
Role Statement - ICT and Digital Government

DPC/G4.4b Government guideline on cyber security

ISMF Guideline 4b: Role and responsibilities of the Information Technology Security Adviser (ITSA)

BACKGROUND

On 7 April 2008 Cabinet approved the South Australian Government Protective Security Management Framework (PSMF). As a result of this decision, Cabinet has directed that all agencies will appoint an Information Technology Security Adviser [ITSA]. The Department of the Premier and Cabinet is responsible for providing guidance on the implementation of the PSMF where it relates to Information and Communications Technology (ICT) security. This includes guidance on the appointment of an ITSA and what should be included in the job and person specification of the staff member appointed as an ITSA. This guideline supports implementation of ISMF Policy Statement 4.

GUIDANCE

This guideline describes the role of the ITSA and sets baseline requirements, including an overview of ITSA responsibilities and required capabilities, in order to facilitate the selection of suitable persons to fill the role.

ROLE OF THE INFORMATION TECHNOLOGY SECURITY ADVISER

The ITSA is responsible for providing support and advice to senior management on the security measures required to ensure that information stored, processed or communicated by the agency’s information systems and services is protected, without creating unnecessary administrative or other barriers.

This role demands that incumbents uphold high levels of trust, integrity and responsibility. The ITSA provides support and forthright, independent and impartial advice to the Agency Security Executive (ASE) and works closely with the Agency Security Adviser (ASA).

The ITSA will be the principal contact point for DPC on ICT security matters. They will be regularly advised and consulted by DPC in relation to threats to the State Government’s ICT infrastructure, systems and services.


REQUIREMENTS

In order to fulfil duties of the position, agencies should ensure that the person considered for appointment to the role of ITSA:

is a public sector employee;

The position of ITSA must be held by a public servant. It is recognised that an ITSA may not have an extensive knowledge on all security issues and may seek guidance from external providers. The Cyber Security Services Portal of the e-Projects panel provides an avenue for agencies to obtain qualified security services on a broad range of matters.

can complete Information Security Management Framework (ISMF) implementation courses Understanding and Implementing an Information Security Management System and/or Lead Auditor Information Security Management Systems;

has both broad business and technical knowledge;

The ITSA must be able to articulate and provide advice on complex technological ICT systems and services security matters to executives and business owners, and communicate risks in a context that may be readily understood by personnel at all levels within the organisation.

has broad knowledge of contemporary ICT security practice;

The ITSA must have a detailed knowledge of agency specific and South Australian Government protective security policy, principles and minimum standards, and be provided with opportunity to maintain this knowledge.

can obtain a security clearance to the required classification;

The ITSA will be required to obtain and maintain a South Australian Government security clearance of at least PROTECTED, or to the highest classification of any information or systems they require access to in order to fulfil their role. A security clearance is an administrative determination that an individual is eligible and suitable for access to security classified information and resources. For more information on security clearances and personnel vetting refer to ISMF Guideline 9.

has a minimum of five (5) years’ experience in a relevant ICT role such as security, audit, assurance, governance, risk or compliance.

Personnel appointed to ITSA positions are expected to have experience in the field related to their work area. Depending on the size of the agency and/or complexity of the agency’s security requirements, the ITSA may need extensive experience and substantial or higher knowledge in their field of expertise.

The ITSA is responsible for providing definitive advice to the ASE on the adequacy of security measures to ensure:

the agency’s ICT systems and services (such as cloud platforms) are protected against unauthorised access or compromise, and that

information in electronic form is stored, processed and/or communicated in accordance with the law, South Australian Government policies, and the information security requirements detailed in the agency’s security plan.

By working together closely, the ASA and ITSA should ensure that any physical, information or personnel security measures complement the security measures taken to protect the agency’s ICT systems and services.

Government guideline on cyber security: Role and responsibilities of the ITSA v1.2, ISMF Guideline 4b


RESPONSIBILITIES AND COMPETENCIES

Typical responsibilities and baseline skill requirements have been described in the attached Role Statement for ITSAs.

ITSA positions should be at a level that requires only broad direction in terms of objectives, mission or functions. Agencies should consider outputs by the ITSA as authoritative. In terms of the SFIA Framework, ITSAs should be undertaking their role at a minimum of SFIA Responsibility Level 5: Ensure, Advise [1].

In addition to the responsibilities described in the Role Statement, the ITSA may be required to:

provide briefings and advice to agency personnel on ICT security, including ICT briefings to staff located or travelling overseas

investigate and report cyber security incidents to DPC, in conjunction with the ASA (refer ISMF Standard 140 – Notifiable Incidents).

