managing internet security GOOD PRACTICE GUIDE Contents About internet security 2 What are the key components of an internet system? 3 Assessing internet security 4 Internet security check list 5 Further

More information

Stepping Through the Info Security Program. Jennifer Bayuk, CISA, CISM

Stepping Through the Info Security Program. Jennifer Bayuk, CISA, CISM Stepping Through the Info Security Program Jennifer Bayuk, CISA, CISM Infosec Program How to: compose an InfoSec Program cement a relationship between InfoSec program and IT Governance design roles and

More information

INFORMATION SECURITY GOVERNANCE ASSESSMENT TOOL FOR HIGHER EDUCATION

INFORMATION SECURITY GOVERNANCE ASSESSMENT TOOL FOR HIGHER EDUCATION INFORMATION SECURITY GOVERNANCE ASSESSMENT TOOL FOR HIGHER EDUCATION Information security is a critical issue for institutions of higher education (IHE). IHE face issues of risk, liability, business continuity,

More information

Committee on Payments and Market Infrastructures. Board of the International Organization of Securities Commissions

Committee on Payments and Market Infrastructures. Board of the International Organization of Securities Commissions Committee on Payments and Market Infrastructures Board of the International Organization of Securities Commissions Principles for financial market infrastructures: Assessment methodology for the oversight

More information

TASK -040. TDSP Web Portal Project Cyber Security Standards Best Practices

TASK -040. TDSP Web Portal Project Cyber Security Standards Best Practices Page 1 of 10 TSK- 040 Determine what PCI, NERC CIP cyber security standards are, which are applicable, and what requirements are around them. Find out what TRE thinks about the NERC CIP cyber security

More information

DWP INFORMATION SECURITY POLICY

DWP INFORMATION SECURITY POLICY DWP INFORMATION SECURITY POLICY Contents Background... 1 Scope... 1 Accountabilities... 2 Policy Statements... 2 Responsibilities... 3 Background 1.1 DWP is committed to ensuring that effective security

More information

Network Security Policy

Network Security Policy IGMT/15/036 Network Security Policy Date Approved: 24/02/15 Approved by: HSB Date of review: 20/02/16 Policy Ref: TSM.POL-07-12-0100 Issue: 2 Division/Department: Nottinghamshire Health Informatics Service

More information

Governance and Management of Information Security

Governance and Management of Information Security Governance and Management of Information Security Øivind Høiem, CISA CRISC Senior Advisor Information Security UNINETT, the Norwegian NREN About Øivind Senior Adviser at the HE sector secretary for information

More information

Digital Continuity Plan

Digital Continuity Plan Digital Continuity Plan Ensuring that your business information remains accessible and usable for as long as it is needed Accessible and usable information Digital continuity Digital continuity is an approach

More information

GUIDELINE NO. 22 REGULATORY AUDITS OF ENERGY BUSINESSES

GUIDELINE NO. 22 REGULATORY AUDITS OF ENERGY BUSINESSES Level 37, 2 Lonsdale Street Melbourne 3000, Australia Telephone.+61 3 9302 1300 +61 1300 664 969 Facsimile +61 3 9302 1303 GUIDELINE NO. 22 REGULATORY AUDITS OF ENERGY BUSINESSES ENERGY INDUSTRIES JANUARY

More information

INFORMATION SECURITY POLICY

INFORMATION SECURITY POLICY INFORMATION SECURITY POLICY INFORMATION SECURITY POLICY ISO 27002 5.1 Author: Owner: Organisation: Chris Stone Ruskwig TruePersona Ltd Document No: SP- 5.1 Version No: 1.0 Date: 10 th January 2010 Copyright

More information

MINISTRY OF FINANCE, PLANNING AND ECONOMIC DEVELOPMENT THE THIRD FINANCIAL MANAGEMENT AND ACCOUNTABILITY PROGRAMME (FINMAPIII) TERMS OF REFERENCE

MINISTRY OF FINANCE, PLANNING AND ECONOMIC DEVELOPMENT THE THIRD FINANCIAL MANAGEMENT AND ACCOUNTABILITY PROGRAMME (FINMAPIII) TERMS OF REFERENCE MINISTRY OF FINANCE, PLANNING AND ECONOMIC DEVELOPMENT THE THIRD FINANCIAL MANAGEMENT AND ACCOUNTABILITY PROGRAMME (FINMAPIII) TERMS OF REFERENCE IT SYSTEMS COMPLIANCE AND QUALITY ASSURANCE SPECIALIST

