AUSTRALIAN GOVERNMENT INFORMATION MANAGEMENT OFFICE CYBER SECURITY CAPABILITY FRAMEWORK & MAPPING OF ISM ROLES



Final Report
Prepared by Dr Janet Tweedie & Dr Julie West
June 2010
Produced for AGIMO by Workplace Research Associates Pty Ltd, 2010

CONTENTS

Introduction and Background
Methodology (Part 1)
Cyber Security Capability Framework
Methodology (Part 2)
Mapped ISM Roles

Introduction and Background

In May 2010, Workplace Research Associates was engaged by the Australian Government Information Management Office (AGIMO) to assist in the mapping of Cyber Security Capabilities to the Australian Public Service Commission's (APSC) ICT Capability Framework. Specifically, the aims of the project were to:

1. Map and validate the Department of Defence's Development and Competency Assessment Framework (DeCAF) competencies to the security capability areas defined in the Australian Public Service Commission's ICT Capability Framework;
2. Map and validate the DeCAF competencies to the Chief Information Security Officer, IT Security Manager and IT Security Officer roles defined in the Australian Government's Information Security Manual (ISM).

This report presents the Cyber Security Capability Framework, which is the outcome of the first aim, and the Mapped ISM Roles, which is the outcome of the second.

Methodology

The methodology for the project included the following stages.

Part 1: Mapping of the DeCAF to the ICT Capability Framework
1. Initial meeting with AGIMO representatives to confirm the scope of the project and the documents to be mapped;
2. Review of the Department of Defence's Development and Competency Assessment Framework (DeCAF) and the Australian Public Service Commission's ICT Capability Framework;
3. Mapping of the DeCAF to the APSC's ICT Capability Framework;
4. A workshop to validate the initial mapping process and the initial draft of the Cyber Security Capability Framework;
5. Review and redrafting of the Framework in line with the results of the workshop.

Part 2: Mapping of the ISM roles to the Cyber Security Capability Framework
1. Mapping of the Chief Information Security Officer, IT Security Advisor, IT Security Manager and IT Security Officer roles to the Cyber Security Capability Framework.
PART 1

APSC ICT Capability Framework

The documents used to produce the Cyber Security Capability Framework included the APSC's ICT Capability Framework. This Framework has a two-level structure with the following main categories of capability:

- Service Delivery;
- IT Business Management;
- Business Change;
- Solutions Development;
- Solutions Implementation;
- Service Support.

The Security domain sits within the Service Delivery area and is further broken down into the following capability groupings:

- Service Delivery;
- Information Security;
- Technology Audit;
- Emerging Technology Monitoring.

Following discussion with AGIMO, these capability groupings were used to structure the Cyber Security Capability Framework.

Department of Defence Development and Competency Assessment Framework (DeCAF)

The second document used to create the Cyber Security Capability Framework was the DeCAF, produced by the Defence Signals Directorate (DSD) as an attempt to formalise training, certification, competency and development requirements for staff employed within the IT Security profession. It is designed to be a framework for baselining experience and competency, and identifies categories and specialisations within the organisation. These categories are then sub-divided into levels, each based on functional skill requirements. The categories and levels are:

- Information Security Technical, Levels 1 through 5;
- Information Security Management, Levels 3 through 5;
- Information Security Specialist, Levels 3 through 5.

Each Level in a category is described in terms of attributes such as experience, system environment, training and organisational role, and contains a detailed list of competencies and performance expectations. As agreed with AGIMO, this list of competencies was mapped to the APSC's ICT Capability Framework to produce the Cyber Security Capability Framework presented in this report.

Cyber Security Capability Framework

The Cyber Security Capability Framework uses the capability groupings from the APSC's ICT Capability Framework, as outlined above. These capability groupings are delineated at each APS Classification Level.
Initially, the Cyber Security Capability Framework included all APS levels from APS1 through to EL2, with APS1-3 broad-banded. The competencies were then mapped onto this Framework based on:

- Complexity of work;
- Expected level of experience for each DeCAF level;
- Expected level of skill and knowledge required;
- Proposed level of responsibility, including management and leadership capability;
- Expected degree of supervision required and classification level of supervisor;
- A logical grouping of particular competencies under sub-headings to give structure to the document.

