DPC/G4.1b Government guideline on cyber security

ISMF Guideline 1b Roles and responsibilities in establishing and maintaining an Information Security Management System (ISMS)

BACKGROUND

Information and communication technology [ICT] underpins many of the South Australian Government’s services that protect the lives and property of citizens, and support the social and economic wellbeing of the community. Version 3 of the South Australian Information Security Management Framework [ISMF] introduced a requirement for government agencies to establish and maintain an Information Security Management System [ISMS] in alignment with the principles contained in the ISO 27001 standard. Transition priorities and expectations for the scope of the ISMS are described in ISMF Guideline 1a. This guideline supports implementation of ISMF Policy Statement 1.

GUIDANCE

This guideline has been developed to provide clarification on the roles and responsibilities within South Australian Government agencies that are currently defining, establishing and maintaining an ISMS. It also describes a process flow highlighting, at each stage, the involvement of various roles (or stakeholders) and the required outputs encompassing documents and decisions that must be recorded by the business. A generic overview of the ISMS process is described in Figure 4 of the Information Security Management Framework. This guideline describes a process specifically tailored to the roles and governance arrangements in South Australian Government agencies and considers the scope of an agency-wide (or organisational) ISMS.

ROLE OF THE RISK ASSESSMENT

The ISMF’s business-driven, risk-based approach to cyber security requires decisions to be recorded on how risks have been addressed, in order to provide an adequate level of assurance to the business that cyber security controls and protection mechanisms are in place, being used and effective. The risk assessment process and the documentation arising from it underpin the entire ISMS process. It permits the business to identify risks in given areas and the steps required to reduce the residual risks to an acceptable level. This is achieved by considering how each risk will be treated, tolerated, transferred or terminated. By applying protection efforts to the most sensitive and/or critical parts of the business and reducing the overheads of a traditional, arbitrary compliance-based model:

- duplication of efforts and resource overheads may be eliminated over time
- funding for cyber security initiatives can be allocated in a more predictable and consistent manner
- productivity gains are realised by focusing workforce efforts where they are required
- prioritisation of security initiatives is directly aligned to business priorities and goals

As a quality management system, the ISMS is an ongoing function that embeds a continual improvement cycle. This requires agencies to reconsider protection measures and assure themselves that these measures are still relevant, being applied, effective, communicated and understood by all relevant parties, including suppliers to government. It provides an opportunity to remove measures that are no longer applicable or relevant and to modify any existing measures taken to protect information assets in light of contemporary or emerging threats. A single risk assessment may be used for multiple purposes within an agency and its importance cannot be overstated. The risk assessment is of particularly high value to the business when applied to:

- the establishment of new ICT systems, platforms or architectures
- machinery of government changes, including mergers and separation of workforce functions
- the establishment of an ISMS
- business impact assessments
- business continuity and disaster recovery planning activities
- applications for exemption from whole of government ICT standards
- procurement undertakings
- contracting services to a third party
- obtaining services from a third party
- post incident reviews
- reviewing and improving the ISMS
- ICT audits

ESTABLISHING AND MAINTAINING AN ISMS IN GOVERNMENT AGENCIES

The process outlined below describes relevant agency roles, procedures, decision points and documented outputs at each stage of the ISMS lifecycle. The applicability of the Cyber Security Services Portal as an avenue for procuring ISMS related cyber security services from the private sector is also described.

The final stage after an ISMS has been established is for the business to determine which elements, if any, of the agency operating environment require certification to the AS/NZS ISO/IEC 27001 standard. Independent certification provides additional assurance to the business itself and to those who are reliant on the systems, services and processes provided by the organisation (such as select sectors of the community or the public in general).

Step 1: Secure management commitment including executive oversight and governance

The Agency (or ISMS Project Manager) forms a Security Governance Group (such as a Security Steering Committee). The Group’s members should ideally comprise: the CIO, ASE, CTO and Senior Security Manager(s).

Required documents: 1. Records of management decisions; 2. Document Control Procedures

Step 2: Define ISMS scope

The Business Owners, in consultation with the ITSA, define the initial scope of the ISMS. Assets critical to the Agency and/or the State must be included in the initial scope (refer to ISMF Guideline 1a).

