Roles and Responsibilities
This section outlines the roles and responsibilities an agency should allocate as part of their cyber security function:
- Agencies have flexibility to tailor these roles to their organisational context, but all responsibilities must be allocated and performed regardless of role title.
- An agency may not have all the roles outlined below.
- These responsibilities can be allocated to roles not specifically named in this policy or shared among multiple roles.
For more information, or for a copy of the guidance documents, email policy@cyber.nsw.gov.au.
Agency Heads
All Agency Heads (e.g. Commissioners, Chief Executive Officers), including the Secretary of a department, are accountable for:
- Ensuring their agency complies with the requirements of this policy and reports on compliance with the Policy in a timely manner
- Ensuring their agency develops, implements and maintains an effective cyber security plan and/or information security plan
- Determining their agency's risk appetite using the approved whole-of-government Internal Audit and Risk Management Policy
- Appropriately resourcing and supporting agency cyber security initiatives including training and awareness and continual improvement initiatives to support this policy
- Approving internal security policies as required
The Secretary of a department is accountable for:
- Appointing or assigning an appropriate senior executive band officer in the agency or across the department, with the authority to perform the duties outlined in this policy – this person should be dedicated to security at least at the department level
- Appointing or assigning a senior executive band officer with authority for Industrial Automation and Control Systems (IACS) cyber security for the agency or department (if applicable)
- Ensuring all agencies in their department implement and maintain an effective cyber security program
- Supporting the agency's cyber security plan
- Ensuring their agency complies with the requirements of this policy and reports on compliance with the Policy in a timely manner
- Ensuring their agency develops, implements and maintains an effective cyber security plan and/or information security plan
- Determining their agency's risk appetite using the approved whole-of-government Internal Audit and Risk Management Policy
- Appropriately resourcing and supporting agency cyber security initiatives including training and awareness and continual improvement initiatives to support this policy
- Approving internal security policies as required
ICT & Digital Leadership Group (IDLG)
The IDLG is chaired by the Government Chief Information and Digital Officer (GCIDO) and is attended by the Chief Information Officers (CIOs) in NSW Government. The IDLG is responsible for:
- Endorsing the Policy and any updates
- Ensuring the Policy's implementation across NSW Government
- Reviewing the summarised agency/department reports against the Policy's mandatory requirements
- Providing leadership, support and resources for the Policy and advocating organisational commitment to improving the cyber security culture of the agency/department
NSW Chief Cyber Security Officer (NSW CCSO)
The NSW CCSO is accountable for:
- Creating and implementing the NSW Government Cyber Security Strategy
- Building a cyber-aware culture across NSW Government
- Receiving, collating and reporting on high cyber risks and monitoring cyber security incident reports across NSW Government
- Reporting on consolidated agency compliance and maturity
- Chairing the NSW Government Cyber Security Steering Group (CSSG)
- Consulting with agencies and providing advice and assistance to the NSW Government on cyber security including improvements to Policy, capability and capacity
- Recommending and recording exemptions to any part of the NSW Government Cyber Security Policy
- Representing NSW Government on cross-jurisdictional matters relevant to cyber security
- Assisting agencies to share information on security threats and cooperate on security threats and intelligence to enable management of government-wide cyber risk
- Creating and implementing the NSW Government cyber incident response arrangements
- Coordinating the NSW Government response to significant cyber incidents and cyber crises
Chief Information Security Officers (CISO) or Chief Cyber Security Officers (CCSO)
All CISOs and CCSOs, or staff with those responsibilities, are responsible for:
- Defining and implementing a cyber security plan for the protection of the agency's information and systems
- Developing a cyber security strategy, architecture and risk management process, and incorporating these into the agency's current risk framework and processes
- Assessing and providing recommendations on any exemptions to agency or department information security policies and standards
- Implementing policies, procedures, practices and tools to ensure compliance with this policy
- Investigating, responding to and reporting on cyber security events
Department CISOs and CCSOs only, or staff with those responsibilities, are responsible for:
- Reporting cyber incidents to the appropriate agency governance forum and Cyber Security NSW based on severity definitions provided by Cyber Security NSW