Workshop

Once the documents had been reviewed and the initial mapping process completed, a workshop was held to validate the outcomes. Approximately 25 people attended the 17 May 2010 workshop, with participants sourced from a range of Government Departments and Agencies such as:

- Attorney General's Department;
- APSC;
- Murray-Darling Basin Authority;
- Department of Finance and Deregulation;
- Department of Health and Ageing;
- Australian Taxation Office;
- Centrelink;
- Department of Veterans' Affairs;
- Office of the Prime Minister and Cabinet.

The workshop comprised a number of exercises that were completed either in a small group, as a whole group or individually by the participants.

Exercise 1

After introductions and an overview of the process to this point, workshop participants worked in small groups on a re-translation exercise. This exercise involved the reconstruction of deconstructed copies of the Cyber Security Capability Framework. The aim of the exercise was to validate the accuracy of the mapping by allowing participants to re-map the content of the Framework against sub-headings within each of the capability groupings. Reconstructed Frameworks were then collected and compared with the original draft of the Framework. The results of the exercise informed the second phase of mapping to produce the draft documents presented here.

Exercise 2

Two further exercises aided in the validation process. In the second exercise, groups were given a copy of the DeCAF and were asked to assign an APS classification level to each of the Levels within the three categories of Information Security - Technical, Information Security - Management and Information Security - Specialist. The results of this exercise revealed that the initial draft of the Cyber Security Capability Framework had been quite accurate in identifying the most appropriate APS classification for each of the Levels.
Importantly, it was noted that all participants considered that the starting or entry point in terms of the Levels within the DeCAF was at the APS 3 level. There was strong consensus among workshop participants that the Capability Framework should not contain APS Levels 1 and 2 and should start with APS 3/4 as a broad-banded entry level.

Exercise 3

The final exercise was an Expert Review, in which groups were given copies of the first draft of the Capability Framework in its entirety. Participants were asked to work individually or in groups to comment on the document. The results of this exercise again indicated consensus that the Framework should not include APS Levels 1 and 2 and should commence at a broad-banded APS 3/4 level. Other comments provided by participants were also used to inform the re-mapping.

Re-mapping

Following the workshop, re-mapping and editing of the competencies was undertaken based on feedback from the exercises. This process produced the second draft of the Cyber Security Capability Framework.

Final Consultation Round

The second draft of the Framework was then sent out electronically for further comment to all participants of the initial workshop. Participants were given a chance to provide feedback on the re-mapped and edited Cyber Security Capability Framework, along with the results of the mapping of the Chief Information Security Officer, IT Security Advisor, IT Security Manager and IT Security Officer roles to the Cyber Security Capability Framework (see Part 2 below). Feedback from this process was incorporated into the final version of both documents. Presented below is the final version of the Cyber Security Capability Framework, followed by information about the mapping process for Part 2 of the project and the finalised role descriptions.

CYBER SECURITY CAPABILITY FRAMEWORK

The Cyber Security Capability Framework describes the capabilities expected of information security staff operating at each classification level from APS 3/4 to EL 2. It provides comprehensive statements of the competencies, behaviours and skills that underpin effective performance at a particular work level. The Cyber Security Capability Framework is a tool that can be used in:

- Job design or redesign
- Recruitment and selection
- Performance management
- Learning and development
- Career and succession planning
- Organisational capability assessment

The Capability Framework is based on the Department of Defence Development and Competency Assessment Framework for Cyber Security practitioners and mapped against the security capability groups defined by the Australian Public Service Commission. It is structured against four capability groups:

- Service Delivery
- Information Security
- Technology Audit
- Emerging Technology Monitoring

Service Delivery and Information Security have a number of sub-components that further define the capability.

The Capability Framework standardises expectations of competency, skills and performance within the sphere of Cyber Security. It describes expectations of competence in a generic way, so that it can be applied to any individual in any job in any area of Cyber Security. It is important to remember that the capabilities outlined in the Capability Framework will apply differently to each employee depending on the specific requirements of their position. For example, although the capability Service Delivery is relevant to all staff, the specific competencies, skills and behaviours expected under this capability will vary across jobs as a function of the role and the environment in which the job is performed. Because the Framework is a generic document, not every aspect of each capability will be required for every job at a given classification level.