In addition to the skills described in the attached Role Statement, the ITSA should possess, or be given suitable training to develop, competency in the following areas:

Communication and business management skills.

Comprehensive knowledge of the standards which govern the security of government ICT systems as detailed in the Information Security Management Framework (ISMF), including but not limited to the standards AS/NZS ISO/IEC 27002 and AS/NZS ISO 31000.

Awareness of technological controls and complementary security requirements contained in the Australian Government Information Security Manual (ISM).

Measures to detect and manage cyber security incidents, as well as preserving evidence for security investigations.

This guideline is a good practice guideline applied to the protective security policy position and operating characteristics of the Government of South Australia at the time of writing. The individual requirements and operational characteristics of agencies will have direct bearing on what attributes, competencies and security clearances are required to appoint an Information Technology Security Adviser.

[1] As defined in SFIA Framework Version 5, available at www.sfia.org.uk. The SFIA Framework forms the basis of the South Australian Government ICT Skills Framework.


REFERENCES, LINKS & ADDITIONAL INFORMATION

DPC/F4.1 Government of South Australia Information Security Management Framework

PC030 Government of South Australia Protective Security Management Framework [PSMF]

Australian Government Protective Security Policy Framework [PSPF]

AS/NZS ISO 31000:2009

Skills Framework for the Information Age

Document Control

ID: DPC/G4.4b
Version: 1.2
Classification/DLM: PUBLIC-I2-A1
Compliance: Discretionary
Original authorisation date: November 2013
Last approval date: September 2017
Review date: September 2018

Licence

With the exception of the Government of South Australia brand, logos and any images, this work is licensed under a Creative Commons Attribution (CC BY) 4.0 Licence. To attribute this material, cite the Department of the Premier and Cabinet, Government of South Australia, 2017.

ROLE STATEMENT

INFORMATION TECHNOLOGY SECURITY ADVISER

An Information Technology Security Adviser [ITSA] is an ICT security expert responsible for advising the business on the risk and security aspects of an agency’s ICT environment and for ensuring that security measures are undertaken in a coordinated manner. ITSAs typically work with business owners, Agency Security Executives and Agency Security Advisers to identify risks and recommend security controls. They may be responsible for developing security controls; incorporating security measures in ICT projects and programs; managing the response to cyber security incidents; coordinating or responding to the findings of ICT audits; managing contractors in the delivery of secure services; delivering information security awareness training and programs; and developing information security budgets, plans, policies and procedures.

The skills below are derived from the ICT Skills Framework (based upon the Skills Framework for the Information Age, SFIA).

Information Security SCTY (SFIA Levels 3-6)

The management of, and provision of expert advice on, the selection, design, justification, implementation and operation of information security controls and management strategies to maintain the confidentiality, integrity, availability, accountability and relevant compliance of information systems with legislation, regulation and relevant standards.

Information Assurance INAS (SFIA Levels 5-7)

The leadership and oversight of information assurance, setting high level strategy and policy, to ensure stakeholder confidence that risk to the integrity of information in storage and transit is managed pragmatically, appropriately and in a cost effective manner.

Business Risk Management BURM (SFIA Levels 4-7)

The planning and implementation of organisation-wide processes and procedures for the management of risk to the success or integrity of the business, especially those arising from the use of information technology, reduction or non-availability of energy supply or inappropriate disposal of materials, hardware or data.

Consultancy CNSL (SFIA Levels 5-7)

The provision of advice and recommendations, based on expertise and experience, to address client needs. May deal with one specific aspect of IT and the business, or can be wide ranging and address strategic business issues. May also include support for the implementation of any agreed solutions.

Experience and education

It is recommended that ICT professionals in this role have a minimum of five years’ experience in a relevant ICT role and hold a relevant tertiary qualification and/or a professional ICT certification. The professional certifications listed below are congruent with the body of knowledge, skills and experience required for this role. Certifications issued by professional bodies demonstrate a defined level of knowledge and experience in ICT and information security, and also require an ongoing commitment to professional development.

It is strongly recommended that ITSAs appointed to the role described by the Protective Security Management Framework are afforded the opportunity to acquire, hold and maintain one of these recognised certifications within the first 12 months of employment.

Certified Information Security Manager (ISACA)

Certified Information Systems Auditor (ISACA)

Certified Information Systems Security Professional ((ISC)2)

Certified Auditor ISO 27001 Information Security Management Systems
