
OCIO/G4.1b
Government guideline on cyber security

ISMF Guideline 1b
Roles and responsibilities in establishing and maintaining an Information Security Management System (ISMS)
BACKGROUND
Information communication technology [ICT] underpins many of the South Australian Government's services that protect the lives and property of citizens, and support the social and economic wellbeing of the community. Version 3 of the South Australian Information Security Management Framework [ISMF] introduced a requirement for government agencies to establish and maintain an Information Security Management System [ISMS] in alignment with the principles contained in the ISO 27001 standard. Transition priorities and expectations for the scope of the ISMS are described in ISMF Guideline 1a. This guideline supports implementation of ISMF Policy Statement 1.

GUIDANCE
This guideline has been developed to provide clarification on the roles and responsibilities within South Australian Government agencies that are currently defining, establishing and maintaining an ISMS. It also describes a process flow highlighting, at each stage, the involvement of various roles (or stakeholders) and the required outputs, encompassing documents and decisions that must be recorded by the business. A generic overview of the ISMS process is described in Figure 4 of the Information Security Management Framework. This guideline describes a process specifically tailored to the roles and governance arrangements in South Australian Government agencies and considers the scope of an agency-wide (or organisational) ISMS.

ROLE OF THE RISK ASSESSMENT
The business-driven, risk-based approach to cyber security of the ISMF requires decisions to be recorded on how risks have been addressed, in order to provide an adequate level of assurance to the business that cyber security controls and protection mechanisms are in place, being used and effective. The risk assessment process and the documentation arising from it underpin the entire ISMS process. It effectively permits the business to identify risks in given areas and the required steps to reduce the residual risks to an acceptable level. This is achieved by considering how risks will be treated, tolerated, transferred or terminated. By applying protection efforts to the most sensitive and/or critical parts of the business and reducing the overheads of a traditional and arbitrary compliance-based model:


- duplication of efforts and resource overheads may be eliminated over time
- funding for cyber security initiatives can be allocated in a more predictable and consistent manner
- productivity gains are realised by focusing workforce efforts where they are required
- prioritisation of security initiatives is directly aligned to business priorities and goals

As a quality management system, the ISMS is an ongoing function that embeds a continual improvement cycle. This requires agencies to reconsider protection measures and assure themselves that these measures are still relevant, being applied, effective, communicated and understood by all relevant parties, including suppliers to government. It provides an opportunity to remove measures that are no longer applicable or relevant and to modify any existing measures taken to protect information assets in light of contemporary or emerging threats. A single risk assessment may be used for multiple purposes within an agency and its importance cannot be overstated. The risk assessment is of particularly high value to the business when applied to:

- the establishment of new ICT systems, platforms or architectures
- machinery of government changes, including mergers and separation of workforce functions
- the establishment of an ISMS
- business impact assessments
- business continuity and disaster recovery planning activities
- applications for exemption from whole of government ICT standards
- procurement undertakings
- contracting services to a third party
- obtaining services from a third party
- post incident reviews
- reviewing and improving the ISMS
- ICT audits

ESTABLISHING AND MAINTAINING AN ISMS IN GOVERNMENT AGENCIES
The process outlined below describes relevant agency roles, procedures, decision points and documented outputs at each stage of the ISMS lifecycle. The applicability of the Cyber Security Services Portal as an avenue for procuring ISMS related cyber security services from the private sector is also described. The final stage after an ISMS has been established is for the business to determine which elements, if any, of the agency operating environment require certification to the AS/NZS ISO/IEC 27001 standard. Independent certification provides additional assurance to the business itself and to those who are reliant on the systems, services and processes provided by the organisation (such as select sectors of the community or the public in general).

Government guideline on cyber security Roles and responsibilities in establishing and maintaining an ISMS v1.1

Page 2 of 7


Step 1: Secure management commitment including executive oversight and governance

The Agency (or ISMS Project Manager) forms a Security Governance Group (such as a Security Steering Committee). The Group's members should ideally comprise the CIO, ASE, CTO and Senior Security Manager(s).

Required documents:
1. Records of management decisions
2. Document Control Procedures

Step 2: Define ISMS scope

The Business Owners, in consultation with the ITSA, define the initial scope of the ISMS. Assets critical to the Agency and/or State must be included in the initial scope (refer to ISMF Guideline 10).