The Capability Framework should be used, in conjunction with job-specific information, to guide the specific capability expectations of employees in Cyber Security positions. It should also be noted that the Cyber Security Capability Framework describes those capabilities that are specifically related to the information security aspects of a job, and it should be used in conjunction with the five APSC ILS Capabilities: Strategic Thinking, Achieving Results, Productive Working Relationships, Personal Drive and Integrity, and Communicating with Influence.

SERVICE DELIVERY

The authorisation and monitoring of access to IT facilities or infrastructure in accordance with established organisational policy. Includes investigation of unauthorised access, compliance with relevant legislation and the performance of other administrative duties relating to security management.

APS 3/4

Supports System Security
1. Performs information security related support functions for the organisation's network.
2. Applies organisational instructions and pre-established guidelines to perform information security tasks within the organisation's computing environment.
3. Applies appropriate access controls and privileges to an organisation's computing environment.
4. Recognises a potential security violation.
5. Takes appropriate action to report incidents as required by procedure and, where applicable, legislation, in order to avert any effect from it.
6. Complies with system shutdown procedures.
7. Supports Australian Government Information Security Manual (ISM) password complexity and frequency-of-change policies.

Delivers Service Excellence
1. Provides end user information security support.
2. Implements online warnings, or other such devices, to inform others about access rules of the organisation's computing environment.

APS 5

Supports System Security
1. Investigates minor security breaches in accordance with established procedures.
2. Works with other administrator-level and technical staff to resolve information security problems.
3. Applies appropriate access controls and privileges to an organisation's computing environment.
4. Determines when security issues should be escalated to a higher level.
5. Maintains agreed security records and documentation.
6. Reviews logs as per logging procedures.

Delivers Service Excellence
1. Assists users in defining their access rights and privileges, and operates agreed logical access controls and security systems.
2. Manages accounts, network rights and access.
3. Demonstrates effective communication of security issues to business managers and others.

Leads and Develops People
1. Provides on-the-job training for junior personnel.

APS 6

Supports System Security
1. Investigates identified security breaches in accordance with established procedures and recommends any required actions.
2. Examines potential security violations to determine if the network environment security policy has been breached, assesses the impact and, if appropriate, preserves evidence.
3. Analyses patterns of non-compliance (potential breaches) and takes appropriate administrative or technological action to minimise security risks and insider threats.
4. Maintains security records and documentation.

Delivers Service Excellence
1. Assists users in defining their access rights and privileges, and administers logical access controls and security systems.
2. Coordinates and ensures end user support for all infrastructure applications and operations.
3. Implements the organisation's information security related customer support policies, procedures and standards.

Leads and Develops People
1. Leads a small team to quickly and completely solve information security problems for the organisation.
2. Provides on-the-job training for junior personnel.

SERVICE DELIVERY (continued)

EL 1

Supports System Security
1. Reviews information systems for actual or potential breaches in security and ensures that all identified breaches in security are promptly and thoroughly investigated.
2. Ensures that security records are accurate and complete, including certification documentation.

Delivers Service Excellence
1. Develops and manages customer service performance requirements for information security.

Leads and Develops People
1. Provides on-the-job training and coaching for team members.

Supports Shared Purpose and Direction
1. Drafts and maintains the policy, standards, procedures and documentation for security.
2. Interprets security policy and contributes to the development of standards and guidelines that comply with it.
3. Monitors contract performance and reviews deliverables and contract requirements related to organisational information technology security and privacy.

EL 2

Supports System Security
1. Reviews reports on, or analyses information on, security incidents and patterns to determine remedial actions to correct vulnerabilities.

Delivers Service Excellence
1. Develops and manages customer service performance requirements for information security.
2. Ensures information ownership responsibilities are established for each information system and implements a role-based access scheme.

Leads and Develops People
1. Performs project management duties where appropriate.
2. Directs the implementation of appropriate operational structures and processes to ensure an effective information security program.
3. Oversees an information security section.
4. Acts as a mentor.

Supports Shared Purpose and Direction
1. Develops strategies for ensuring the security of automated systems.
2. Develops ICT Security direction and policy.
3. Ensures that the policy and standards for security are fit for purpose, current and correctly implemented.
4. Reviews new business proposals and provides specialist advice on security issues and implications.
5. Advises the appropriate stakeholders of changes affecting the organisation's information technology security posture.