Required documents: 1. ISMS Scope; 2. ISMS Policy Statement

Step 3: Inventory of Information Assets

Business Owners, Platform Managers, the ITSA, supply chain providers (i.e. StateNet Services, Shared Services SA and contracted suppliers) and other relevant staff identify which ICT systems underpin business functions.

Required documents: 1. Inventory

Step 4a: Information Security Risk Assessment Procedure

Business Owner(s), in consultation with the ITSA or a Cyber Security Services Portal provider, conduct a risk assessment using established Agency methods.

Required documents: 1. Agency risk assessment methodology based on the ISO 31000 standard

Step 4b: Information Security Risk Assessment Report

Complete a risk assessment report. The ISMS Statement of Applicability (SoA) tool can be used to identify which controls from the ISMF are to be implemented once information classifications have been determined.

Required documents: 1. Risk assessment report verified by the ITSA; 2. Risk treatment plan; 3. Statement of Applicability; 4. Completed SoA tool (optional)

Step 5: Agency Security Plan incorporating the organisation’s ISMS

The CE must develop, implement and maintain the Agency Security Plan as per section 4.3.1 of the PSMF. The ASE is responsible for oversight of the Security Management Compliance Program as outlined in section 4.3.2 of the PSMF, of which an ISMS is a crucial element. As custodian of the organisational ISMS, the ASE maintains it. The Security Governance Group may also maintain the ISMS provided the ASE is a member.

Required documents: 1. Agency Security Plan; 2. ISMS (once established)

Steps 6 & 7: Establish an ISMS Implementation Working Group / Reconvene after changes

The ISMS Implementation Working Group is responsible for maintaining various control documents. Suggested members of this group include: Platform Managers, Senior Security Managers, the ISMS Project Manager, the ITSA, the ASA and other staff as required. Responsibilities include prioritisation of the ISMS rollout, custodianship of individual SoA tool outputs, development of metrics to be used for the Security Management Compliance Program and determining the audit calendar/schedule.

Required documents: 1. Internal ISMS audit procedure incl. schedule; 2. Preventative action procedures; 3. ISMS controls (SoA tool); 4. Metrics; 5. Incident records; 6. Records control; 7. Corrective actions

Step 8: Consolidation of Control Documents into an ISMS

Draft versions of the organisational ISMS are created using a composite view of the ICT systems, their classifications and the risk measures that have been applied. The ASE is the custodian. The final draft must be validated by the CIO to confirm that the necessary applications, platforms, technology and physical facilities have been accounted for.

Required documents: 1. Sign off from CIO (or CTO)

Step 9: Approval from Chief Executive

The Agency CE signs off on the new or revised ISMS.

Step 10: Operational Procedures

Platform Managers implement and maintain operational procedures, for example information security policies, standards, procedures and guidelines, security logs, compliance and audit reports, awareness training records, etc.

Required documents: 1. Documented procedures (as required); 2. BCP/DR plans

Step 11: Periodic Review/Audit

As part of the continual improvement cycle, periodic self-assessments and independent audits of the ISMS (or parts thereof) are undertaken. Audits are often calendar driven. Assessments may also be event or change driven.

Required documents: 1. Findings, conclusions, recommended actions; 2. Post incident reviews

Step 12: Corrective Actions

Changes resulting from an audit or review process (including self-assessments and post incident reviews) are made in alignment with the Agency’s change control procedures.

Step 13: (Optional) ISO 27001 Certification Assessment

Agencies requiring certification for all or select parts of their ICT environment may contact the DPC for further guidance or approach the Cyber Security Services Portal to seek the required services. Refer also to ISMF Guideline 13.

Industry sourced Cyber Security Services are available from seven broad categories encompassing:

- Investigative Services / Forensics
- Assessments
- Government Security Policy Implementation
- Auditing
- Consulting
- Architecture and design
- Systems Development and Analysis

RELEVANT STAKEHOLDERS AND ROLES

Agency Security Adviser [ASA]

The Agency Security Adviser is a Position of Trust as defined in the PSMF. They are responsible for the protective security aspects detailed in the PSMF, notably the protection of facilities and personnel. The ASA should be consulted as necessary during risk assessments and during review of applicable aspects of the organisation’s ISMS. The ASA is often involved at steps 2, 4a, 4b, 6, 7 and 9 so that protective security aspects are included as part of the overarching ISMS in an agency.

