ISMF Guideline 4b - Role and responsibilities of the ITSA

OCIO/G4.4b
Government guideline on cyber security
ISMF Guideline 4b
Role and responsibilities of the
Information Technology Security Adviser (ITSA)
BACKGROUND
On 7 April 2008 Cabinet approved the South Australian Government Protective Security
Management Framework (PSMF). As a result of this decision, Cabinet has directed that all
agencies will appoint an ITSA. The Office of the Chief Information Officer (OCIO) is responsible for
providing guidance on the implementation of the PSMF where it relates to Information and
Communications Technology (ICT) security. This includes guidance on the appointment of an
ITSA and what should be included in the job and person specification of the staff member
appointed as an ITSA. This guideline supports implementation of ISMF Policy Statement 4.
GUIDANCE
This guideline describes the role of the Information Technology Security Adviser (ITSA) and sets
baseline requirements including an overview of ITSA responsibilities and required capabilities in
order to facilitate the selection of suitable persons to fill the role.
ROLE OF THE INFORMATION TECHNOLOGY SECURITY ADVISER
The ITSA is responsible for providing support and advice to senior management on security
measures required to ensure that information stored, processed or communicated by the agency’s
information systems and services is protected without creating unnecessary administrative or other
barriers.
This role demands that incumbents uphold high levels of trust, integrity and responsibility. The
ITSA provides support and forthright, independent and impartial advice to the Agency Security
Executive (ASE) and works closely with the Agency Security Adviser (ASA).
The ITSA will be the principal contact point for the OCIO on ICT security matters. They will be
regularly advised and consulted by the OCIO in relation to threats to the State Government’s ICT
infrastructure, systems and services.
REQUIREMENTS
In order to fulfil duties of the position, agencies should ensure that the person considered for
appointment to the role of ITSA:

- is a public sector employee;
  The position of ITSA must be held by a public servant. It is recognised that an ITSA may not
  have an extensive knowledge on all security issues and may seek guidance from external
  providers. The Cyber Security Services Portal of the e-Projects panel provides an avenue for
  agencies to obtain qualified security services on a broad range of matters.

- can complete the Information Security Management Framework (ISMF) implementation courses
  Understanding and Implementing an Information Security Management System and/or Lead
  Auditor Information Security Management Systems;

- has both broad business and technical knowledge;
  The ITSA must be able to articulate and provide advice on complex technological ICT systems
  and services security matters to executives and business owners, and communicate risks in a
  context that may be readily understood by personnel at all levels within the organisation.

- has broad knowledge of contemporary ICT security practice;
  The ITSA must have a detailed knowledge of agency specific and South Australian
  Government protective security policy, principles and minimum standards, and be provided
  with opportunity to maintain this knowledge.

- can obtain a security clearance to the required classification;
  The ITSA will be required to obtain and maintain a South Australian Government security
  clearance of at least PROTECTED, or to the highest classification of any information or
  systems they require access to in order to fulfil their role. A security clearance is an
  administrative determination that an individual is eligible and suitable for access to security
  classified information and resources. For more information on security clearances and
  personnel vetting refer to ISMF Guideline 9.

- has had a minimum of five (5) years’ experience in a relevant ICT role such as security, audit,
  assurance, governance, risk or compliance.
  Personnel appointed to ITSA positions are expected to have experience in the field related to
  their work area. Depending on the size of the agency and/or complexity of the agency’s
  security requirements, the ITSA may need extensive experience and substantial or higher
  knowledge in their field of expertise.
The ITSA is responsible for providing definitive advice to the Agency Security Executive (ASE) on
the adequacy of security measures to ensure:

- the agency’s ICT systems and services (such as cloud platforms) are protected against
  unauthorised access or compromise, and that

- information in electronic form is stored, processed and/or communicated in accordance with
  the law, South Australian Government policies, and the information security requirements
  detailed in the agency’s security plan.

By working together closely, the Agency Security Adviser (ASA) and ITSA should ensure that any
physical, information or personnel security measures complement the security measures taken to
protect the agency’s ICT systems and services.
Government guideline on cyber security
Role and responsibilities of the ITSA v1.1
RESPONSIBILITIES AND COMPETENCIES
Typical responsibilities and baseline skill requirements of IT Security Advisers have been
described in the attached Role Statement for IT Security Advisers.
ITSA positions should be at a level that only requires broad direction in terms of objectives,
mission or functions. Agencies should consider outputs by the ITSA as authoritative. In terms of
the SFIA Framework, ITSAs should be undertaking their role at a minimum SFIA Responsibility
Level 5: Ensure, Advise [1].
In addition to the responsibilities described in the Role Statement, the ITSA may be required to:

- provide briefings and advice to agency personnel on ICT security, including ICT briefings to
  staff located or travelling overseas

- investigate and report cyber security incidents to the Office of the CIO, in conjunction with
  the ASA (refer ISMF Standard 140 – Notifiable Incidents).

In addition to the skills described in the attached Role Statement, the ITSA should possess, or be
given suitable training to develop, competency in the following areas:

- Communication and business management skills.