INFORMATION SECURITY

The management of, and provision of expert advice on, the selection, design, justification, implementation and operation of information security controls and management strategies to maintain the confidentiality, integrity, availability, accountability and relevant compliance of information systems.

APS 3/4

Applies Technical Proficiency
1. Implements response actions in reaction to security incidents.
2. Applies the organisation's established information security procedures and safeguards and complies with the responsibilities of the assignment.
3. Adheres to information security laws and regulations in order to support functional operations of the network environment.
4. Configures, optimises and tests network file servers, hubs, routers and switches to ensure they comply with the organisation's security policy, procedures, government legislation and guidelines, and the organisation's technical requirements prior to deployment.
5. Recommends information security related repairs or changes in the network environment.
6. Supports security tests and evaluations.
7. Understands and implements basic technical vulnerability corrections.
8. Conducts tests of information security safeguards for the organisation's computer environment, in accordance with implementation plans, standard operating environment procedures and security section directives.

Analyses and Evaluates
1. Understands, applies and maintains specific security controls as required by organisational policy and local risk assessments to maintain the confidentiality, integrity and availability of business information systems and to enhance resilience to unauthorised access.
2. Diagnoses and resolves information security problems in response to reported incidents.

APS 5

Applies Technical Proficiency
1. Recognises when an IT network/system has been attacked, takes immediate action to limit damage, assesses the impact and, if appropriate, preserves evidence.
2. Installs and operates IT systems in the organisation's computer environment in a test configuration that does not alter the program code or compromise security safeguards.
3. Assesses the performance of information security controls within the network.
4. Supports, monitors, tests and troubleshoots hardware and software information security problems pertaining to the organisation's computing environment.
5. Implements applicable patches for the organisation's computing environment.

Analyses and Evaluates
1. Conducts security risk assessments for defined business applications or IT installations in defined areas, and provides advice and guidance on the application and operation of elementary physical, procedural and technical security controls.
2. Monitors and evaluates the effectiveness of the organisation's information security procedures and safeguards for the infrastructure.

APS 6

Applies Technical Proficiency
1. Assists in the gathering and preservation of evidence, maintaining evidentiary integrity.
2. Directs the implementation of appropriate operational structures and processes to ensure an effective information security program for the infrastructure, including boundary defence, incident detection and response, and key management.
3. Designs and installs perimeter defence systems, including IDS, firewalls, grid sensors, etc., and, under direction, enhances the rule sets to block sources of malicious traffic.
4. Installs, tests, maintains and upgrades network operating system software and hardware to ensure they comply with information security requirements.
5. Notifies and schedules information security related repairs within the organisation's network environment.
6. Writes and maintains scripts required to ensure security of the organisation's infrastructure.

INFORMATION SECURITY (continued)

EL 1

Analyses and Evaluates
1. Conducts security risk assessments for business applications and computer installations; provides authoritative advice and guidance on security strategies to manage the identified risk.
2. Investigates major breaches of security and recommends appropriate control improvements.
3. Writes and publishes reports on incident outcomes and distributes them to appropriate stakeholders.
4. Analyses information security incidents and patterns to determine remedial actions to correct vulnerabilities.
5. Monitors and evaluates the effectiveness of the organisation's information security procedures and safeguards for the infrastructure.
6. Develops and implements the necessary security plans and procedural documentation to ensure that information security incidents are avoided during shutdown and that long-term protection of archived resources is achieved.
7. Formulates, or provides input to, the organisation's information security budget.

Applies Technical Proficiency
1. Ensures that any system changes required to maintain security are implemented.
2. Recommends and schedules information security related repairs, upgrades or project tasks within the organisation's environment.
3. Writes and maintains scripts required to ensure security of the infrastructure's environment.
4. Provides direction to system developers regarding correction of security problems identified during testing.
5. Plans and schedules the installation of new or modified hardware, operating systems and software applications, ensuring integration with information security requirements for the infrastructure.
6. Schedules and performs regular and special backups on all infrastructure systems.