Required documents:
1. ISMS Scope
2. ISMS Policy Statement

Step 3: Inventory of Information Assets

Business Owners, Platform Managers, the ITSA, supply chain providers (i.e. StateNet Services, Shared Services SA and contracted suppliers) and other relevant staff identify which ICT systems underpin business functions.

Required documents:
1. Inventory

Step 4a: Information Security Risk Assessment Procedure

Business Owner(s), in consultation with the ITSA or a Cyber Security Services Portal provider, conduct a risk assessment using established Agency methods.

Required documents:
1. Agency risk assessment methodology based on the ISO 31000 standard

Step 4b: Information Security Risk Assessment Report

Complete a risk assessment report. The ISMS Statement of Applicability (SoA) tool can be used to identify which controls from the ISMF are to be implemented once information classifications have been determined.

Required documents:
1. Risk assessment report verified by the ITSA
2. Risk treatment plan
3. Statement of Applicability
4. Completed SoA tool (optional)

Step 5: Agency Security Plan incorporating the organisation's ISMS

The CE must develop, implement and maintain the Agency Security Plan as per section 4.3.1 of the PSMF. The ASE is responsible for oversight of the Security Management Compliance Program as outlined in section 4.3.2 of the PSMF, of which an ISMS is a crucial element. As custodian of the organisational ISMS, the ASE maintains the organisational ISMS. The Security Governance Group may also maintain the ISMS provided the ASE is a member.

Required documents:
1. Agency Security Plan
2. ISMS (once established)

Steps 6 & 7: Establish an ISMS Implementation Working Group / Reconvene after changes

The ISMS Implementation Working Group is responsible for maintaining various control documents. Suggested members of this group include Platform Managers, Senior Security Managers, the ISMS Project Manager, the ITSA, the ASA and other staff as required. Responsibilities include prioritisation of the ISMS rollout, custodianship of individual SoA tool outputs, development of metrics to be used for the Security Management Compliance Program and determining the audit calendar/schedule.

Required documents:
1. Internal ISMS audit procedure incl. schedule
2. Preventative action procedures
3. ISMS controls (SoA tool)
4. Metrics
5. Incident records
6. Records control
7. Corrective actions

Step 8: Consolidation of Control Documents into an ISMS

Draft versions of the organisational ISMS are created using a composite view of the ICT systems, their classifications and the risk measures that have been applied. The ASE is the custodian. The final draft must be validated by the CIO to confirm that the necessary applications, platforms, technology and physical facilities have been accounted for.

Required documents:
1. Sign off from CIO (or CTO)

Step 9: Approval from Chief Executive

The Agency CE signs off on the new or revised ISMS.

Step 10: Operational Procedures

Platform Managers implement and maintain operational procedures, for example Information Security policies, standards, procedures and guidelines, security logs, compliance and audit reports, awareness training records etc.

Required documents:
1. Documented procedures (as required)
2. BCP/DR plans

Step 11: Periodic Review/Audit

As part of the continual improvement cycle, periodic self-assessments and independent audits of the ISMS (or parts thereof) are undertaken. Audits are often calendar driven. Assessments may also be event or change driven.

Required documents:
1. Findings, conclusions, recommended actions
2. Post incident reviews

Step 12: Corrective Actions

Changes resulting from an audit or review process (including self-assessments and post incident reviews) are made in alignment with the Agency's change control procedures.

Step 13: (Optional) ISO 27001 Certification Assessment

Agencies requiring certification for all or select parts of their ICT environment may contact the Office of the Chief Information Officer for further guidance or approach the Cyber Security Services Portal to seek the required services.

Cyber Security Services Portal: industry sourced cyber security services are available from seven broad categories encompassing Investigative Services / Forensics; Assessments; Government Security Policy Implementation; Auditing; Consulting; Architecture and design; Systems Development and Analysis.


RELEVANT STAKEHOLDERS AND ROLES

Agency Security Adviser [ASA]
The Agency Security Adviser is a Position of Trust as defined in the PSMF. They are responsible for the protective security aspects detailed in the PSMF, notably the protection of facilities and personnel. The ASA should be consulted as necessary during risk assessments and during review of applicable aspects of the organisation's ISMS. The ASA is often involved at steps 2, 4a, 4b, 6, 7 and 9 so that protective security aspects are included as part of the overarching ISMS in an agency.

