If you noticed your neighbor’s house was on fire, you would call the fire department. You would want to help the neighbor and also ensure that the fire doesn’t spread to other homes. It takes a lot of people to protect your neighborhood. Everyone in the neighborhood has some responsibility to ensure everyone’s safety. Show
Information has a life of its own. It travels by many different methods; it is collected on paper forms, through Web sites and over the phone. It is processed by people and used in business transactions, such as transferring money or mailing bank statements. Information resides on desktops, laptops and servers. No single person is responsible for the security of the information. It is the responsibility of the whole to ensure the privacy and accuracy of the information. Those responsible for securing information include: Managers, data custodians and system ownersThese groups collaborate with business partners, technologists, employees and users to ensure that policies, procedures and best practices are implemented. They are aware of the risks to managing the information and how it is processed. They identify resources for addressing these risks. They may lead efforts to:
Business partnersBusiness partners are responsible for processing the information. They collaborate with technologists to implement systems that digitally collect, store and transfer the information. Business Partners collaborate internally and externally to build and maintain information systems. Business partners may work with:
EmployeesEmployees are responsible for following the policies and procedures for managing the information in a secure manner. Examples include but are not limited to:
TechnologistsTechnologists develop, implement and maintain the information systems by setting up servers, developing code, administering applications, maintaining networks and building security controls and procedures. They implement controls and processes to protect the information. Their job functions include:
VendorsBusiness partners often rely on vendors as a solution for implementing services in a cost-effective manner. In contractual agreements, system owners and business partners should identify how the vendor should manage the information. Contractual agreements should include:
System usersSystem users are responsible for understanding policies and procedures that apply to them. Unlike employees, they might not work for the system swner (for example, applicants to UW use our system but are not employees). They should also be aware of how to protect their identity information. System Users will benefit from an understanding of:
The role of the Chief Information Security Officer (CISO) requires a combination of technical and soft skills, such as business acumen, leadership, communications and relationship building. Additionally, a CISO must adopt a continuous approach to learning and up-skilling in order to maintain pace with the cyber threat landscape and new technologies. It is expected that a CISO show innovation and imagination in conceiving and delivering cyber security strategies for their organisation. Providing cyber security leadership and guidanceTo provide cyber security leadership and guidance within an organisation, it is important that the organisation appoints a CISO. Control: ISM-0714; Revision: 5; Updated: Oct-20; Applicability: All; Essential Eight: N/A Overseeing the cyber security programThe CISO within an organisation is responsible for overseeing their organisation’s cyber security program and ensuring compliance with cyber security policy, standards, regulations and legislation. They are likely to work with a Chief Security Officer, a Chief Information Officer and other senior executives within their organisation. Control: ISM-1478; Revision: 1; Updated: Oct-20; Applicability: All; Essential Eight: N/A Control: ISM-1617; Revision: 0; Updated: Oct-20; Applicability: All; Essential Eight: N/A Control: ISM-0724; Revision: 2; Updated: Oct-20; Applicability: All; Essential Eight: N/A Coordinating cyber securityThe CISO is responsible for ensuring the alignment of cyber security and business objectives within their organisation. To achieve this, they should facilitate communication between cyber security and business stakeholders. This includes translating cyber security concepts and language into business concepts and language, as well as ensuring that business teams consult with cyber security teams to determine appropriate controls when planning new business projects. Additionally, as the CISO is responsible for the development of their organisation’s cyber security program, they are best placed to advise projects on the strategic direction of cyber security within their organisation. Control: ISM-0725; Revision: 3; Updated: Dec-21; Applicability: All; Essential Eight: N/A Control: ISM-0726; Revision: 2; Updated: Oct-20; Applicability: All; Essential Eight: N/A Reporting on cyber securityThe CISO is responsible for reporting cyber security matters to their organisation’s senior executive or Board. Reporting should cover:
Reporting on cyber security matters should be structured by business functions, regions or legal entities and support a consolidated view of an organisation’s security risks. It is important that the CISO is able to translate security risks into operational risks for their organisation, including financial and legal risks, in order to enable more holistic conversations about their organisation’s risks. Control: ISM-0718; Revision: 3; Updated: Mar-22; Applicability: All; Essential Eight: N/A Overseeing incident response activitiesTo ensure the CISO is able to accurately report to their organisation’s senior executive or Board on cyber security matters, it is important they are fully aware of all cyber security incidents within their organisation. The CISO is also responsible for overseeing their organisation’s response to cyber security incidents, including how internal teams respond and communicate with each other during an incident. In the event of a major cyber security incident, the CISO should be prepared to step into a crisis management role. They should understand how to bring clarity to the situation and communicate effectively with internal and external stakeholders. Control: ISM-0733; Revision: 2; Updated: Oct-20; Applicability: All; Essential Eight: N/A Control: ISM-1618; Revision: 0; Updated: Oct-20; Applicability: All; Essential Eight: N/A Contributing to business continuity and disaster recovery planningThe CISO is responsible for contributing to the development and maintenance of their organisation’s business continuity and disaster recovery plans, with the aim to improve business resilience and ensure the continued operation of critical business processes. Control: ISM-0734; Revision: 3; Updated: Jun-21; Applicability: All; Essential Eight: N/A Developing a cyber security communications strategyTo facilitate cyber security cultural change across their organisation, the CISO should act as a thought leader by continually communicating their strategy and vision. A communication strategy can be helpful in achieving this. Communications should be tailored to different parts of their organisation and be topical for the intended audience. Control: ISM-0720; Revision: 1; Updated: Oct-20; Applicability: All; Essential Eight: N/A Working with suppliersThe CISO is responsible for ensuring that consistent vendor management processes are applied across their organisation, from discovery through to ongoing management. As supplier relationships come with additional security risks, the CISO should assist personnel with assessing cyber supply chain risks and understand the security impacts of entering into contracts with suppliers. Control: ISM-0731; Revision: 2; Updated: Oct-20; Applicability: All; Essential Eight: N/A Receiving and managing a dedicated cyber security budgetReceiving and managing a dedicated cyber security budget will ensure the CISO has sufficient access to funding to support their cyber security program, including cyber security uplift activities and responding to cyber security incidents. Control: ISM-0732; Revision: 2; Updated: Oct-20; Applicability: All; Essential Eight: N/A Overseeing cyber security personnelThe CISO is responsible for the cyber security workforce within their organisation, including plans to attract, train and retain cyber security personnel. The CISO should also delegate relevant tasks to cyber security managers and other personnel as required and provide them with adequate authority and resources to perform their duties. Control: ISM-0717; Revision: 2; Updated: Oct-20; Applicability: All; Essential Eight: N/A Overseeing cyber security awareness raisingTo ensure personnel are actively contributing to the security culture of their organisation, a cyber security awareness training program should be developed. As the CISO is responsible for cyber security within their organisation, they should oversee the development and operation of the cyber security awareness training program. Control: ISM-0735; Revision: 2; Updated: Oct-20; Applicability: All; Essential Eight: N/A Further informationFurther information on responding to cyber security incidents can be found in the managing cyber security incidents section of the Guidelines for Cyber Security Incidents. Further information on cyber supply chain risk management can be found in the cyber supply chain risk management section of the Guidelines for Procurement and Outsourcing. Further information on the procurement of outsourced services can be found in the managed services and cloud services section of the Guidelines for Procurement and Outsourcing. Further information on cyber security awareness training programs can be found in the cyber security awareness training section of the Guidelines for Personnel Security. System ownersSystem ownership and oversightSystem owners are responsible for ensuring the secure operation of their systems. However, system owners may delegate the day-to-day management and operation of their systems to system managers. Control: ISM-1071; Revision: 1; Updated: Sep-18; Applicability: All; Essential Eight: N/A Control: ISM-1525; Revision: 1; Updated: Jan-21; Applicability: All; Essential Eight: N/A Protecting systems and their resourcesBroadly, the risk management framework used by the Information Security Manual has six steps: define the system, select controls, implement controls, assess controls, authorise the system and monitor the system. System owners are responsible for the implementation of this six step risk management framework for each of their systems. Control: ISM-1633; Revision: 0; Updated: Jan-21; Applicability: All; Essential Eight: N/A Control: ISM-1634; Revision: 1; Updated: Jun-22; Applicability: All; Essential Eight: N/A Control: ISM-1635; Revision: 2; Updated: Jun-22; Applicability: All; Essential Eight: N/A Control: ISM-1636; Revision: 1; Updated: Jun-22; Applicability: All; Essential Eight: N/A Control: ISM-0027; Revision: 4; Updated: Jan-21; Applicability: All; Essential Eight: N/A Control: ISM-1526; Revision: 2; Updated: Jun-22; Applicability: All; Essential Eight: N/A Annual reporting of system security statusAnnual reporting by system owners on the security status of their systems to their authorising officer can assist the authorising officer in maintaining awareness of the security posture of systems within their organisation. Control: ISM-1587; Revision: 0; Updated: Aug-20; Applicability: All; Essential Eight: N/A Further informationFurther information on using the Information Security Manual’s six step risk management framework can be found in the applying a risk-based approach to cyber security section of Using the Information Security Manual. Further information on monitoring systems and their operating environments can be found in the event logging and monitoring section of the Guidelines for System Monitoring. |