EL 2

Analyses and Evaluates
1. Specifies organisational procedures for the assessment of an activity, process, product or service against recognised criteria, such as ISO 27001.
2. Provides leadership and guidelines on information assurance security expertise for the organisation, working effectively with strategic organisational functions such as legal experts and technical support to provide authoritative advice and guidance on the requirements for security controls.
3. Reviews security plans and procedural documentation to ensure that information security incidents are avoided during shutdown and that long-term protection of archived resources is achieved.
4. Formulates the organisation's information security budget.

Applies Technical Proficiency
1. Evaluates and approves development efforts to ensure that baseline security safeguards are appropriately installed.
2. Provides for restoration of information systems by ensuring that protection, detection and reaction capabilities are incorporated.
3. Recommends and schedules more complex repairs, upgrades or project tasks.
4. Validates the planning and scheduling of the installation of new or modified hardware, operating systems and software applications, ensuring integration with information security requirements for the infrastructure.

TECHNOLOGY AUDIT

The independent, risk-based assessment of the adequacy and integrity of controls in information processing systems, including hardware, software solutions, information management systems, security systems and tools, and communications technologies, both web-based and physical. The structured analysis of the risks to achievement of business objectives, including the risk that the organisation fails to make effective use of new technology to improve delivery and internal effectiveness.

APS 3/4
1. Enters assets in an asset management and tracking system.
2. Assists with basic risk assessments for small information systems.
3. Conducts audits of physical components that support information system security.

APS 5
1. Ensures that hardware, software, data and facility resources are archived, sanitised or disposed of in a manner consistent with system security plans and government requirements.
2. Assists in the performance of system audits to assess security related factors within the organisation's network environment.
3. Analyses system performance for potential security problems.
4. Performs basic risk assessments for small information systems.
5. Ensures application and system developments comply with organisational standards for logging, including content, format and location.

APS 6
1. Ensures that hardware, software, data and facility resources are archived, sanitised or disposed of in a manner consistent with system security plans and government requirements.
2. Examines infrastructure vulnerabilities and determines actions to mitigate them. Develops and applies effective vulnerability countermeasures.
3. Analyses information security vulnerability bulletins for their potential impact on the computing or network environment, and takes or recommends appropriate action.
4. Performs system audits to assess security related factors within the network environment.
5. Performs risk assessment and business impact analysis for medium-sized information systems.
6. Establishes logging procedures covering important events, services and proxies, and a log archiving facility.

TECHNOLOGY AUDIT The independent, risk-based assessment of the adequacy and integrity of controls in information processing systems, including hardware, software solutions, information management systems, security systems and tools, communications technologies both web-based and physical. The structured analysis of the risks to achievement of business objectives, including the risk that the organisation fails to make effective use of new technology to improve delivery and internal effectiveness. EL 1 EL 2 1. Evaluates functional operation and performance in light of test results and makes recommendations regarding certification or accreditation. 2. Examines vulnerabilities and determines actions to mitigate them. Develops and applies effective vulnerability countermeasures. 3. Analyses information security vulnerability bulletins for their potential impact on the computing or network environment, and takes or recommends appropriate action. 4. Performs risk assessment, business impact analysis and accreditation for all major information systems within the organisation. 5. Interprets patterns of non-compliance to determine their impact on levels of risk and/or overall effectiveness of the organisation s information technology security program. 6. Oversees the development of organisational logging standards to comply with audit requirements. 1. Develops plans for risk-based audit coverage of technology systems for inclusion in audit planning and uses experience to ensure audit coverage is sufficient to provide the business with assurance of adequacy and integrity. 2. Leads and manages complex technical audits, managing specialists contracted to contribute highly specialised technical knowledge and experience. 3. Identifies areas of risk and specifies interrogation programs. 
Recommends changes in processes and control procedures based on audit findings, including, where appropriate, the assessment of safety-related software systems to determine compliance with standards and required levels of safety integrity. 4. Provides general and specific advice, and authorises the issue of formal reports to management on the effectiveness and efficiency of control mechanisms. 5. Reviews or develops effective vulnerability countermeasures 6. Reviews the report of, or participates in, an information security risk assessment or review. 7. Oversees the development of the audit planning process. Produced for AGIMO by Workplace Research Associates Pty Ltd 2010 Page 13

EMERGING TECHNOLOGY MONITORING

The identification of new and emerging hardware, software and communication technologies and products, services, methods and techniques and the assessment of their relevance and potential value to an organisation. The promotion of emerging technology awareness among staff and business management.

