Roles and Responsibilities

Each agency should have someone performing each of the following roles:

ICT & Digital Leadership Group (IDLG)

The IDLG, chaired by the Government Chief Information and Digital Officer (GCIDO), is responsible for:

  • Approving the policy and any updates
  • Ensuring its implementation across NSW Government
  • Reviewing the summarised agency/cluster reports against the policy’s mandatory requirements

Agency heads

The Secretary of a department is accountable for:

  • Appointing or assigning an appropriate senior executive band officer in the agency or across the cluster, with the authority to perform the duties outlined in this policy – this person should be dedicated to security at least at the cluster level
  • Appointing or assigning a senior executive band officer with authority for Industrial Automation and Control Systems (IACS) cyber security for the agency or cluster (if applicable)
  • Ensuring all agencies in their cluster implement and maintain an effective cyber security program
  • Supporting the agency’s cyber security plan

All Agency Heads (e.g. Commissioners, Chief Executive Officers), including the Secretary of a department, are accountable for:

  • Ensuring their agency complies with the requirements of this policy and timely reporting on compliance with the policy
  • Ensuring their agency develops, implements and maintains an effective cyber security plan and/or information security plan
  • Ensuring CISOs (or equivalent) and a senior executive band officer for IACS (if applicable) attend the agency’s risk committee meetings as advisors or committee members
  • Determining their agency’s risk appetite using the approved whole-of-government Internal Audit and Risk Management Policy
  • Appropriately resourcing and supporting agency cyber security initiatives including training and awareness and continual improvement initiatives to support this policy

Chief Information Security Officers (CISO) or Chief Cyber Security Officers (CCSO)

CISOs and CCSOs, or staff with those responsibilities, are responsible for:

  • Defining and implementing a cyber security plan for the protection of the agency’s information and systems
  • Developing a cyber security strategy, architecture, and risk management process, and incorporating these into the agency’s current risk framework and processes
  • Assessing and providing recommendations on any exemptions to agency or cluster information security policies and standards
  • Attending agency or cluster risk committee meetings as an advisor or member
  • Implementing policies, procedures, practices and tools to ensure compliance with this policy
  • Investigating, responding to and reporting on cyber security events
  • Reporting cyber incidents to the appropriate agency governance forum and Cyber Security NSW based on severity definitions provided by Cyber Security NSW
  • Representing their agency on whole-of-government collaboration, advisory or steering groups established by Cyber Security NSW or the cluster CISO
  • Establishing training and awareness programs to increase employees’ cyber security capability
  • Building cyber incident response capability that links to agency incident management and the whole-of-government cyber response plan
  • Collaborating with privacy, audit, information management and risk officers to protect agency information and systems
  • For cluster CISOs, supporting agencies in their cluster to implement and maintain an effective cyber security program, including via effective collaboration and/or governance forums
  • Managing the budget and funding for the cyber security program

Chief Information Officer (CIO) or Chief Operating Officer (COO)

CIOs or COOs, or staff with CIO/COO responsibilities, are accountable for:

  • Working with CISOs and across their agency to implement this policy
  • Implementing a cyber security plan that includes consideration of threats, risks and vulnerabilities that impact the protection of the agency’s information and systems, within the agency’s cyber security risk tolerance
  • Ensuring that all staff, including consultants, contractors and outsourced service providers, understand the cyber security requirements of their roles
  • Clarifying the scope of CIO or COO responsibilities for cyber security relating to assets such as information, building management systems and IACS
  • Assisting CISOs/CCSOs or equivalent position with their responsibilities
  • Ensuring a secure-by-design approach for new initiatives and upgrades to existing systems, including legacy systems
  • Ensuring all staff and providers understand their role in building and maintaining secure systems

Information Security Manager or Cyber Security Manager

Information Security Managers or Cyber Security Managers are responsible for one or all of the following within their agency or cluster:

  • Managing and coordinating the response to cyber security incidents, changing threats, and vulnerabilities
  • Developing and maintaining cyber security procedures and guidelines
  • Providing guidance on cyber security risks introduced from business and operational change
  • Managing the life cycle of cyber security platforms including design, deployment, ongoing operation, and decommissioning
  • Ensuring appropriate management of the availability, capacity and performance of cyber security hardware and applications
  • Providing input and support to regulatory compliance and assurance activities and managing any resultant remedial activity
  • Developing a metrics and assurance framework to measure the effectiveness of controls
  • Providing day-to-day management and oversight of operational delivery

NSW Chief Cyber Security Officer (NSW CCSO)

The NSW CCSO is accountable for:

  • Creating and implementing the NSW Government Cyber Security Strategy
  • Building a cyber-aware culture across NSW Government
  • Receiving, collating and reporting on high cyber risks and monitoring cyber security incident reports across NSW Government
  • Reporting on consolidated agency compliance and maturity
  • Chairing the NSW Government Cyber Security Steering Group (CSSG)
  • Consulting with agencies and providing advice and assistance to the NSW Government on cyber security including improvements to policy, capability and capacity
  • Recommending and recording exemptions to any part of the NSW Government Cyber Security Policy
  • Representing NSW Government on cross-jurisdictional matters relevant to cyber security
  • Assisting agencies to share information on security threats and cooperate on security threats and intelligence to enable management of government-wide cyber risk
  • Creating and implementing the NSW Government cyber incident response arrangements
  • Coordinating the NSW Government response to significant cyber incidents and cyber crises

Information Management Officer

A cluster or agency should have a person or persons who fulfil the role of Information Management Officer as part of their duties and are accountable for:

  • Acting as a focal point within their agency for all matters related to information management that are required to support cyber security
  • Ensuring that a cyber incident that involves information damage or loss is dealt with in the proper manner and reported to the State Archives and Records Authority

Internal Audit

Agency Internal Audit teams are accountable for:

  • Validating that the cyber security plan meets the agency’s business goals and objectives and ensuring the plan supports the agency’s cyber security strategy
  • Regularly reviewing their agency’s adherence to this policy and cyber security controls
  • Providing assurance regarding the effectiveness of cyber security controls

Risk

Agency Risk teams are responsible for:

  • Helping to ensure the risk framework is applied when assessing cyber security risks and when setting risk appetite
  • Assisting the agency CISO in analysing cyber security risks
  • Meeting with the cluster CISO to ensure cyber risk frameworks fit into the Enterprise Risk framework

Vendors/3rd parties

Vendors/3rd parties are responsible for:

  • Complying with the NSW Cyber Security Policy minimum standards
  • Complying with all relevant whole-of-government security requirements, including all security-related controls/clauses in procurement contracts