Agency Security Executive [ASE]
The Agency Security Executive is a Position of Trust as defined in the PSMF. Security performance outcomes and operations are assigned to the ASE. The ASE should be the custodian of any approved version of the organisation's ISMS. Other positions appointed by way of the PSMF should have access to the ASE as required to support stated executive outcomes and performance requirements. The ASE is normally involved at steps 1, 5, 8 and 13 of the ISMS process.

Business Owner
The Business Owner is the person or group that is ultimately responsible for an information asset. This person or group is distinct from an information custodian, who may take responsibility for the ongoing management of the information (such as a CIO or system administrator). Individual business units own business critical information, rather than information technology or information security departments (they are custodians, not owners). The manager of the business unit responsible for the creation of any information and/or the business unit directly impacted by the loss of the information is usually the Business Owner (e.g. the party most impacted by the loss of confidentiality, integrity or availability of information is typically the Business Owner). The Business Owner is involved in steps 2, 3, 4a, 11 and 12 of the ISMS process and may be called upon to provide additional information during other phases of ISMS maintenance.

Chief Executive [CE]
The Chief Executive is ultimately accountable for all agency security aspects described in the PSMF, specifically the development and maintenance of the Agency Security Plan. An ISMS is a key supporting component in fulfilment of the plan's objectives and requirements. Consequently, the organisational ISMS must be approved by the CE in order to assure the accountable party that agency cyber security protection measures are adequate and proportionate to the risk profile (i.e. appetite and tolerance for risk) of the agency. The CE must approve the ISMS as described in Step 9 of the ISMS process.

Chief Information Officer [CIO]
An agency CIO is equipped with the necessary authority and access to business information to bridge the gap between the business and the underpinning ICT environment. In the context of operating an ISMS, the CIO should be included as a member of the Security Governance Group and must be consulted on any final draft ISMS or after significant changes have been made to an existing ISMS. This is a necessary step in validating the correlation of business protection requirements with the capabilities of the ICT environment. The CIO is typically engaged during steps 1, 3 and 8 of the ISMS process.

Chief Technology Officer [CTO]
An agency CTO can provide valuable insight into the ICT operating environment, its capabilities and characteristics, the technology roadmap and the procedures and controls used by ICT Platform Managers. In the absence of an agency CIO, the CTO may be called upon to validate the draft ISMS from a technology standpoint. The CTO is often engaged during steps 1, 3 and 12 of the ISMS process.

Cyber Security Services Portal [CSSP]
The CSSP operates as a dedicated portal under the broader eProjects panel of the Government of South Australia. It provides a mechanism for agencies to efficiently procure cyber security services from a panel of industry providers and practitioners. Portal suppliers have been pre-qualified to determine that they are capable and adequately qualified to assist agencies in meeting their responsibilities and obligations for ICT/cyber security as described in both the PSMF and ISMF. A range of cyber security services can be procured via the portal from seven broad categories. A secondary objective of the portal is to assist agencies in the implementation of an Information Security Management System [ISMS] and to ensure that the capability and maturity of our suppliers is in alignment (lock step) with the capability and maturity expectations placed on agencies in all matters pertaining to cyber security. The CSSP may be used to facilitate or improve an agency's ISMS deployment during steps 1, 2, 3, 4a, 5, 6, 10, 11, 12 and 13 of the ISMS process.

Information Technology Security Adviser [ITSA]
The Information Technology Security Adviser is a Position of Trust as defined in the PSMF. This role is appointed by an Agency or organisation to manage the security of information and ICT systems. CTO Notification 89 (issued by the Office of the Chief Information Officer) provides information about this role, including guidance on the selection of suitable persons to fill the role. The ITSA is involved at most stages of ISMS development in an advisory capacity but cannot make final determinations on behalf of the business, as matters impacting the business must be dealt with directly by the Business Owner and/or executive management as required. A foundation requirement of the ITSA is to review and provide commentary and advice on risk assessments that are undertaken by various parts of the business.

Independent Auditor(s)
Independent and periodic review of the organisation's ISMS is an essential component of ongoing and continual improvement to the agency's overall cyber security posture. An Independent Auditor may be externally sourced, part of the internal audit function or the external audit function provided to government by way of the South Australian Auditor-General's Department. Independent audits should not be confused with self-assessment reviews.