More information

Network Resource Management Directive

Network Resource Management Directive Office of the Prime Minister Central Information Management Unit Directive document CIMU D 0036:2003 Network Resource Management Directive Version: 1.0 Effective date: 10.12.2003 Table of Contents 1. Purpose...3

More information

External Supplier Control Requirements

External Supplier Control Requirements External Supplier Control s Cyber Security For Suppliers Categorised as Low Cyber Risk 1. Asset Protection and System Configuration Barclays Data and the assets or systems storing or processing it must

More information

micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) August, 2013 Revision 8.0 MICROS Systems, Inc. Version 8.

micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) August, 2013 Revision 8.0 MICROS Systems, Inc. Version 8. micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) Revision 8.0 August, 2013 1 Table of Contents Overview /Standards: I. Information Security Policy/Standards Preface...5 I.1 Purpose....5

More information

foresightconsulting.com.au

foresightconsulting.com.au Mr. James Kavanagh National Security Officer Microsoft Australia Level 4, 6 National Circuit, Barton, ACT 2600 02 March 2015 Microsoft Office 365 IRAP Assessment Letter of Compliance Dear Mr. Kavanagh,

More information

University of Liverpool

University of Liverpool University of Liverpool Information Security Policy Reference Number Title CSD-003 Information Security Policy Version Number 3.0 Document Status Document Classification Active Open Effective Date 01 October

More information

ISO 27001 Controls and Objectives

ISO 27001 Controls and Objectives ISO 27001 s and Objectives A.5 Security policy A.5.1 Information security policy Objective: To provide management direction and support for information security in accordance with business requirements

More information

Role Description Manager ICT Governance, Security and Risk

Role Description Manager ICT Governance, Security and Risk Role Description Manager ICT Governance, Security and Risk Classification/Grade/Band Clerk Grade 11/12 ANZSCO Code PCAT Code Date of Approval Primary purpose of the role The Manager ICT Governance, Security

More information

Four Top Emagined Security Services

Four Top Emagined Security Services Four Top Emagined Security Services. www.emagined.com Emagined Security offers a variety of Security Services designed to support growing security needs. This brochure highlights four key Emagined Security

More information

Musina Local Municipality. Change Management and Control Policy -Draft-

Musina Local Municipality. Change Management and Control Policy -Draft- Musina Local Municipality Change Management and Control Policy -Draft- Revision History Version Date Status Author V1.0 June 2013 First Draft Perry Eccleston Page 2 of 12 Table of Contents Revision History...

More information

Sample Information Security Policies

Sample Information Security Policies Sample Information Security Policies Sample Information Security Policies May 31, 2011 1 13740 Research Blvd Suite 2, Building T Austin, TX 78750 512.351.3700 www.aboundresources.com Boston Austin Atlanta

More information

Updating the International Standard Classification of Occupations (ISCO) Draft ISCO-08 Group Definitions: Occupations in ICT

Updating the International Standard Classification of Occupations (ISCO) Draft ISCO-08 Group Definitions: Occupations in ICT InternationalLabourOrganization OrganisationinternationaleduTravail OrganizaciónInternacionaldelTrabajo Updating the International Standard Classification of Occupations (ISCO) Draft ISCO-08 Group Definitions:

More information

Information Security Management System (ISMS) Policy

Information Security Management System (ISMS) Policy Information Security Management System (ISMS) Policy April 2015 Version 1.0 Version History Version Date Detail Author 0.1 18/02/2015 First draft Andy Turton 0.2 20/02/2015 Updated following feedback from

More information

Practitioner Certificate in Information Assurance Architecture (PCiIAA)

Practitioner Certificate in Information Assurance Architecture (PCiIAA) Practitioner Certificate in Information Assurance Architecture (PCiIAA) 15 th August, 2015 v2.1 Course Introduction 1.1. Overview A Security Architect (SA) is a senior-level enterprise architect role,

More information

IT Security Management

IT Security Management The Auditor-General Audit Report No.23 2005 06 Protective Security Audit Australian National Audit Office Commonwealth of Australia 2005 ISSN 1036 7632 ISBN 0 642 80882 1 COPYRIGHT INFORMATION This work

More information