APS 3/4
1. Assists in the monitoring of new technologies and has a basic understanding of the way in which these might be incorporated into the organisation's computer environment.

APS 5
1. Is aware of new technology and its possible relevance for the organisation's computer environment.
2. Assists in the monitoring of the market to gain knowledge and understanding of currently emerging technologies.

APS 6
1. Is aware of new technology and its relevance for the organisation's computer environment.
2. Monitors the market to gain knowledge and understanding of currently emerging technologies.
3. Identifies new and emerging hardware and software technologies and products based on own area of expertise.

EL 1
1. Monitors the market to gain knowledge and understanding of currently emerging technologies.
2. Identifies new and emerging hardware and software technologies and products based on own area of expertise, assesses their relevance and potential value to the organisation, contributes to briefings of staff and management.
3. Develops network security requirements specific to an acquisition for inclusion in procurement documents.

EL 2
1. Co-ordinates the identification and assessment of new and emerging hardware, software and communication technologies, products, methods and techniques.
2. Evaluates likely relevance of these for the organisation. Provides regular briefings to staff and management.
3. Interprets and/or approves security requirements as they relate to the capabilities of new information technologies, taking into account organisational policies and government guidelines and legislation.
4. Ensures that protection and detection capabilities are acquired or developed using an engineering approach and are consistent with the organisation's information technology security architecture.
5. Identifies security program implications of new technologies or technology upgrades.

PART 2 Australian Government Information Security Manual

The second part of the project was mapping of the Chief Information Security Officer, IT Security Manager and IT Security Officer roles from the Australian Government Information Security Manual (ISM) to the competencies originally in the DeCAF, now embedded into the Cyber Security Capability Framework.

The ISM provides a framework that enables agencies to address both new and existing security risks to systems. The manual sets down minimum requirements for information security and describes a number of roles within the security environment. These include the three roles outlined for mapping:

The target audience for this manual is information security practitioners within, or contracted to, an agency. This includes, but is not limited to:
- security executives / chief information security officers (CISOs)
- agency security advisors (ASAs)
- information technology security advisors (ITSAs)
- information technology security managers (ITSMs)
- information technology security officers (ITSOs), and
- infosec-registered assessors.

The roles in the manual are described in terms of the context, risks and controls that should be accounted for within the roles plus a rationale for appointing each of the roles.

Mapping of the roles

At the original workshop validating the DeCAF competencies mapped onto the APSC ICT Capabilities, workshop participants reported high consensus that the DeCAF document described competencies up to and including the EL2 level of classification. Therefore, the resultant Cyber Security Capability Framework did not extend to the SES level. Upon examination of the roles, it was noted that the Chief Information Security Officer role should be appointed at the Senior Executive Service level and is described as being responsible for co-ordination of security at a strategic level within the agency. Due to the high classification level of this role, it was decided that the role would not be mapped against the Capability Framework.

The remaining three roles, the IT Security Advisor, the IT Security Manager and the IT Security Officer, were mapped at the EL2 and EL1 levels. This process involved examination of the responsibilities of each role as set out in the ISM and comparison of these with those competencies previously mapped to the Cyber Security Capability Framework. Areas of overlap were noted and duplication avoided. Where new competencies were identified these were included in the final mapping.

As noted in Part 1, this document was then sent out for comment and feedback as part of the final consultation round of the Cyber Security Capability Framework. Feedback received was incorporated into the final versions of the mapped roles which are presented below.

INFORMATION TECHNOLOGY SECURITY MANAGER/ADVISOR

Overview of the role

Staff in this role report directly to the Chief Information Security Officer (CISO). ITSAs and ITSMs are executives within an agency that act as a conduit between the strategic directions provided by the CISO and the technical efforts of Information Technology Security Officers. The main area of responsibility of an ITSA/ITSM is that of the administrative controls relating to information security within the agency. ITSA/ITSMs should not have additional responsibilities beyond those needed to fulfil the role and the role should be undertaken by personnel with an appropriate level of authority based on the size of the agency or their area of responsibility within an agency.