ISMS Custodian
The Agency Security Executive [ASE] should be the custodian of the organisation's ISMS. This approach is consistent with the requirement of the role to establish, maintain and provide oversight of the agency's security management compliance program, which is described in the PSMF. In the absence of an ASE, ISMS custodianship should be assigned to the Chief Executive or the Security Governance Group.

Platform Manager
The Platform Manager is responsible for the ongoing maintenance of an ICT platform comprising hardware, software and ancillary components. They are the custodian of the information stored, processed or transmitted via the ICT platform. In general terms, a Platform Manager is able to determine how technology-based security controls can be applied to a given platform in order to achieve the desired risk treatments that have been stipulated by the business.

Security Governance Group
The function of an agency Security Governance Group (such as a steering committee) is to provide oversight on all aspects of the agency's protective security posture, incorporating personnel, physical facilities, information and ICT. With respect to the ISMS, this group must comprise senior management and have executive representation. The measurement of ISMS progress and success, in the form of progress reporting, implementation challenges and schedule, barriers to deployment and improvement considerations, is typically reported to this group on a regular basis as part of a comprehensive security oversight program. Composition of the group should ideally include the following representation: ASE, CIO, Senior Security Manager(s), a representative from human resources, and the CTO. Securing management commitment and support (ISMF Standard 4) and assigning appropriate personnel for the oversight of security programs (ISMF Standard 6) are essential components of successful ISMS deployment, which is further elaborated in both the ISO 27001 international standard and the ISMF. The Security Governance Group should have direct oversight of the holistic ISMS program and is specifically involved during steps 1, 5, 11 and 13 of the ISMS process.

ADDITIONAL CONSIDERATIONS
Agencies should contact the Office of the CIO should they identify State Government Critical Information Infrastructure (refer to ISMF Guideline 37a) as part of their ISMS. Recommendations arising from independent audits of the agency ISMS should be prioritised for treatment by Business Owners, taking into consideration value for effort exerted, achievability and criticality in reducing the risks identified by the audit findings. Detailed implementation guidance for developing and establishing an ISMS is contained in the ISO/IEC 27003 standard.

This guideline does not constitute an absolute or mandatory method for establishing and maintaining an Information Security Management System. It is merely a good practice guideline based on the AS/NZS ISO/IEC 27001 standard and applied to the protective security policy position and operating characteristics of the Government of South Australia at the time of writing. The individual requirements and operational characteristics of agencies will have direct bearing on what measures are implemented to mitigate identified risk(s) and how such outcomes are achieved.


REFERENCES, LINKS & ADDITIONAL INFORMATION
- OCIO/F4.1 Government of South Australia Information Security Management Framework [ISMF]
- PC030 Government of South Australia Protective Security Management Framework [PSMF]
- AS/NZS ISO/IEC 27001:2006
- ISO/IEC 27003:2010
- AS/NZS ISO 31000:2009
- IEC/ISO 31010:2010
- Australian Government Protective Security Policy Framework [PSPF]
- ISMF Guideline 1a - Transition guidance for agencies and suppliers
- Government of South Australia ISMS SoA tool

ID: OCIO_G4.1b
Classification/DLM: PUBLIC-I2-A1
Issued: March 2014 (redesignated from ISMF Guideline 13 as ISMF Guideline 1b)
Authority: Security and Risk Steering Committee
Master document location: Q:\SecurityRiskAssurance\Policy Development Sub-program\Policy and Standards\ISMF\ISMFguidelines\ISMFguideline1b(ISMS roles).docx
Records management: File Folder: 2011/15123/01 - Document number: xxxxxxxx
Managed & maintained by: Office of the Chief Information Officer
Author: Jason Caley, Principal Policy Adviser / Hannah Wheaton, Graduate Project Officer
Reviewer: Peter Fowler MACS (Snr. CP), IP3P, CISM, CGEIT, CRISC, MAIES, Director Security and Risk Assurance
Compliance: Discretionary
Review date: February 2016

To attribute this material, cite the Office of the Chief Information Officer, Government of South Australia, ISMF Guideline 1b.

This work is licensed under a Creative Commons Attribution 3.0 Australia Licence. Copyright South Australian Government, 2014.