Agency Security Executive [ASE]

The Agency Security Executive is a Position of Trust as defined in the PSMF. Security performance outcomes and operations are assigned to the ASE. The ASE should be the custodian of any approved version of the organisation’s ISMS. Other positions appointed by way of the PSMF should have access to the ASE as required to support stated executive outcomes and performance requirements. The ASE is normally involved at steps 1, 5, 8 and 13 of the ISMS process.

Business Owner

The Business Owner is the person or group that is ultimately responsible for an information asset. This person or group is distinct from an information custodian, who may take responsibility for the ongoing management of the information (such as a CIO or system administrator). Individual business units own business critical information, rather than information technology or information security departments (they are custodians, not owners). The manager of the business unit responsible for the creation of any information and/or the business unit directly impacted by the loss of the information is usually the Business Owner (i.e. the party most impacted by the loss of confidentiality, integrity or availability of the information is typically the Business Owner). The Business Owner is involved in steps 2, 3, 4a, 11 and 12 of the ISMS process and may be called upon to provide additional information during other phases of ISMS maintenance.

Chief Executive [CE]

The Chief Executive is ultimately accountable for all agency security aspects described in the PSMF, specifically the development and maintenance of the Agency Security Plan. An ISMS is a key supporting component in fulfilment of the plan’s objectives and requirements. Consequently, the organisational ISMS must be approved by the CE in order to assure the accountable party that agency cyber security protection measures are adequate and proportionate to the risk profile (i.e. appetite and tolerance to risk) of the agency. The CE must approve the ISMS as described in Step 9 of the ISMS process.

Chief Information Officer [CIO]

An agency CIO is equipped with the necessary authority and access to business information to bridge the gap between the business and the underpinning ICT environment. In the context of operating an ISMS, the CIO should be included as a member of the Security Governance Group and must be consulted on any final draft ISMS or after significant changes have been made to an existing ISMS. This is a necessary step in validating the correlation of business protection requirements with the capabilities of the ICT environment. The CIO is typically engaged during steps 1, 3 and 8 of the ISMS process.

Chief Technology Officer [CTO]

An agency CTO can provide valuable insight into the ICT operating environment, its capabilities and characteristics, the technology roadmap and the procedures and controls used by ICT Platform Managers. In the absence of an agency CIO, the CTO may be called upon to validate the draft ISMS from a technology standpoint. The CTO is often utilised during steps 1, 3 and 12 of the ISMS process.

Cyber Security Services Portal [CSSP]

The CSSP operates as a dedicated portal under the broader eProjects panel of the Government of South Australia. It provides a mechanism for agencies to efficiently procure cyber security services from a panel of industry providers and practitioners. Portal suppliers have been pre-qualified to determine that they are capable and adequately qualified to assist agencies in meeting their responsibilities and obligations for ICT/cyber security as described in both the PSMF and ISMF. A range of cyber security services can be procured via the portal from seven broad categories. A secondary objective of the portal is to assist agencies in the implementation of an Information Security Management System [ISMS] and to ensure that the capability and maturity of suppliers is in alignment (‘lock step’) with the capability and maturity expectations placed on agencies in all matters pertaining to cyber security. The CSSP may be used to facilitate or improve an agency’s ISMS deployment during steps 1, 2, 3, 4a, 5, 6, 10, 11, 12 and 13 of the ISMS process.

Information Technology Security Adviser [ITSA]

The Information Technology Security Adviser is a Position of Trust as defined in the PSMF. This role is appointed by an Agency or organisation to manage the security of information and ICT systems. CTO Notification 89 (issued by the Office for Digital Government) provides information about this role, including guidance on the selection of suitable persons to fill it. The ITSA is involved at most stages of ISMS development in an advisory capacity but cannot make final determinations on behalf of the business; matters impacting the business must be dealt with directly by the Business Owner and/or executive management as required. A foundation requirement of the ITSA is to review and provide commentary and advice on risk assessments that are undertaken by various parts of the business.