Where there are multiple ITSMs within an agency, there must also be a designated ITSA (Information Technology Security Advisor). Where there is only one ITSM within an agency, that role automatically includes the role of ITSA. The ITSA is responsible for the coordination and oversight of other ITSMs within the agency and has overall responsibility for information technology security management. In all other respects, the ITSA has the same role responsibilities as an ITSM. In some agencies the ITSA may be appointed at the EL2 level while the ITSMs are appointed at the EL1 level. ITSMs may also be appointed at the EL2 level where appropriate.

ITSA/ITSMs must be cleared for access to all information processed by the agency's systems and able to be briefed into any compartmented information on the agency's systems.

Required capabilities

Service Delivery

Supports System Security
1. Reviews reports on, or analyses information on, security incidents and patterns to determine remedial actions to correct vulnerabilities.

Delivers Service Excellence
1. Develops and manages customer service performance requirements for information security.
2. Ensures information ownership responsibilities are established for each information system and implements a role based access scheme.
3. Liaises with stakeholders to establish mutually acceptable contracts and service agreements.

Leads and Develops People
1. Performs project management duties where appropriate.
2. Directs the implementation of appropriate operational structures and processes to ensure an effective information security program.
3. Provides direction to system developers and architects.
4. Oversees an information security section.
5. Acts as a mentor.
6. Co-ordinates communication, awareness and training in information security for the agency.

Supports Shared Purpose and Direction
1. Develops strategies for ensuring the security of automated systems.
2. Ensures that the policy and standards for security are fit for purpose, current and are correctly implemented.
3. Reviews new business proposals and provides specialist advice on security issues and implications.
4. Advises the appropriate stakeholders of changes affecting the organisation's information technology security posture.
5. Works with system owners to determine appropriate information security policies for their systems and to respond to recommendations from audits.
6. Works with system owners to obtain and maintain the accreditation of their systems.
7. Provides technical advice to committees, including other agency and inter-agency committees as required.
8. Maintains security knowledge base.

Information Security

Analyses and Evaluates
1. Specifies organisational procedures for the assessment of an activity, process, product or service, against recognised criteria, such as ISO 27001.
2. Provides leadership and guidelines on information assurance security expertise for the organisation, working effectively with strategic organisational functions such as legal experts and technical support to provide authoritative advice and guidance on the requirements for security controls.
3. Reviews security plans and procedural documentation, including disaster recovery plans, to ensure that information security incidents are avoided during shutdown and long term protection of archived resources is achieved.

Technology Audit
1. Develops plans for risk-based audit coverage of technology systems for inclusion in audit planning and uses experience to ensure audit coverage is sufficient to provide the business with assurance of adequacy and integrity.
2. Leads and manages complex technical audits, managing specialists contracted to contribute highly specialised technical knowledge and experience.
3. Identifies areas of risk and specifies interrogation programs. Recommends changes in processes and control procedures based on audit findings, including, where appropriate, the assessment of safety-related software systems to determine compliance with standards and required levels of safety integrity.
4. Provides general and specific advice, and authorises the issue of formal reports to management on the effectiveness and efficiency of control mechanisms.
5. Reviews or develops effective vulnerability countermeasures.
6. Reviews the report of, or participates in, an information security risk assessment or review.
7. Oversees the development of the audit planning process.
8. Reports to senior managers on technical aspects of information security management, and compliance with and enforcement of policies across the agency.

Emerging Technology Monitoring
1. Co-ordinates the identification and assessment of new and emerging hardware, software and communication technologies, products, methods and techniques.
2. Evaluates likely relevance of these for the organisation. Provides regular briefings to staff and management.
3. Works with the CISO to formulate the organisation's information security budget.
4. Interprets and/or approves security requirements as they relate to the capabilities of new information technologies, taking into account organisational policies and government guidelines and legislation.
5. Ensures that protection and detection capabilities are acquired or developed using an engineering approach and are consistent with the organisation's information technology security architecture.
6. Identifies security program implications of new technologies or technology upgrades.

Applies Technical Proficiency
1. Evaluates and approves development efforts to ensure that baseline security safeguards are appropriately installed.
2. Provides for restoration of information systems by ensuring that protection, detection, and reaction capabilities are incorporated.
3. Recommends and schedules information security related repairs within the organisation's infrastructure and undertakes more complex repairs.
4. Validates the planning and scheduling of the installation of new or modified hardware, operating systems, and software applications ensuring integration with information security requirements for the infrastructure.

