Roles and Responsibilities

ICT & Digital Leadership Group (IDLG)

The IDLG, chaired by the Government Chief Information and Digital Officer (GCIDO), is responsible for:

  • Approving the policy and any updates
  • Ensuring its implementation across NSW Government
  • Reviewing the summarised Agency/Cluster reports against the policy’s mandatory requirements

Agency heads

The head of each NSW Agency is accountable for:

  • Ensuring their Agency complies with the requirements of this policy and reporting on compliance with the policy
  • Ensuring their Agency develops, implements and maintains an effective information and cyber security plan
  • Appointing or assigning an appropriate senior executive band officer in the Agency or across the Cluster, with the authority to perform the duties outlined in this policy – this person should be dedicated to security at least at the cluster level
  • Appointing or assigning a senior executive band officer with authority for IACS cyber security for the Agency or Cluster (if applicable)
  • Ensuring CISOs (or equivalent) and a senior executive band officer for IACS (if applicable) attend the Agency’s risk committee meetings as advisors or committee members
  • Determining their Agency’s tolerance for security risks using the approved whole-of-government Internal Audit and Risk Management Policy
  • Appropriately resourcing and supporting Agency cyber security initiatives including training and awareness and continual improvement initiatives to support this policy
  • For cluster Secretaries, ensuring all agencies in their cluster implement and maintain an effective cyber security program


Chief Information Officer (CIO) or Chief Operating Officer (COO)

CIOs or COOs, or staff with CIO/COO responsibilities are accountable for:

  • Working with CISOs and across their Agency to implement this policy
  • Implementing a cyber security plan that includes consideration of threats, risks and vulnerabilities that impact the protection of the Agency’s information and systems within the Agency’s cyber security risk tolerance
  • Ensuring that all staff, including consultants, contractors and outsourced service providers understand the cyber security requirements of their roles
  • Clarifying the scope of CIO or COO responsibilities for cyber security relating to assets such as information, building management systems and IACS
  • Assisting CISOs/CCSOs or equivalent position with their responsibilities
  • Ensuring a secure-by-design approach for new initiatives and upgrades to existing systems
  • Ensuring all staff and providers understand their role in building and maintaining secure systems

Chief Information Security Officers (CISO) or Chief Cyber Security Officers (CCSO)

CISOs and CCSOs, or staff with those responsibilities are responsible for:

  • Assisting with defining and implementing a cyber security plan for the protection of the Agency’s information and systems 
  • Attending Agency or Cluster Risk Committee meetings as an advisor or member
  • Implementing policies, procedures, practices and tools to ensure compliance with this policy
  • Investigating, responding to and reporting on cyber security events
  • Reporting cyber incidents to the appropriate Agency governance forum and Cyber Security NSW based on severity definitions provided by Cyber Security NSW
  • Representing their Agency on whole-of-government collaboration, advisory or steering groups established by Cyber Security NSW or cluster CISO 
  • Establishing training and awareness programs to increase employees’ cyber security capability
  • Building cyber incident response capability that links to Agency incident management and the whole of government cyber response plan 
  • Collaborating with privacy, audit, information management and risk officers to protect Agency information and systems
  • For cluster CISOs, supporting agencies in their cluster to implement and maintain an effective cyber security program including via effective collaboration and/or governance forums

NSW Chief Cyber Security Officer (NSW CCSO)

The NSW CCSO is accountable for:

  • Creating and implementing the NSW Government Cyber Security Strategy
  • Building a cyber-aware culture across NSW Government
  • Receiving, collating and reporting on high cyber risks and monitoring cyber security incident reports across NSW Government
  • Reporting on consolidated Agency compliance and maturity
  • Chairing the NSW Government Cyber Security Steering Group (CSSG)
  • Consulting with agencies and providing advice and assistance to the NSW Government on cyber security including improvements to policy, capability and capacity
  • Recommending and recording exemptions to any part of the NSW Government Cyber Security Policy
  • Representing NSW Government on cross-jurisdictional matters relevant to cyber security 
  • Assisting agencies to share information on security threats and cooperate on security threats and intelligence to enable management of government-wide cyber risk
  • Creating and implementing the NSW Government cyber incident response arrangements 
  • Coordinating the NSW Government response to significant cyber incidents and cyber crises

Information Management Officer

A Cluster or Agency should have a person or persons who fulfil the role of Information Management Officer as part of their role and are accountable for:

  • Acting as a focal point within their Agency for all matters related to information management that are required to support cyber security
  • Ensuring that a cyber incident that involves information damage or loss is dealt with in the proper manner and reported to the State Archives and Records Authority

Internal Audit

Agency Internal Audit teams are accountable for:

  • On a risk basis, regularly reviewing their Agency’s adherence to this policy and cyber security controls 
  • Assisting the Agency CISO in analysing internal controls and developing the cyber security plan


Agency Risk teams are responsible for:

  • Assisting to ensure the risk framework is applied in assessing cyber security risks and assist with setting of risk appetite
  • Assisting the Agency CISO in analysing cyber security risks and developing the cyber security plan