Independent Auditor(s)

Independent and periodic review of the organisation’s ISMS is an essential component of ongoing and continual improvement to the agency’s overall cyber security posture. An Independent Auditor may be externally sourced, part of the internal audit function, or the external audit function provided to government by way of the South Australian Auditor-General’s Department. Independent audits should not be confused with self-assessment reviews.

ISMS Custodian

The Agency Security Executive [ASE] should be the custodian of the organisation’s ISMS. This approach is consistent with the requirement of the role to establish, maintain and provide oversight of the agency’s security management compliance program, which is described in the PSMF. In the absence of an ASE, ISMS custodianship should be assigned to the Chief Executive or the Security Governance Group.

Platform Manager

The Platform Manager is responsible for the ongoing maintenance of an ICT platform comprising hardware, software and ancillary components. They are the custodian of the information stored, processed or transmitted via the ICT platform. In general terms, a Platform Manager is able to determine how technology based security controls can be applied to a given platform in order to achieve the risk treatments that have been stipulated by the business.

Security Governance Group

The function of an agency Security Governance Group (such as a steering committee) is to provide oversight on all aspects of the agency’s protective security posture, incorporating personnel, physical facilities, information and ICT. With respect to the ISMS, this group must comprise senior management and have executive representation. Measures of ISMS progress and success, in the form of progress reporting, implementation challenges and schedule, barriers to deployment and improvement considerations, are typically reported to this group on a regular basis as part of a comprehensive security oversight program. Composition of the group should ideally include the following representation: ASE, CIO, Senior Security Manager(s), a representative from human resources, and the CTO. Securing management commitment and support (ISMF Standard 4) and assigning appropriate personnel for the oversight of security programs (ISMF Standard 6) are essential components of successful ISMS deployment, as further elaborated in both the ISO 27001 international standard and the ISMF. The Security Governance Group should have direct oversight of the holistic ISMS program and specifically is involved during steps 1, 5, 11 and 13 of the ISMS process.

ADDITIONAL CONSIDERATIONS

Agencies should contact the Department of the Premier and Cabinet should they identify State Government Critical Information Infrastructure (refer ISMF Guideline 37a) as part of their ISMS.

Recommendations arising from independent audits of the agency ISMS should be prioritised for treatment by Business Owners taking into consideration value for effort exerted, achievability and criticality to reduce risks identified by the audit findings.

Detailed implementation guidance for developing and establishing an ISMS is contained in the ISO/IEC 27003 standard.

This guideline does not constitute an absolute or mandatory method for establishing and maintaining an Information Security Management System. It is merely a good practice guideline based on the AS/NZS ISO/IEC 27001 standard and applied to the protective security policy position and operating characteristics of the Government of South Australia at the time of writing. The individual requirements and operational characteristics of agencies will have direct bearing on what measures are implemented to mitigate identified risk(s) and how such outcomes are achieved.

REFERENCES, LINKS & ADDITIONAL INFORMATION

DPC/F4.1 Government of South Australia Information Security Management Framework [ISMF]

PC030 Government of South Australia Protective Security Management Framework [PSMF]

AS/NZS ISO/IEC 27001:2006

ISO/IEC 27003:2010

AS/NZS ISO 31000:2009

IEC/ISO 31010:2010

Australian Government Protective Security Policy Framework [PSPF]

ISMF Guideline 1a - Transition guidance for agencies and suppliers

ISMF Control Selection Tool

Document Control

ID: DPC/G4.1b
Version: 1.3
Classification/DLM: PUBLIC-I2-A1
Compliance: Discretionary
Original authorisation date: March 2014
Last approval date: September 2017
Review date: September 2018

Licence

With the exception of the Government of South Australia brand, logos and any images, this work is licensed under a Creative Commons Attribution (CC BY) 4.0 Licence. To attribute this material, cite the Department of the Premier and Cabinet, Government of South Australia, 2017.