INFORMATION TECHNOLOGY SECURITY OFFICER

Overview of the role

Staff in this role report directly to the Information Technology Security Manager (ITSM). The ITSO role may be combined with that of the ITSM in small agencies. Agencies may also choose to have this role performed by existing system administrators with an additional reporting chain to an ITSM for the information security aspects of their role. Agencies may also choose to have the responsibilities of an ITSO undertaken externally as part of outsourcing of their ICT services. ITSOs should not have additional responsibilities beyond those needed to fulfil the role and the role should be undertaken by personnel with an appropriate level of authority based on the size of the agency or their area of responsibility within an agency. Where an ITSO is appointed by the agency, it would be expected that this position would be as an Executive Level 1 officer.

ITSOs must be cleared for access to all information processed by the agency's systems and able to be briefed into any compartmented information on the agency's systems.

Required capabilities

Service Delivery

Supports System Security
1. Reviews information systems for actual or potential breaches in security and ensures that all identified breaches in security are promptly and thoroughly investigated.
2. Ensures that security records are accurate and complete including certification documentation.
3. Validates and authorises user and access administration on systems in accordance with the defined policies, standards and procedures of the agency.
4. Ensures patches are applied and removes known system weaknesses in accordance with information security policies and standards.

Delivers Service Excellence
1. Develops and manages customer service performance requirements for information security.
2. Assists operational staff to locate and repair information security problems and failures.

Leads and Develops People
1. Provides direction to system developers regarding correction of security problems identified during testing.
2. Provides on the job training and coaching for team members.

Supports Shared Purpose and Direction
1. Drafts and maintains the policy, standards, procedures and documentation for security.
2. Interprets security policy and contributes to development of standards and guidelines that comply with this.
3. Monitors contract performance and reviews deliverables and contract requirements related to organisational information technology security and privacy.
4. Communicates with system owners and personnel to increase their awareness of applicable information security policies and standards.

Information Security

Analyses and Evaluates
1. Conducts security risk assessments for business applications and computer installations; provides authoritative advice and guidance on security strategies to manage the identified risk.
2. Investigates major breaches of security, and recommends appropriate control improvements.
3. Writes and publishes reports on incident outcomes and distributes to appropriate stakeholders.
4. Analyses information security incidents and patterns to determine remedial actions to correct vulnerabilities.
5. Monitors and evaluates the effectiveness of the organisation's information security procedures and safeguards for the infrastructure.
6. Develops and implements the necessary security plans and procedural documentation, including disaster recovery plans, to ensure that information security incidents are avoided during shutdown and long term protection of archived resources is achieved.
7. Reports unresolved network security exposures, misuse of resources or noncompliance situations to an ITSM.

Technology Audit
1. Evaluates functional operation and performance in light of test results and makes recommendations regarding certification or accreditation.
2. Examines vulnerabilities and determines actions to mitigate them. Develops and applies effective vulnerability countermeasures.
3. Analyses information security vulnerability bulletins for their potential impact on the computing or network environment, and takes or recommends appropriate action.
4. Performs risk assessment, business impact analysis and accreditation for all major information systems within the organisation.
5. Interprets patterns of non-compliance to determine their impact on levels of risk and/or overall effectiveness of the organisation's information technology security program.
6. Oversees the development of organisational logging standards to comply with audit requirements.
7. Manages and audits system event logs.

Emerging Technology Monitoring
1. Monitors the market to gain knowledge and understanding of currently emerging technologies.
2. Identifies new and emerging hardware and software technologies and products based on own area of expertise, assesses their relevance and potential value to the organisation, contributes to briefings of staff and management.
3. Formulates or provides input to the organisation's information security budget.
4. Develops network security requirements specific to an acquisition for inclusion in procurement documents.

Applies Technical Proficiency
1. Ensures that any system changes required to maintain security are implemented.
2. Recommends and schedules information security related repairs, upgrades or project tasks within the organisation's environment.
3. Writes and maintains scripts required to ensure security of the infrastructure's environment.
4. Plans and schedules the installation of new or modified hardware, operating systems, and software applications ensuring integration with information security requirements for the infrastructure.
5. Schedules and performs regular and special backups on all infrastructure systems.