- Supporting agencies in their department to implement and maintain an effective cyber security program including via effective collaboration and/or governance forums
- Managing the budget and funding for the cyber security program
- Applying for relevant programs/funding (e.g. DRF, ACSC uplift programs)
Chief Information Officer (CIO) or Chief Operating Officer (COO)
CIOs or COOs, or staff with CIO/COO responsibilities, are accountable for:
- Working with CISOs and across their agency to implement this policy
- Implementing a cyber security plan that includes consideration of threats, risks and vulnerabilities that impact the protection of the agency's information and systems within the agency's cyber security risk tolerance
- Ensuring that all staff, including consultants, contractors and outsourced service providers understand the cyber security requirements of their roles
- Clarifying the scope of CIO or COO responsibilities for cyber security relating to assets such as information, building management systems and IACS
- Assisting CISOs/CCSOs or an equivalent position with their responsibilities
- Ensuring a secure-by-design approach for new initiatives and upgrades to existing systems, including legacy systems
Information Security Manager, Cyber Security Manager or Senior Responsible Officer
Information Security Managers, Cyber Security Managers or Senior Responsible Officers are responsible for one or all of the following within their agency or department:
- Managing and coordinating the response to cyber security incidents, changing threats, and vulnerabilities
- Developing and maintaining cyber security procedures and guidelines
- Providing guidance on cyber security risks introduced from business and operational change
- Managing the life cycle of cyber security platforms including design, deployment, ongoing operation, and decommissioning
- Ensuring appropriate management of the availability, capacity and performance of cyber security hardware and applications
- Providing input and support to regulatory compliance and assurance activities and managing any resultant remedial activity
- Developing a metrics and assurance framework to measure the effectiveness of controls
- Providing day-to-day management and oversight of operational delivery
Information Management Officer
A department or agency should have a person or persons who fulfil the role of Information Management Officer as part of their duties and who are responsible for:
- Acting as a focal point within their agency for all matters related to information management that are required to support cyber security
- Ensuring that a cyber incident involving information damage or loss is escalated and reported to the appropriate information management response team in their agency
Internal Audit
Agency Internal Audit teams are responsible for:
- Validating that the cyber security plan meets the agency's business goals and objectives and ensuring the plan supports the agency's cyber security strategy
- Regularly reviewing their agency's adherence to this policy and cyber security controls
- Providing assurance regarding the effectiveness of cyber security controls
Risk
Agency Risk teams are responsible for:
- Assisting in ensuring the risk framework is applied when assessing cyber security risks, and in setting the risk appetite
- Assisting the agency CISO in analysing cyber security risks
- Meeting with the department CISO to ensure cyber risk frameworks fit into the Enterprise Risk Framework
Third-party ICT providers
Agencies are responsible under the cyber security Policy for managing cyber security requirements. This includes contract clauses, monitoring and enforcement for third-party ICT providers, and the ICT security of non-government organisations holding and/or accessing government systems.
Where agencies require third-party organisations to comply with the Policy, agencies should ensure those organisations have the following in place to protect the government systems outsourced to them or to which they have access:
- Mandatory Requirement 1.5: The third-party organisation has a process that is followed to notify the agency quickly of any suspected or actual security incidents and follows reasonable direction from the agency arising from incident investigations (noting this will vary based on risk profile and risk appetite).
- Mandatory Requirement 2.1: The third-party organisation ensures that their staff understand and implement the cyber security requirements of the contract.
- Mandatory Requirement 3.1: Any 'Crown Jewel' systems must be covered in the scope of an Information Security Management System (ISMS) or Cyber Security Framework.
- Mandatory Requirement 3.4: Cyber security requirements are built into the early stages of projects and the system development life cycle (SDLC), including agile projects.
- Mandatory Requirement 3.5: Ensure new ICT systems or enhancements include processes for audit trails and activity logging to assess the accuracy and integrity of data, including processes for internal fraud detection.
This does not prevent other contractual obligations being imposed.