- Comprehensive knowledge of the standards which govern the security of government ICT
  systems as detailed in the Information Security Management Framework (ISMF), including
  but not limited to the standards AS/NZS ISO/IEC 27002 and AS/NZS ISO 31000.

- Awareness of technological controls and complementary security requirements contained
  in the Australian Government Information Security Manual (ISM).

- Measures to detect and manage cyber security incidents, as well as preserving evidence
  for security investigations.
This guideline is a good practice guideline applied to the protective security policy position and
operating characteristics of the Government of South Australia at the time of writing. The individual
requirements and operational characteristics of agencies will have direct bearing on what
attributes, competencies and security clearances are required to appoint an Information
Technology Security Adviser.
[1] As defined in SFIA Framework Version 5 available at www.sfia.org.uk. The SFIA Framework forms the basis of the
South Australian Government ICT Skills Framework.
REFERENCES, LINKS & ADDITIONAL INFORMATION

- PC030 Government of South Australia Protective Security Management Framework [PSMF]

- Australian Government Protective Security Policy Framework [PSPF]

- AS/NZS ISO 31000:2009

- Skills Framework for the Information Age
ID: OCIO_G4.4b
Classification/DLM: PUBLIC-I2-A1
Issued: November 2013 (re-issued as ISMF Guideline 4b from Guideline 17 – February 2014)
Authority: Security and Risk Steering Committee
Master document location: Q:\SecurityRiskAssurance\Policy Development Sub-program\Policy and
Standards\ISMF\ISMFguidelines\ISMFguideline4b(ITSA).docx
Records management: File Folder: 2011/15123/01 - Document number: 7027349
Managed & maintained by: Office of the Chief Information Officer
Authors: Jason Caley, Principal Policy Adviser; Fern Tomas, Senior Analyst Assurance
Reviewer: Peter Fowler MACS (Snr. CP), IP3P, CISM, CGEIT, CRISC, MAIES,
Director Security and Risk Assurance
Compliance: Discretionary
Review date: February 2016
To attribute this material, cite the Office of the Chief Information Officer, Government of South
Australia, ISMF Guideline 4b.
This work is licensed under a Creative Commons Attribution 3.0 Australia Licence
Copyright © South Australian Government, 2014.
Disclaimer
Role Statement
IT SECURITY ADVISER
An IT Security Adviser is an ICT security expert responsible for advising the business on risk
and security aspects of an agency’s ICT environment and ensuring that security measures
are undertaken in a coordinated manner. IT Security Advisers typically work with business
owners, Agency Security Executives and Agency Security Advisers to identify risks and
recommend security controls. They may be responsible for developing security controls;
incorporating security measures in ICT projects and programs; managing the response to
cyber security incidents; coordinating or responding to the findings of ICT audits; managing
contractors in the delivery of secure services; delivering information security awareness
training and programs; and developing information security budgets, plans, policies and
procedures.
The skills below are derived from the ICT Skills Framework (based upon the Skills
Framework for the Information Age - SFIA).
Information Security SCTY (SFIA Levels 3-6)
The management of, and provision of expert advice on, the selection, design, justification,
implementation and operation of information security controls and management strategies to
maintain the confidentiality, integrity, availability, accountability and relevant compliance of
information systems with legislation, regulation and relevant standards.
Information Assurance INAS (SFIA Levels 5-7)
The leadership and oversight of information assurance, setting high level strategy and
policy, to ensure stakeholder confidence that risk to the integrity of information in storage
and transit is managed pragmatically, appropriately and in a cost effective manner.
Business Risk Management BURM (SFIA Levels 4-7)
The planning and implementation of organisation-wide processes and procedures for the
management of risk to the success or integrity of the business, especially those arising from
the use of information technology, reduction or non-availability of energy supply or
inappropriate disposal of materials, hardware or data.
Consultancy CNSL (SFIA Levels 5-7)
The provision of advice and recommendations, based on expertise and experience, to
address client needs. May deal with one specific aspect of IT and the business, or can be
wide ranging and address strategic business issues. May also include support for the
implementation of any agreed solutions.
This work is licensed under a Creative Commons Attribution 3.0 Australia licence, http://creativecommons.org/licenses/by/3.0/au/
To attribute this material, cite the Office of the Chief Information Officer, Government of South Australia 2013.
Skills Framework for the Information Age quoted by kind permission of The SFIA Foundation: www.SFIA.org.uk.
IT SECURITY ADVISER
Experience and education
It is recommended that ICT professionals in this role have a minimum of five years’
experience in a relevant ICT role and hold a relevant tertiary qualification and/or a
professional ICT certification. The professional certifications below are congruous to the
body of knowledge, skills and experience required for this role. Certifications issued by
professional bodies demonstrate a defined level of knowledge and experience in ICT and
information security and also require an ongoing commitment to professional development.
It is strongly recommended that IT Security Advisers appointed to the role described by the
Protective Security Management Framework are afforded the opportunity to acquire, hold
and maintain one of these recognised certifications within the first 12 months of
employment.
- Certified Information Security Manager (ISACA)

- Certified Information Systems Auditor (ISACA)

- Certified Information Systems Security Professional ((ISC)2)

- Certified Auditor ISO 27001 Information Security Management Systems